DNA and Law Enforcement in the European Union: Tools and Human Rights Protection

Since its first successful use in criminal investigations in the 1980s, DNA has become an important tool to identify the guilty and to absolve the innocent. It provided the impetus to set up national DNA databases and legal provisions to use DNA-related data as forensic evidence. Today, given the prospect of an increasingly interconnected society, in which technical resources and technological advances allow a confusingly fast flow of people and instantaneous information on a worldwide level, the evolution of the phenomenon of crime is not lagging behind, but is keeping in step with the process of transnationalisation and is taking advantage thereof. In view of this situation, the investigation and prosecution of crime have to overcome borders by means of various judicial and police cooperation instruments, in particular those on mutual assistance and information exchange. One of the most important boosts provided over the last few years in combating transnational crime has been the development of the Convention between the Kingdom of Belgium, the Federal Republic of Germany, the Kingdom of Spain, the French Republic, the Grand Duchy of Luxembourg, the Kingdom of the Netherlands and the Republic of Austria on the stepping up of cross-border cooperation, particularly in combating terrorism, cross-border crime and illegal migration (the Prüm Treaty) and its partial transformation into a EU-wide cooperation tool under Council Decision 2008/615/JHA1 and Council Decision 2008/616/JHA.2 Within this cooperation framework, the exchange of DNA profiles and related personal data acquires great relevance, given the usefulness and universality of the information it offers for investigations and prosecutions. However, there is also a grey area concerning this issue, as it poses a series of risks for fundamental rights and not all aspects of DNA collection, analysis and exchange are unified on the EU level while national provisions vary a great deal.


Introduction
Since its first successful use in criminal investigations in the 1980s, DNA has become an important tool to identify the guilty and to absolve the innocent. It provided the impetus to set up national DNA databases and legal provisions to use DNA-related data as forensic evidence.
Today, given the prospect of an increasingly interconnected society, in which technical resources and technological advances allow a confusingly fast flow of people and instantaneous information on a worldwide level, the evolution of the phenomenon of crime is not lagging behind, but is keeping in step with the process of transnationalisation and is taking advantage thereof.
In view of this situation, the investigation and prosecution of crime have to overcome borders by means of various judicial and police cooperation instruments, in particular those on mutual assistance and information exchange.
One of the most important boosts provided over the last few years in combating transnational crime has been the development of the Convention between the Kingdom of Belgium, the Federal Republic of Germany, the Kingdom of Spain, the French Republic, the Grand Duchy of Luxembourg, the Kingdom of the Netherlands and the Republic of Austria on the stepping up of cross-border cooperation, particularly in combating terrorism, cross-border crime and illegal migration (the Prüm Treaty) and its partial transformation into a EU-wide cooperation tool under Council Decision 2008/615/JHA 1 and Council Decision 2008/616/JHA. 2 Within this cooperation framework, the exchange of DNA profiles and related personal data acquires great relevance, given the usefulness and universality of the information it offers for investigations and prosecutions. However, there is also a grey area concerning this issue, as it poses a series of risks for fundamental rights and not all aspects of DNA collection, analysis and exchange are unified on the EU level while national provisions vary a great deal.
The article aims to: -present the importance of DNA-related data for criminal investigations; -study the EU information exchange dimension in this area and to discover the possible reason for its success; -analyse which DNA collection, analysis, use and storage aspects are regulated by EU and national law and how they vary; and -examine possible violations of or limitations to fundamental rights while using DNA for criminal investigation purposes.

