The LED’s right of access to one’s data: Loopholes on proper access, legality review and data protection authority Accountability

Abstract

Directive 2016/680 (the Law Enforcement Directive (LED)) provides two procedures for the exercise of the rights of access to one’s data: a direct one under Article 14 LED (directly addressed to the law enforcement authority) and an ‘indirect’ one under Article 17 (3) LED, i.e., via the intermediary of the data protection authority (DPA). In the present paper we will argue that the latter procedure should be the exception and the Article 14 LED procedure should be seen as the default. We will analyse the weaknesses of the Article 17 (3) LED provision and then criticize its, in our opinion, flawed implementation into the national laws of Belgium, France and Germany. We will demonstrate that Article 17 (3) LED, as read in light of Article 15 LED on the restrictions to the right of access, might be interpreted incorrectly to allow for the ‘indirect’ access procedure to be evoked abusively. We will argue that it lacks the explicit language to guarantee the decision-making powers of DPAs when deciding what information to communicate to the concerned data subjects when answering their request. We will demonstrate how the examined Member State laws further restrict the powers of their DPAs, which endangers the effectiveness of the ‘indirect’ access procedure because they do not guarantee the accountability, transparency, and proper legality check by the DPAs which are called on to exercise the right of access indirectly.