
Balázs Gáti[1]: Some aspects of data protection in criminal justice (JURA, 2022/3., 25-41. o.)

I. Introduction

Due to rapid technological development, the completion of information technology, and the proliferation of networks, cybercrime, considered the shadow of computer technology, has become one of the global problems of our time.

With the use of the achievements of modern technology, many crimes have become possible through information technology, and cybersecurity has become a conditio sine qua non for the existence of modern man and society.

Digital justice poses a multidisciplinary challenge to digital justice as a system. On the one hand, citizens need to be able to exercise their right to the rule of law more effectively (e.g., the potential for structural efficiency in digital devices, standardization and automation to speed up criminal proceedings); on the other hand, the authorities also need to respond to changing forms of crime.

Adoption of such technologies poses a challenge for the above-mentioned institutions from the aspect of data protection compliance obligations.

New tools for digitization - e.g., artificial intelligence - should also be used by law enforcement and the courts.

Due to the exponential technical development brought by the digital revolution, rates of cybercrime have increased significantly, which poses a significant risk to a wide range of potential victims, including entities affected by the resulting damages[1].

The Data Protection Package adopted in May 2016 - Regulation (EU) 2016/679[2] and Directive (EU) 2016/680, the "Law Enforcement Directive" (LED)[3] - and Regulation (EU) 2018/1725 (EUDPR)[4] aim to prepare EU countries for the digital age, while setting general rules for the use of artificial intelligence by setting the conditions for automated data processing. In a broader sense, the ePrivacy Regulation[5] can also be included here; however, this Regulation shall not apply to the activities of competent authorities for the purposes of the prevention, investigation, detection, prosecution or enforcement of criminal offenses.

The "2016 package" includes two legal instruments: the GDPR and the LED. The GDPR sets out a generally applicable framework governing the processing of personal data. This regulation broadly defines and interprets the basic concepts of "personal data" and "processing".

By falling within the scope of the Regulation, certain "data subjects" have certain rights, the cornerstone of which, the right of access to their personal data, allows them to exercise a number of additional rights, such as the right to rectification or erasure. Data controllers - who determine the purposes and ways of processing personal data - are responsible for the processing of data in accordance with the GDPR. Data controllers must respect the principles or safeguards relating to the processing of personal data and ensure the lawfulness of data processing[6].

However, in addition to possible restrictions on specific provisions, the GDPR completely excludes certain other policies, including policies on border control, asylum and immigration, and police and judicial cooperation in criminal matters, data processing in the course of activities outside the scope of EU law; and the processing of data by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection against and prevention of threats to public security[7].

Article 2 (2) (d) of the GDPR provides further guidance. The LED refers to this: the processing of data by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses and the execution of criminal sanctions, including protection against and prevention of threats to public security. The explicit exclusion of "law enforcement data processing" from the GDPR may give the initial impression that the division of labor between the two legislative instruments is clear.

In my research, I would like to present the link between the protection of personal data and criminal justice through the EU legislative process. I describe the data protection aspects and proposals of the changes in the current legislation, the position and proposals of the European Data Protection Board in this regard. Within the data protection package, I would like to present the contradictory relationship between the protection of personal data and criminal justice on the basis of the Data Protection Law Enforcement Directive[8], the Artificial Intelligence Act[9] and the Budapest Convention[10] and its Second Additional Protocol[11].

II. Legislation in the EU related to data protection

The protection of personal data and respect for privacy are fundamental European rights. The European Parliament has always emphasized the need to strike a balance between enhancing security and protecting human rights, including data protection and privacy.

They are based on Article 16 of the Treaty on the Functioning of the European Union (TFEU) and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The Union must ensure that the fundamental right to data protection enshrined in the Charter of Fundamental Rights of the European Union is applied. The EU's position on the protection of personal data must be implemented in all EU policies, including law enforcement and crime prevention, and in international relations, especially in a global society characterized by rapid technological change. The current data protection legislation is based on the following main legislative acts:

- EU Charter of Fundamental Rights,

- Council of Europe Convention 108 of 1981,

- Council of Europe European Convention on Human Rights (ECHR).

Current legislation consists of the General Data Protection Regulation (GDPR), the Data Protection Law Enforcement Directive, the Directive on privacy and electronic communications, and the Regulation on the processing of personal data by the Union institutions and bodies. The proposal for a Regulation of the European Parliament and of the Council on the protection of privacy and the protection of personal data in electronic communications and repealing Directive 2002/58/EC on data protection in electronic communications, as amended in 2009, is currently under discussion.

The legislation also includes Regulation (EU) 2018/1725 of the European Parliament and of the Council, the main international agreements of the European Union on data transfers, the treatment of data protection aspects in sector-specific resolutions, the EU data protection supervisory authorities, the European Data Protection Supervisor and the European Data Protection Board.

The European Parliament has an important role to play in the legislative process, currently focusing on monitoring the implementation of EU data protection legislation and the data protection aspects of the Commission's proposals for digital services legislation, artificial intelligence legislation and the data management regulation.

