Between GDPR and the police directive: Navigating through the maze of information sharing in public-private partnerships

Research output: Contribution to journal › Article › Scientific › peer-review

Abstract

- Legitimacy of public-private partnerships for combatting cybercrime partially depends on whether or not law enforcement data processing activities are subject to the same data protection-related restrictions, whether they involve cooperation of private parties or not.
- Information sharing within PPPs is a complex phenomenon with various configurations and power structures. This complexity needs to be accounted for in the analysis of the applicability of the two data protection regimes.
- GDPR as a general data protection instrument and the Police Directive as a lex specialis are meant to leave no space for the private-public data transfers to fall through the cracks. However, which legal regime applies when private entities and law enforcement act as joint controllers is a grey area of the dual EU data protection regime and may seriously undermine legitimacy of PPPs, unless private parties are given status of competent authorities or controllership within PPPs is assigned in a special legal act.
- Private parties may be subject to less data protection restrictions, e.g. exempted from the purpose limitation principle, when collaborating with the law enforcement. This may create motivation for the public law enforcement to actively seek such collaboration to avoid constraints imposed on them by law.
- It is recommended that the legislative measures creating such exemptions subject private-public data transfers to the same conditions of legality of processing as the processing by competent authorities.

Language: English
Journal: International Data Privacy Law
State: E-pub ahead of print - 2018

Fingerprint

data protection
public private partnership
police
law enforcement
data exchange
legitimacy
public law
exemption
legality
EU
Law

Keywords

  • Cybercrime, data transfer, information sharing, joint controllers, Police Directive, public-private partnership

Cite this

@article{427b4f270f4140829511d2904dccc758,
title = "Between GDPR and the police directive: Navigating through the maze of information sharing in public-private partnerships",
abstract = "- Legitimacy of public-private partnerships for combatting cybercrime partially depends on whether or not law enforcement data processing activities are subject to the same data protection-related restrictions, whether they involve cooperation of private parties or not. - Information sharing within PPPs is a complex phenomenon with various configurations and power structures. This complexity needs to be accounted for in the analysis of the applicability of the two data protection regimes. - GDPR as a general data protection instrument and the Police Directive as a lex specialis are meant to leave no space for the private-public data transfers to fall through the cracks. However, which legal regime applies when private entities and law enforcement act as joint controllers is a grey area of the dual EU data protection regime and may seriously undermine legitimacy of PPPs, unless private parties are given status of competent authorities or controllership within PPPs is assigned in a special legal act. - Private parties may be subject to less data protection restrictions, e.g. exempted from the purpose limitation principle, when collaborating with the law enforcement. This may create motivation for the public law enforcement to actively seek such collaboration to avoid constraints imposed on them by law. - It is recommended that the legislative measures creating such exemptions subject private-public data transfers to the same conditions of legality of processing as the processing by competent authorities.",
keywords = "Cybercrime, data transfer, information sharing, joint controllers, Police Directive, public-private partnership",
author = "Nadezhda Purtova",
year = "2018",
doi = "https://doi.org/10.1093/idpl/ipx021",
language = "English",
journal = "International Data Privacy Law",
issn = "2044-3994",
}
