The LED’s right of access to one’s data: Loopholes on proper access,legality review and data protection authority Accountability

Introduction

The need to discuss the right of access under the LED

The right of access to one’s personal data is understood to mean obtaining some form of access to the data which a certain controller has been processing in relation to the individual requesting access or at least getting a confirmation that data concerning the individual have been or are being processed. ¹ Not least because it enables the discovery of mistakes in the data processing and their subsequent correction, does this right play a significant role, especially in a law enforcement context, as we will demonstrate in more detail later in the paper. The right of access to one’s data as processed by the law enforcement authorities has been guaranteed in the EU under the Law Enforcement Directive (LED). ²

The main provisions of the LED have already been succinctly discussed in this journal. ³ Further literature on the LED has elucidated a variety of different aspects under the LED. ⁴ One under-explored aspect in literature, but also in legal practice, is the procedure for exercising data subjects’ rights, including the right of access to one’s personal data in a law enforcement context. ⁵

The LED envisages two procedures to exercise the right of access: a default access procedure and an exceptional watered-down access procedure. The former is regulated by Article 14 LED, which provides that the data subject may request access to their personal data by default directly to the respective law enforcement authority (‘the controller’). ⁶

The exceptional procedure is sparingly regulated in Article 17 LED and boils down to a check of the data by the data protection supervisory authorities (DPAs) at the request of the data subject when the law enforcement authority refuses to give direct (full) access. As is explained later in the paper, Article 17 (3) LED is an exception that applies only in cases of restrictions on the right of access under Article 15 LED:

‘1. In the cases referred to in Article 13(3), Article 15(3) and Article 16(4) Member States shall adopt measures providing that the rights of the data subject may also be exercised through the competent supervisory authority.

[…]

3. Where the right referred to in paragraph 1 is exercised, the supervisory authority shall inform the data subject at least that all necessary verifications or a review by the supervisory authority have taken place. The supervisory authority shall also inform the data subject of his or her right to seek a judicial remedy.’ ⁷ The exact role of the DPAs in this process, however, is barely regulated in the LED. Most scholars and the predecessor to the LED, Framework Decision 2008/977/JHA, ⁸ refer to this latter procedure as ‘indirect access’, although the LED itself does not contain this term, and this is not without reason. ⁹

The present paper critically examines the two procedures for the exercise of the right of access to one’s data (under Article 14 LED and Article 17 (3) LED), emphasizing the fact that the LED frames Article 17 (3) LED as the exception and thus leaves Member States a small margin of appreciation to allow law enforcement authorities to refer the data subjects to this procedure. We will demonstrate that this has not prevented certain Member States like Belgium from making the exceptional procedure the rule in their implementing law. We will further criticise the LED and the implementing laws in Belgium, France and Germany because they do not ensure that the DPAs, when exercising the right of access, can properly carry out the necessary legality checks and communicate the outcome of the checks to the concerned data subjects. As concerns the LED, we argue that it should have anchored more explicitly the DPAs’ task to effectively check the legality of the processing of the data and to be accountable in their legality review to the individuals who request access to their data. We will demonstrate that these two weaknesses are exacerbated in the implementing laws of Belgium, Germany and France, which have overstepped their margin of appreciation and unduly restricted Article 14 LED (Belgium) and the review and publicity (transparency towards the respective data subjects) powers of their DPAs (Belgium, France and Germany).

Our paper is structured as follows. First, we will briefly clarify the nature of police work, including how it could clash with the interests of individuals to have access to their data (Section II). Second, we will provide a short overview of the procedures for the exercise of the right of access in the criminal law field in the EU Member States before the entry into force of the LED, from where the Article 17 (3) LED procedure originated (Section III). Third, we will explain in detail the direct access procedure as anchored in Article 14 LED (Section IV). Since according to the LED it is supposed to apply only where a restriction to the right of access is imposed, in Section V we will study the LED conditions on restrictions under Article 15 LED. We will then study the procedure in Article 17 (3) LED (Section VI). Following this, we will illustrate how the implementation laws of three Member States – Belgium, Germany and France – could be seen as effectively preventing ‘real’ access and/or proper legality verification, questioning whether ‘indirect access’ indeed constitutes an access right in essence (Sections VII and VIII). In the conclusion, we will summarize the critical points we raise in our discussion on the ineffectiveness of ‘indirect’ access and provide an outlook of our future work, which will focus on a fundamental and human rights analysis of the issues raised in the present paper (Section IX).

