Introduction
The General Data Protection Regulation No. 2016/679 (the ‘GDPR’) is the European Union’s newest and toughest data privacy and security law. Since it came into effect, in 2018, any organization in the world which targets or collects personal data of people in the EU must comply with the strict obligations provided thereby.
Besides the General Data Protection Regulation, the protection of natural persons with regard to the processing of their personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data is regulated by the Directive (EU) 2016/680 of The European Parliament and of The Council of 27 April 2016.
On the 26th of January 2023, The Court of Justice of the European Union (the ‘CJEU’) handed down its Judgement in Case C-205/21. The case was concerned with the systematic collection of biometric and genetic data of accused persons in order to be entered in a police record. The Court ruled that processing sensitive personal data in the lack of adequate legislative and procedural safeguards is contrary to the requirement of ensuring enhanced protection of such data in criminal cases.
The frame of reference
The Bulgarian authorities started criminal proceedings against several persons and entities for tax fraud and participation in a criminal organization. After serving her the accusation order, the Bulgarian police asked one of the persons under investigation to give her consent with regard to the collection and the recording of her biometric – i.e., mainly dactyloscopic and photographic – data by the police. The same person was also asked to consent to the collection of a DNA sample in order for the police to create her DNA profile.
It is, in this context, worth noting that, as far as the European legislation is concerned, the GDPR contains several concrete provisions on profiling as a means of automated processing of personal data used to evaluate specific aspects about an individual. Pursuant to Article 22 of the GDPR on automated individual decision-making, including profiling, data subjects have the right not to be subjected to a decision based solely on automated processing, including profiling. Where the data subject has already given consent to his or her profiling, the controller must implement suitable measures to safeguard that data subject’s rights, freedoms, and legitimate interests. Moreover, the data subject can contest the decision to collect his or her biometric data.
In the case at hand, as the data subject under investigation opposed the collection and recording of her biometric data, the Bulgarian authorities requested the Bulgarian Specialized Criminal Court (in Bulgarian, Spetsializiran nakazatelen sad) to authorize the enforcement of collection of V.S.’s data for the envisaged purpose. The request relied on the Bulgarian national legislation on the “creation of a police record” that allowed of the creation of profiles without the consent of data subjects.
In resolving the case, the Bulgarian court questioned the compatibility of the cited Bulgarian legislation with Directive 2016/680 as read in the light of the Charter of Fundamental Rights of the European Union. The Bulgarian court looked, in particular, at Article 10 of Directive 2016/680, which authorizes the processing of biometric and genetic data under certain conditions, and asked whether that article had been correctly transposed into the Bulgarian law. In the opinion of the Bulgarian Criminal Court, the fact that the national provisions governing the police record referred only to the General Data Protection Regulation but not also to Directive 2016/680 was enough to raise doubts on the conformity thereof with the enhanced standards of protection introduced by Directive 2016/680. The Bulgarian court also concluded that there was a blatant contradiction between several provisions contained in the national laws applicable in the case at hand which, by reference to Article 9 of the GDPR, either forbade the collection and processing of biometric and genetic data or simply authorized it. Furthermore, the national court doubted that the criterion of “sufficient evidence of the guilt of a particular person”, as stated by Article 219(1) of the Bulgarian Code of Criminal Procedure, was similar to the criterion of “serious reasons to believe that [persons] have committed an offence” referred to in Article 6(a) of Directive 2016/680. According to the Bulgarian court, it appeared that under the EU law, the processing of biometric and genetic data required significantly more convincing evidence than that required under national laws.
In light of all these concerns, the national court made a reference to the European Court of Justice for a preliminary ruling. The referring court addressed the ECJ four preliminary questions on the processing of biometric and genetic data in criminal proceedings.
The conclusions of the CJEU consequently focused on a national court’s obligation to authorize the coercive collection of personal data (photographing, fingerprinting, and sampling in order to create a DNA profile) of a culprit who refuses to comply, especially when it is not possible to determine whether there is sufficient evidence to incriminate that data subject. The CJEU also probed the compatibility of the Bulgarian national law with the European law on the protection of natural persons with regard to the processing of their personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. In short, with Directive 2016/680.