1. The Data Protection Law Enforcement Directive

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of the prevention, investigation, detection, prosecution or enforcement of criminal offenses, and repealing Council Framework Decision 2008/977/JHA, entered into force in May 2018. The directive protects citizens' fundamental right to data protection when law enforcement authorities use personal data. It ensures that the personal data of victims, witnesses and suspected criminals are adequately protected and facilitates cross-border cooperation in the fight against crime[12] and terrorism.[13]

Due to the specific nature of police and judicial activities for law enforcement purposes, differentiated rules on the protection of personal data are needed in order to facilitate the free flow of data and to promote cooperation between Member States in those areas.

The purpose of the directive is twofold: in addition to guaranteeing the right of individuals to the protection of their personal data, it is intended to guarantee a high level of public security.

Data subjects' rights[14]: Although it includes the obligation for Member States to provide comprehensible information[15] and to ensure the right of the person concerned to restrict access[16], rectification, erasure and processing[17], it also imposes restrictions, allowing Member States to adopt legislative measures restricting these rights[18]. "This Directive does not preclude Member States from specifying processing operations and processing procedures in national rules on criminal procedures in relation to the processing of personal data by courts and other judicial authorities, in particular as regards personal data contained in a judicial decision or in records in relation to criminal proceedings."[19]

It is important to note that the rights of those affected do not in themselves prevent law enforcement from engaging in activities such as covert investigations or video surveillance. These activities may be carried out for the purpose of preventing, investigating, detecting or prosecuting criminal offenses and for the purpose of enforcing criminal sanctions, including the protection against and prevention of threats to public security.[20]

Compliance: It describes the responsibility of the controller. This includes the designation of a data protection officer to help the competent authorities ensure compliance with the data protection rules. Another tool to ensure compliance is the requirement to carry out an assessment of potential impact where a type of processing is likely to result in a high risk.

Monitoring and compensation: as regards supervisory authorities, authorities already established under the General Data Protection Regulation may also play this role[21]. The law also lays down rules on mandatory mutual assistance and imposes a general obligation to cooperate[22]. It also states that the remit of the European Data Protection Advisory Board extends to the data processing activities covered by this Directive[23]. The Directive also gives data subjects the right to compensation in the event that they have suffered damage as a result of unlawful data processing[24].

Transfers to a third country: Data may only be transferred to third countries if necessary for law enforcement purposes, and the Commission has adopted an adequacy decision on the level of protection provided in the third country concerned[25]. In the absence of such a decision, the transfer is only possible on the basis of appropriate safeguards[26]. However, the Directive also provides for the transfer of data in special circumstances[27].

In comparison with GDPR, it can be stated that the LED is fundamentally different in terms of the purpose of data processing.

Thus, it can also be stated that "The data protection principle of fair processing is a distinct notion from the right to a fair trial as defined in Article 47 of the Charter and in Article 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of their personal data and how to exercise their rights in relation to the processing"[28].

1.1. Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive[29]

Having regard to Article 51(1)(b) of Directive (EU) 2016/680 of the European Parliament and of the Council, and Rules 12 and 22 of its Rules of Procedure, the European Data Protection Board - hereinafter referred to as the Board - adopted a recommendation on compliance. Pursuant to Article 51, the Board shall, on its own initiative or at the request of a member or the Commission, examine any question relating to the application of this Directive and issue guidelines and recommendations with a view to promoting uniform application. The aim of this recommendation is to provide guidance to the European Commission on the level of data protection in third countries and international organizations. While WP254 rev.01 is intended to provide compliance guidance to the European Commission on the level of data protection under GDPR in third countries and international organizations, this document seeks to provide similar guidance based on LED[30].

The concept of conformity is dealt with in Chapter V, Articles 35 to 39 of the Directive.

In accordance with Article 36, the transfer to a third country is conditional on an "adequate level of protection" of personal data in that country.

The European Commission has stated that the level of protection is adequate if it complies with EU data protection law.[31] With regard to adequate protection, the legal framework of the third country or international organization should include specific provisions on the right to data protection in the field of law enforcement. These provisions have to be enforceable.[32]

"The purpose of adequacy decisions by the European Commission is to formally confirm, with binding effects on Member States[33] including their competent data protection authorities[34], that the level of data protection in a third country or an international organization is essentially equivalent to the level of data protection in the European Union. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where data are processed in one or several specific sectors"[35]

With regard to EU standards for police cooperation and judicial cooperation in criminal matters, the Commission shall pay particular attention to the rule of law and respect for human rights[36] and legislation on fundamental freedoms and its implementation, in particular the possibility of effective administrative and judicial redress for those concerned.[37] The Board highlights two main aspects of "adequate protection": the content of the applicable rules and the practical implementation of the means to ensure their effectiveness. The European Commission is responsible for regularly checking that the rules in force are effective in practice.[38] Respect for human rights means that, when assessing the legal framework of a third country, it is necessary to consider whether there is a possibility of the death penalty, or any form of cruel treatment, based on data transmitted from the EU. Where the law of a third country provides for such a sanction or treatment, additional safeguards should apply within the legal framework of the third country to ensure that data transmitted from the EU are not used to impose such penalties.