DNA as data which are of interest in crime investigation and prosecution
The first conviction based on DNA profiling evidence took place in 1987 in England. Colin Pitchfork was thereby sentenced to life imprisonment for the rape and murder of two girls. 3 In many cases of violent crime body fluids are transferred between the victim, the suspect and the crime scene and DNA profiling could be a key element in the investigation. 4 Thus far, DNA profiling has been very valuable in the investigation and prosecution of homicides and rapes, especially those that amount to serial crimes. For example, in the well known case of the rape and murder of a 13-year old English girl, Caroline Dickinson, in Pleine Fourgeres (Northern France), the attacker was of Spanish nationality, with a criminal record in the United Kingdom and he had committed similar attacks in Unites States of America (USA). An American civil servant had read about the crime in the UK, linked it through the modus operandi with the crimes committed in the USA, and the identification of the perpetrator was later confirmed through DNA analysis. In this case, DNA profiling assisted in not only finding the real offender, but also in acquitting another suspect. 5 In 2010 DNA profiling helped to identify and convict an Afghan national of committing a number of violent sex attacks in California between 2002 and 2004 and of a rape in Austria in 2009. 6 Very recently DNA samples proved to be useful in an investigation into the 'Boston Strangler' case -rapes and murder committed in 1964: ' Analysis of the DNA samples extracted from a water bottle drunk by the suspect's (died in 1973) nephew showed a strong family link to DNA recovered from the crime scene. This allowed the authorisation of the exhumation of the suspect's body for the final DNA testing. ' 7 The practice also reveals the utility of DNA profiling in some investigations related to organized crime as well. According to information by the International Criminal Police Organization (INTERPOL) in the case of the organised gang 'Pink Panthers' 'DNA samples recovered from crime scenes in France, Liechtenstein, Switzerland and the United Arab Emirates revealed links between three different types of crime -armed robbery, prison escape and the use of forged travel documents -and between a group of individuals' . 8 According to INTERPOL's Global DNA Profiling Survey 2008, 120 countries use DNA profiling in criminal investigations, 54 of them have national DNA databases and 26 plan to introduce a national DNA database. 9 For example, in Spain a comprehensive juridical structure regulating databases for identifiers obtained from DNA was established by Organic Law 10/2007. 10 Until then databases that included DNA profiles were functioning outside a specific and unified nationwide set of regulations. 11

Transnational DNA-related data exchange: a focus on the European Union
The contemporary trend of globalization and the openness of movement and communications has its dark side as it is being used to facilitate the preparation and commitment of crime and to escape from justice.
The examples provided in the previous part show that the collection of DNA samples and their analysis provides only partial advantages for the investigation; more advantageous is the possibility of their cross-border exchange and comparison.
On 9 June 1997 the Council of Europe adopted a Resolution on the exchange of DNA analysis results and invited EU Member States to establish compatible national DNA databases in order to exchange data from the non-coding part of the DNA molecule. 12 Later, the Council Resolution of 25 June 2001 on the exchange of DNA analysis results 13 (with the relevant amendments made in 2009) 14 established a minimum number of DNA markers (loci) that have to be used for forensic analysis.
Outside the EU, interest is also being shown in the exchange of DNA files: 'the G8 Ministers have commented on the importance of using DNA-based evidence in the investigation of terrorism and other crimes, and urged their experts to continue to examine ways of improving the exchange of this kind of data' . 15 Not long ago DNA profiles were only exchanged on an individual basis through different cooperation channels: by sending requests to other countries through INTERPOL's or the European Police Office's (Europol) national units and liaison officers, through bilateral or multilateral liaison officers posted in foreign countries or regions, or other legally established ways (mainly on the basis of bilateral or multilateral agreements).
The exchange of individual DNA profiles, however, does not prove to be very useful; first of all, the request must be made to each state which is thought likely to possess information, or in some cases there is no clue as to the possible geographic location of the sought DNA profile and different channels are needed to send a request, and secondly, the requesting authority is not permitted to search for and compare profiles and the whole administrative burden of a search and comparison falls on the shoulders of the requested country.
This situation changed a decade ago with the establishment of INTERPOL DNA Gateway and the development of an automated DNA profile searching system within the EU that will be the object of the following analysis. migration. The main objective of the Treaty was to enhance cooperation by a system of exchanging information, including DNA-related data.