The opinion of the Advocate General
According to AG Pitruzzella, when it comes to the investigation, detection or prosecution of criminal offences, technological evolution offers a variety of methods. However, these methods must be carefully regulated so that they do not become a threat to the privacy of personal data.
Mr. Pitruzzella saw the request for a preliminary ruling submitted by the Spetsializiran nakazatelen sad (Bulgaria) as a great opportunity for the CJEU to come with a clear interpretation of a very important instrument of Union law meant to ensure adequate protection for personal data of people in the EU.
The Advocate General acknowledged the Bulgarian authorities’ efforts to reach full effectiveness in their penal policies. He however added that no democratic society should find virtue in the fallibility of such policies, but that it is equally important to keep an opened door when it comes to the ability of each member state to protect its citizens.
In the particular field of data protection, concluded the AG, it is important to identify and particularize the different categories of personal data in order to ensure an enhanced protection of all data subjects, especially when involved in criminal proceedings. According to Mr. Pitruzzella, the key principles of data protection such as data minimisation and purpose limitation must always be taken into consideration.
The conclusions of the CJEU
In its judgement, the CJEU confirmed that the collection and the recording of biometric and genetic data represent a severe interference with the right to the protection of personal data. Such interference should therefore be authorized only if it is strictly necessary for achieving the specific objectives pursued, and only provided that the national law offers a sufficiently clear and precise basis to authorize that processing. Thus, a clear and precise legal basis is a prerequisite for the legitimacy of the authorization of any personal data processing. On the other hand, the fact that national legislation refers to the GDPR but not also to Directive 2016/680 is not, in itself, able to undermine the conformity and legitimacy of such authorization, inasmuch as it is evident that that national legislation allowing it effectively falls within the special scope of that Directive (and not within that, more general, of the GDPR).
The CJEU also clarified that the systematic collection of biometric and genetic data during the investigation of an intentional offence subject to public prosecution with the purpose to enter such data in a record cannot be legally authorized than only if the authority that runs the investigation has previously established that those objectives cannot be reached by other measures which constitute a less serious interference with the rights and freedoms of the person concerned.
And, as the relevant Bulgarian legislation referred to the provisions of the GDPR regarding processing of sensitive data while reproducing the contents of Directive 2016/680 – yet without explicitly referring to it, the CJUE insisted, once more, that the two sets of provisions are not equivalent. As the GDPR prohibits, in general, the processing of biometric and genetic data, Directive 2016/680 allows such processing, limitedly, in criminal proceedings, but only where strictly necessary.
Thus, drawing from AG Pitruzzella’s opinion, the CJEU, too, pointed to the need – imposed by the right to effective judicial protection and the principle of the presumption of innocence postulated by the Charter and reaffirmed in Directive 2016/680 – that all member states make a clear distinction, in their legislation, between the different categories of personal data, since the same degree of interference can affect various categories of personal data differently. In the case of biometric and genetic data, a clear and precise legal basis for their processing in criminal proceedings must necessarily require the existence of sufficient items of evidence pointing to that person’s guilt.
However, the provisions of Directive 2016/680 and the principles proclaimed by the Charter do not preclude, as such, the provision, in national legislation, of the possibility to authorize, by court order, the compulsory processing of biometric and genetic data in the case of an intentional offence subject to public prosecution where the data subject refuses to cooperate, provided however that that national law “subsequently guarantees effective judicial review of the conditions for that accusation, from which the authorization to collect those data arises”.
On the other hand, an enhanced protection of biometric and genetic data in criminal proceedings requires that the processing thereof must be allowed “only where strictly necessary”. The conditions for processing such data must therefore be strengthened, and the scope of the requirement clearly determined, in line with the principles of data processing – purpose limitation and data minimisation.
In the light of all these arguments, the Court found the Bulgarian law to fall short of the requirements laid down in Directive 2016/680, since it allows the collection of personal data from, practically, any data subjects charged with “intentional criminal offence subject to public prosecution”, without distinction and without sufficient safeguards in place, which generates a significant risk to the rights and freedoms of the people concerned.
Autor: Ana Maria Iuliana Dumitrașcu