3.5.2016

EN

Official Journal of the European Union

C 158/46

---

Statement of the Council’s reasons: Position (EU) No 5/2016 of the Council at first reading with a view to the adoption of a Directive of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

(2016/C 158/02)

I.   INTRODUCTION

The Commission proposed on 25 January 2012 a comprehensive data protection package comprising of:

—	a proposal for a General Data Protection Regulation, which is intended to replace the 1995 Data Protection Directive (former first pillar) (hereinafter referred to as the draft Regulation).

—

the above-mentioned Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (1), which is intended to preplace the 2008 Data Protection Framework Decision (former third pillar)(hereafter referred to as the draft Directive).

The European Parliament adopted its Opinion on the draft Directive in March 2014 (2).

The Council agreed on a general approach on 9 October 2015 (3), thereby giving the Presidency a mandate to enter into trilogues with the European Parliament.

The European Parliament and the Council, at the level of respectively the Committee on Civil Liberties, Justice and Home Affairs and the Permanent Representatives Committee, confirmed the agreement on the compromise text resulting from the negotiations in the trilogues on respectively 17 and 18 December 2015.

At its meeting on 12 February, the Council reached a political agreement on the draft Directive (4). On 8 April 2016, the Council adopted its Position at first reading which is fully in line with the compromise text on the Directive agreed in the informal negotiations between the Council and European Parliament.

The Committee of the Regions submitted an opinion on the Regulation (OJ C 391, 18.12.2012, p. 127).

The European Data Protection Supervisor was consulted and delivered a first Opinion in 2012 (OJ C 192, 30.6.2012, p. 7) and a second opinion in 2015 (OJ C 301, 12.9.2015, p. 1-8).

The Fundamental Rights Agency submitted an opinion on 1 October 2012.

II.   OBJECTIVE OF THE PROPOSAL

The objective of the draft Directive is to ensure effective judicial cooperation in criminal matters and police cooperation and facilitate the exchange of personal data between competent authorities of the Member States while guaranteeing a consistent high level of protection of the personal data of natural persons. Compared to the Council Framework Decision 2008/977/JHA which the draft Directive will replace, the draft Directive will cover also domestic processing of personal data.

Article 16 of the Treaty on the Functioning on the European Union introduces a new specific legal basis for the adoption of rules on the protection of personal data that also applies to the processing of personal data in the area of judicial cooperation in criminal matters and police cooperation.

III.   ANALYSIS OF THE COUNCIL’S POSITION AT FIRST READING

A.    General observations

The draft Directive is part of a data protection package. The other proposal is the above-mentioned General Data Protection Regulation.

On the basis of the proposal for a Directive by the Commission, the European Parliament and the Council have conducted informal negotiations with a view to concluding an agreement at the stage of the Council Position at first reading. The text of the Council Position at first reading on the draft Directive fully reflects the compromise reached between the two co-legislators on the Directive, assisted by the European Commission. Against that background, references to the Council Position at first reading should be understood as references to the compromise reached in the trilogues.

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union lay down that everyone has the right to the protection of personal data concerning him or her. On that basis, the Council Position at first reading lays down the principles and rules on the protection of natural persons with regard to the processing of their personal data. These principles and rules must, whatever the nationality or residence of a natural person, respect his or her fundamental rights and freedoms, notably their right to the protection of personal data.

The Council Position at first reading maintains the objectives of the Framework Decision (5) and of the Commission proposal, for example the minimum harmonisation principle from the Framework Decision has been maintained. The text of the draft Directive contains clearer and more specific provisions on most of the provisions in the Framework Decision, in particular the provisions on transfers to third countries or international organisations have been further developed and expanded.

The Council reached a general approach on the draft Regulation in June 2015 and a general approach on the draft Directive in October 2015.

The new legal basis in the Treaty on the Functioning of the European Union covering the protection of personal data is applicable to all policy areas, without prejudice to the specific rules to be laid down in the area of the common foreign and security policy. However, Declaration 21 annexed to the Lisbon Treaty acknowledges that specific rules in the fields of judicial cooperation in criminal matters and police cooperation may prove necessary. For these reasons and taking into account that the draft Directive forms part of the data protection package, the Council strived to align the text of the draft Directive to the text of the draft Regulation on a number of provisions in the draft Directive. This is especially the case as regards definitions, the principles, the Chapter on the controller and processor, the adequacy decisions as well the Chapter on independent supervisory authorities. Therefore these parts of the text will be less developed in this note.

