Reprocessing of biometric data for law enforcement purposes: Individuals’ safeguards caught at the Interface between the GDPR and the ‘Police’ directive?
This dissertation investigates whether the new EU data protection framework, composed of the GDPR and the ‘police’ Directive, provides sufficient safeguards to individuals whose biometric data collected by private parties are accessed by law enforcement authorities for further use. While searching for the answer, the study has uncovered important findings. Focusing on the core notion of ‘biometric data’, the research has revealed not only gaps between legal and technical definitions but also uncertainty concerning the type of data that qualify as such and fall within the scope of sensitive data. Analysing the rules applicable to data processing across instruments, the research has raised doubt on the role played by the principle of purpose limitation and on the formulation of the right to information in the ‘police’ Directive. Finally, in an attempt to provide recommendations, the research has relied on the tools of Data Protection by Design (by Default) and Data Protection Impact Assessment to help mitigate the risks to individuals’ right to data protection.