Investigative authorities all over the world collect a great deal of criminal data. The Netherlands is no exception. It can include seizures or hacks of large data carriers in the interest of a criminal investigation based on a suspicion of criminal acts. Examples are the cracked messages of Ennetcom, Encrochat or Sky ECC. But also, full sets of administration of companies can for instance be seized. All this data is of course relevant for a specific investigation but is this data “in safe hands” afterwards? Will it be destroyed? Or may this data also be used for other purposes?
This is the subject of the Dutch WODC study “Processing of criminal data” published on 25 October of this year. This study offers an exploratory study into the standardization of the processing of personal data for criminal justice purposes. What does this research teach us?
The WODC notes that rules regarding the acquisition of data is included in the Dutch Code of Criminal Procedure, but that this code says nothing about the retention or use of data. This is relevant because investigative agencies today are also paying close attention to advanced technologies, which increasingly combine and analyze data. This means that seized data may not only be used for a specific investigation but also for data analysis, for example. How seized data should be kept and for what purposes it may subsequently be used is not in the Code of Criminal Procedure, but in the Dutch Police Data Act. It is unclear how the rules in this law relate to the rules in the Code of Criminal Procedure. The WODC notes that this makes the regulations insufficiently clear. For example, the law does not answer the question of whether and when seized data may be used for data analysis at a later time. The research team recommends that data processing will be more explicitly and clearly defined in the Code of Criminal Procedure.
Another important aspect is the use and processing of bulk data. The report shows that nothing is actually stipulated about this in current and/or forthcoming regulations. While legal regulation is necessary for the processing thereof to be in accordance with European law. So here too, according to the WODC, Dutch regulations are insufficient.
But one of the most important observations in the report is that current supervision is inadequate. The criminal courts, for example, test only briefly against the Police Data Act because a violation often does not lead to any legal consequence in a specific case against a specific suspect. The research team therefor recommends the creation of an oversight committee that can monitor investigations and also control the processing of the data.
As these recommendations are to be acted upon in the future, we believe that the criminal courts should take this role more seriously as long as there is no effective oversight body. Personal data should be “in safe hands” once it has been used for the purpose it has been collected for: a criminal investigation. We believe that violations of the law regarding the processing of personal data should be subject to judicial review, even if this often ‘only’ results in a perceived violation of the right to privacy which does not lead to serious impact on the decision of that court. The fact that such a violation is recorded in the decisions, provides more insight on what is happening with the data. We should not forget that protection of personal privacy is an important pillar in a democratic constitutional state. It is imminent that the judiciary monitors whether the executive power abides the law to safeguard that our principles of the rule of law are met. So (obviously) this also applies to the processing and use of criminal records.