The GDPR and Private Sector Measures to Detect Criminal Activity
Revue des Affaires Européennes - Law and European Affairs
25 Pages; Posted: 16 Nov 2021
Date Written: March 2021
Abstract
The task of detecting criminal activity is increasingly delegated to private entities. Laws define the objective to achieve, e.g. to detect, prevent and/or report suspected criminal activities, but private entities are asked to determine the best means to achieve the objective based on their own risk analysis. This puts the burden on private entities to strike the right balance between interference with privacy and the protection of public security. Risk-based approaches such as this tend to mix up the roles of private actors and public authorities by giving discretion to private actors to define appropriate measures to attain public interest objectives. While this approach has benefits, it also carries risks for fundamental rights and can result in gold-plating. This article examines three examples of risk-based legislation: anti-money laundering (AML) legislation; the draft EU regulation on the dissemination of terrorist content online; and the proposed EU Digital Services Act. The article concludes that these legislative measures lack the specificity required by Article 23 of the GDPR and the case law of the CJEU. The article closes with several recommendations, including that data protection impact assessments prepared by private entities in connection with their crime-detection activities be systematically reviewed by data protection authorities under Article 36 of the GDPR.
Keywords: data protection, GDPR, General Data Protection Regulation, AML, anti-money laundering, Digital Services Act, dissemination of terrorist content, data protection, fundamental right, risk-based