For a law enforcement agency to be praised for the quality of its data protection principles and practice is really saying something. Being seen as a champion of people’s privacy rights is not the norm for those in the police and intelligence world, to say the least! But at Europol, that’s what I have been consistently hearing over recent years from great bastions of data protection interests such as Giovanni Buttarelli, the European Data Protection Supervisor, members of the European Parliament and senior representatives from the NGO, Statewatch.
Today we are celebrating Data Protection Day. This brings to mind a general reflection on how and why Europol has reached this point, across the almost nine years I have spent leading the European Law Enforcement Agency. And I would be lying if I said that all of my thoughts on this subject were always positive.
In a recent blog post I admitted that it was quite a culture shock for me when joining Europol as its Director in April 2009. Certainly compared to what I was used to in the UK, the far-reaching data protection regulations with all their restrictions seemed to render an efficient operational service almost impossible. I despaired at the prospect of my plans for major organisational reform being stymied by ‘red tape.’ I can imagine that many CEOs of private business enterprises today have similar feelings regarding the imminent application of the General Data Protection Regulation (GDPR), in May 2018.
Much of the discussion on GDPR in business has focused on the fines of up to 4% of the worldwide revenue or €20 million, whichever is higher, that can be levied for non-compliance. These punishments are significant, and that is intentional, as GDPR is designed to be "effective, proportionate, and dissuasive." This will clearly make data protection a board-level topic.
However, narrowing the focus to this negative ‘threat scenario’ does not do justice to the positive shift in paradigm of the data protection reform package towards enhanced accountability. GDPR, as well as other recent data protection instruments including the Directive for data protection in the police and justice sectors, encourages companies and public sector agencies to take responsibility for setting their own risk-based approach, tailored to specific circumstances. In the business world this can clearly be a competitive advantage as a precondition for the development of innovative processing operations. In the age of big data, state-of-the-art technology is necessary – not only for private enterprises but also for law enforcement.
Europol’s lesson in making the principles of robust data protection work effectively in the interests of data analytics and data security has been a highly positive one for our Agency, and a real eye-opener for me. Keep your data processing and storage clean, targeted and simple, and gains are generated across the board. One of the key principles in this context is data protection by design, i.e. the due consideration of data protection requirements from the outset of any development regarding new processing operations. A knowledgeable Data Protection Officer guiding the organisation and its employees on important compliance requirements, training staff involved in data processing, and conducting regular compliance checks is an asset for the enhancement of data quality. The same applies to a strong external data protection supervisory authority with a sound understanding of operational business needs.
And while these are common themes, law enforcement will always require tailored rules regarding specific aspects of the work we are carrying out. One example is data subject access requests, which may be refused or restricted if this is necessary in order to guarantee that ongoing investigations will not be jeopardised.
Perhaps the biggest lesson in all this is that data protection should not be regarded as a burden. I have no doubt companies everywhere are currently labouring with the demands of being ready for GDPR, but in the end it represents an opportunity to improve internal business processes and enhance external levels of trust. If the Executive Director of a transnational law enforcement agency can discover his passion for data protection, any CEO of a data-driven private business enterprise can, too – it’s up to you to establish the data protection culture it takes in order to be successful in the digital age!
Rob Wainwright, Executive Director of Europol