The GDPR and Private Sector Measures to Detect Criminal Activity

Revue des Affaires Européennes - Law and European Affairs

25 Pages Posted: 16 Nov 2021

See all articles by Winston Maxwell

Winston Maxwell

Telecom Paris - Institut Polytechnique de Paris

Date Written: March 2021

Abstract

The task of detecting criminal activity is increasingly delegated to private entities. Laws define the objective to achieve, e.g. to detect, prevent and/or report suspected criminal activities, but private entities are asked to determine the best means to achieve the objective based on their own risk analysis. This puts the burden on private entities to strike the right balance between interference with privacy and the protection of public security. Risk-based approaches such as this tend to mix up the roles of private actors and public authorities by giving discretion to private actors to define appropriate measures to attain public interest objectives. While this approach has benefits, it also carries risks for fundamental rights and can result in gold-plating. This article examines three examples of risk-based legislation: anti-money laundering (AML) legislation; the draft EU regulation on the dissemination of terrorist content online; and the proposed EU Digital Services Act. The article concludes that these legislative measures lack the specificity required by Article 23 of the GDPR and the case law of the CJEU. The article closes with several recommendations, including that data protection impact assessments prepared by private entities in connection with their crime-detection activities be systematically reviewed by data protection authorities under Article 36 of the GDPR.

Keywords: data protection, GDPR, General Data Protection Regulation, AML, anti-money laundering, Digital Services Act, dissemination of terrorist content, data protection, fundamental right, risk-based

Suggested Citation

Maxwell, Winston, The GDPR and Private Sector Measures to Detect Criminal Activity (March 2021). Revue des Affaires Européennes - Law and European Affairs, Available at SSRN: https://ssrn.com/abstract=3964066

Winston Maxwell (Contact Author)

Telecom Paris - Institut Polytechnique de Paris ( email )

19 place Marguerite Perey
Palaiseau, 91120
France

HOME PAGE: http://telecom-paris.fr

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
159
Abstract Views
513
Rank
358,232
PlumX Metrics