In view of the principle of proportionality[39], the Court of Justice has ruled that, in the context of Community law, the justification for a restriction on the right to privacy and data protection must be assessed by measuring the seriousness of the interference entailed by such a limitation[40] and by checking whether it is proportionate to the public interest objective pursued by that limitation.

The EDPB has adopted the Recommendations identifying essential guarantees reflecting the jurisprudence of the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR). When evaluating whether the conditions of Article 36 (2) (a) of the Directive are met, the Board considers that the guarantees set out in this Recommendation are necessary. The third country should not only ensure effective independent data protection supervision but also provide for cooperation mechanisms with the Member States' data protection authorities[41].

Concerning the general principles and safeguards, it discusses the concepts, lawfulness and fairness of the processing of personal data, purpose limitation, specific conditions for further processing for other purposes, the data minimization principle, the principle of data accuracy and retention, and the security and confidentiality principle, and it discusses the principle of transparency, the right of access, rectification and erasure, restrictions on the rights of data subjects and the principle of accountability.[42]

With regard to the restrictions on the rights of the data subject, I would like to emphasize that the restriction of these rights is possible, taking into account the principles of necessity and proportionality, in the following cases:

- official or judicial inquiries,

- investigations or proceedings, and the prevention of crimes,

- detection, investigation, prosecution or enforcement of criminal sanctions,

- the protection of public security or national security,

- to protect the rights and freedoms of others.

Such restrictions should be examined and assessed in the light of the possibility of a complaint to the supervisory authority or a judicial remedy. The re-transfer of personal data by the original recipient to another third country or to an international organization shall not jeopardize the level of protection of the natural persons whose data are transferred. In particular, the additional recipient must be a competent authority for law enforcement purposes and such retransmission of data may only take place for limited and specified purposes and only if there is a legal reason for the processing.[43]

With regard to procedural and enforcement mechanisms, the Board notes that, although the instruments used by the third country in question to ensure an adequate level of data protection may differ from those used within the European Union, systems compatible with the European system must be characterized by the following elements[44]:

- The existence of one or more independent supervisory authorities responsible for ensuring and enforcing data protection and privacy provisions

- A high level of awareness of the necessary obligations, duties and responsibilities of data controllers and processors of personal data on their behalf, and of their rights and how to exercise them among data subjects

- The data protection framework obliges controllers or processors of personal data on their behalf to comply with it and to be able to prove this, in particular to the competent supervisory authority

- The data protection system should facilitate the exercise of the data subject's rights

- In the event of non-compliance, data subjects whose personal data have been transferred to a third country must be provided with effective administrative and judicial redress in the third country, including compensation for damage resulting from the unlawful processing of their data. This is a key element that involves an independent judicial or arbitration system that allows for compensation and, where appropriate, sanctions.

The EDPB recommendation also addresses procedural issues surrounding adequacy findings under the EU Data Protection Directive with respect to law enforcement and EU standards for adequacy in police and judicial cooperation in criminal matters, also outlining additional principles for specific types of processing related to automated decision-making, profiling and Data Protection by Design and Default[45].

1.2. Artificial Intelligence Act

The application of artificial intelligence in various forms is playing a significant role in an increasing number of areas of human activity. Due to its widespread application, a number of legal provisions regulate the conditions for the use of artificial intelligence, subject to more important data protection considerations[46].

The definition of artificial intelligence as a legal concept can be found in resolutions and regulations. According to Auer[47], "there are positions in the legal literature and attempts at conceptualization, but we do not find a uniform and good answer on how to treat artificial intelligence, phenomena related to artificial intelligence (robots) in a legal sense," as Gaszt[48] also states.

Published in 2020, the White Paper[49] defines the concept of artificial intelligence as a set of technologies and automatisms, in addition to encouraging the diffusion of AI technologies and drawing attention to the compliance of these technologies with European ethical standards, legal requirements and social values. There is no uniform legal definition[50].

Most importantly, however, AI systems are not just sets of software components. AI systems also include the socio-technological system that surrounds them.

2. Aspects of the EU regulation of artificial intelligence

On 21 April 2021, the European Commission presented a proposal for a Regulation of the European Parliament and of the Council laying down harmonized rules for artificial intelligence[51], hereinafter "the Proposal", which also has important data protection implications.

This "Artificial Intelligence Act" Proposal defines an AI system as "software that has been developed using one or more of the techniques and approaches listed in Annex I and that provides outputs, such as content, for a specific set of man-made objectives, is able to generate predictions, recommendations or decisions that affect the environment with which they interact". These techniques and approaches include: a) machine learning approaches, including supervised, unsupervised and reinforcement learning, using a wide variety of methods including deep learning; b) logic- and knowledge-based approaches, including knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning and expert systems; c) statistical approaches, Bayesian estimation, search and optimization methods.

The Proposal sets out harmonized rules for the market introduction, provision and use of AI systems, a ban on the use of AI systems, rules for operators and harmonized transparency rules for AI systems that interact with people. With regard to reliable artificial intelligence, the rules of the Proposal follow a risk-based approach. In addition to defining artificial intelligence, it is important to define risk, high-risk, low-risk, and remote biometric identification systems.

