Research portal

Between GDPR and the police directive: Navigating through the maze of information sharing in public-private partnerships

Research output: Contribution to journalArticleScientificpeer-review

- Legitimacy of public-private partnerships for combatting cybercrime partially depends on whether or not law enforcement data processing activities are subject to the same data protection-related restrictions, whether they involve cooperation of private parties or not.
- Information sharing within PPPs is a complex phenomenon with various configurations and power structures. This complexity needs to be accounted for in the analysis of the applicability of the two data protection regimes.
- GDPR as a general data protection instrument and the Police Directive as a lex specialis are meant to leave no space for the private-public data transfers to fall through the cracks. However, which legal regime applies when private entities and law enforcement act as joint controllers is a grey area of the dual EU data protection regime and may seriously undermine legitimacy of PPPs, unless private parties are given status of competent authorities or controllership within PPPs is assigned in a special legal act.
- Private parties may be subject to less data protection restrictions, e.g. exempted from the purpose limitation principle, when collaborating with the law enforcement. This may create motivation for the public law enforcement to actively seek such collaboration to avoid constraints imposed on them by law.
- It is recommended that the legislative measures creating such exemptions subject private-public data transfers to the same conditions of legality of processing as the processing by competent authorities.
Original languageEnglish
JournalInternational Data Privacy Law
StateE-pub ahead of print - 2018

    Research areas

  • Cybercrime, data transfer, information sharing, joint controllers, Police Directive, public-private partnership


Login to Pure (for TiU staff only)