INTRODUCTION
The Directive (EU) 2016/680, also referred to as the Data Protection Law Enforcement Directive, (hereinafter the DPLE Directive) that accompanies the General Data Protection Regulation (hereinafter the GDPR) is oft en left aside in most discussions around the EU Data Protection Reform of 2016 (also including the Passenger Name Records – hereinafter PNR – Directive). On its own merit, the DPLE Directive was praised for broadening the scope of data protection in the criminal justice sector, from the previous cross-border regime (Council Framework Decision 2008/977/JHA, hereinafter the Framework Decision) to a much wider territorial remit, extending its rules to purely internal data processing. During its drafting, however, the major European data protection supervisory bodies, i.e. the European Data Protection Supervisor (hereinafter EDPS), and the Article 29 Working Party (currently European Data Protection Board, hereinafter WP29), raised their concerns with regards to the scope of the directive, in particular the purpose of safeguarding public security. As the directive applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences including the safeguarding against and the prevention of threats to public security, the EDPS and WP29, in their respective Opinions on the Proposal for the DPLE Directive, objected to the inclusion of this last phrase, pointing out the potential for legal uncertainty that such wording may lead to. More specifically, the directive does not further define the notion of public security, while explicitly juxtaposing the concept to national security, as the latter is excluded from the scope of application of the legislation.
At the time of writing, the European Commission has referred two Member States before the Court of Justice of the European Union for failing to transpose the DPLE Directive into national law. Several months after the official deadline for the national transposition of the directive, the interpretative questions highlighted above have not been given any more thought by both regulators and scholarly literature.
Against this backdrop, this chapter aims at triggering further reflections about the DPLE Directive in a number of communities, first and foremost Member States’ legislators, data protection regulators and academics.