Data Sharing and Law Enforcement Agencies


Privacy and Security by Design. Data Handling Support and Comparative Study on Data Access.

Author: Dr Irmak ERDOĞAN PETER (Ms.), Postdoctoral Researcher, KU Leuven Centre for IT & IP Law (CiTiP)

Data sharing between police and research organisations requires taking into account the European legal framework, as well as a diverse set of national laws in this field.

As a large research project, STARLIGHT dedicated Task 4.2 to shedding light on the legal and ethical barriers that law enforcement agencies (LEAs) may encounter while sharing data for research purposes. With this perspective, the project surveyed the LEA partners about the applicable national legal frameworks for sharing law enforcement data for research purposes, so that it would be possible to moderate the potential drawbacks of a fragmented legal framework.

By means of a comprehensive survey, 15 LEA partners in the STARLIGHT consortium were initially asked about their relevant national legal frameworks on sharing law enforcement data for research and development (R&D) purposes. This was followed up by further questions regarding legal-ethical elements that hinder data-sharing via LEAs within the project, such as the perception of the upcoming Artificial Intelligence Act Proposal and other potential data protection and management-related concerns amongst LEAs. 

The results of this survey were reported in "D4.3 Privacy and Security by Design: Data Handling Support and Comparative Study on Data Access". D4.3 primarily summarised the findings regarding national legal frameworks. According to the survey, LEAs in each Member State are subject to specific legislation regarding data sharing by LEAs for R&D purposes. In most cases, this legislation comprises data protection laws, which usually reflect the safeguards in Article 89 of the General Data Protection Regulation (GDPR). In certain instances, however, national legal frameworks include more specific rules and safeguards that regulate the LEAs’ ability to share data with the STARLIGHT consortium. In Italy, for instance, there are specific rules within the Italian criminal law that prevent the cybercrime unit MIPS from sharing any data at this point. On the other hand, in Belgium, concrete legal provisions for R&D are to be regulated in the future. All these examples demonstrate the complicated nature of working through different legal frameworks during inter-state research.

The findings also demonstrated that most LEAs are strongly in need of a step-by-step data-processing procedure for the whole process of data sharing. Hence, the LEAs must receive guidelines from both a legal and a technical perspective to understand how to proceed at each step while sharing personal data. Therefore, STARLIGHT brings co-development cycles, where LEAs, engineers, and legal partners join to discuss how to develop and implement AI technologies and how to evolve data sets.

As for the AI Act, LEAs shared that they may need specific guidance for interpreting the risk categories of AI systems and the relevant requirements. To mitigate this, the STARLIGHT partners that focus on the legal and ethical aspects of the research will update LEAs on the recent developments regarding the AI Act.

Finally, the survey revealed that nearly half of the LEAs expect clarifications on the security measures before sharing personal data. This insight underlines the necessity of sharing a clear outline of all security measures and a clear picture of the applicable cybersecurity law provisions.

The survey was an important step to reveal the current and potential stumbling blocks to data sharing via LEAs for research purposes and it provided a crucial roadmap for how to handle ethical and legal concerns.

STARLIGHT is a four-year project funded from the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement No. 101021797.  It aims to create a community that brings together LEAs, researchers, industry, and practitioners in the security ecosystem under a coordinated and strategic effort to bring AI into operational practices.