The multiple facets of law enforcement work vs the interest of individuals to have access to their data

The reality of police work is that the police and other law enforcement authorities do not process only data concerning serious criminals, such as serial killers and terrorists, ¹⁰ while these are under investigation. In those cases, but also in other situations, e.g., to protect the identity of victims (see the discussion on Article 15 LED in Section V below), evidently more secrecy is needed, meaning that the law enforcement authorities might legitimately restrict the exercise of the right of access. As indicated in Article 6 LED, however, the police work also with the data of victims and witnesses, as well as of suspects (who may turn out not to have committed any crime eventually), and of convicts in relation to whom the investigations are over. The different categories of individuals require different degrees of secrecy about the processing of personal data. In addition, the police could also perform duties outside the criminal law field, e.g., related to administrative offences or public order. According to the first Commission report on the ‘application and functioning’ of the LED, these have been included in the scope of the LED implementing laws in some Member States. ¹¹ Without prejudice to the fact that this might constitute an incorrect transposition of the LED, in effect it means that in these Member States, the LED procedures on the exercise of the right of access to one’s data apply much more broadly.

These observations point to the fact that law enforcement work requires different degrees of secrecy and that each request by an individual to have access to their data as processed by a certain law enforcement authority needs to be assessed separately. ¹²

The need for individuals to have access to one’s data in the law enforcement field was born out of a necessity: there have been documented cases in which law enforcement authorities do make mistakes and engage in other illegal data processing practices when processing personal data. ¹³ Such occurrences could have grave consequences for the concerned individuals, as they might put restrictions on their everyday lives, e.g. not being subject to police checks or being placed under suspicion without a reason, to get a new job, and these restrictions could affect their fundamental rights. ¹⁴ One of the key roles of the right of access is that it enables individuals (and their lawyers) to discover such mistakes and take corrective actions when they are given access to their personal data which are contained in (police) files. ¹⁵ In addition, it has been argued that the right of access to one’s data is also important because it is related to and thus enhances fair trial and due process rights, and because it helps restore the informational imbalance between governmental authorities and their citizens. ¹⁶ This ‘role’ of the right of access is especially essential in the law enforcement field, due to its impact on one’s life, as mentioned above.

In light of this, it is a welcomed development that the right of access to one’s personal data has been an essential component of different EU data protection instruments in the law enforcement field. ¹⁷

The fact that despite the nature of law enforcement work the right of access has existed per se in relation to the law enforcement authorities even before the LED means that some form of transparency is in principle desirable and that granting some degree of transparency in this sensitive field is practically possible. For example, the right of access, albeit in a weaker form, was already anchored in the predecessor to the LED, namely Framework Decision 2008/977/JHA, and was supposed to be implemented in national laws when the law enforcement authorities of the Member States exchanged data with the competent authorities of other Member States. ¹⁸ It should not be forgotten that Article 8 of the Charter of Fundamental Rights of the EU (CFREU) includes the general right of access to one’s data: ‘Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.’ ¹⁹ The right applies generally both to the non-law enforcement and to the law enforcement context.

Summarizing the above, it becomes clear that a certain balance between the transparency interests of the concerned individuals and the control over the legality of the processing, on the one hand, and the fulfilment of law enforcement tasks, on the other hand, are needed. ²⁰ In the following sections, we will critically assess how the provisions on the right of access in the LED, especially the interaction between Articles 14, 15 and 17 (3) LED and their substantive provisions, strike this balance.

The right of access to one’s data under the LED: The shadows of the past

Before the entry into force of the LED, the procedural aspects related to the exercise of the right of access to personal data in the law enforcement field were largely a matter of national law. This was clearly the case with purely national databases in the field of national security and law enforcement. For example, the French legislator opted for ‘indirect’ access to the French police, judicial and national security databases, i.e. through the intermediary of the French Data Protection Authority (the CNIL). ²¹ In addition, the EU instruments in the field of police cooperation, as adopted before the adoption of the LED, explicitly allowed Member States to decide whether the exercise of the rights of data subjects should be exercised directly against the law enforcement authorities or via the supervisory authorities. ²² For instance, France, Belgium, Luxembourg and Portugal opted for the latter, e.g. in relation to the EU-wide Schengen Information System (SIS). ²³ The choice between the two procedures was left to the Member States also under Framework Decision 2008/977/JHA, the predecessor to the LED, which regulated the data protection provisions applicable to the Member States when their law enforcement authorities exchanged personal data across EU borders. ²⁴