Prohibited AI practices - the category of unacceptable risk - include AI systems that clearly endanger people's safety, livelihoods and rights - that is, their use is considered unacceptable because it violates EU values, such as a violation of fundamental rights. Prohibitions apply to practices that can unconsciously manipulate individuals to a large extent using subliminal techniques or exploit the vulnerability of certain vulnerable groups, such as children or people with disabilities, to distort their behavior in a way that is likely to cause physical damage to them or others. These include AI systems or applications that manipulate human behavior to circumvent users' free will, such as voice-assisted games that encourage minors to engage in dangerous behavior[52]. The Proposal also prohibits AI-based social scoring for general purposes done by public authorities, and the use of 'real time' remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement is also prohibited unless certain limited exceptions apply.

The Proposal identifies two main categories of high-risk AI systems:

- AI systems intended to be used as safety components of products that are subject to third party ex-ante conformity assessment

- other stand-alone AI schemes, mainly related to fundamental rights, which are listed in Annex III.

I would like to highlight the position on Remote Biometric Identification Systems (RBIS) from the proposal. An RBIS is an AI system that remotely identifies natural persons by comparing a person's biometric data with the biometric data in the reference database and without the AI system user's prior knowledge of whether the person will be present and identifiable. The definition of biometrics used in this Regulation is in line with the definition of biometrics in Article 35 (4) (14) GDPR and Article 36 (3) (18) EUDPR and with the biometric data in Article 37 (3) (13) of the LED. All remote biometric identification systems are considered high risk under the Proposal and are subject to strict requirements. The Proposal distinguishes between "real-time" and "non-real-time" RBIS. "In the case of 'real-time' systems, the capturing of the biometric data, the comparison and the identification occur all instantaneously, near-instantaneously or in any event without a significant delay. In this regard, there should be no scope for circumventing the rules of this Regulation on the 'real-time' use of the AI systems in question by providing for minor delays. 'Real-time' systems involve the use of 'live' or 'near-live' material, such as video footage, generated by a camera or other device with similar functionality. In the case of 'post' systems, in contrast, the biometric data have already been captured and the comparison and identification occur only after a significant delay. This involves material, such as pictures or video footage generated by closed circuit television cameras or private devices, which has been generated before the use of the system in respect of the natural persons concerned."[53]

The possible use of real-time RBIS in places accessible to the public for law enforcement purposes shall be considered prohibited unless such use is strictly necessary for one of the following purposes:

- targeted, specific searches for victims of crime, including missing children[54]

- the prevention of a specific, significant and imminent threat to the life or physical security of natural persons or of a terrorist attack[55],[56]

- the detection, tracing, identification or prosecution of the perpetrators or suspects of the offenses referred to in Article 2 (2) of Council Framework Decision 2002/584/JHA[57], if these offenses are punishable by a term of imprisonment of at least three years under that law or a measure involving deprivation of liberty

The Proposal sets out several conditions for the use of high-risk systems, such as data collection criteria, technical documentation, registration requirements, transparency, which are also relevant from a data protection point of view. The Proposal also contains detailed rules on product liability and the conformity of AI systems. It seeks to develop mechanisms to facilitate standardization, compliance testing, and the introduction of certification in the application of AI systems.

Data is a key component of AI applications. Within the GDPR, a number of specific provisions concern artificial intelligence-based decisions for individuals, particularly those related to automated decision-making and profiling.[58]

The Law Enforcement Directive sets uniform rules for all EU law enforcement agencies.

With regard to profiling, it states that a decision based solely on automated data processing, including profiling, which has a legal effect that is detrimental to or significantly affects the data subject is prohibited unless permitted by Union or Member State law which also provides for adequate guarantees of the rights and freedoms of data subjects, including at least the right of the data subject to request human intervention from the controller.[59]

With regard to the scope of the Proposal, the resolution agrees with the aim of addressing the use of AI systems in the European Union, including the use of AI systems by EU institutions, bodies or agencies. However, the exclusion of international law enforcement cooperation from the scope of the Proposal raises concerns, as such exclusion poses a significant risk of circumvention, for example in third countries or international organizations operating high-risk applications on which the EU authorities rely.

2.1. EDPB-EDPS Joint Opinion on the provisions of the Proposal[60]

According to the EDPB resolution on cases of illicit use of artificial intelligence, forms of AI systems that violate human dignity should be considered as prohibited AI systems under Article 5 of the Proposal, rather than simply being classified as "high risk". This applies in particular to data comparisons involving persons who have given no or little reason for police surveillance or processing, all of which violate the purpose limitation principle under data protection law. The use of AI in public places by police and law enforcement should be based on precise, predictable and proportionate rules that take into account the interests of the persons concerned and their impact on the functioning of a democratic society.[61]

According to Article 5 (1) (c) of the Proposal, the use of AI may lead to "social scoring" and discrimination, and is contrary to the fundamental values of the EU. Private companies, especially social media, cloud and other providers, can process huge amounts of personal data and perform community scoring. Consequently, the Proposal should prohibit all forms of social scoring. It should be noted that in the context of law enforcement, Article 4 already significantly restricts, if not prohibits, this type of activity under the LED.[62]

Article 5 (1) (d) of the Proposal contains an extensive list of exceptions that allow real-time remote biometric identification in publicly accessible places for law enforcement purposes.

