ISSUES OF INTERPRETATION 1. Protection of personal data of trafficked persons

(a) Processing the personal data of trafficked persons

Due to the clandestine nature of this crime, ‘reliable and holistic information on the magnitude of the problem is limited’.³² Efforts to improve the data concerning trafficking in human beings is largely concentrated on data of trafficked persons.³³ A common system in many countries is that several stakeholders, including non-governmental organisations (NGOs), collect data and share it with a central data collector. Data collectors may require data in an identifiable form in order to avoid, for instance, double counting of cases in a database.

Personal data might be shared between NGOs and a governmental data collector. Sharing or storing data would fall under processing of personal data of trafficked persons. Any violation of data protection of personal data can have far-reaching consequences. Possible risks can comprise of re-trafficking or stigmatisation, preventing (re-)integration or access to the labour market.³⁴Therefore, the protection of personal data as foreseen in Article 11 plays an essential role.

Article 11(1) states that personal data of victims have to be stored and used in conformity with conditions of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.³⁵ In 2018, the Convention underwent a modernisation process, which led to enhanced consistency of the CoE framework on data protection with the EU data

29 EU Victims’ Rights Directive, Art 21(1).

30 Ibid., Art 21(2).

31 CoE Convention against Trafficking, Art 11(3).

32 Gerry et al, 212. For a critical assessment on the lack of data concerning trafficking in human beings, see Claudia Aradau, ‘Human Trafficking between data and knowledge’, presentation at the conference ‘Data protection and right to privacy for marginalized groups: a new challenge in anti-trafficking policies’ (Berlin, 25–27 September 2013) and Uhl, 410.

33 Uhl, 410.

34 Gerry et al, 213.

35 This text is based on the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data as amended by Protocol CETS. 223 (Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) which was adopted on 10 October 2018. The updated Convention (thereinafter Modernised Convention 108) will enter into force after the ratification of five Council of Europe Member States.

11.14

11.15

152

protection reform package.^{36 37}The Modernised Convention 108 defines personal data as ‘any information relating to an identified or identifiable individual’³⁸ and is applicable to data processing in the private and public sector, hence applies also to data protection in the area of police and criminal justice.³⁹

In relation to trafficking in human beings, one may distinguish between two general categories of victim data that constitutes personal data. First, there is general identification data, which usually includes the name and birthdate of the victim. Second, there is personal data that relates to further details of the trafficking case itself, such as the type of exploitation.

Furthermore, two general purposes for personal data collection can be distinguished: (1) personal data collected in the framework of investigation and prosecution of criminal offences and the execution of criminal penalties; and (2) data collected in order to be able to have comprehensive statistical information on trends in trafficking in human beings. The necessary safeguards to protect these personal data may vary according to the category and depend on the context in which the collection of data takes place.⁴⁰

Applicable to all data processing operations are the basic principles described in Article 5 of the Modernised Convention 108, which holds that data processing shall be processed in a way

‘proportionate in relation to the legitimate purpose pursued’ to provide a fair balance between the interests concerned for data collection and the rights and freedoms at stake.⁴¹ These principles include lawfulness of processing, transparency, purpose limitation, data minim-isation, data accuracy and data security.⁴²

For the processing of personal data related to offences, criminal proceedings and convictions, as opposed to data collected within investigations and prosecutions of criminal offences, specific rules apply. Such processing relating to offences or criminal proceedings is only allowed where appropriate safeguards are implemented in order to protect from interferences with interests, rights and fundamental freedoms of the data subject, for instance, discrimin-ation as a result of the data processing.⁴³Hence, personal data concerning trafficking in human beings, for instance, the information that a person is a victim of trafficking, falls under this special protection of ‘sensitive data’. Sensitive data requires special safeguards, which are to be applied alone or cumulatively, such as: explicit consent of the data subject (the trafficked person in the context of Article 11 of the Convention); a law covering the intended purpose

36 The EU data protection reform package consists of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119/1) (thereinafter General Data Protection Regulation) and Directive 2016/680/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119/89).

37 Council of Europe,Explanatory Report to the Protocol amending the CoE Personal Data Protection Convention, para 3.

38 Modernised Convention 108, Art 2(a).

39 European Union Agency for Fundamental Rights and Council of Europe,Handbook on European Data Protection Law (2018) 273.