Cooperation in the EU
Subsequently, some other EU Member States joined the Prüm Treaty, and finally, with the initiative of Germany in 2007, many of its provisions had been approved by the Council of the European Union as Council Decisions and became part of the acquis communautaire. 16 'It supposes to offer legal and technological instruments to fight terrorism and international crime more efficiently, compensating potential negative spill-overs of the Schengen area' . 17 Council Decision 2008/615/JHA obliges EU Member States to establish national databases and provides for rules for the competent authorities of other EU Member States to search in national DNA, dactyloscopic and vehicle registration databases and is the first EU instrument that foresees direct access to the national databases of other countries.
It is important to point out a distinction between direct access to a DNA database and direct access to all the data stored in a DNA database. Member State A is allowed to search for a DNA profile in Member State B's DNA database and receives either a positive or negative reply (hit/no hit) regarding the existence of a relevant DNA profile and reference data (the non-coding part of DNA and a reference number). The searching Member State A directly receives only reference data that can be called 'anonymous' , 18 but there is no direct access to data related to the matched DNA profile. In order to obtain personal data from the DNA database it must send an additional request to Member State B.
That means that the searching Member State will never obtain data about a DNA profile that does not match the one submitted for the search and personal data will only be provided on the basis of a DNA profile match and the provision of additional information about the purpose of obtaining this data.
The procedure for obtaining data related to the 'hit' depends on the national law of the requested Member State and this could be carried out according to mutual assistance procedures, bilateral agreements on information exchange, Council Framework Decision 2006/960/JHA 19 and other legal instruments. It means that at the 'post-hit' stage relative information will be provided according to the rules on law enforcement or judicial cooperation, depending on the national law of the requested Member State and whether the requesting Member State will only use this information for an investigation or also for prosecution purposes. In the latter case, 'post-hit' information exchange will usually take the form of judicial cooperation. In all cases the establishment of 'hit' and 'post-hit' stages allows Member States to maintain absolute control over the data associated with DNA profiles.
In the context of DNA profile exchanges, under Council Decision 2008/615/JHA a few additional issues should be mentioned. First of all, only designated contact points that are usually either forensic science services, as they have direct contact with and expert knowledge on DNA profiles, or law enforcement units responsible for information exchange can perform searches in the national DNA databases of other countries. Secondly, Article 4 of Council Decision 2008/615/JHA allows a comparison, prior to bilateral consent, of the unidentified DNA profiles from one EU Member State with all DNA profiles from another national DNA database for the investigation of criminal offences. 20 The DNA-related data exchange mechanism established by the Prüm Treaty and Prüm Decisions differs a great deal from the international mechanism applied by INTERPOL. INTERPOL has its own DNA Database, but it acts simply as a channel for the exchange and comparison of information between different states, without nominal data linking the DNA profiles contained therein to specific persons and each country retains ownership of its DNA profile data and has a responsibility to process it according to national law. 21 The level of the use of both mechanisms facilitating DNA-related data exchange is reflected in the table below on the basis of statistics from 2012.

Statistics on the exchange of DNA-related data from 2012
Exchange There could be different reasons for such a huge difference in figures. Firstly, as the countries have to submit information about DNA profiles to the INTERPOL DNA Database and retain control over the destruction of and access to the DNA profiles by other countries, this is an additional administrative burden in addition to the maintenance of national databases. Secondly, the requested country has to check whether its requesting counterpart fulfils data protection requirements, whether the data provided will be used in accordance with its purpose, etc. Thirdly, in most cases EU Member States first consult the national databases of other EU Member States, as due to free movement within the Schengen area there is a major probability that a person has remained within the EU.
But the most important reason for such a significant difference is mutual trust among countries.

Mutual trust -the reason for an efficient DNA data exchange in the EU
The Stockholm Programme emphasises that mutual trust is a tool which is necessary for efficient cooperation between law enforcement bodies, judicial authorities and decision-makers. 22,23 In the case of DNA data exchange mutual trust means: -Trust in the searching country that searches of DNA profiles will be performed and DNA-related data will be used strictly for the purposes for which it was provided, with respect for human rights and appropriate legal and technical measures for data protection. -Trust in the requested country that the data provided is accurate and has been obtained according to the law and using appropriate technical standards.
Article 25(2) of Council Decision 2008/615/JHA establishes that the supply of personal data may not take place until data protection provisions are implemented in national law and the Council unanimously decides concerning every Member State and every category of data exchanged (DNA, dactyloscopic data, vehicle registration data) whether this condition has been met. 24 According to Article 20 of Council Decision 2008/616/JHA the Council takes its decision on the basis of an evaluation report which is prepared by experts from the already operational Member States. The report is based on information in a questionnaire, an evaluation visit and a pilot run of the relevant database and it states whether the evaluated Member State has established a data protection system and technical and legal requirements for making automated searches and obtaining data from other EU Member States and whether its database is compatible with the databases of other Member States. This means that before giving the Member State in question direct access to national DNA databases and the right to exchange DNA-related information, other Member States have a possibility to become acquainted with the level of its 'trustworthiness' .
Besides this, in 2009 Council Framework Decision 2009/905/JHA was adopted. 25 Its goal is the accreditation of EU Member States' forensic laboratories to the same EN ISO/IEC 125 standard so that the results of their activities (DNA profiles and dactyloscopic data) can be recognized and treated as being equally reliable in other EU Member States. 26 The accreditation of EU Member States' forensic laboratories to the same standard will significantly contribute to mutual trust concerning DNA collection and analysis and the quality of DNA profiles and related data.