The EDPB and the EDPS recall that data protection authorities already enforce the GDPR and the LED for AI and personal data in order to ensure the protection of fundamental rights, in particular the right to data protection. As a result, the designation of data protection authorities as national supervisory authorities would ensure a more harmonized regulatory approach and contribute to a more consistent interpretation of data management provisions across the EU; the EDPB and the EDPS therefore propose their designation as national supervisory authorities.[63],[64] In any case, restrictions on the use of AI systems for "real-time" remote biometric identification for law enforcement purposes in places accessible to the public must be verified by independent authorities.[65]

III. Link between the fight against cybercrime and data protection

The large-scale IT and technological advances of the Fourth Industrial Revolution did not leave cybercrime untouched. Already in the middle of the last century, the changes brought about by the digital revolution and the number of cybercrimes have significantly increased[66],[67],[68],[69]. A number of legal initiatives have been taken to combat these crimes, and one of the most comprehensive regulations on cooperation in the European Union was established in 2001, the Budapest Convention on Cybercrime. It was the first international treaty to focus specifically on cybercrime. The treaty rests on three basic principles: 1) harmonization of national legislation on cybercrime, 2) support for the investigation of these crimes, and 3) enhancement of international cooperation in the fight against cybercrime.[70]

From 2017, the amendment to the Convention became increasingly relevant due to the impact of the digital revolution on cybercrime.[71]

1. The Convention on Cybercrime (The Budapest Convention)

The Budapest Convention (CETS 185) entered into force on 1 July 2004, following ratification by five Member States of the European Union. The Preamble sets out the primary purpose of the Convention, inter alia, by adopting appropriate legislation and promoting international cooperation in the protection of society against cybercrime. According to Article 39 of the Convention, its purpose is stated in the fact that this Convention, in addition to supplementing the one-way or multi-directional agreements between the contracting parties, also aims to protect data stored on computer devices and networks and to prevent their misuse and crime. It also sets out the powers and provisions to facilitate reconnaissance and investigation at national and European level, and contains provisions that harmonize the substantive criminal law elements of criminal offenses and related provisions in the field of cybercrime. The Convention provides for the internal criminal procedural powers necessary to detect and prosecute such offenses, as well as for other offenses committed using the computerized information system or offenses related to electronic evidence, and for the establishment of a system of rapid and effective international cooperation[72]. The Convention consists of a Preamble, four Parts and Chapters within them, and 48 Articles. Part One contains interpretative provisions and definitions[73]. Chapter I of Part Two deals with substantive criminal law[74], Chapter II deals with the scope of criminal law provisions, the real-time collection of traffic data by Internet Service Providers, and Chapter III with the issue of jurisdiction[75]. Part Three sets out the principles of international co-operation, the principles of co-operation, extradition, and the general principles of legal aid[76]. In addition, the procedures for requesting legal aid[77] and the special provisions deal with the rapid retention of stored computer data and the rapid transfer of retained traffic data[78],[79].

The Convention provides that the Parties shall, as appropriate, consult each other from time to time to facilitate consideration of any additions or amendments to the Convention[80]. Since 2012, Parties to the Convention on Cybercrime have been investigating the difficulties faced by national judicial and police authorities in obtaining electronic evidence in the form of computer data in investigations. Finally, as part of several recommendations, the Committee on the Cybercrime Convention approved in June 2017 a mandate to draw up a Second Additional Protocol.

2. The Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence[81]

The purpose of the protocol is to improve cooperation on cybercrime and the collection of evidence of a crime in electronic form for the purpose of a specific criminal investigation or prosecution. Cooperation between States and with the private sector should be made more effective, and clarity and legal certainty should be increased for service providers and other entities as to the conditions under which they may respond to requests for the transfer of electronic evidence from the criminal justice authorities of other Parties.

Chapter I of the Protocol[82] contains common provisions. Chapter II of the Protocol provides for measures to strengthen cooperation[83]. Chapter III provides for safeguards.

It should be emphasized that, after several consultations with the EDPB during the preparation, Article 14 deals separately with the protection of personal data.[84],[85]

Article 14 (2) to (15) sets out the basic principles of data protection, including purpose limitation, the legal basis, the quality of the data and the rules applicable to the processing of specific categories of data, as well as the obligations of data controllers. It sets out the individual rights that can be enforced in relation to retention, record keeping, security and onward transfers. It defines independent and effective supervision by one or more authorities and administrative and judicial remedies in relation to notification, access, rectification and automated decision-making. The safeguards shall cover all forms of cooperation as defined in the Protocol and shall be adjusted, if necessary, to take account of the specific features of direct cooperation. The exercise of certain individual rights may be delayed, restricted or refused where necessary and proportionate to achieve important public interest objectives, in particular to avoid jeopardizing on Article 14 of the Protocol shall be read in conjunction with Article 23 of the Protocol. Article 23 requires the Committee on the Convention on Cybercrime to evaluate the implementation and application of national legislative measures taken to give effect to the provisions of the Protocol.[86] Additional safeguards: if one of the Parties has substantial evidence that the other Party is systematically or substantially in breach of the safeguards provided for in this Protocol, it may suspend the transfer of personal data to that Party after consultations.[87] Finally, given the multilateral nature of the Protocol, it allows the Parties to agree in their bilateral relations, under certain conditions, on alternative means of protecting personal data transferred under the Protocol.[88] Parties they are covered by an international agreement establishing a comprehensive framework in accordance with the applicable law of the Parties concerned.[89]