40 Gerry et al, 213 and Modernised Convention 108, Art 11.

41 Modernised Convention 108, Art 5(1).

42 Ibid., Art 5(4).

43 Ibid., Art 6.

D. ISSUES OF INTERPRETATION

11.16

11.17

11.18

and means of the processing or indicating the exceptional cases where processing such data would be permitted; a professional secrecy obligation; measures following a risk analysis or technical security measures such as data encryption.⁴⁴

For data collected in criminal investigations, there are exceptions from data protection rules to allow for flexibility and more effective results.⁴⁵Still, nevertheless, these measures have to be provided for by law, proportionate and necessary in a democratic society. Hence no less intrusive means must be available.⁴⁶The respective safeguards can be of technical nature and an organisational nature, including adjusting the safeguards to different categories of data.⁴⁷ The CoE Recommendation regulating the use of personal data in the police sector⁴⁸requires to make a clear distinction in how the police processes personal data that relates to different categories of persons, for instance, suspects, victims and witnesses.⁴⁹Generally, police should apply at all stages of data processing the relevant principles: the principles of necessity, proportionality and purpose-bound data processing.⁵⁰

In relation to the lawfulness of data processing, it must be ensured that the processing operation is based on a legitimate basis. As mentioned above, the Modernised Convention 108 implies the consent of the data subject as one option among others to legitimatise the processing of sensitive data.⁵¹ The consent has to be freely given, specific, informed and unambiguous. Consent can consist either of a statement or a clear affirmative action. Silence, inactivity or pre-validated forms or boxes cannot constitute consent. The trafficked person has to be informed about the implications of his or her decision; hence, it has to be explained what the consent entails.⁵²This also means that the authority processing the data has to be able to provide a detailed definition of the purpose, including time frame and definition of the legitimate interest.⁵³

Data protection in anti-trafficking action (datACT), an initiative of NGOs on data protection in anti-trafficking responses,⁵⁴ recommends non-governmental data collectors to make sure that (presumed) trafficked persons give their informed written consent before collecting their personal data. At the same time, the organisation should assign a staff member as a contact person in case the trafficked person wants to withdraw their consent, to access or to rectify his

44 Council of Europe,Explanatory Report to the Protocol amending the CoE Personal Data Protection Convention, para 56.

45 Gerry et al, 213 and Modernised Convention 108, Art 11.

46 Modernised Convention 108, Art 11 and Council of Europe, Explanatory Report to the Protocol amending the CoE Personal Data Protection Convention, para 91.

47 Council of Europe Consultative Committee of the CoE Personal Data Protection Convention,Practical Guide on the Use of Personal Data in the Police Sector, 15 February 2018, T-PD(2018)01, 4.

48 Council of Europe, Recommendation no. R(87)15 of the Committee of Ministers to Member States regulating the use of personal data in the police sector, 17 September 1987, in the following ‘CoE Police Recommendation’.

49 Council of Europe Consultative Committee of the CoE Personal Data Protection Convention,Practical Guide on the Use of Personal Data in the Police Sector, 3. This is based on CoE Police Recommendation, principle 3.2.

50 Council of Europe Consultative Committee of the CoE Personal Data Protection Convention,Practical Guide on the Use of Personal Data in the Police Sector, 3.

51 Council of Europe,Explanatory Report to the Protocol amending the CoE Personal Data Protection Convention, para 56.

52 Ibid., para 42.

53 Data protection in anti-trafficking action (datACT),Data Protection Challenges in Anti-Trafficking Policies – A Practical Guide(2015) 74.

54 Data protection in anti-trafficking action (datACT) <https://www.kok-gegen-menschenhandel.de/en/kok-projects/

data-protection-datact> (accessed 18 August 2020).

11.19

11.20

11.21

154

or her data.⁵⁵ Regarding the consent to be freely given, it has to be ensured that the consent

‘represents the free expression of an intentional choice’ of the victim. Thus, the victim must, in fact, have a free choice to consent without being subject to any undue influence or pressure such as intimidation or coercive measures.⁵⁶Otherwise, consent cannot be used as a legitimate basis for data processing.