Possible violations of fundamental rights
DNA sample collection, analysis, its submission to a DNA profile database, and a search and comparison are linked to fundamental rights.
Fundamental rights can be affected at various stages: firstly, when the DNA sample is taken, and secondly, when it is analysed. At these stages the limitation of these rights is different depending on whether the analysis is performed with respect to a known person or is carried out on material left behind by an unknown subject, because when the DNA profile is obtained from the crime scene or the victim, the key datum of identification is missing, and therefore no limitation exists with regard to the contents of the profile or its presence on a database.
Thirdly, citizens' rights can be limited when DNA profiles are submitted and processed (including in a search) in databases, and fourthly, on every occasion the data are transmitted to another country.
With the collection, analysis and processing of DNA profiles different fundamental rights could be violated, e.g. the right to physical and moral integrity, the right not to be subject to degrading treatment, the right not to incriminate oneself, the right to family privacy together with that of not incriminating descendants or relatives in general, the right of children to personal development and the right to informative self-determination.
According to Article 52 of the Charter of Fundamental Rights of the European Union, limitations on fundamental rights are allowed if they are '(…) subject to the principle of proportionality, (…) if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others' . 27 As DNA-related data are usually helpful instruments in the investigation of crimes that threaten the security of society some limitations to fundamental rights are allowed in this regard.
It has to be said that international legislation, with the exception of data protection, usually does not specify possible limitations on fundamental rights, but leaves this to the jurisprudence of national and international courts and national legislation.
In national legislation, such limitations on fundamental rights are in principle justifiable and proportional in the context of criminal proceedings, provided they are subject to the guarantees established in international and internal procedural regulations. For example, in Spanish legislation the proportionality criterion has partly been covered by establishing the possibility of collecting samples and storage profiles in a database when these are related to serious crimes, the identification of corpses and inquiries into missing persons.
Thus, if a DNA has been collected and its profile stored according to the regulations, a limitation on the rights of the subject is justified. Carrying out a search in the database by national competent authorities fulfils the natural purpose of the database and so the act is justified, providing it is performed in accordance with the criteria of reasonableness and proportionality, which would exclude, for example, a search for family members.
The transfer of DNA profiles and related data to another country is more complicated in view of fundamental rights as the principle of proportionality has to be assured by the law of both countries involved and not only by means of national law, but also international legal provisions common to those countries.
Council Decision 2008/615/JHA establishes broad rules on opening DNA files and the storage of DNA profiles for the purpose of investigating criminal offences, without specifying whether the criminal offence is serious or not. But it does not prohibit Member States from establishing stricter rules on DNA database content, as is done, for example, in Spain, limiting it to only DNA profiles related to serious crimes. Nevertheless, on the basis of Council Decision 2006/615/JHA, other EU Member States are allowed to make automated searches for DNA profiles for the investigation of any criminal offence without specifying whether it is serious or not. But in order to obtain personal data related to a matched DNA profile stricter national rules by the requested country are often applied, as the exchange of information and data depends on the laws and limitations of the Member State whose DNA database is being searched, for example if an automated search has been made for the investigation of any kind of crime and has resulted in a 'hit' , Spain will only provide DNA-related data if the search was related to a serious crime.