For example, Convention 108 as amended, or the EU-US Framework Agreement. In addition, the Parties may mutually determine that the transfer of personal data is subject to other agreements or arrangements between the Parties concerned.[90] EU Member States may refer to such an alternative agreement or arrangement for the transfer of data under the Protocol only if the transfer complies with the requirements of EU data protection law, namely Chapter V of Directive (EU) 2016/680 and Articles 6 and 7 of the Protocol, and Chapter V of Regulation (EU) 2016/679.

IV. Summary

The study highlights some issues in the application and regulation of the EU data protection package applicable to criminal justice and the protection of personal data by analyzing the regulation of the Law Enforcement Directive, the Artificial Intelligence Act, and one of the basic regulations in the fight against cybercrime, the Convention on Cybercrime, together with its Second Additional Protocol. Article 8 (1) of the Charter of Fundamental Rights of the European Union (Charter), adopted in Nice in 2000, and Article 16 (1) of the Treaty on the Functioning of the European Union (TFEU) state that everyone has the right to the protection of personal data. The 2016/2018 data protection package, the GDPR and the LED, and then the EUDPR framework are decisive for further legislation, including in the field of criminal justice. The fundamental differences between the Law Enforcement Directive and the General Data Protection Regulation are reflected in the purpose of data processing. A major challenge is the transfer of data for criminal purposes to a third country, which is also covered by the Directive. In addition to the appropriate level of protection, EU law allows for the transfer of data, which is reflected in the Budapest Convention, which is the main regulation in the fight against cybercrime, and in the draft Additional Protocol thereto. It is noteworthy that, mainly on the basis of the EDPB's proposal, data protection is included in a separate chapter in this regulation, detailing some of the possible issues that may arise. Through its advisory and guiding work, the European Data Protection Board contributes to the drafting of individual legislation in order to ensure that the rights of the Charter and the ECtHR are enforced within the framework of data protection regulations. An example of this is the prohibition of any use of artificial intelligence to automatically detect human features, such as faces but also gait, fingerprints, DNA, voice, keystrokes, and other biometric or behavioral signs, in publicly accessible locations in any environment, of AI systems that classify individuals on the basis of biometric data according to ethnicity, gender, political or sexual orientation, or other grounds of discrimination under Article 21 of the Charter, and of the use of artificial intelligence to infer the emotions of a natural person. The data protection regulations do not restrict criminal justice; the right balance in the legislation can be struck through consultations, as was the case with the draft Second Supplementary Convention to the Budapest Convention. It will contribute to the creation of a regulatory environment that respects the challenges of the 21st century, with respect for fundamental human rights, and will hopefully have an impact on EU legislation.

NOTES

[1] Gál István László: A minősített adattal visszaélés néhány kriminológiai problémaköre. In: Barabás, Andrea Tünde, Christián, László (szerk.) Ünnepi tanulmányok a 75 éves Németh Zsolt tiszteletére: Navigare necesse est. Budapest, Magyarország Ludovika Egyetemi Kiadó, 2021. p. 79.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[3] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, Official Journal L 119, 2016. pp. 89-131

[4] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance.) PE/31/2018/REV/1, Official Journal L 295, 2018, pp. 39-98

[5] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM/2017/010 final - 2017/03 (COD)

[6] Regulation (EU) 2016/679 Article 5 and 6

[7] Ibid., Article 2(2)(d)

[8] Directive (EU) 2016/680, (LED)

[9] Proposal for a Regulation Of The European Parliament And Of The Council Laying Down Harmonised Rules On Artificial Intelligence (Artificial Intelligence Act) And Amending Certain Union Legislative Acts, Brussels, 21.4.2021 Com (2021) 206 Final,

[10] Council of Europe, European Treaty Series - No. 185 Convention on Cybercrime, Budapest, 23.XI.2001,

[11] Proposal for a COUNCIL DECISION authorising Member States to ratify, in the interest of the European Union, the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence, COM/2021/719 final

[12] Tóth Dávid - Gál István László - Kőhalmi László: Organized Crime in Hungary. In: Journal of Eastern European Criminal Law 2015/2. pp. 22-23.

[13] See further about terrorism: Tóth Dávid: The history and types of terrorism. Law of Ukraine: Legal Journal: Scientific-Practical Professional Journal 2015/1. pp. 1-24.; Kőhalmi László: A vallási terrorizmus útjai. In: Jura 2021/2. pp. 30-33.

[14] Directive (EU) 2016/680, Preamble (26). According to Preamble (26) "Any processing of personal data must be lawful, fair and transparent in relation to the natural persons concerned, and only processed for specific purposes laid down by law."

