When the European Commission (EC) published its proposal for comprehensive reform of the EU’s 1995 data protection rules in January 2012, privacy professionals and commentators focused their attention almost exclusively on the draft General Data Protection Regulation. Since then, negotiations on a complementary data protection directive have proceeded in parallel with the regulation but have gone largely unnoticed. But after the recent attacks in Paris, the importance of a so-called "police" directive has emerged from the shadows.
The timing is important here, because the attacks revived a long-running discussion about the processing of personal data to maintain public security whilst still ensuring that the data protection rights of individuals are upheld.
Despite the lack of attention placed on the directive thus far, the commission did emphasize three years ago that it was delivering a package of reforms comprising not only the regulation, setting out a general EU framework for data protection, but also a "police" directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offenses and related judicial activities. The directive would apply to "competent authorities" involved in such activities, including the police, prosecution authorities, courts and offender management services.
In Brussels, the Council of the EU’s DAPIX working group has focused its attention largely on the regulation, and the Council of Ministers has rarely discussed the directive over the last three years. However, in March 2014, the European Parliament did agree to a first reading of its own amended version of the directive.
Now, the European Parliament and the commission await a "general-approach" agreement from the EU member states before informal "trilogue" discussions can take place with the aim of agreeing to a compromise text. The commission recently highlighted the need to conclude EU data protection reform comprising both the regulation and the directive by the end of 2015.
On Data Protection Day this year, January 28, EC Vice-President Andrus Ansip and Justice Commissioner Věra Jourová said, “EU data protection reform also includes new rules for police and criminal justice authorities when they exchange data across the EU. This is very timely, not least in light of the recent terrorist attacks in Paris. There is need to continue and to intensify our law enforcement cooperation. Robust data protection rules will foster more effective cooperation based on mutual trust.”
This, however, remains a controversial debate. Calls for a reboot of the stalled negotiations on the proposed EU Passenger Name Record (PNR) Directive and also for a successor to the Data Retention Directive (2006/24/EC), which concerned the retention of electronic communications data before being declared invalid under a judgment of the European Court of Justice in April 2014, have exposed both sides of the security-versus-privacy debate.
For example, following the Paris attacks, EU interior ministers issued a joint statement: “We are further convinced of the crucial and urgent need to move toward a European Passenger Name Record framework, including intra-EU PNR,” the ministers wrote. “We are prepared to move forward, adopting a constructive approach with the European Parliament.”
However, Jan Philipp Albrecht, vice-chair of the European Parliament’s LIBE Committee, said, “EU home affairs ministers are playing into terrorists’ hands by demanding ‘big brother’ measures entailing blanket data retention without justification … Mass storage of flight and passenger data is clearly at odds with EU law.”
So while discussions continue around the adoption of new passenger records and data retention rules, how does the directive itself deal with balancing privacy rights against the need to combat serious crime and maintain public security?
To start with, the directive is designed to fill a legislative gap in data processing and data sharing for police and criminal justice purposes in the EU. That's because the current Data Protection Directive, which the proposed package of data protection reform will replace, does not specifically apply to the processing of personal data in the areas of judicial and police cooperation in criminal matters.
In 2008, the commission did attempt to provide a coherent framework for police and criminal justice data processing under a proposal which culminated in the Council Framework Decision 2008/977/JHA, but it only covered the transmission of personal data between member states, not internal data processing.
The directive is more ambitious in scope as it provides for a more comprehensive regime with regard to the rights of data subjects and obligations on data controllers. Under the directive, and subject to certain limitations, individuals will have the right to information about the processing of their data, as well as rights to access, rectification and erasure of their data. Data controllers will be obliged to apply data protection by design and default, maintain documentation, take appropriate security measures, appoint a data protection officer and notify personal data breaches to supervisory authorities within specific time limits. Data transfers outside the EU will need to be on the basis of a commission adequacy decision or other safeguards or exemptions. As with the regulation, national supervisory authorities and the proposed European Data Protection Board will oversee the application of the directive.
Questions remain, though.
Will the data protection rights of EU residents vary from country to country under the domestic legislation that each member state will need to introduce in order to implement the directive? Will the obligations on data controllers be mandatory or optional? How will member states legislate for the requirement that processing carried out by the processor must be governed by a legal act binding the processor to the controller? Such questions are central to the work to be done by privacy professionals processing personal data related to criminal justice.
The European Commission and Parliament are keen to agree to the directive as soon as possible, and the Paris attacks have brought into focus the ongoing need for better police and judicial cooperation across Europe. Others, however, emphasize the need for a proportionate approach to the processing and sharing of data that does not override EU fundamental rights to privacy and the protection of personal data.
The ECJ ruling, which declared the Data Retention Directive invalid on the grounds that the mass retention of communications data seriously interfered with these fundamental rights, shows how difficult it is to strike the balance. But the EU negotiators will need to reconcile these positions in order to deliver the whole package of reform. Followers of the regulation may therefore want to keep track of progress on the directive, as the negotiators’ jobs will not be complete until agreement is reached on both.