The exact procedures and powers of the DPAs under the national laws of the Member States in relation to the so-called ‘indirect access’ procedure differed, especially as to whether they were given the powers to disclose information to the data subjects or to only inform them that the necessary checks have been carried out. ²⁵ In France, the CNIL did not even seem to have access to the different police systems. It could disclose the concerned personal data only with the approval of the controller. ²⁶ This was also the case where the access request concerned alerts in the SIS, which were entered by another Member State, in which case the approval of the DPA in the respective Member State was sought. Where the controller decided that no personal data should be disclosed to the concerned data subject, then the CNIL could provide only an assurance that the necessary verifications had been carried out. The CNIL seemed to be at liberty to confirm to the data subject that no personal data were being processed where this was the case. ²⁷ Somehow differently from France, in Luxembourg the responsible DPA was allowed only to confirm to the requesting data subject that no illegal processing had taken place, especially in the framework of the Schengen Information System (SIS). ²⁸

The entry into force of the Charter of Fundamental Rights of the European Union (CFREU) in 2009 did not trigger a direct change to the pre-existing procedures in the Member States: Article 8 CFREU on the fundamental right to data protection, which explicitly includes the right to access as a component of the fundamental right, does not contain any procedural requirements concerning its exercise. ²⁹ The Charter contains general requirements on the restrictions to the fundamental rights, though. ³⁰

Throughout the rest of the paper, we will discuss the changes brought by the LED to the procedure for the exercise of the right of access to one’s data and argue that it leaves Member States a much smaller margin of appreciation than the pre-existing or abolished instruments in the law enforcement field. We will critically assess these changes to demonstrate that the LED and the implementing Member State laws nevertheless do not always result in a proper review of the legality of the data processing and proper access to one’s data or information on the findings of the DPAs on the legality of the processing. In other words, we will argue that the LED has not brought into practice a big change in some Member States and that this is contrary to the provisions of the LED, both in the body of the text and in the applicable recitals. ³¹

Article 14 LED: ‘Direct’ access is the rule

Essentially, if the LED is transposed correctly in Member State law and applied correctly by the controller(s), the data subject should experience the procedure under Article 14 LED as follows. They first have to be given the right to approach directly the controller, e.g. a police authority, with their access request. The said authority should examine the request and decide whether to grant full access. Full access means disclosing the following personal data ³² and further information, as provided for in Article 14 LED:

‘Subject to Article 15, Member States shall provide for the right of the data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

The above list represents the minimum set of information which should be ideally provided to the requesting data subject ³⁴ and this means that under the national laws implementing the LED, further details might need to be disclosed. The different pieces of information in Article 14 LED can be summarized as follows: Where the controller confirms that the data concerning the requesting data subject are processed, they should ideally disclose the actual personal data which are being processed; inform the data subject of the processing details quoted above and the rights and remedies listed in Article 14 LED. ³⁵ The above information should be provided in response to a request under the national law implementing the LED, independently of whether transparency provisions in other applicable (criminal) law provisions exist. ³⁶

Normally, the controller should provide access to the data subject ‘without undue delay’, ³⁷ i.e. the controller is expected to examine and respond to the request as soon as possible. The implementing laws of certain Member States regulate the deadlines for the response more concretely. For instance, in Bulgaria the deadline is two months (with a possible extension of one month); ³⁸ under Portuguese law it is 30 days (with a possible extension of another 30 days), ³⁹ and in the Netherlands it is six weeks, which can be extended by another four. ⁴⁰

The reference to Article 15 LED in Article 14 LED above means that the controller may decide to make use of their right to restrict ‘wholly or partially’ the provision of information to the data subject, where such restrictions are provided for in the national law transposing the LED. ⁴¹ In other words, they could decide to provide only a confirmation of the processing, or a confirmation and only some of the information listed in Article 14 (a) to (g) LED, or not to provide any information at all (a ‘neither confirm, nor deny’ reply). ⁴²

Furthermore, in these cases the LED obliges the data controller to respond to the data subject within the prescribed time period ⁴³ and ideally to inform them of the reasons for the restriction. This information can also be restricted if it could prejudice the fulfilment of the purpose for which the restriction was imposed, e.g. impede an ongoing investigation. ⁴⁴ In addition, when any restriction is imposed pursuant to Article 15 LED, the controller should inform the data subject in their response that they may ask the DPA in the said Member State to check the processing of their personal data, i.e. to trigger the Article 17 (3) LED procedure for the exercise of the right of access via the DPA (discussed in detail in Section VI below).

