Abstract
The large increase in the collection of location, communication, health data etc. from seized digital devices like mobile phones, tablets, IoT devices, laptops etc. often poses serious privacy risks. To measure privacy risks, privacy impact assessments (PIA) are substantially useful tools and the Directive EU 2016/80 (Police Directive) requires their use. While much has been said about PIA methods pursuant to the Regulation EU 2016/679 (GDPR), less has been said about PIA methods pursuant to the Police Directive. Yet, little research has been done to explore and measure privacy risks that are specific to law enforcement activities which necessitate the processing of large amounts of data. This study tries to fill this gap by conducting a PIA on a big data forensic platform as a case study. This study also answers the question how a PIA should be carried out for large-scale digital forensic operations and describes the privacy risks, threats we learned from conducting it. Finally, it articulates concrete privacy measures to demonstrate compliance with the Police Directive.
Highlights
The personal data processing of large-scale digital evidence in criminal investigations falls within the scope of Directive (EU) 2016/680 of the European Parliament and of the Council
Because of its broad scope, we use the term privacy impact assessments (PIA) instead of the term Data Protection Impact Assessment (DPIA) used in the Police Directive) has to be carried out is provided in Article 27(1) as follows:Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms of natural persons, Member States shall provide for the controller to carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data
The costs of using a PIA methodology not considering the unique nature of police activities can be insufficient identification of risks and difficulty in demonstrating compliance with the Police Directive. This paper addresses these issues by evaluating existent PIA methods, providing a comprehensive methodology for digital forensics based on hands-on experience with a particular attention to large-scale processing
Summary
The personal data processing of large-scale digital evidence in criminal investigations falls within the scope of Directive (EU) 2016/680 of the European Parliament and of the Council (the socalled Police Directive). Because of its broad scope, we use the term PIA instead of the term DPIA used in the Police Directive) has to be carried out is provided in Article 27(1) as follows:Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms of natural persons, Member States shall provide for the controller to carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data. This paper addresses these issues by evaluating existent PIA methods, providing a comprehensive methodology for digital forensics based on hands-on experience with a particular attention to large-scale processing.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