B.    Key policy issues

1.    Scope (material and personal)

The Council Position at first reading sets out the material scope of the draft Directive in Article 1(1). It encompasses the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This means that the draft Directive, unlike the Framework Decision 2008/977/JHA, also applies to domestic processing of personal data.

The other part of the data protection package, the draft Regulation excludes the scope of the Directive from its scope, making them mutually exclusive. The draft Regulation contains the general rules whereas the draft Directive applies to the specific sector of judicial cooperation in criminal matters and police cooperation.

The work of police and other law enforcement authorities includes also the exercise of authority by taking coercive measures, for example police activities at demonstrations, major sporting events and riots. The Council Position at first reading seeks to allow such authorities, mainly the police, to process data under one single instrument, namely the Member State law transposing the draft Directive. However, where the police processes personal data for the purposes outside the scope of the draft Directive, the draft Regulation applies, as specified under point 7 below. In order to reach that objective, the Council Position at first reading clarified the scope of the draft Directive by adding ‘safeguarding against and prevention of threats to public security’.

As regards the personal scope, the Council Position at first reading has expanded the scope beyond public authorities competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties to such bodies or entities that have been entrusted by Member State law to exercise authority and public powers for the above-mentioned purposes. However only public authorities are allowed to transfer personal data to recipients, other than an authority competent for the purposes of the draft Directive, established in third countries.

2.    Principles relating to personal data

(a)   transparency

Unlike the Council Position at first reading on the draft Regulation, the Council Position at first reading on the draft Directive does not include the notion of ‘transparency’ among the principles relating to processing of personal data because in the area of law enforcement transparency could jeopardize ongoing investigations. However, transparency has been inserted in the recital relating to the principles while making clear that activities such as covert investigations or video surveillance will be allowed to take place.

(b)   security of processing

The Council Position at first reading adds that personal data should be processed in a manner that ensures appropriate security of the personal data which includes the protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. The Council Position at first reading also adds that appropriate technical or organisational measures should be used for that purpose. This is in line with the text of the draft Regulation.

3.    Further processing

(a)   compatibility

The issue of further processing and whether this could be carried out only by the same controller or also by another controller as well as the question of compatible purposes had created difficulties in the discussions on the draft Regulation. Eventually, the Council Position at first reading on the draft Directive considers that all processing that is carried out for any of the purposes set out in Article 1(1) should be considered as permitted as long as the controller was authorised to process the personal data for such purpose according to either Union or Member State law and that the processing was necessary and proportionate to the other purpose in accordance with Union or Member State law.

(b)   processing for other purposes within the scope of the draft Directive

The Council Position at first reading lays down that processing by the same or another controller for any of the purposes set out in Article 1(1) other than the one for which the personal data were collected are only be permitted where the controller is authorised to process such personal data for such purpose in accordance with Union or Member State law and the processing is necessary and proportionate to that other purpose in accordance with Union or Member State law this enables, for example, prosecutor to process the same personal data for the prosecution of a crime, as the police did for the detection of a crime given that both purposes in the example are covered by Article 1(1).

4.    Time limits of storage and review

The Council Position at first reading lays down that appropriate time limits must be established for the erasure of personal data or for a periodic review of personal data that are stored to verify if it is necessary that they are kept. The Framework Decision already had a provision on time limits and the Council Position at first reading sees merits in introducing such a provision.

This provision strengthens the principle set out in Article 4 that the data must not be kept longer than necessary for the purposes for which the data is processed.

5.    Different categories of data subjects

The Council Position at first reading lays down that the Member States must, ‘where applicable and as far as possible’, provide for the controller to make a clear distinction between personal data of different categories of data subjects. However, the Council Position at first reading ensures that the application of the right of presumption of innocence as guaranteed by the Charter of Fundamental Rights is not prevented by placing data subjects in different categories, in particular the category of persons with regard to whom there are serious grounds for believing that they have committed a or are about to commit a criminal offence.