The Article 17(3) LED procedure should be distinguished from the complaints procedure before the DPAs. Although the requests under both procedures are supposed to be addressed to the same authority, i.e. a DPA, they are essentially two different procedures. ⁴⁵ A data subject may submit a complaint with a DPA ‘if the data subject considers that the processing of personal data relating to him or her infringes provisions adopted pursuant to this Directive.’ ⁴⁶ Whereas the DPA should investigate the complaint ⁴⁷ and inform the complainant of ‘the progress and the outcome of the complaint’, ⁴⁸ the complaint might also be rejected or dismissed. ⁴⁹ In the scheme of the LED, an Article 17(3) LED request does not automatically count as a complaint. This means that the data subject does not need to present a claim of an infringement of the LED, it is enough that they have not obtained (full) access to their data by the controller and they wish to exercise their right through the DPA and the LED does not offer possibilities for the dismissal of Article 17 (3) requests for indirect access.

To summarize the relationship between Articles 14, 15 and 17 (3) LED as discussed above, there are three stages when it comes to the exercise of data subject rights in the LED: (1) direct access against the controller; (2) restriction imposed by the controller (where applicable) and only then (3) access under Article 17(3) LED via the supervisory authority.^50,51 The procedure is visualised in Figure 1 below.OPEN IN VIEWER

The following two Sections will discuss in more detail the conditions of the restrictions under Article 15 LED and the Article 17(3) LED procedure. We will argue that Article 15 LED frames the restrictions on Article 14 LED, i.e. on ‘direct’ or ‘proper’ access, as the exception, i.e. Article 17 (3) is a fortiori also the exception. We will also critically analyse the effectiveness of the Article 17 (3) LED procedure as a tool for legality control, access to one’s data, and accountability by the DPA about the legality check they have performed.

Restrictions on the right of access under article 15 LED: Between the exception and the rule

The Article 15 LED provisions on the restrictions to the right of access are important because they trigger the Article 17 (3) LED procedure that is supposed to be applicable only after a partial or a whole restriction on the right of access is imposed by the controller.

We will demonstrate that although the wording of Article 15 LED might be confusing in the sense of creating the illusion that restrictions may be imposed in a more general manner, a careful reading of the LED contradicts such an understanding.

Having restrictions on different individual rights in the law enforcement sector is in principle understandable. As seen above, it is a rather sensitive sector and disclosing information in specific cases, especially as concerns ongoing investigations, might defeat their purpose and success. ⁵² For this reason, the right of access to one’s data is not absolute. To ensure that the restrictions to the data protection right of access to data concerning oneself are not arbitrary, however, the LED lists exhaustively the conditions under which Member States may provide that controllers may wholly or partially restrict the right of access.

According to Article 15 (1) LED, the restrictive measures should firstly have a basis in national law and in addition fulfil all of the following four conditions: (1) be a necessary and proportionate measure in a democratic society; (2) respect ‘the fundamental rights and legitimate interests of the natural person concerned’; (3) ensure that the restrictions are limited in time and scope (‘to the extent that, and for as long as’) ⁵³ and (4) fulfil one of the five grounds for restrictions. ⁵⁴

The third condition especially speaks for the exceptional character of the restrictions and a fortiori – of the applicability of Article 17 (3) LED. This is supported by Recital 44 LED, according to which the restrictions may result only from ‘a concrete and individual examination of each case’ by the controller. ⁵⁵ In addition, the restrictions on the right of access to one’s own data in Article 15 LED could be seen as an interference with one element of the fundamental right to data protection ⁵⁶ and should therefore also satisfy the conditions on restrictions to the fundamental rights in Article 52 (1) CFREU, amongst which the requirement on necessity and proportionality of each restrictive measure. ⁵⁷ The requirement for complying with human and fundamental rights when restricting the rights of data subjects is moreover explicitly mentioned in Recital 46 LED, according to which ‘Any restriction of the rights of the data subject must comply with the Charter and with the ECHR, as interpreted in the case-law of the Court of Justice and by the European Court of Human Rights respectively, and in particular respect the essence of those rights and freedoms.’ ⁵⁸

At the same time, Article 15 (2) LED also allows Member States to legislate that pre-determined ‘categories of processing’ could fall under the partial or whole restrictions as discussed above. ⁵⁹ This provision could be seen as being contrary to the requirements on individual restrictions as anchored in the LED and as confusing. Some might interpret it as opening the door for Member States to decide that access to certain databases or information systems should be permanently restricted, which means that it can be exercised by default only via the Article 17(3) LED procedure.

