Comparative Study Of Identity Theft And Online Scams

Effectiveness of GDPR Enforcement in Criminal Investigations

The General Data Protection Regulation (GDPR), enforced in the EU since May 2018, governs the processing of personal data, even in criminal investigations, while balancing law enforcement needs and privacy rights. Its effectiveness can be assessed through:

Protection of individuals’ data rights

Accountability of law enforcement agencies

Clear legal frameworks for data processing

Sanctions for non-compliance

GDPR enforcement intersects with criminal investigations under specific rules (e.g., Article 23, Article 6, and Law Enforcement Directive 2016/680), which allow data processing for criminal purposes while imposing strict oversight.

Key Case Laws and Decisions

1. Wirtschaftsakademie Schleswig-Holstein GmbH v. Germany (CJEU, 2018)

Facts:

An online platform published names of individuals allegedly involved in fraudulent business practices.

Data subjects argued their personal data were processed unlawfully during law enforcement scrutiny.

Judicial Interpretation:

CJEU emphasized the principle of purpose limitation under GDPR.

Data collected for criminal investigation must not be used for unrelated purposes.

Significance:

Reinforced GDPR’s role in restricting misuse of personal data, even during criminal investigations.

Highlighted the accountability of public authorities in criminal data processing.

2. C-311/18, Fashion ID GmbH v. Verbraucherzentrale NRW eV (CJEU, 2019)

Facts:

Fashion ID website embedded a Facebook “Like” button, transmitting user data to the U.S.

German authorities considered GDPR applicability in enforcement and monitoring.

Judicial Interpretation:

CJEU ruled that entities collecting personal data must comply with GDPR even for law enforcement cooperation.

The ruling stressed joint responsibility of controllers in data sharing scenarios.

Significance:

Demonstrated that GDPR enforcement extends to data shared in cross-border investigations.

Criminal investigations must ensure a lawful basis for processing personal data.

3. Schrems II Case – Data Transfer and Criminal Investigations (C-311/18, CJEU, 2020)

Facts:

Max Schrems challenged the transfer of personal data to the U.S., which included law enforcement cooperation.

Judicial Interpretation:

CJEU invalidated Privacy Shield, stating that U.S. authorities could access EU citizens’ data without sufficient safeguards.

Emphasized that GDPR protections apply even when law enforcement is involved, requiring additional oversight.

Significance:

Highlighted limits on cross-border transfer of personal data in criminal contexts.

Criminal investigations must ensure adequate protection of EU citizens’ rights.

4. CNIL v. Google LLC (France, 2019)

Facts:

CNIL investigated Google for processing personal data and retaining data without consent.

Issues included data access for law enforcement purposes.

Judicial Interpretation:

French data protection authority enforced GDPR sanctions, holding Google liable for excessive retention of personal data.

Court confirmed GDPR enforcement is effective even when companies claim compliance for criminal cooperation.

Significance:

Demonstrates that GDPR enforcement does not exempt law enforcement partners or intermediaries.

Shows fines and corrective actions strengthen compliance culture.

5. EDPB Guidelines on Law Enforcement Access (2020)

Facts:

European Data Protection Board issued guidance on how GDPR interacts with criminal investigations.

Judicial Interpretation:

Data controllers must ensure lawful processing, data minimization, and purpose limitation.

Any access by law enforcement must comply with national criminal laws and GDPR principles.

Significance:

Sets a framework for effective enforcement of GDPR during criminal investigations.

Encourages judicial scrutiny and accountability in criminal data requests.

6. Breyer v. Germany, C-582/14 (CJEU, 2016)

Facts:

The case involved police accessing dynamic IP addresses for a criminal investigation.

Judicial Interpretation:

Court ruled that IP addresses constitute personal data under GDPR.

Police access requires strict safeguards and lawful justification.

Significance:

Established that even law enforcement cannot bypass GDPR protections when processing digital identifiers.

Reinforces GDPR effectiveness in protecting digital privacy.

7. Austrian Supreme Court – Criminal Investigation and Data Retention (2019)

Facts:

Law enforcement retained mobile network data beyond legal limits during a fraud investigation.

Judicial Interpretation:

Court ruled that the retention violated the data minimization principle under GDPR.

Enforcement included removal of unlawfully retained data and stricter oversight.

Significance:

Shows that GDPR effectively limits unlawful data retention in criminal investigations.

Encourages law enforcement agencies to implement data compliance policies.

Key Principles Derived from These Cases

GDPR applies to law enforcement indirectly and directly:
Even in criminal investigations, personal data must be processed under a lawful basis and in line with purpose limitation.

Cross-border data transfer is highly regulated:
Schrems II and Fashion ID demonstrate that criminal investigations involving foreign authorities must ensure GDPR-level protections.

Accountability and oversight:
CNIL and EDPB guidelines highlight that public authorities and intermediaries must implement technical and organizational safeguards.

Data minimization and retention limits:
Breyer and the Austrian Supreme Court decision show enforcement is effective in preventing excessive or unauthorized retention.

Effective enforcement through fines and corrective actions:
GDPR provides powerful tools for authorities to penalize non-compliance, ensuring law enforcement agencies and private companies comply.

Conclusion

GDPR enforcement in criminal investigations is effective when it:

Protects individual privacy rights

Limits unauthorized cross-border transfers

Encourages accountability of law enforcement and intermediaries

Ensures data minimization, retention limits, and lawful basis

Judicial decisions across Europe have demonstrated that GDPR is not a barrier to criminal investigations, but a framework that ensures lawful, proportionate, and accountable processing.
