I. The issues raised by the Bulgarian court in light of Article 10 LED
A long-expected decision on the reference for a preliminary ruling Case C-205/21 was made public on 26 January 2023.Footnote 1 The case is relevant for the application of the Law Enforcement Directive 2016/680 (LED)Footnote 2 by national authorities, in particular, when it comes to the collection of special categories of data pursuant to Article 10 LED. After, briefly introducing Article 10 LED, I summarise the facts and the issues raised by the referring court in order to provide a commentary on the matters at stake.
The LED foresees the processing of sensitive personal data in Art. 10, where those special categories of data are exhaustively listedFootnote 3 , and where their processing is “… allowed only where strictly necessary, subject to appropriate safeguards for the rights and freedoms of the data subject …” For the sake of this contribution, it is important to highlight that biometric and genetic data are defined in Article 3 (12) and (13) contrary to the other “special categories.” Catherine Jasserand explains this as an apparent distinction between sensitive data “by their nature,” and “biometric data that becomes sensitive when processed to ‘uniquely identify’ an individual.”Footnote 4 According to the author, this means that biometric data per se is not protected unless it is employed in processed with the abovementioned purpose, a conclusion that seems to find confirmation in Recital 51 GDPR, where photographs are not considered biometric data, unless used for biometric recognition purposes. The LED does not provide a similar provision.Footnote 5
Most importantly, however, Article 10 LED sets forth the conditions for lawful processing of sensitive data. First, there are three legal grounds therefor, namely when provided in Union or national law (Article 10 (a)), when vital interest are at stake (Article 10 (b)) and finally when they are manifestly made public by the data subject (Article 10 (c)). Second, the processing of such data should be “strictly necessary,” although the meaning of this phrase is not further developed the text of the Directive. Third, this processing should be subjected to “appropriate safeguards.” Recital 37 LED suggests that those measures may include, among others, adequate security measures, strict access rules or a prohibition to transfer the data. Catherine Jasserand recalls that in an “Opinion on some key issues of the Law Enforcement Directive (EU 2016/680) – wp258,” the WP29 also included “the prior authorisation of a court or an independent body.”
After this brief introduction of the Article 10, which plays a prominent role for the matters examined, in the following lines I provide a summary of the facts and issues of C-205/21.
1. Case C-205/21
The Bulgarian authorities accused a data subject of participation in a criminal organisation with the aim of enrichment within the proceedings against two companies for tax fraud. The accused was requested to cooperate in the creation of a police record. The person completed a declaration form, acknowledging that she had been informed of the statutory basis for creating the police record. Nevertheless, she refused to consent to the collection of her fingerprints and photographic data as well as to the taking of her DNA profile. The police did not collect the data and brought the matter to the referring court in order to request the authorisation of the enforcement of collection of the data.
Confronted with the request the Bulgarian court requested a preliminary ruling to the Court of Justice of the European Union (CJEU) concerning the compatibility of the applicable national law in matters of police record creation and the EU law. In particular, the referring court had doubts concerning the interpretation and application of the national provisions transposing Article 10 LED, which allows special categories of data processing, and its connection with the GDPR (Article 9) where this is prohibited. In addition, the national court had concerns related to the appropriate evaluation of the necessity and proportionality of the biometric and genetic data collection for the purpose of police record creation, especially where those are collected forcibly. Therefore, the decision of provided by the CJEU is highly relevant not only in light of the interpretation of LED but also for Bulgarian authorities as the creation of a police record applies compulsory to all persons accused of intentional offences subject to public prosecution and includes the collection of personal data, among which, photographs, fingerprints and DNA samples.
In C-205/21, the CJEU ruled that if the national legislation has legal provisions, which allow “in a sufficiently clear, precise and unequivocal manner” from the interpretation thereof to conclude that the processing of biometric and genetic data at issue falls within the scope of the LED, and not of the GDPR, there is no need to expressly include provisions on special categories of data for the purposes of law enforcement.
Further the Court established that if a person accused of an intentional offence refuses to have his biometric and genetic data collected for the purposes of a record, the national criminal court may authorise an enforcing measure. This could happen without reviewing the severity of the alleged grounds for the prosecution provided that an effective judicial review is guaranteed under national law afterwards.