The Article 29 Working Party has already clarified that Article 15(2) LED ‘do[es] not allow for blanket restrictions to data subject rights to […] access’. ⁶⁰ Their clarification resonates with the above-mentioned provisions in the LED, which taken holistically, require restrictions on the data subject rights to be imposed on a case-by-case basis. In addition, as the CJEU ruled, secondary law has to be interpreted in light of the CFREU, including national transpositions, ⁶¹ e.g. when implementing the restrictions on the right of access under the LED into Member State law. The CJEU has ruled against general and permanent restrictions on notifying individuals that they have been subject to surveillance because such restrictions are not compatible with the fundamental rights to privacy and data protection in the CFREU. ⁶² Notably, such a ‘notification’ right is not anchored in the CFREU, whereas the right of access to one’s data is an integral part of the fundamental right to data protection in Article 8(2) CFREU. Therefore, we argue that an interpretation of Article 15 LED, pursuant to which access may be restricted only on an individual basis, is likely to be more in line with the CJEU case law than an interpretation according to which access to one’s data may be generally and indiscriminately restricted.

The foregoing restrictive interpretation, unfortunately, has not prevented the imposition of blanked restrictions in the different Member States. A prime example is Belgium. Its 2018 data protection law provides that access to any personal data stored in police and customs databases, or data processed by Financial Intelligence Units, should always be exercised indirectly via the DPA. ⁶³ It remains unclear which provisions of the LED the contested Belgian article implements. One might believe that this general restriction implements Article 15(2) LED and that the Belgian government might have been confused by its wording and interpreted it as a carte blanche for a general restriction. However, according to a 2020 Commission Report on the LED, the Belgian government did not make use of its margin of appreciation under Article 15(2) LED, but only under Article 15 (1) LED, ⁶⁴ which allows only for individual restrictions. Hence, it is questionable that the Belgian government acted out of confusion.

To summarize the preceding discussion, restrictions to the right of access under the LED are subject to strict regulation under the LED, as anchored in Article 15 LED and the respective recitals. These provisions seek to ensure that ongoing law enforcement work is not prejudiced, without disproportionately restricting transparency. However, Article 15 (2) LED creates a certain confusion and it could be interpreted as a loophole, leaving the door open for permanent and general restrictions on the right to direct access. This is contrary to the established case law and interpretation of the CFREU, and contrary to the clarifications in Article 15 (1) LED and the applicable recitals that restrictions on the right of access should be imposed only following an individual examination of each restriction. Certain Member State’s implementing laws have de facto made Article 17(3) LED a default procedure and it is not clear whether this implementation is the result of the confusion created by Article 15 (2) LED. Whether that procedure could eventually ensure a proper review and transparency, largely depends on the obligations and powers of the DPAs when fulfilling their obligations under Article 17(3) LED.

Problems with the Article 17(3) LED procedure (proper legality review and publicity of the review)

While the Article 29 Working Party (now the European Data Protection Board or ‘EDPB’) previously argued that the Article 17(3) LED procedure is supposed to represent an ‘additional guarantee’ for data subjects, ⁶⁵ in its contribution to the evaluation of the LED, the EDPB reported that one DPA ‘suggested evaluating whether the data subjects’ exercise of their rights through the supervisory authority, as provided by Article 17 LED, is effective in enhancing data protection in the area of law enforcement.’ ⁶⁶ The following paragraphs do not strive to conduct a comprehensive assessment of this question, which is reserved for our future research.

In the present section, we will nevertheless demonstrate that the Article 17(3) LED procedure is problematic for two main reasons: (1) it might not always ensure a proper legality review by the DPAs and (2) it might not always guarantee that DPAs may communicate to the concerned data subjects the result of the legality review and potentially disclose to them the data as they are being processed where the restriction on access was imposed illegally by the controller. As a consequence, if Article 15 LED is not read restrictively, as we argue it should be, then the right of access to one’s data in the LED and the CFREU is likely to remain illusory and it would be misleading to call the Article 17(3) LED procedure ‘indirect access’.