[15] Ibid., Preamble (38), (39)

[16] Ibid., Preamble (43), (44), and Article 13.

[17] Ibid., Article 13. (e)

[18] Ibid., Preamble (20)

[19] Ibid., Preamble (20)

[20] Kőhalmi László: Einige evidenz- und nicht evidenzbasierte Gedanken über die Sicherheit. In: Rita, Haverkamp - Michael, Kilchling - Jörg, Kinzig - Dietrich, Oberwittler; Gunda, Wössner (hrsg.) Unterwegs in Kriminologie und Strafrecht - Exploring the World of Crime and Criminology: Festschrift für Hans-Jörg Albrecht zum 70. Geburtstag Berlin, Németország: Duncker & Humblot 2021 pp. 137-141.

[21] Ibid., Article 41. (3)

[22] Ibid., Preamble (77) and Article 40. (b)

[23] Ibid., Preamble (84) and Article 51.

[24] Ibid., Preamble (88) and Article 56.

[25] Ibid. Preamble (64) and Article 36. (1)

[26] Ibid., Preamble (70) (71), (72) and Article 35.and 37.

[27] Ibid., Article 38.

[28] Ibid., Preamble (26)

[29] EDPB, Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive, Adopted on 2 February 2021, https://edpb.europa.eu/sites/default/files/files/filel/recommendations012021onart.36led.pdf_en.pdf, Accessed: 15.08.2021

[30] EDPB, Recommendations 01/2021. Introduction 5. pp. 4." As WP254.rev01 on Compliance References seeks to provide guidance to the European Commission on the level of data protection under GDPR in third countries and international organizations"

[31] Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, 16 July 2020, ECLI:EU:C:2020:559, (Schrems II) §92

[32] EDPB, Recommendations 01/2021, 4.26.

[33] Treaty on the Functioning of the European Union, Article 288

[34] Case C-362/14, Maximillian Schrems v Data Protection Commissioner, 6 October 2015, ECLI:EU:C:2015:650, (Schrems I), §52.

[35] EDPB, Recommendations 01/2021 .2.13.

[36] Kőhalmi László: The Human Rights in the Criminal Procedure, In: Magdalena, Sitek; Gaetano, Dammacco; Aleksandra, Ukleja; Marta, Wojcicka (szerk.) Europe of Founding Fathers: Investment in the Common Future Olsztyn, Lengyelország: University of Warmia and Mazury, Faculty of Law and Administration, 2013. pp. 397-403.

[37] EDPB, Recommendations 01/2021, 4. 24.

[38] Ibid., 4. 25.

[39] Charter of Fundamental Rights, Article 52 (1)

[40] EDPB, Recommendations 01/2021, Footnote 18. "The court noted for instance that 'the interference constituted by the real-time collection of data that allows terminal equipment to be located appears particularly serious, since that data provides the competent national authorities with a means of accurately and permanently tracking the movements of users of mobile telephones (...)' (joined cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and others, 6 October 2020, ECLI:EU:C:2020:791, §187, including cited jurisprudence)."

[41] Directive (EU) 2016/680, Preamble (67)

[42] EDPB, Recommendations 01/2021, A. 34-57.

[43] Ibid., A. 54-55.

[44] Ibid., B. 68-71.

[45] Ibid., B.59- 61.

[46] Nagy Zoltán András: Mesterséges intelligencia a bűnügyi munkában. In: Ürmösné, Simon Gabriella; Kudar, Mariann (szerk.) Sokszínű Kar Konferencia III.: Absztraktfüzet Budapest, Magyarország: Nemzeti Közszolgálati Egyetem Rendészettudományi Kar, 2021. p. 9.

[47] Auer Ádám: Gondolatok a mesterséges intelligencia egyes polgári jogi kérdéseiről, Scientia et Securitas 2021/2. pp. 106-113.

[48] Gaszt Csaba: A mesterséges intelligencia szabályozási kérdései, különös tekintettel a robotikára. Infokommunikáció és Jog 2019/17. pp. 21-26.

[49] WHITE PAPER on Artificial Intelligence - A European approach to excellence and trust, COM/2020/65 final

[50] COM (2020) 65 final). "2.8. It should also be noted that legal definitions (for the purpose of governance and regulation) differ from pure scientific definitions, whereas a number of different requirements must be met, such as inclusiveness, preciseness, permanence, comprehensiveness, and practicability. Some of these are legally binding requirements and some are considered good regulatory practice."

[51] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL LAYING DOWN HARMONISED RULES ON ARTIFICIAL INTELLIGENCE (ARTIFICIAL INTELLIGENCE ACT) AND AMENDING CERTAIN UNION LEGISLATIVE ACTS, COM/2021/206 final

[52] Kőhalmi László: A társadalomra veszélyesség fogalma a büntető anyagi kódexekben. Büntetőjogi Szemle, 2012/1, pp. 15-17.