Finally, the national law enforcement authorities should not carry out a systematic collection of biometric and genetic data unless two conditions are met. Those are that the collection of special categories of data is “strictly necessary” for the specific objectives pursued by the public prosecution and that there are no other means, less intrusive, to achieve the same goal.
2. Case C-80/23
Less than a month after the publication of the ruling on C-205/21, on 14 February 2023, a new request for a preliminary ruling, Case C-80/23, was filed by the same judge from Sofia city court.Footnote 6 Both cases are virtually the same as they relate to the same criminal proceedings. In both instances, the national court addresses the CJEU with questions related to the interpretation of the Law Enforcement Directive 2016/680 provisions concerning biometric and genetic data collection for the purposes of police record creation.
In essence, what the Bulgarian court inquiries in C-80/23 is, from one side, a clarification of the decision C-205/21 concerning the requirement for “strict necessity” under Article 10 LED, and from the other, a clarification of paragraphs 100-101 and 132-133 of the ruling C-205/21, which concern the potential judicial review of sensitive data collection from an accused within the investigation stage of a crime.
First, the Bulgarian court considers that there is an ambiguity between the abovementioned paragraphs. On the one hand, in paras. 100–101, the CJEU appears to allow the collection of biometric and genetic data without court review when otherwise such review may turn out to be a hindrance for the conduct of the criminal investigation as long as the national law guarantees effective judicial review afterwards. On the other hand, the CJEU seems to require that the national court carry out a judicial review on the necessity to collect sensitive data from the accused in paras. 132–33. In addition, the national court points out that the CJEU based its rationale on case law that is foreign to Bulgarian law. The national court cannot make this judicial review of the necessity to collect the referred data because they do not have access to the file of the accused at the investigative stage of a potential crime. Therefore, the Bulgarian court cannot conduct the expected checks for the necessity of the data collection. Based on that, in a new reference for a preliminary ruling C-80/23, the Bulgarian court poses the following questions:
1. Is the assessment of “strict necessity” satisfied if it is carried out solely on the basis of the documentation accusing the person and the refusal to have his/her data collected or it is necessary for the court to have all the material in the person’s file?
2. In case the latter is confirmed to be the correct interpretation, can the court also assess if there are reasonable grounds to suspect that the accused committed the crime in reality?
In order to provide an interpretation to the posed questions, recent case law, together with relevant national provisions, need to be explored.
II. The C-205/21 and Bulgarian law
In Case C-205/21, the concept of “strict necessity” is examined with regards to processing sensitive data, in particular, during a police record creation. The interpretation of this requirement involves imposing stringent conditions on the processing of such data. According to the Advocate General Pitruzzella’s opinion only cases involving serious crimes allow the collection and subsequent processing of “special categories” of data.Footnote 7 This suggests that conventional data processing methods may not suffice in addressing challenges stemming from certain crimes, which makes it necessary to collect sensitive data to achieve law enforcement objectives effectively. The final judgement however, lowers this bar and employs a rather ambiguous wording. According to the ruling special categories of data processing only requires “a certain degree of seriousness.”Footnote 8
While this is the first condition (degree of seriousness of the crime) that may lift the ban on sensitive data collection, there is one additional prerequisite.Footnote 9 According to Advocate General Pitruzzella for the processing to be justified, the specific objective of the processing should be clearly outlined in national legislation.Footnote 10 Again, the final judgment rather softens this conclusion and establishes that “account is to be taken of the specific importance of the objective that such processing is intended to achieve” and “in the light of the specific circumstances in which that processing is carried out.”Footnote 11 In addition, the Advocate General explicitly ascertains that the legislation concerning police record creation under Bulgarian law does not precise the connection between the breadth of the collection and the objectives pursued (para. 61) and this potentially leads to indiscriminate data collection. The final ruling confirms implicitly this as ascertaining that any systematic gathering of sensitive data is deemed to contravene Art. 10 of the Law Enforcement Directive.Footnote 12
Having regard to these requisites, in the next lines, I explore the Bulgarian normative landscape in order to find the corresponding provisions, which may match those conditions.