National implementing laws further restrict the powers of the DPAs

First, pursuant to the LED implementation provisions in Belgium, the Belgian DPA may communicate to the data subject only (‘uniquement’) that the necessary checks have been carried out, not even what their result were. ⁷² The law theoretically allows the DPA to provide additional contextual information, ⁷³ but what this additional information may be, should be determined by a royal decree, ⁷⁴ which we have not identified so far. In effect, the Belgian law restricts the provision of further information by the DPA. In this way, it also modifies the LED wording, according to which the confirmation that the necessary checks have been carried out is only the ‘at least’ or minimum information. Instead, under Belgian law, this information is the only information to be provided by the DPA, with no room for manoeuvre or decision-making power left to the DPA. In practice, in Belgium, individuals receive only a ‘neither confirm, nor deny’ reply. Furthermore, if the data originated from the national security authorities, then the responsible DPA (the ‘COC’) may not check the lawfulness of their processing. ⁷⁵

The German and French implementing laws at first sight seem to provide more freedom to the DPAs to grant additional information to the data subject, but in effect this freedom is illusory. For example, the German Federal Data Protection Law grants the supervisory authority a small margin of appreciation to decide whether it may provide further information, namely whether the authority has established any infringements under data protection law. ⁷⁶ In exercising this margin of appreciation, the DPA is, however, not completely free, because the DPA may not disclose to the concerned data subject the processed personal data unless the competent (law enforcement) authority approves the said disclosure. ⁷⁷ The law clarifies that the competent authority may refuse the disclosure only for the duration and the purposes of the imposed restriction on access. ⁷⁸ However, it does not clarify that this refusal may be overridden by the DPA where it considers that the restriction has been illegally imposed.

The German law contains a further restriction in cases where the personal data of the concerned data subject were transmitted to one of the national security authorities. In that case, the controller may inform the data subject of the said communication only if the said national security authority has approved the communication. ⁷⁹ The German DPAs have voiced concerns that the law contains no criteria or rules on the basis of which the said national security authorities may disclose the data to the concerned data subject and that this could lead to arbitrary refusals and to the impossibility of the DPAs to examine the legality of the refusal. ⁸⁰ This is especially problematic because national security falls outside the scope of the LED ⁸¹ and practically the DPAs may not supervise them unless national law provides otherwise. This could be a problem for the right to indirect access because we argue that the DPA should be able to check the legality of the refusal, so that it can overturn it, as the case might be, but in the above-described constellation it might lack the powers to do so. Furthermore, lacking objective criteria for the restriction, the DPA might be influenced by the desire of these authorities not to inform the data subject that they have received the data from the controller and hence simply rubber-stamp the restriction, instead of declaring it illegal and possibly disclosing the information to the concerned data subject.

A further restriction is that the DPA may be given access to the personal data of the requesting data subject only if the highest national security authority does not object to the disclosure. This authority can object if the national security of one of the Länder or the federation is threatened. ⁸² We note that the phrasing of the German law is quite broad and hides the potential to be misused to restrict the right of access to one’s data. If the competent authority refuses the disclosure to the DPA, then the DPA practically cannot even examine the legality of the processing of the concerned personal data, e.g. the legality of the data disclosure from the police authority to the national security authority. In other words, it may not fulfil its tasks under the LED. The German DPAs have rightfully criticized this provision, pointing out that DPAs normally have security clearance and there should be no restriction on their access to data. ⁸³ Unfortunately, in practice, they have reported that they did not always have access to the data, the legality of whose processing they are supposed to control. ⁸⁴

As to the French law, in principle, it mirrors the provisions in the LED on indirect access. ⁸⁵ This means that it formally abolishes the previous rule that by default access to law enforcement databases should be indirect (see Section III). ⁸⁶ We do not know whether this makes a real difference in practice because we do not know how often law enforcement authorities have tended to restrict the right to access and in this way open the possibility for indirect access. It is however indicative that in France the right to indirect access seems to be much more frequently exercised than in other Member States, ⁸⁷ which suggests a high number of restrictions on direct access. In addition, the CNIL has reported that overall, the French legal system is confusing for the concerned data subjects, because the French legislator has not updated the legal acts on all the law enforcement files and it is not always clear that direct access is now the rule. Another confusion comes from the fact that some files could simultaneously fall under the LED (where direct access is the rule), and under national security provisions, where indirect access is still the rule, creating more administrative burden on the data subjects. ⁸⁸

