Page | 1
Report: Recommendation R (87) 15 – Twenty–five years down the line
by Professor Joseph A. Cannataci and Dr. Mireille M. Caruana
Executive Summary
Between the period 2011‐2012, within the framework of the PUPIE project, the authors carried out a
survey of the state of legislation in 30 out of the Council of Europe’s 47 member States in an effort to
determine the impact of the Council of Europe’s Recommendation R(87)15 on data protection in the
police sector over the 25 years since the adoption of the Recommendation in 1987. This final report
from the PUPIE project finds that by and large the Recommendation has been widely adopted across
Europe to an extent that many European states prima facie already regulate police use of personal data
in a way comparable but not necessarily identical to that envisaged in the current draft of the European
Commission’s proposal 25.1.2012 COM(2012) 10 final 2012/0010 (COD) for a “Directive of the European
Parliament and of the Council on the protection of individuals with regard to the processing of personal
data by competent authorities for the purposes of prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties, and the free movement of such data”. This
general finding in no way obviates the need for urgent action on this sector. The Report identifies two
overall findings and thirty‐one provision‐specific findings in relation to the provisions of R(87)15 and
places these in the context of eight realities as at September 2013. In response to the overall findings of
disparity of provisions and lack of harmonisation, the Report advocates that the time has come for a
binding legal instrument which is capable of being deployed across sectors which have hitherto often
been parallel worlds: that of law enforcement agencies (LEAs) and the other of Security & Intelligence
Agencies (SIS). The Report takes into account the available evidence of utility of the EU’s 2006 Data
Retention Directive as well as the significance of the Snowden revelations for privacy & data protection.
These considerations reinforce the Report’s recommendations that the Council of Europe offers the
right forum for one or more of at least three options which could produce a suitable new binding legal
instrument: (1) an entirely new multi‐lateral treaty or Convention which would contain mandatory
provisions applicable to the LEA and SIS handling of personal data; (2) an additional protocol to the
CoE’s Data Protection Convention (ETS 108) encapsulating the provisions envisaged in Option 1 and/or
Page | 2
(3) an additional protocol to the CoE’s Cybercrime Convention (ETS 185) incorporating some of the
provisions envisaged in Options 1 and 2. The Report finds that the urgency for and the onus upon the
Council of Europe to take immediate action to produce a new binding instrument is compounded by the
Snowden revelations and the possible chronic inadequacy of EU responses in the sphere of national
security on account of exclusions of competence by Art 4 Section 2 of the EU Treaty.
25th September 2013
This research was commissioned by the Council of Europe and completed with support from
Page | 3
Table of Contents
RECOMMENDATION R (87) 15 – TWENTY–FIVE YEARS DOWN THE LINE: 5
REPORT ERROR! BOOKMARK NOT DEFINED.
The history of the PUPIE project 7
Part 1 – Overview 10
Part 2 – Detailed provisions 10
Scope and definitions 10
Definition of personal data “for police purposes” 10
The controller of police files 11
Only automated, or also manual processing? 11
Legal or only natural persons? 11
Only police or also state security? 12
Basic Principles 12
Principle 1 – Control and notification 12
General or security/police‐specific ISA? 12
Privacy Impact Assessments or other reasonable measures 12
Consulting the ISA 13
Notification to ISA 14
Manual files – Notification to ISA and ancillary matters 14
Notification of ad hoc files 14
Principle 2 – Collection of data 15
Collection Limitation principle and Wider police powers 15
Informing the data subject 15
Data collection by automated means 15
Collection of sensitive data 17
Principle 3 – Storage of data 17
Data Quality Principle 17
Accuracy and reliability 17
Administrative purposes 18
Principle 4 – Use of data by the police (statement of the notion of finality) 18
Police data used for other purposes 18
Principle 5 – Communication of data 18
Exchange of data between police bodies 18
Legitimate interest? 19
Communication to other public bodies 19
Legal authorisation or obligation to communicate data to other public bodies 20
Authorisation to communicate data to other public bodies 21
Communication to private parties 21
Communication to Foreign Authorities 23
Law regulating communication 24
Page | 4
Oversight mechanisms 24
Information required by countries 25
Verification and completeness of data 25
Safeguards and purpose 25
Interconnection of files 26
Secure on‐line systems 26
Legal direct access to a file 27
Principle 6 – Publicity, right of access to police files, right of rectification and right of appeal 27
Transparency 27
Publicity vs. ad hoc 27
Access to police data 27
Register of requests 28
Rectification or erasure of data 28
Follow‐up action 29
Refusing access, rectification and erasure 29
Right of appeal 30
Appeals to independent supervisory authority 30
Principle 7 – Length of storage and updating of data 31
Time‐limitation principle 31
Data quality principle 31
Principle 8 – Data security 31
Physical and logical security 31
R(87)15 – From findings to the future ‐ Where do we go from here? 32
Key findings – Thirty‐three points to ponder 32
Overall findings 32
Provision‐specific findings 33
Utility and Futility – some reflections on the way forward 35
New provisions on private sector data in the new binding instrument 42
Annex A: Text of questionnaire 54
Annex B: Table of legislation 90
Annex C: Tables 106
Page | 5
Report: Recommendation R (87) 15 – Twenty–five years down the line:
By
Prof Joseph A. Cannataci
Chair in European Information Policy & Technology Law, Co‐Director STeP ‐ Security, Technology & e‐Privacy Research Group,
Department of European and Economic Law, Faculty of Law, University of Groningen, The Netherlands
Head of Department of Information Policy and Governance, Faculty of Media and Knowledge Sciences, University of Malta,
Adjunct Professor, Security Research Institute & School for Computer & Security Science at Edith Cowan University, Australia,
Associate, Cyber Security Center, Longwood University, USA
&
Dr Mireille M. Caruana,
Centre for IT & Law, University of Bristol
Department of Information Policy & Governance, University of Malta.
CoE Recommendation No. R(87)15 regulating the use of Personal Data in the Police Sector (R(87)15) was
developed by the CoE’s Project Group on Data Protection (CJ‐PD) in Strasbourg between 1984 – 1986.
CJ‐PD was characterised by the strong leadership of Germany’s Spiros Simitis, later involved in
incorporating data protection into the EU Charter of Fundamental Rights: he was succeeded by Peter
Hustinx, today EU Data Protection Commissioner (“EDPS”). The Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data (Convention 108) had created
ambiguity by including an exclusion from its provisions for security purposes.1 R(87)15 resolved this by
explicitly subjecting police data to the same data protection regime as other personal data.
R(87)15 was also a significant victory for a key principle of data protection: “purpose specification”, in
other words, that data controllers should process data according to