DNA sample collection and fundamental rights
It must be stressed that, as mentioned previously, the collection of samples from a suspect, whether that suspect has been arrested or is accused, represents the first of several possible infringements of fundamental rights, although the taking of samples in order to analyse DNA has traditionally fallen within the same category as external body searches or intrusive body searches involving physical intervention, depending on the degree of invasion the collection of the sample involves.
Consequently, it could be said that the fundamental rights that would be threatened with regard to the collection of samples, as the first step to be carried out in order to obtain DNA evidence, are the right to physical and moral integrity, the right not to be subjected to degrading treatment, the right to privacy and the right to non-self-incrimination.
With regard to the right to physical integrity, evidently it is not affected by the collection of saliva or hair samples, the most common samples which are taken these days, unlike other forms of physical intervention.
Concerning the right not to be subjected to degrading treatment, it is evident that there is no breach if the procedure itself cannot harm the person's dignity, provided it is performed within the framework of respect for the citizen.
With regard to self-incrimination, submitting samples for DNA analysis is very similar to alcoholmeasuring or blood test analyses and both international and national jurisprudence do not consider such procedures to amount to self-incrimination. For example, the former European Commission on Human Rights in case X. v the Netherlands recognized that submission to a blood test does not constitute a presumption of guilt which contravenes Article 6(2) of the European Convention on Human Rights. 28 As the results of the test could be positive or negative, this method of proof can be 'an advantage or disadvantage for the accused' . 29 According to the case law of the Spanish Constitutional Court (Tribunal Constitucional, TC) there is no relation between the right not to incriminate oneself and the right not to submit to such a test, and given that 'these analyses cannot be considered as, nor are, comparable to making a statement, not only does the right not to submit to them not exist, but in fact there is an obligation to do so' . 30 The TC makes a reference to the 'generic legitimacy the authorities have, in this kind of action, to proceed to investigate, by means of the judicial police, the detection of the commission of crimes, the aim or object which the study of the DNA of a person who could be classified as a suspect in a crime clearly serves' . 31 In conclusion, it could be said that only 'the right to privacy and the consistent rights to informative self-determination and genetic identity could be affected by the collection of DNA samples' . 32 As these rights are closely related to data protection, they will be touched upon in Section 4.

Heterogeneity in procedural DNA sample collection guarantees
In order to be admitted as evidence, DNA samples shall be collected according to the rules of the criminal process that are established by national legislation that determines from whom and subject to which conditions they can be taken. As the penal policies of different countries greatly vary, there are also differences in DNA sample collection guarantees.
For example, in the Spanish system there is a dual requirement for the legitimacy of proceeding to take a sample, namely, that the passive subject must at least be suspected 33 of having committed an offence in the context of an investigation, and that the offence should be of sufficient importance, or seriousness, thus guaranteeing the principle of proportionality in the limitation of citizens' rights.
In general, the category of being a suspect is not defined and does not exist as such in Spanish law, unlike in other counties, for example Portugal -remember the case of Madeleine McCann 34 -but its use in practice has been adopted by the law, which implies legal acceptance for the status of being a suspect. This term has crept into the Spanish Law of Criminal Procedure (Ley de Enjuiciamiento Criminal, LECrim) 35 from police practice, justified by the procedural need to allocate a category to persons who are subject to the measure, even if they have not been formally charged, as this must be normal practice where the measure is applied at a stage when the evidence against a person is not strong enough to actually accuse him or her. Article 363 of LECrim foresees that if a person refuses to provide a DNA sample, the police can apply to a judge for an order or warrant requiring the person to provide a sample. In this case no more would be required than the category of a passive subject being a 'suspect' . 36 Additional Provision 3 of Organic Law 10/2007 also refers to the status of 'under arrest' regarding persons who are subjected to having a sample taken, and in this case their right to defence is guaranteed.
The Supreme Court's (Tribunal Supremo) case law during the last few years has explained the peculiarities of a sample collection from detainees that requires corporal intervention. 37 The judicial police can obtain saliva or other fluids for which corporal intervention is needed only when the assistance of a lawyer is assured and a detainee gives his consent. The requirement of assistance by a lawyer has appeared in the case law since 2010 and is based on the constitutional rights for effective defence and the process concerning all guaranties. If no consent is given to samples being taken, they can only be obtained on the basis of judicial authorisation. These requirements are not applied to the taking of samples where corporal intervention is not required, e.g. collecting samples left behind by the detainee.
In suspicion of having committed a serious crime, the collection of DNA samples from the arrestee is, just like fingerprinting and photographing, a legitimate police booking procedure. It also compares DNA sample collection with searching a person and as a lawful arrest authorises a search, it can also be treated as authorisation for DNA sample collection. 38 It has become a revolutionary opinion giving the green light to collect DNA samples from an arrestee without his consent and without judicial authorisation if he has been lawfully arrested and in relation to a serious offence. According to British legislation, if someone is arrested, the police also have the capacity to collect DNA samples, subsequently influenced by the question of whether the criminal act is of a 'recordable' nature or not, i.e. liable to be recorded on the police computer in accordance with the regulations in force at the time. Bearing in mind the fact that nowadays almost all crimes are of this nature, this could lead to mass sample collection or, to put it another way, affect many people, based on them committing some kind of offence, irrespective of its gravity.
In the same way one can observe significant disparities between the different national legislations regarding suspects under the age of eighteen. Spanish law does not refer to whether minors are subjected to the collection of DNA samples and both doctrine and the public clearly have different opinions, as it is thought that this could represent a more serious intrusion into their personal lives than would be the case for an adult.
In the United Kingdom this is widespread practice, as well as in many States in the USA, where samples are taken depending on the gravity of the offence, and are almost always taken with regard to sexual offences despite the age of an arrestee.
Due to the sensitive nature of this issue additional guarantees should be applied, such as the consent of the minor and his/her parents, guardian or defence lawyer, or judicial authorization, and subject to the condition that it is in connection with an investigation into a serious crime.