[53] Proposal For "Artificial Intelligence Act" (23)

[54] Gál István László, Nagy Melánia, Ripszám Dóra: Gyermekkereskedelem a terrorizmus tükrében. In: Mezőfi, Nóra, Németh, Kornél, Péter, Erzsébet, Püspök Krisztián (szerk.) V. Turizmus és Biztonság Nemzetközi Tudományos Konferencia tanulmánykötet Nagykanizsa, Magyarország: Pannon Egyetem Nagykanizsai Kampusz, 2021. pp. 9-17.

[55] Kőhalmi László: Gondolatok a vallási indíttatású terrorizmus ürügyén. Belügyi Szemle 2015/63. pp.52-71.

[56] Tóth Dávid: A terrorizmus típusai és a kiberterrorizmus. In: Rab, Virág (szerk.) XII. Országos Grastyán Konferencia előadásai Pécs, Magyarország, PTE Grastyán Endre Szakkollégium, 2014. pp. 286-290.

[57] 2002/584/JHA: Council Framework Decision of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States - Statements made by certain Member States on the adoption of the Framework Decision, Official Journal L 190, 2002. pp.1-20.

[58] EU 2016/679, Article 4. (4)

[59] EU 2016/680, Article 11.(1)

[60] EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), 18 June 2021, https://edpb.europa.eu/system/files/2021-06/edpb-edps_joint_opinion_ai_regulation_en.pdf, Accessed: 8. Sep.2021

[61] EDPB-EDPS Joint Opinion 5/2021, 2.3 27

[62] Ibid.,2.3 29.

[63] Proposal for "ARTIFICIAL INTELLIGENCE ACT" Article.59

[64] EDPB-EDPS Joint Opinion 5/2021,2.5.1 48.

[65] Ibid.,5/2021 Ibid.

[66] Dumitrescu Mihaela-Sorina, Marica Mihaela-Emilia: Cybercrime in Digital Era, in the New Trends in Sustainable Business and Consumption, ed. Basiq International Conference, Bucharest: Editura ASE, 2019. pp. 433-440.

[67] Digital 2019: Global Digital Overview, Datareportal, https://datareportal.com/reports/digital-2019-global-digital-overview, Accessed:21.10.2020

[68] Internet Organised Crime Threat Assessment, Europol, 2018 https://www.europol.europa.eu/internet-organised-crime-threat-assessment-2018, Accessed:21.10.2020

[69] Holt J.Thomas, Bossler M. Adam: Cybercrime in progress: Theory and prevention of technology-enabled offenses. ed. Richard Wortley London: Routledge 2015. https://doi.org/10.4324/9781315775944, Accessed:20.10.2020

[70] Explanatory Report to the Convention on Cybercrime, 23. November 2001, https://rm.coe.int/16800cce5b, Accessed:20.10.2020

[71] Fenyvesi Csaba: A kriminalisztikai világtendenciák - Különös tekintettel a digitális felderítésre. In: Mezei, Kitti (szerk.) A bűnügyi tudományok és az informatika, Pécs, Magyarország, Budapest, Magyarország : Pécsi Tudományegyetem, Állam- és Jogtudományi Kar, MTA Társadalomtudományi Kutatóközpont, 2019. p. 64.

[72] Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, COM/2018/226 final -2018/0107 (COD)

[73] Convention on Cybercrime, Article 1.

[74] Ibid., Article 2-13.

[75] Article 14-12.

[76] Ibid., Article 23-26

[77] Ibid., Article 27-28.

[78] Ibid., Article 29-30

[79] Ibid., Article 36-48.Part Four contains the final provisions and signatures, as well as the modalities of accession to the Convention, and discusses the provisions on territorial application, scope, reservations, amendments, settlement of disputes and denunciation of the Convention

[80] Convention on Cybercrime, Article 46 (1) (c)

[81] Proposal for a COUNCIL DECISION authorizing Member States to ratify, in the interest of the European Union, the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence, COM/2021/719 final

[82] Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence Draft Protocol version 3 as approved by the T-CY at its 24th Plenary, (28 May 2021), Council of Europe, https://rm.coe.int/0900001680a2aa1c, Accessed:20.Sep.2021

[83] Tóth Dávid, Gáspár Zsolt: Nemzetközi bűnügyi együttműködéssel összefüggő nehézségek a kiberbűnözés területén. Büntetőjogi Szemle, 2020, pp.140-150.

[84] EDPB contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention) Brussels, 13th November 2019, https://edpb.europa.eu/sites/default/files/files/file1/edpbcontributionbudapestconvention_en.pdf, Accessed:20.Oct.2020

[85] EDPB contribution to the 6th round of consultations on the draft Second Additional Protocol to the Council of Europe Budapest Convention on Cybercrime Brussels, 4 May 2021, EDPB https://rm.coe.int/0900001680a26108, Accessed:20.Sep.2021

[86] Second Additional Protocol to the Convention on Cybercrime, Article 23 (3) explicitly states that the implementation of Article 14 by the Parties shall be assessed when ten Parties to the Convention have indicated that they accept the Protocol as binding on them.

[87] Ibid. Article 14 (15)

[88] Ibid. Article 14 (1) (b) and (c)

[89] Ibid. Article 14 (1) (b),

[90] Ibid. Article 14 (1) (c),

Footnotes:

[1] The author is a doctoral student, Doctoral School of Law, University of Pécs.
