Reprocessing of biometric data for law enforcement purposes:Individuals' safeguards caught at the Interface between the GDPR and the 'Police' directive?

The amount of biometric data (fingerprints, facial images, or voice samples) that private companies collect for various purposes is growing exponentially. Social media, such as Facebook, also hold certain types of personal data (e.g. photographs, audio-videos files) that can be reprocessed for biometric recognition purposes. These data are very valuable to law enforcement authorities as they can allow the identification of the individuals to whom they relate.This dissertation investigates whether the new EU data protection framework, composed of the GDPR and the ‘police’ Directive, provides sufficient safeguards to individuals whose biometric data collected by private parties are accessed by law enforcement authorities for further use. While searching for the answer, the study has uncovered important findings. Focusing on the core notion of ‘biometric data’, the research has revealed not only gaps between legal and technical definitions but also uncertainty concerning the type of data that qualify as such and fall within the scope of sensitive data. Analysing the rules applicable to data processing across instruments, the research has raised doubt on the role played by the principle of purpose limitation and on the formulation of the right to information in the ‘police’ Directive. Finally, in an attempt to provide recommendations, the research has relied on the tools of Data Protection by Design (by Default) and Data Protection Impact Assessment to help mitigate the risks to individuals’ right to data protection