Database storage requirements
Once the DNA profile is added to the database, it is subjected to a comparison and subsequent storage. Collected DNA samples (cellular material) are also kept. The question of storage is usually more controversial than the collection of DNA samples and could affect: the right not to incriminate oneself, the right to family privacy together with that of not incriminating descendants or relatives in general, the right of children to personal development and the right to informative self-determination. In the case of S & Marper v United Kingdom the European Court of Human Rights (ECtHR) has stated that while the original taking of the DNA sample aims to link a particular person with a particular crime, the retention of cellular material and the DNA profile 'pursues the broader purpose of assisting in the identification of future offenders' . 39 The ECtHR considers that the storage of cellular material is more dangerous for the right to privacy than the storage of the DNA profile, as an analysis of cellular material can reveal much more personal data.
The most controversial question is related to the storage of cellular material and DNA profiles that belong to acquitted persons. The legislation of some countries (Belgium, Hungary, Ireland, Italy and Sweden) requires such information to be destroyed upon acquittal and the discontinuance of the criminal proceedings. Other countries (Germany, Luxembourg, the Netherlands) permit the retention of DNA profiles where there are still suspicions about the person or if further investigations are needed in a separate case. 40 The case of S & Marper v United Kingdom reveals the position adopted by the ECtHR in that the unlimited retention of such data is not justifiable and results in a violation of the right to privacy.
But the situation changes if the DNA profile belongs to a convicted person. In its decision in the case of Van der Velden v the Netherlands the ECtHR stated that if compilation and retention of a DNA profile serves the legitimate aims of the prevention of crime and the protection of the rights and freedoms of others, it can be stored even if it 'played no role in the investigation and trial of the offences committed' . 41

S & Marper v United
Kingdom also deals with the storage of minors' DNA profiles. S was a minor whose sample was collected when he was aged 11 as part of an investigation into an attempted robbery; he was acquitted, but his samples and DNA profile were retained in the custody of the police indefinitely and against his will. The ECtHR stated that juveniles should be protected from any detriment that may result from the retention of their private data by the authorities following an acquittal from a criminal offence.
The storage of the DNA profiles of minors should be different from the storage of the profiles of adults. The best option would be the creation of a special database containing minors' profiles, provided that these are destroyed when they reach the age of majority. Similarly, the storage of profiles should be excluded automatically when minors have not been convicted or are declared non-imputable -not liable for prosecution -and, if they are prosecuted, their files should receive special treatment.
Different from the process of DNA sample collection, the storage of DNA profiles is regulated not only by national legislation.

