The EU is developing a framework to govern data-driven policing, focused on safeguarding individual rights and ensuring transparency, accountability and proportionality. Data protection and privacy form the cornerstone of this regulatory apparatus, which includes the Law Enforcement Directive 2016, the Europol Regulation and the General Data Protection Regulation. However, these instruments did not anticipate the rapid growth and risks of emerging technologies such as AI, which prompted the Artificial Intelligence Act 2024 to be drafted with a sense of regulatory urgency. Despite this progress, the framework could still be improved to better support Data Protection Officers in supervising data-driven policing activities in the EU.

Data-driven policing refers to “the process of using data from several sources to help law enforcement determine […] where crimes are occurring [and] where they are likely to occur”. Key applications include real-time identification systems (such as automated licence plate readers, facial recognition and voice identification) and predictive policing tools, which forecast high-crime locations or potential offenders and victims.

Data-driven policing dates back to the 1970s, when the digitisation of law enforcement records created large computerised databases offering faster and more efficient access to information. Its spread was accelerated by the rise of Big Data and the development of technical means for the systematic analysis of data. Advances in AI and machine learning have since revolutionised the practice by enabling law enforcement agencies (LEAs) to process unprecedented amounts of data for improved crime prediction and prevention. Data-driven policing also helps LEAs address wider operational and organisational challenges, such as resource constraints. As more LEAs experiment with it, government bodies are responding to public concerns over data protection and privacy by introducing new regulations, including outright bans.

Balancing accuracy and privacy

The EU’s current legislative framework promotes the principle of data minimisation, which prevents law enforcement authorities from collecting more data than is strictly necessary, although LEAs benefit from exemptions and enjoy relative discretion in applying them. Effective data-driven policing, however, relies on extensive data collection to predict and prevent criminal activity more accurately, both in the training and testing phase of algorithms and in real-world deployment. Predictive policing, for example, uses AI and therefore depends on vast datasets to identify patterns of crime: not only must it be trained on large datasets to improve its accuracy, it must also process large quantities of data to advise LEAs reliably.

By way of example, the ‘ShotSpotter’ gunshot detection system is deployed to alert local authorities when a gunshot is detected. It relies on microphones and detection algorithms, and therefore needs a large dataset of gunshot sounds and related contextual information. The system has proved controversial: it can misclassify other loud noises as gunfire, and in low-density areas where few sensors are deployed it lacks the data to perform well, creating gaps in coverage. The result is either missed incidents of gun violence or the over-policing of certain communities.

A balance must therefore be struck between the accuracy of data-driven policing, which depends on comprehensive datasets, and respect for privacy, which requires preventing the mass and generalised collection of personal data.
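
To make this trade-off concrete, here is a minimal sketch (purely illustrative: it uses synthetic data and scikit-learn, neither of which is discussed above) showing how the same classifier typically loses predictive accuracy as its training data is pared back towards a data-minimisation ideal:

```python
# Illustrative sketch only: synthetic data stands in for incident records.
# The same model is trained on progressively smaller samples to show how
# accuracy tends to fall as the training data is minimised.
from sklearn.datasets import make_classification
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import accuracy_score
from sklearn.model_selection import train_test_split

X, y = make_classification(n_samples=20_000, n_features=20, random_state=0)
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.25, random_state=0)

for fraction in (1.0, 0.1, 0.01):
    n = int(len(X_train) * fraction)
    model = RandomForestClassifier(random_state=0).fit(X_train[:n], y_train[:n])
    accuracy = accuracy_score(y_test, model.predict(X_test))
    print(f"trained on {n:>6} records -> test accuracy {accuracy:.3f}")
```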

Overcoming algorithmic bias and achieving fairness

The data fed into data-driven policing tools carries inherent bias, since police data reflects geographical, political and social biases. Historical crime data, for instance, is particularly prone to selection bias, as it often comes from periods when policing practices were discriminatory. Criminal data is also prone to errors: it may be incomplete, wrongly entered or overlooked. These flaws reinforce biases in predictions and can lead to erroneous judgements in law enforcement decision-making, with disastrous consequences such as wrongful convictions or increased stigmatisation of certain communities. They can even create a vicious circle: over-policed communities generate more data, which further reinforces the bias. The London ‘Gang Matrix’ is a case in point. It is a Metropolitan Police database used to track and assess people involved in or associated with gangs, assigning each a risk score, based on their history of violence and on assessments and recommendations by police intelligence analysts and partner organisations, to estimate their likelihood of being involved in gang violence. Although there are no explicit legal consequences for those who have been ‘matrixed’, individuals do become subject to increased police surveillance.
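
The vicious circle can be illustrated with a deliberately simplified simulation (a hypothetical sketch with invented numbers, not a model of the Gang Matrix or any real force): two areas have identical underlying incident rates, but patrols follow the recorded data, and only patrolled areas generate new records, so the area that starts over-represented stays over-represented:

```python
import random

random.seed(0)

# Simplified, hypothetical feedback-loop sketch: two areas with the SAME true
# incident rate, but area B starts with more *recorded* incidents (e.g. due to
# historical over-policing). Each day the single patrol is sent to the area
# with the larger record, and only patrolled areas generate new records.
true_rate = {"A": 0.5, "B": 0.5}    # identical underlying incident probability
recorded = {"A": 30, "B": 40}       # biased starting data

for day in range(365):
    target = max(recorded, key=recorded.get)    # "predictive" patrol allocation
    if random.random() < true_rate[target]:     # an incident occurs and is observed
        recorded[target] += 1                   # ...and feeds the next prediction

print(recorded)   # e.g. {'A': 30, 'B': ~220}: the gap grew although rates were equal
```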

Addressing algorithmic bias is therefore crucial for ensuring fairness in law enforcement practices and upholding data protection rights of individuals.

Fostering transparency and accountability

Data-driven tools are often based on complex and proprietary algorithms, rendering the practice opaque. Predictive policing, for example, relies on complex machine learning models that have been described as ‘black boxes’, whose workings and decisions even experts cannot always explain. The software is generally owned by private companies that are not required to disclose their code, which undermines transparency. The controversy surrounding COMPAS (Correctional Offender Management Profiling for Alternative Sanctions), a risk-scoring system developed by a private company, highlights the lack of transparency and accountability of ‘black box’ algorithms. COMPAS generates ‘risk scores’ for individuals in the criminal justice system, which judges then use to inform sentencing, parole and bail decisions. The opaque nature of this proprietary system raises serious questions of fairness and undermines the fundamental principles of justice in a democracy: defendants and courts cannot understand, let alone challenge, how these life-changing scores are calculated.

This situation hampers access to information, impedes algorithm audits and leads to a lack of explainability, which is crucial for LEAs to legitimise their actions and be held accountable. It also poses significant challenges for those who must ensure compliance with privacy regulations, highlighting the need for clear standards and practices that reinforce transparency and accountability in data-driven policing.

Enforcement by data protection authorities is hampered by a lack of resources

Data protection authorities currently lack resources across all sectors. A recent report by the EU’s Fundamental Rights Agency found, for instance, that this shortage is undermining data protection enforcement in the EU, with Data Protection Officers struggling to cope with a growing number of requests, limited human and financial resources, and an increasingly heavy workload. The same issues affect the LEA data protection community, all the more so in Member States with fewer resources.

Countries such as Ireland, Greece and Romania have all reported struggling to meet the growing demands of data protection oversight while short of funding and staff, or while competing with the private sector for skilled personnel. The result is inadequate oversight, mounting complaints and delays.

Addressing these resource gaps is essential to improving data protection enforcement, and a coordinated approach at EU level is needed to prevent some Member States from falling behind.

Three steps forward

First, there is a need to enhance transparency and independent oversight. As a regulatory pioneer, the EU has introduced a robust framework for data protection and privacy, while allowing LEAs to exercise a degree of discretion for reasons of national security. To remedy this inherent opacity, mandatory independent control mechanisms must be implemented, including regular algorithm audits; checks on data quality and compliance with data protection regulations; and access to technical information about the software used by LEAs. Where proprietary concerns restrict full disclosure, private providers could instead subject their algorithms to scrutiny through impact assessments. Presenting these guarantees could go a long way towards improving public trust.
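
One concrete form such an audit could take (a minimal, hypothetical sketch: the records are invented and the single metric shown is only one of many an auditor would examine) is comparing a risk-scoring tool’s error rates across demographic groups, the kind of disparity at the centre of the COMPAS controversy:

```python
# Hypothetical audit sketch: compare false positive rates of a risk-scoring
# tool across two groups. A real audit would cover more metrics, data quality
# checks and documentation review; this only illustrates the mechanics.
from collections import defaultdict

# Each record: (group, predicted_high_risk, actually_reoffended) - invented data.
records = [
    ("group_1", True,  False), ("group_1", False, False), ("group_1", True,  True),
    ("group_2", True,  False), ("group_2", True,  False), ("group_2", False, True),
]

false_pos = defaultdict(int)
negatives = defaultdict(int)
for group, predicted, actual in records:
    if not actual:                     # person did not reoffend
        negatives[group] += 1
        if predicted:                  # ...but was flagged high risk anyway
            false_pos[group] += 1

for group in sorted(negatives):
    fpr = false_pos[group] / negatives[group]
    print(f"{group}: false positive rate = {fpr:.2f}")
```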

Second, expand resources for LEA Data Protection Officers. Effective data protection enforcement cannot happen without well-resourced, adequately trained, staffed and equipped officers overseeing data-driven policing. Funding and training should be increased across Member States so that all of them can handle the complexities of data-driven policing, ensuring consistency across the Union.

Lastly, raising public awareness of data-driven policing is essential to build trust and address privacy and civil liberties concerns. Open dialogue between LEAs and civil society can improve the transparency and accessibility of data-driven policing practices. Data Protection Officers, sitting at the intersection of these interests, can play a particularly important role in demystifying data-driven policing, helping this knowledge reach beyond expert circles to the general public and fostering trust through collaboration with police communication channels.

Originally published in The Azure Forum for Contemporary Security Strategy https://azureforum.substack.com/p/data-protection-and-privacy-in-data 

Apolline Rolland is a cybersecurity and strategic intelligence consultant at Forward Global, a global risk management company, where she works on digital transformation issues in the security and defence sectors.