According to the principle of data minimisation, personal data should be processed in a way that is ‘adequate, relevant and not excessive in relation to the purposes for which they are processed’.⁵⁷‘Not excessive’ means that data processing ‘should be limited to what is necessary for the purpose for which it is processed’.⁵⁸The ‘not excessive’ requirement does not refer only to the quantity of data collected but also to the quality of the data: ‘Personal data which is adequate and relevant but would entail a disproportionate interference in the fundamental rights and freedoms at stake should be considered as excessive and not be processed.’⁵⁹Already at the stage of investigating trafficking in human beings, the application of the principle of data minimisation should entail an analysis of which personal data is, in fact, essential for the investigation.⁶⁰

Moreover, it is essential to provide victims with information regarding the existence of their right to data protection, the categories of personal data processed, the legal basis and purposes as well as the recipients of these data.⁶¹ In the context of criminal investigations, this transparency can be restricted, however, only if provided for by law and if it respects the essence of the fundamental right to privacy and data protection and constitutes a necessary and proportionate measure.⁶²Considering the stigma a person that is declared as a victim of human trafficking may face,⁶³ emphasis should further be given on the accuracy of the data, which includes keeping the data up to date and routinely checking its accuracy.

GRETA reports show that various data collection models with different safeguards are applied. Several reports refer to the application of national data protection legislation.⁶⁴ In Cyprus, files on trafficking in human beings held by the Asylum Service are confidential and no details are stored in any electronic database, except basic data.⁶⁵In Poland, personal data is stored by the National Consulting and Intervention Centre, which is funded by the Ministry of Interior, based on the victims’ consent concerning the use of their data. Further technical

55 Data protection in anti-trafficking action (datACT), Data protection standards for NGO service providers, 2,

<https://www.kok-gegen-menschenhandel.de/fileadmin/user_upload/medien/Projekte/datact_standards_en_2018.pdf>

(accessed 18 August 2020).

56 Council of Europe,Explanatory Report to the Protocol amending the CoE Personal Data Protection Convention, para 42.

57 Modernised Convention 108, Art 5(4)(c).

58 Council of Europe,Explanatory Report to the Protocol amending the CoE Personal Data Protection Convention, para 52.

59 Ibid.

60 Europol Joint Supervisory Body,Victims of Trafficking in human beings, a data protection perspective(2016) 13.

61 Modernised Convention 108, Art 8.

62 Ibid., Art 11.

63 Gerry et al, 214.

64 See for instance GRETA,Report on Belgium, II GRETA(2017)26, paras 132–133; GRETA,Report on Croatia, II GRETA(2015)33, para 118; GRETA,Report on Moldova, II GRETA(2016)9, para 126.

65 GRETA,Report on Cyprus, II GRETA(2015)20, para 98.

D. ISSUES OF INTERPRETATION

11.22

11.23

11.24

safeguards are that the data are saved on an internal computer system without network access and secured by a password.⁶⁶

When police are collecting personal data during, for instance, an investigation of a case of trafficking in human beings and these data are at a later stage used for a different purpose, the principle of purpose limitation entails that the rules of subsequent use of data have to be applied.⁶⁷ For instance, data on trafficked persons are collected in the course of prosecuting trafficking in human beings. After completing the prosecution, the data are stored in a database to deduct statistical data on trafficking or, as mentioned in GRETA’s report on Albania, to monitor the situation of trafficked persons and their reintegration.⁶⁸ Subsequent use of personal data has to be undertaken for a legitimate aim, should be necessary and proportionate to the legitimate aim pursued. Personal data related to victims, however, require additional care and the principles of necessity and proportionality need specific attention.⁶⁹ Storing personal data to monitor the reintegration of trafficked persons – with interest in preventing trafficking in human beings – interferes with the right to privacy of the trafficked persons and therefore might infringe the principle of proportionality.

(b) Compiling reliable statistical data on trafficking in human beings

As regularly held by GRETA, Member States should set up a comprehensive and coherent information systems on trafficking in human beings by compiling reliable statistical data,⁷⁰ since data are needed to prepare, monitor and evaluate anti-trafficking policies. Consequently, personal data on trafficked persons may be collected in order to be able to provide statistical data at a later stage. At a certain stage of data processing, personal data turns into statistical data. Since the personal data relates to an offence or criminal proceedings, these data are sensitive data.

The CoE Recommendation concerning the protection of personal data collected and processed for statistical purposes⁷¹gives further guidance on how personal data has to be processed for statistical purposes. Generally, as soon as data are no longer necessary in an identifiable form, it should be made anonymous.⁷²Moreover, sensitive data collected for statistical purposes should be collected in such a way that the data subject is not identifiable.⁷³ In the case that the processing of sensitive data for specified, legitimate statistical purposes requires the identifi-cation of the data subject (the trafficked person in this context), then a law has to provide for (further) appropriate safeguards. For example, the identification data are separated from the

66 GRETA,Report on Poland, II GRETA(2017)29, para 133.

67 Council of Europe Consultative Committee of the CoE Personal Data Protection Convention,Practical Guide on the Use of Personal Data in the Police Sector, 15 February 2018, T-PD(2018)01, 4.