We further note that the transparency provisions and the powers of the CNIL have not changed significantly. In its response to an access request, the CNIL has to inform the concerned individual that the necessary verifications have been carried out, after which the case is considered closed. ⁸⁹ In addition, the CNIL may decide to disclose the processed data, subject to the approval of the controller, if the disclosure is not likely to prejudice the interests of national or public security, defence and the legitimate purpose for which the right of access was restricted. ⁹⁰

It seems the CNIL could order that further data may be disclosed where the CNIL has decided that the imposed restriction on access is illegal and the controller has not objected to this conclusion. ⁹¹ It looks like the CNIL may disclose the processed data to the concerned data subject where the controller does not process any personal data of the concerned individual or where it has been established that the data has been illegally processed, as long as the disclosure will not prejudice the interests of public and national security or the defence. ⁹²

What is evident is that although the French law seems to grant more flexibility to the DPA than the Belgian law, this flexibility is in many situations restricted by the necessity for disclosure approval by the concerned law enforcement authority, similar to the situation in Germany. So far, the French courts seem to have been relatively uncritical of the procedure on access via the CNIL. For example, recently, the Conseil d’Etat has ruled that the ‘indirect access’ procedure does not violate the right to private life and effective remedies of the concerned individuals. ⁹³

Did member states misunderstand the article 17 (3) LED procedure?

Looking at the above Member State implementing laws, it appears that the LED wording seems to be misunderstood as giving Member States a large margin of appreciation in restricting the information and accountability obligations of the national DPAs. We argue that Article 17 (3) LED should not be interpreted as an invitation to prohibit DPAs from providing further information or as an invitation to make further communication dependent on the approval of the law enforcement authorities but to indicate the clear obligation that the DPAs should respond to a request for indirect access. This clear obligation was presumably inserted on the background of the experience under the predecessor of the GDPR (Directive 95/46/EC) that the DPAs did not always respond to the complaints of the data subjects or even examine them. A different reading risks contradicting the requirement on ‘complete’ DPA independence in the LED ⁹⁴ and the established CJEU case law, a topic which we will examine in another paper.

The European Data Protection Board (EDPB) has reported that since the entry into force of the LED across the different Member States, in most of the reported cases of requests under Article 17 LED, the concerned data subjects were informed solely that a review has taken place. Only in some Member States did the DPAs provide the complete or certain of the personal data to the data subject or ordered the controller to disclose all or certain of the data. ⁹⁵ While this low disclosure rate could be due to the fact that the DPA concluded that the imposed restriction by the controller was legal, it is not known whether this is indeed the case in the majority of cases.

Finally, the Article 29 Working Party (now the EDPB) has remained largely uncritical towards the minimalistic transparency requirements of indirect access in Article 17 (3) LED, simply repeating the article text that DPAs should communicate to the data subject ‘at least’ that the necessary checks have been carried out in its Opinion on Key Aspects of the LED. ⁹⁶ This is a problem because of the transparency differences between the procedures under Articles 14 and 17 LED, which make direct access much more favourable to the concerned data subjects, as seen in the previous sections, and because of the restrictions on the powers of the DPAs.

The exception to direct access has become the rule (conclusions)

This paper highlights how the right of access to one’s personal data is supposed to be exercised under the LED. This directive foresees two procedures: a direct one spelt out in Article 14 LED, where a data subject can approach the law enforcement authority directly with an access request, and the alternative procedure, organised in a very cryptic manner in Article 17 (3) LED. In particular, we discussed the complexities of this second procedure for access via the supervisory authorities as anchored in Article 17 (3) LED. Briefly put, Article 17(3) LED should ideally apply only when the law enforcement controller has exceptionally restricted the (full) access to one’s personal data in an individual situation ⁹⁷ and the concerned data subject has turned to the DPA with the request to the DPA to exercise their right of access through the DPA. In other words, we argue that a holistic reading of the provisions on the right of access in Articles 14 and 15 LED reveals that the Article 14 LED procedure takes priority over the Article 17 LED procedure.