1. Necessity
As far as the necessity precondition is concerned, several documents could be pointed out. Article 51 of the Bulgarian Data Protection Act (BDPA)Footnote 13 mirrors the original provisions of the LED Directive’s Art. 10. The expectation that those provisions would be developed in Article 25 of the Ministry of Interior LawFootnote 14 , turns out not to provide additional clarity on the specific necessity for collecting sensitive data as it simply refers to the BDPA, Article 51, and the GDPR, Article 9.
The Order for the Procedure of Conducting and Removing Police RegistrationFootnote 15 aims to shed more light. According to Article 3(1), police authorities conduct police registration for individuals accused of general premeditated crimes. While this might seem like a restriction on data collection purposes, it actually affirms the broad scope of data collection.
This is because the Bulgarian Criminal Code categorises criminal cases into general and private categories based on the nature of the crime. Crimes not specifically designated as of private nature are considered general. General crimes are those affecting societal interests and thus requiring public prosecution and encompass a large spectrum of offenses such as theft, tax violations or murder. As a result, police registration is required for nearly all criminal offenses. Furthermore, there is no differentiation between categories of crimes or their “degree of seriousness” in light of the application of the LED.
2. Outlined in law
While the general objectives for data processing are outlined in the BDPA, specific personal data collected, and their purposes remain unspecified. Delving into related legislation fails to provide clarity. Sectoral laws are not more illuminating. Conversely, Article 26(3) of the Ministry of Interior Law allows the police authority to process “all necessary categories of data” without specifying purposes. Advocate General Pitruzzella, in his Opinion on C-205/21, arrives at a similar conclusion in para. 61.
Moreover, the police registration process in Bulgaria includes the collection of biometric and genetic data, such as fingerprints and oral DNA profiles.Footnote 16 Consequently, some of the data collected during a police registration falls within the realm of special categories of data under the Bulgarian data protection act, which mirrors the GDPR definitions for genetic and biometric data. This entails that the same procedure and data categories are collected each time an individual is accused of an intentional crime of a general nature, irrespective of any prior registrations.
This approach is problematic for the following reasons. First, the majority of crimes under the Bulgarian Criminal Code are of general nature. As highlighted in paragraph 130 of the C-205/21 judgment, the mere accusation of an intentional criminal offense subject to public prosecution does not inherently justify the collection of biometric and genetic data. Second, for the purposes of creating a police record, authorities collect personal data Bulgarian identification documents already contain biometric data, including facial images, fingerprints, and signatures. Given that there is no differentiation in “seriousness” of the crime in light of the LED, this translates into a double collection of sensitive data, which in certain cases may be necessary but for many others not. Hence, law enforcement agencies already possess biometric data, albeit not specifically for law enforcement purposes but for the maintenance of “public order.” The analysis of the latter goes beyond the scope of this study, however, it would be challenging to justify the collection of special categories of data under this premise, given the lack of definition and the ambiguity of the term under Bulgarian law.
Therefore, it could not be concluded that the relevant national law meets the requirements stablished in LED and developed in case law.
III. Suggested interpretation of the questions posed in C-80/23
Based on the previous, it is sensical to give the following answers to the questions posed by the Bulgarian courtFootnote 17 :
1. To the first question, whether the court needs all the information about the accused in order to allow the forced collection of special categories of data, it should be answered in the affirmative.
Paras. 100–101 indeed provide grounds for the national court to approve the collection of sensitive data without a thorough judicial review, however, this is so as long as all the other legal prerequisites are in place such as legislation that correctly transposes the relevant LED provisions. Thus, the answer to the question of the Bulgarian court could be better looked for in the paras. 130–132 of the C-205/21. In addition, Bulgarian authorities already possess the same data, which they request in the police registration procedure. The repeated collection of personal data together with the above analysis on the Bulgarian law suggest that any succinct review of a persons’ refusal to be subjected to forced collection of data and subsequent approval of the collection may lead to an undue interference with fundamental rights, guaranteed by Articles 7 and 8 of the EU Charter.
2. To the second question, whether the national court can also assess if there are reasonable grounds to suspect that the accused committed the crime, it should be answered negatively.