68 GRETA,Report on Albania, II GRETA(2016)6, paras 128–129.

69 Council of Europe Consultative Committee of the CoE Personal Data Protection Convention,Practical Guide on the Use of Personal Data in the Police Sector, 15 February 2018, T-PD(2018)01, 4.

70 See, for instance, GRETA,Report on Armenia, I GRETA(2012)8, para 75.

71 Committee of Ministers, Recommendation No. Rec(97)18 of the Committee of Ministers to Member States concerning the Protection of Personal Data collected and processed for Statistical Purposes, 30 September 1997.

72 See for instance also the recommendation of the Maltese Office of the Data Protection Commissioner to anonymise data on trafficking for research and statistics as soon as possible, GRETA,Report on Malta, II GRETA(2017)3, para 104.

73 Council of Europe,Explanatory Report to the Protocol amending the CoE Personal Data Protection Convention, para 61.

11.25

11.26

11.27

156

rest of the data ‘as from the stage of collection’.⁷⁴ Use of a pseudonym or of any digital identifier or digital identity can be regarded as another appropriate safeguard for data security.

However, it does not make personal data anonymous, and thus, the rules on data protection continue to apply. Hence, when data are indirectly related to individuals by using a digital identifier, for instance, in order to avoid double-counting of cases in a database, these data have to be still considered also as personal data.⁷⁵

Applying these standards to the context of data collection on trafficking in human beings would imply that data need to be depersonalised as early as possible. Hence, data should be depersonalised by the primary data collector, for instance, the NGO, and after that shared with, for example, the national rapporteur or any other organisation or authority that is tasked by the State with monitoring and evaluating the situation on trafficking in the country. Gerry, Muraszkiewicz and Vavoula state that when depersonalisation and anonymisation are not possible, then data controllers, whether governmental or non-governmental, should avoid processing excessive information and the storage of data in large-scale databanks. The risk of unauthorised access and abuse is significantly higher in the case of large-scale databanks.⁷⁶ Furthermore, in the light of the principle of data minimisation, it is necessary to limit the data to those that are, in fact, essential for the purpose of having reliable statistical data. As pointed out by GRETA, disaggregated data concerning ‘sex, age, type of exploitation, country of origin and/or destination’⁷⁷are necessary. Hence processing of personal data for gathering statistical data should be limited to those categories.

Several State Parties, disaggregated data are provided by several actors, including NGOs, and collected by a central data collector. For example, the Observatory of Trafficking in Human Beings in Portugal runs a database.⁷⁸ Further examples of this method can be found for instance in the Former Yugoslav Republic of Macedonia⁷⁹and Sweden.⁸⁰ Another group of State Parties that do not have a body centralising the statistical data collected by several actors consists of, for instance, Austria,⁸¹ Italy,⁸² or Latvia.⁸³ In the Netherlands, personal data of (presumed) trafficked persons provided by various actors are first collected by an NGO and then, in a second step, anonymised and submitted to the national rapporteur.⁸⁴

GRETA stresses that it is necessary to include ‘victims of [trafficking in human beings]

identified by law enforcement agencies, NGOs and other relevant bodies regardless of whether criminal proceedings have been instituted and whether the persons have given testimony

74 Committee of Ministers, Recommendation No. Rec(97)18, paras 3.3 and 4.8.

75 Council of Europe,Explanatory Report to the Protocol amending the CoE Personal Data Protection Convention, para 18. See also on this matter European Data Protection Supervisor,EDPS comments on the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – ‘The EU Strategy towards the Eradication of Trafficking in Human Beings 2012–2016’(10 July 2012) 3.

75 Council of Europe,Explanatory Report to the Protocol amending the CoE Personal Data Protection Convention, para 18. See also on this matter European Data Protection Supervisor,EDPS comments on the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – ‘The EU Strategy towards the Eradication of Trafficking in Human Beings 2012–2016’(10 July 2012) 3.

Im Dokument A COMMENTARY ON THE COUNCIL OF EUROPE CONVENTION ON ACTION AGAINST TRAFFICKING IN HUMAN BEINGS (Seite 187-196)