Directive 2016/680 creates a harmonized data protection framework for Member State law enforcement authorities, excluding the national security authorities and Europol. Amongst the highlights of this framework is the strengthened level of protection of data subjects’ rights, e.g. of access, rectification, erasure and restriction of processing. The strengthened rights are expected to grant more transparency to the data subjects and act as safeguards against the law enforcement authorities. However, the legal framework contains many exceptions. In addition, subjects’ rights were already provided for in existing EU law enforcement instruments such as the Schengen Information System, which are not necessarily harmonized with Directive 2016/680. At the same time, the limited scope of Directive 2016/680 – which excludes the national security authorities and EU entities such as Europol (which is subject to a separate legal framework) – begs the question of how effectively Directive 2016/680 will boost data subjects’ rights. Core questions:
• Have the Member States modified the existing procedures for exercise of the rights, esp. those Member States which provided only for indirect exercise of the rights through the responsible DPA? What are the trends?
• Has Directive 2016/680 led to increases in the number of data subjects’ requests to exercise their rights? Why (not)?
• Has cooperation on EU level between national supervisory authorities and these and Europol and the EDPS improved?
• Do Directive 2016/680 and the implementing national laws contain loopholes which allow for too broad exceptions/restrictions, e.g. restricting the right of access on national security or other grounds?