As it was stated in judgment C-205/21, para. 134, if the national law fails to ensure a review of the measure involving the collection of biometric and genetic data, it is the referring court to uphold the full effect of Art. 10 LED. The reason for the judicial review is not to provide a judgment on the case but to assess the necessity of an intervention with a person’s fundamental rights, aiming to ascertain that persons’ role in a crime in order to provide a judgment afterwards. The referred in para. 131 “serious grounds” suggests that the construction of the accusation should count with sufficient valid and incriminating proofs, which lead to incrimination of the person. From the same, it could be concluded that in such a context the collection of special categories of data would be never necessary, as law enforcement authorities would already have sufficient data in order to sustain an accusation. However, there may be cases where the link between the voluntary conscious nature of the act and the materialisation of the same in the reality may not be clearly established. Those cases should be clearly defined and in case the reality defies the normative hypothesis, then a judge would need to determine the necessity of the sensitive data collection.
1. The Opinion of AG Richard de la Tour on Case C-80/23
In the following lines, the report published on 13 June 2024 Opinion of Advocate General Richard de la Tour on Case-80/23 is briefly summarised and commented in the light of the previous section.Footnote 18
The Advocate General suggests that the assessment of the police record creation is “strictly necessary” for the purposes aimed with its creation must be carried out by the respective competent authorities for the creation of the record before requesting a court authorisation. Therefore, it is not sufficient that this assessment is done for the first time by the court only when the accused refuses to consent, and only based on one purpose stated in the national law supporting this collection.
On the second question, the Advocate General proposes that the preliminary ruling should establish that the review by the national court of the strict necessity does not require a review of the material grounds for the accusation, that is to say whether it is well-founded. In addition, a full disclosure of the case file is not necessary if the judicial review can be done based on the decision designating the person as accused.
2. Commentary
Reading the Advocate General Richard de la Tour (AG) conclusions an alignment could be established on key points regarding the necessity and scope of judicial review as well as the roles of competent authorities and the court.
On the first question, the AG’s opinion and the proposed interpretation assert the necessity of a comprehensive review before the collection of sensitive data. While the proposed interpretation affirms that the court needs all relevant information about the accused to allow the forced collection of special categories of data, the AG state that the assessment must be carried out first by the competent authorities seeking the creation of a record before requesting court authorisation. The AG’s emphasis on prior assessment by competent authorities resonates with the concern about succinct reviews potentially interfering with fundamental rights and it is implicitly supported by the Court’s requirement for a thorough and prior assessment by the respective authorities.
In addition, both texts underline the potential for undue interference if the judicial review process is inadequate. The proposed interpretation warns that a succinct review could lead to such interference. Similarly, the AG highlights that the assessment of necessity must not be performed solely when the accused refuses to consent.
On the second question, both interpretations agree that the national court’s role is not to evaluate the foundation of the accusation but to assess the necessity of data collection. The AG clarifies that the court’s review of whether the collection of biometric and genetic data is “strictly necessary” does not require assessing the accusation’s validity, aligning with the proposed interpretation’s assertion that the national court should not determine if there are reasonable grounds to suspect the accused.
However, a divergence emerges regarding the extent and basis of judicial review. The AG notes that full disclosure of the case file is not required for the court to assess necessity, provided the review is based effectively on the decision designating the person as an accused. In contrast, the proposed interpretation suggests that existing data should restrict the need for further data collection if sufficient to sustain an accusation.
IV. Conclusion
In Case C-205/21 the Court established that the processing of biometric and genetic data is allowed only if it is strictly necessary for law enforcement objectives and if no less intrusive means are available. The ruling mandates a sufficiently clear, precise, and unequivocal legal framework for such data collection, ensuring effective judicial review post-collection. Bulgarian law, however, appears to fall short of these standards, particularly in the lack of specific legislative provisions detailing the necessity and proportionality of data collection. The subsequent preliminary ruling request in Case C-80/23 seeks to address ambiguities related to judicial review and the necessity assessment. The Advocate General’s opinion in C-80/23 aligns with the need for a thorough necessity assessment by competent authorities before court authorisation and stresses that judicial review does not require full case disclosure but should ensure that necessity criteria are rigorously met. The examination of the challenges suggests that while the CJEU’s rulings provide a robust framework for protecting fundamental rights in data processing, there remains a need for national laws to precisely reflect these higher requirements to prevent undue interference with individuals’ rights.