Policing, Privacy and Data Protection
Policing routines, as any other dimension of public action, are subject to the constraints of privacy rights and data protection principles. Even though it is true that police forces must process a wide range of personal data and that certain investigative actions may require making important regulatory exceptions to those privacy rights, there is a set of legal guarantees that should be taken into account.
Moreover, the fact that Community Policing implies an “informal” dimension of public security and a closer relationship between officers and citizenry, should not mean that privacy and data protection rights and principles can just loosen up. On the contrary, both parties should become aware of potential risks derived from this alternative policing framework and take them into account. If privacy risks are not duly addressed, both citizens and police officers may be affected and even endangered.
The right to personal data protection is now officially recognised as a EU fundamental right. Entry into force of the Lisbon Treaty on 1 December 2009 marked a historic moment for data protection: it was elevated to the status of a fundamental right within the EU legal order, alongside the right to privacy. This right is based on the principle of informational self-determination, this means, we get to claim maximum control over our personal information and data.
The most recent regulatory modifications at the EU level regarding data protection have to do with the introduction of the General Data Protection Regulation (GDPR) and the Directive 2016/680. The First one, officially named Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, was approved on 14 April 2016 and it will be directly applicable in all Members States starting in May 2018. The second one, the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, repeals the previous Council Framework Decision 2008/977/JHA and needs to be transposed by the Member States through national regulations.
Nevertheless, not all the risks can be addressed through regulation. In order to guarantee the operational deployment of the principles embedded in this legal framework, technical and organizational resources should work towards enhancing security and privacy guarantees as well. Developing a corresponding Employers’ handbook or guidelines for Employees on data privacy for instance, may help to foster best practices. We could cite many examples of security protocols going wrong; one of them took place in Spain, where a student of Law (nicknamed by the press as Little Nicholas – el pequeño Nicolás ) was arrested in October 2014 by the National Police on charges of forgery, fraud and identity theft. In order to achieve his goals, he counted on the help of local police officers who accessed driver license databases for illegitimate purposes.
On the other hand, involving the citizenry in community policing and therefore in solving or fighting serious crimes, may put neighbours, police officers and entire families in danger. If an app or technology helps to solve a crime, collaborating neighbours using this app should be fully protected, making sure that anonymity of their personal data is guaranteed and that no revenge actions will fall upon them.
The attitudinal dimension of the involved stakeholders is a key element to avoid undesired consequences. For instance, revealing who reports an event or suffers the loss of control of information, like false accusations. In this context, victims, witnesses and offenders (it is important to take into account that offenders also have rights) need to be protected. Among the vulnerable groups, it is possible to find minors (especially child victims of bullying or domestic violence), women victims of gender violence, elderly people who live alone, threatened neighbours, rehabilitated offenders or citizens with criminal records, as well as celebrities, holders of public office or renowned personalities and public faces.
Mobile apps and social media may increase privacy risks in the policing context. Self-developed and customized apps and digital tools need to take into account not only the benefits and drawbacks, but also the potential risks that they may bring. On the other hand, making use of existing platforms and third-party services demands precaution to be maximised, since the control and management of the resources – and therefore the processed information – falls in to the responsibility of external organizations. We all know that information and media material such as pictures or video feeds can easily circulate through social media networks in an uncontrolled manner. Moreover, bad practices (e.g. community manager fails such as posting inappropriate language, spreading information about alleged suspects) can have a significant impact due to the wide audience in reach, even if the contents are later removed the harm remains. Not only technology may increase the privacy risks, but also traditional crime reporting may imply the disclosure of sensitive data, like the identity of the reporting person or the accused one.
All in all, it would be safe to say that any innovation in policing – and community policing specifically – affecting the processing of personal data or having an impact on the privacy of both citizens and police officers, needs a serious prior assessment and deployment of corresponding organizational, technical and legal safeguards and measures.