The latter procedure is, unfortunately, difficult to decrypt. For many data subjects, referring to the Article 17 (3) LED procedure as ‘indirect access’ creates the expectation that the procedure actually results in partial or whole disclosure of the data processed by the controller (a law enforcement authority) and thus caters for some level of transparency through the involvement of the DPA, where transparency will not prejudice the ongoing law enforcement work. It also creates the expectation that the DPAs will always be enabled by the law enforcement authorities to have access to all data in order to check the legality of its processing and that DPAs will be at liberty to communicate to the concerned data subject their findings on the legality of the processing, where this will not prejudice law enforcement work. In that sense, there is the expectation of a proper review and accountability by the DPAs.

However, in our paper, we demonstrated that this is not always the case. This is due to three problems. First, Member States like Belgium have implemented the Article 17(3) LED procedure as a default procedure in relation to police databases and it is not clear whether this is a misreading of the option under the LED for Member States to determine that access to certain categories of processing may be restricted in Article 15 (2) LED. We argued that such general and indiscriminate restrictions are at odds with the rest of the provisions on restrictions to the right of access in the LED and primary EU law. Second, DPAs might be impeded from performing effective legality checks as per national law (what we call ‘limited review’). Third, the Article 17 (3) LED procedure does not provide that the DPAs must or should be able to disclose more information than a confirmation that the necessary checks have been carried out. However, if we interpret Article 17 (3) LED in light of the applicable provisions on the independence and powers of the DPAs in the LED, we can safely argue that DPAs should be at liberty to carry out a proper legality review of the data processing and decide what information to disclose to the data subjects.

The impact of the minimalistic interpretation of Article 17(3) LED is visible in national implementing laws. Certain national DPAs, e.g. those of France, Belgium and Germany, are not completely free to independently disclose information to the data subject where they conclude that the restriction was imposed illegally and the data disclosure will not prejudice an ongoing investigation. The respective national implementation laws anchor different levels of flexibility for the DPA decision-making power, with the Belgian DPA not being allowed to disclose any information and the French and German ones being allowed to disclose some information to the data subject, but very often only if the concerned data processing authority approves the disclosure (what we called ‘limited transparency and publicity’).

We find these restrictions on the right of access and the review, publicity and accountability powers of the DPAs problematic because we argue that they are based on a wrong reading of the LED, and because they do not seem to ensure a proper balance between the interests of the law enforcement authorities on the one hand, and the interests of the data subjects in having their personal data processed legally and in a transparent manner where possible, on the other hand.

The arguments in our paper are based on a holistic analysis of the applicable LED provisions. For space reasons, we did not yet perform a detailed and extensive analysis of the applicable provisions of the CFREU or those of the ECHR, and the respective case law. Instead, we have taken up the identified problems and critically analysed them from the point of view of human and fundamental rights in two upcoming papers on these respective topics. More precisely, in these papers, we focus on whether the LED and the discussed Member State laws ensure independent oversight over personal data processing by the law enforcement authorities, ⁹⁸ which is an integral element of the fundamental right to data protection in Article 8 (3) CFREU ⁹⁹ and the provision on data protection in Article 16 (2) TFEU. ¹⁰⁰ In another paper, we analyse the Article 17(3) LED procedure on the background of the ECtHR case law on interferences with the human rights to private life, fair trial and effective remedies, especially when it comes to transparency towards the concerned individuals requesting access and independent oversight over the law enforcement authorities.

Last but not least, we expect more clarity on whether Member States may impose general and permanent restrictions on Article 14 LED, leading automatically to triggering the Article 17 (3) LED procedure, and what the powers of DPAs under the Article 17 (3) LED procedure should be, from an upcoming ruling of the CJEU. ¹⁰¹ Looking at the Opinion of AG Medina in this case, we note that she has recommended to the CJEU a reading of Article 17 (1) and (3) LED which confirms on many points our conclusion that the procedure under Article 17 (1) LED is supposed to be the exception (‘That directive guarantees the direct exercise of the rights by data subjects ‘as a matter of principle’’) ¹⁰² and that under Article 17 (3) LED DPAs should be allowed to communicate further information to the concerned data subject to the information that the necessary checks have been performed (‘…there can be circumstances in which the supervisory authority can or must go beyond such minimum information.’). ¹⁰³ Finally, similar to our conclusion, AG Medina also opined that ‘Article 42 of the LPD [Belgian implementing law] establishes a regime of indirect exercise of rights which is incompatible with the manner in which the rights of data subjects are exercised as set out in Directive 2016/680.’ ¹⁰⁴