Privacy issues in e-justice

Ioannis Iglezakis,

Privacy issues in e-justice
Presentation in the Conference ICT4Justice (THESSALONIKI, GREECE – OCTOBER 24th, 2008).

Privacy in the information society is more than the right to be left alone. The concept of privacy in its traditional form includes the right of the individual to shield its most intimate activities, thoughts and beliefs from other people. However, as modern people are not living in a state of isolation, but of interaction, it is clear that nobody can live alone, isolated from others. Therefore, it becomes evident that modern privacy (should) encompasse not just the right to be let alone, but rather the right to control how information about the individual is collected, used and being processed.

Particularly, in view of the risks which are inherent in new technologies, privacy can be conceptualized as the individual’s right to protection of personal information concerning the use of ICT. Privacy issues are emerging in various cases, in which information and communication technologies are employed. ICTs are also introduced in the justice sector with a view to provide for more efficiency, accountability and enhanced cross-border cooperation. Although e-Justice will play a big role in the modernization of the system of justice in the near future, its development should also take into account the need to provide protection of privacy.

In particular, e-justice aims at allowing greater information sharing between government departments and between judicial and police authorities in different countries. This increase in the flow of personal information may, however, infringe privacy for the reason that it could contravene with the purpose limitation principle.

In more general, the more personal data are being processed by public authorities, the more increases the surveillance potential, and this increase invokes fears of a “big brother’ State.

Furthermore, data exchanged in the framework of police and judicial cooperation in criminal matters may not find adequate protection, if there are no rules establishing clear protection of fundamental rights of individuals. It is, thus, necessary to lay down the requirements for transmission and making available to personal data to authorities in other states, as well as the further processing of such data.

In the EU, a high standard of protection is afforded and in order to maintain it, it needs to be determined that data could be transferred only when third countries provide an adequate level of protection.

The main regulatory instrument in the EU and the Member States is Directive 95/46/EEC, which introduces a high level of data protection and has contributed to harmonization of data protection legislation in the European Union. The Directive does not apply, however, to the processing of personal data in the course of an activity which falls outside the scope of Community law, such as those provided for by V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law.

On international level, there is no exemption concerning criminal law and the justice sector in the Council of Europe’s Convention for the Protection of Individuals with regard to automatic processing of personal data of 1981. This Convention is considered as a cornerstone in data protection, as it influenced the European States and formed the basis for the provisions of the EU Directive.

In Greece, protection of personal data is enshrined in Article 9A of the amended Constitution and in Law 2472/1997, which includes rules for the lawful processing of personal data, grants rights to data subjects and establishes a control system in which the central role is granted to the Authority for the Protection of Personal Data (herein forth “Authority”). In addition, it provides for administrative and criminal sanctions, and remedies in case of non-compliance with its provisions. With the enactment of the Data Protection Act the legislator defines the essential regulatory framework regarding data procession and regulates, in effect, the flow of personal data within the society and between individuals.

The Greek law regulates in Article 5 the conditions under which processing of personal data is permitted. Data processing is lawful only if it is grounded on one of the particular instances referred to in this Article. In the framework of e-justice, the provision of para. 2 lit. d is relevant, which provides that processing is necessary for the performance of a task carried out in the public interest or a project carried out in the exercise of public function by a public authority. This requirement is fulfilled where collection and electronic storage of data is carried out for the purpose of creating an electronic case file and further, where personal data are transferred to law enforcement authorities in the framework of police and judicial cooperation and on the basis of binding legal rules (e.g. Convention implementing the Schengen Agreement of 1990, Europol Convention 1995, Decision for Eurojust of 2002, etc.).

Specific rules apply for personal data of a more sensitive nature, such as those referring to criminal charges or convictions. Particularly in case of data processing in e-justice, the provision of Art. 7 (2) e is relevant, providing that processing is carried out by a Public Authority and is necessary, inter alia, for the purposes of criminal or correctional policy and pertains to the detection of offences, criminal convictions or security measures.

Additional safeguards are the provisions providing for confidentiality and security of processing and those concerning rights of the data subjects, i.e. the right to information, the right to access of data, the right to object to data processing and the right to provisional judicial protection.

Recently, with Law 3625/2007, the data protection act was amended and an exemption from the field of application was included, providing that the Law does not apply to data processing carried out by judges and public prosecutors in the administration of justice or for the need of crime investigation and concerning felonies or offences committed on intent, particularly those against life, sexual freedom and exploitation of sexuality, drugs etc. In these cases, the law states that the provisions of common legislation apply and this means that the public prosecutors and other judicial authorities are not bound by the data protection, but only by criminal law provisions, such as the Penal Code and Penal Procedure Code. Particularly the latter contains provisions providing for protection of fundamentals rights of the accused persons; however, there are no concrete provisions for data protection in this act or in other relevant legislation. This deficit is particularly apparent in the case of judicial cooperation, where there are no legislative safeguards for the individuals.

In order to address the issues concerning particularly the processing of personal data in the framework of police and judicial co-operation in criminal matters, the EU Commission submitted 2005 a Proposal for a Council Framework Decision. The proposal once accepted will fill the existing gap in this particular sector.

In particular, the Framework Decision determines common standards to ensure the protection of individuals with regard to the processing of personal data in the framework of police and judicial co-operation in criminal matters, provided for by Title VI of the Treaty on European Union. As a result, no restrictions of data flow should be imposed, according to Article 2 (2), which states that Member States shall ensure that the disclosure of personal data to the competent authorities of other Member States is neither restricted nor prohibited for reasons connected with data protection.