TY - JOUR
T1 - The LED's right of access to one's data
T2 - Loopholes on proper access, legality review and data protection authority accountability
AU - Dimitrova, Diana
AU - De Hert, Paul
PY - 2024/3
Y1 - 2024/3
N2 - Directive 2016/680 (the Law Enforcement Directive (LED)) provides two procedures for the exercise of the rights of access to one's data: a direct one under Article 14 LED (directly addressed to the law enforcement authority) and an 'indirect' one under Article 17 (3) LED, i.e., via the intermediary of the data protection authority (DPA). In the present paper we will argue that the latter procedure should be the exception and the Article 14 LED procedure should be seen as the default. We will analyse the weaknesses of the Article 17 (3) LED provision and then criticize its, in our opinion, flawed implementation into the national laws of Belgium, France and Germany. We will demonstrate that Article 17 (3) LED, as read in light of Article 15 LED on the restrictions to the right of access, might be interpreted incorrectly to allow for the 'indirect' access procedure to be evoked abusively. We will argue that it lacks the explicit language to guarantee the decision-making powers of DPAs when deciding what information to communicate to the concerned data subjects when answering their request. We will demonstrate how the examined Member State laws further restrict the powers of their DPAs, which endangers the effectiveness of the 'indirect' access procedure because they do not guarantee the accountability, transparency, and proper legality check by the DPAs which are called on to exercise the right of access indirectly.
AB - Directive 2016/680 (the Law Enforcement Directive (LED)) provides two procedures for the exercise of the rights of access to one's data: a direct one under Article 14 LED (directly addressed to the law enforcement authority) and an 'indirect' one under Article 17 (3) LED, i.e., via the intermediary of the data protection authority (DPA). In the present paper we will argue that the latter procedure should be the exception and the Article 14 LED procedure should be seen as the default. We will analyse the weaknesses of the Article 17 (3) LED provision and then criticize its, in our opinion, flawed implementation into the national laws of Belgium, France and Germany. We will demonstrate that Article 17 (3) LED, as read in light of Article 15 LED on the restrictions to the right of access, might be interpreted incorrectly to allow for the 'indirect' access procedure to be evoked abusively. We will argue that it lacks the explicit language to guarantee the decision-making powers of DPAs when deciding what information to communicate to the concerned data subjects when answering their request. We will demonstrate how the examined Member State laws further restrict the powers of their DPAs, which endangers the effectiveness of the 'indirect' access procedure because they do not guarantee the accountability, transparency, and proper legality check by the DPAs which are called on to exercise the right of access indirectly.
KW - 'indirect access'
KW - transparency
KW - right of access
KW - data protection
KW - law enforcement directive
UR - https://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=wosstart_imp_pure20230417&SrcAuth=WosAPI&KeyUT=WOS:001185967700002&DestLinkType=FullRecord&DestApp=WOS_CPL
UR - http://www.scopus.com/inward/record.url?scp=85176270201&partnerID=8YFLogxK
U2 - 10.1177/20322844231214484
DO - 10.1177/20322844231214484
M3 - Article
SN - 2032-2844
VL - 15
SP - 12
EP - 32
JO - New journal of European criminal law
JF - New journal of European criminal law
IS - 1
ER -