Current data protection rules on DNA-related data
One of the fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights, is the right to the protection of personal data.
The Court of Justice of the European Union in the joined case of Volker und Markus Schecke GbR, Hartmut Eifert v Land Hessen underlined that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society. 44 DNA profiles do not offer personal information beyond identification itself, but the set of identification data can be classified as personal data and have to be protected at the stage of adding the DNA profile to the database, its storage, and consultation and exchange.
In view of the panorama surrounding these issues, W. Hassemer has noted that there has to be a 'linking' of the databases 'to a purpose' , preventing their use for any purpose other than the original one, and he claims that only when this principle is included amongst those of criminal proceedings can data protection be achieved therein. 45 Thus, if DNA analysis is limited to establishing genetic profiles based on the loci, with non-coding content, the storage of data will not lead to an interference with the right to privacy, although it will do so with regard to the informative self-denomination issue, but only to the same extent as other databases such as lophoscopic ones, the legitimacy of which is not questioned.
To protect personal data strict rules on their access, storage, use and deletion have to be established. In the case of DNA-related data national legislation is not sufficient as very often a DNA profile travels beyond the borders of the state of its origin and after crossing the border the state then lacks the necessary competence to control the data protection regime. In this case it helps if there is trust in the data receiving state and its data protection mechanism. The basis of this trust is the application of the same minimum data protection standards established by multilateral agreements, conventions and EU law.
Council Framework Decision 2008/977/JHA 46 lays down the main principles in transnational information exchange (lawfulness, proportionality and purpose). But its Recital 39 foresees that it does not affect data protection provisions in acts such as those governing the functioning of Europol, Eurojust, Schengen or the Customs Information System and Council Decision 2008/615/JHA as well.
The title of Council Decision 2008/615/JHA defines the purpose of cross-border cooperation: 'combating terrorism and cross-border crime' that at the same time is the basis for automatic search and data exchange. Article 3 specifies that the automated search of DNA profiles in the database of another EU Member State can be conducted for the investigation of individual cases of criminal offences. Its Chapter 6 establishes general provisions on data protection and includes requirements on: the purpose for which a search and data exchange are conducted, the authorities which are competent to exchange data, the storage of data, technical and organisational measures to ensure data protection and data security, and a data subject's rights to information and damages. But it does not regulate such issues as data transfer to private parties, third states or international bodies and according to Recital 40 of Council Framework Decision 2008/977/JHA, for the aspects not regulated by specific acts, the rules of this Council Framework Decision should be applied.
Both legal acts establish quite similar principles on data protection, but Council Decision 2008/615/ JHA goes one step further by ensuring that the principles and minimum data protection standards are in force and in Article 25 it lays down that a EU Member State can only participate in the DNA data exchange process after the Council's unanimous decision that this Member State fulfils all the data protection requirements. As was mentioned in Section 2.2 such a decision is taken by the Council on the basis of an evaluation visit, a pilot run and the relevant report on the EU Member State's legal and technical readiness to make searches of DNA profiles and to exchange DNA-related data.
Such a requirement is advantageous as every EU Member State is obliged to fulfil all data protection requirements in order to be allowed to use this crime-combating instrument with direct access to EU Member States' databases and a further exchange of data.

Looking for a security and data protection balance
One of the novelties brought about by the Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community in the area of freedom, security and justice is the new Article 16 of the Treaty on the Functioning of the European Union that foresees that 'The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data' . 48 Declaration 21 'On the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation' , annexed to the Final Act of the Intergovernmental Conference which adopted the Treaty of Lisbon, foresees that '(...) specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 of the Treaty on the Functioning of the European Union may prove necessary because of the specific nature of these fields ' . 49 On this basis, on 25 January 2012 the European Commission adopted: -a proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: Draft General Data Protection Regulation); 50 and -a proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (hereinafter: Draft Data Protection Directive). 51 The obligatory character of the regulation and the directive will force EU Member States to follow established data protection standards. The Draft Data Protection Directive has a double objective: to protect personal data and to ensure its exchange between competent authorities. It goes a few steps further than Council Framework Decision 2008/977/JHA as: -its scope is not only limited to the regulation of cross-border data exchange, but also the harmonization of data exchange on the national level; -it obliges a distinction to be made between different categories of data subjects (suspects, those convicted of a criminal offence, victims, third parties in criminal offences (witnesses, etc.), persons who do not fall within any of these categories); -it covers the exchange of genetic data; -it establishes as a general rule that data could be transferred to a third country or an organisation if the Commission has decided that that country or organisation ensures an adequate level of data protection; -it foresees that bilateral and multilateral agreements concluded by Member States have to be amended according to the provisions of this Directive.
Besides all the mentioned improvements, the Draft Data Protection Directive does not cover all areas of freedom, security and justice as it states that the data protection rules of previously adopted acts of the EU for judicial and police cooperation in judicial matters (including Council Decision 2008/615/JHA) remain, for the time being, unaffected and within three years after the entry into force of this Directive, the Commission will evaluate the need to align their provisions with those of the Directive. This and other aspects of the The same concerns were expressed by the European Parliament that believes that with proper modifications 53 this package can provide more legal certainty in the area of data protection 54 and emphasises 'stronger incentives for data protection by design and by default' . 55 Data protection is certainly vital in all areas of life and most of the comments by the European Data Protection Supervisor and the European Parliament are reasonable, especially those on unified data protection rules in all areas of justice and home affairs. Nevertheless, it would be more effective to look for efficient responsibility mechanisms for law enforcement institutions and the EU Member States in applying data protection rules rather than establishing too many new data protection restrictions.

Conclusions
Identification opportunities that lie within DNA have made it a reliable tool for the investigation and prosecution of crimes and in some cases have become pivotal forensic evidence. The increased mobility of crime has made it necessary to create new legal bases and technological possibilities for the transnational exchange of DNA-related data and has resulted in mechanisms such as the automated search for and comparison of DNA profiles in the national databases of other countries. Although cooperation under Council Decision 2008/615/JHA has only been in effect for a few years, the number of searches that have resulted in a 'hit' (20,561 hits in 2011 and 52,507 hits in 2012) proves the high rate of crime mobility and the necessity for such cooperation.
The analysis of the legislation applied to DNA collection and use for criminal investigation and prosecution purposes has revealed a few findings: 1. EU legislation obliges Member States to create DNA analysis files (databases), foresees some rules on the forensic analysis of samples and establishes rules on direct access to and automatic searches in national DNA databases. Nevertheless, the rules on DNA sample collection and 'post-hit' data provision are subject to national regulation and vary a great deal, beginning with the taking of samples without a person's consent and the subsequent judicial authorisation and finishing with the provision of DNA-related data only within the framework of judicial cooperation. An attempt to establish common rules for sample collection was made in Council Framework Decision 2009/905/ JHA, but it covers only the technical part of the collection process, leaving it to the national rules of criminal procedure to determine the subject and circumstances of DNA sample collection.
2. While in the collection, analysis, use and storage of cellular materials and DNA profiles limitations to or even violations of some fundamental rights appear, international law establishes that some fundamental rights (such as the right to privacy) are not absolute and can be proportionally limited for the sake of public security. Such limitations are usually established by national law and differ in the same way as the above-mentioned regulations on DNA sample collection. Nevertheless, international jurisprudence emphasises that limitations on fundamental rights have to be proportional and restricted to those which are necessary. In other cases international jurisprudence has come to the conclusion that relevant fundamental rights (such as the right not to incriminate oneself) are not violated by the collection of DNA samples.
3. A process of converging legal provisions leading to greater homogeneity between the data protection regulations in the EU Member States is taking place within the EU. EU legislation foresees minimum standards to be followed and facilitates the building of mutual trust among EU Member States that results in permission for direct access to national databases that was unthinkable a few decades ago. From another point of view, establishing only minimum standards puts EU Member States with stricter rules in a difficult position, as evidence gathered in other countries with a less harsh procedure in force is not recognized as sufficient and reliable evidence. One solution would be to opt for the application of the procedural legislation in force in the State requesting the procedure (if it is stricter) , in order to ensure its validity once it is sent to the interested party. This would lead to the logical conclusion that all processing and storage of DNA profiles intended to be included in an international database would have to be carried out in such a way as to respect the guarantees common to all the countries with access to this source of information, which, although differently expressed, would actually be another way of homogenizing the procedural guarantees concerning the collection and storage of genetic data. ¶