6.    Lawfulness of processing

The Council’s Position at first reading lays down that processing of personal data is lawful only if and to the extent that processing is necessary for the performance of a task carried out by a competent authority for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and is based on Union or Member State law. It is made explicit in the recitals that the protection of the vital interest of the data subject are encompassed by those activities.

The Council Position at first reading specifies the elements that the Member States’ data protection laws must contain, such as the objectives and the purposes of the processing.

7.    Specific processing conditions

The main rule is that personal data that were initially collected by a competent authority for the purposes of Article 1(1) of the draft Directive must only be processed for one of the purposes of the draft Directive. However, personal data initially collected by such authorities for the purposes of the draft Directive may be processed on the basis of the draft Regulation if such processing is authorised by Union or Member State law, unless the processing is carried out in an activity which falls outside the scope of Union law. The Council Position at first reading also clarifies two cases where the draft Regulation applies. Firstly, where the competent authorities are entrusted by Member States law with the performance of tasks other than the ones set out in Article 1(1). Secondly, the Regulation also applies to the processing for archiving purposes in the public interest or scientific and historical research purposes or statistical purposes, unless the processing is carried out in an activity which falls outside the scope of Union law.

8.    Special categories of personal data

Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks for the fundamental rights and freedoms. The Council Position at first reading allows processing of such data but only where strictly necessary and on the condition that appropriate safeguards for the rights and freedoms of the data subject are adduced. In addition, such processing is allowed only where authorised in EU or Member State law to protect the vital interest of the data subject or where the processing relates to data that have manifestly been made public by the data subject.

Since the draft Directive and the draft Regulation form part of a package, the Council Position at first reading on the draft Directive has, as regards the list of the categories, taken on board the categories set out in the draft Regulation, including ‘biometric data’ and ‘sexual orientation’ to the list.

9.    Automated individual decision-making, including profiling

Another principle enshrined in the draft Directive is that a decision based solely on automatic processing, including profiling, which produces an adverse legal effect for the data subject or that significantly affects him or her must be prohibited unless Union or Member States law authorises it and that appropriate safeguards for the rights and freedoms of the data subject are adduced. Such safeguards must at least include the right to obtain human intervention on part of the controller. The Council Position at first reading clearly states that a decision based solely on automated processing may not be based on the special categories of data listed in Article 10 unless the data subjects’ rights and freedoms and legitimate interest are subject to suitable safeguards. It is also set out explicitly that profiling based on the special categories of data in Article 10 that would result in discrimination must be prohibited.

10.    Data subjects’ rights

(a)   Communication to the data subject

The Council’s Position at first reading sets out provisions on the rights of the data subjects. In order for the data subject to exercise his or her rights, it is necessary that they are informed that their personal data are being processed. This information must be communicated in a way that is easy to understand, in a concise, intelligible and easily accessible form and should be written in clear and plain language. Unlike the text of the draft Regulation, the Council Position at first reading on the draft Directive does not require that such information be given in a transparent manner. In the area covered by the Directive, for example, the purpose of an investigation may be jeopardized if information on the specific investigative measure is provided to the data subject at an early stage of an investigation.

(b)   Information to the data subject

The Council Position at first reading lays down which information the data subject must always be provided with, such as the identity and contact details of the controller and the purpose of the processing. This could take place on the website of the competent authority. The Council Position at first reading also sets out the additional information that must be provided in specific cases. These include the legal basis, the period for which the data may be stored and the categories of recipients. Under certain circumstances, it is possible to delay, restrict or omit the additional information, for example where a restriction constitutes a necessary and proportionate measure in a democratic society taking into consideration the fundamental rights and legitimate interests of the natural person concerned. In addition and as regards the additional information, the Member States should be able to provide in law that certain categories of processing of personal data can be exempted from the obligations of information.

(c)   Right of access

The Council Position at first reading lays down both the right of access to personal data and the restrictions to that right. Member States should be able to restrict the right to access under the same conditions as where additional information can be delayed, restricted or omitted. Where the right to access has been restricted the Member States must provide that controller informs the data subject of the reasons for this refusal, unless the purpose of the measure, for example an investigation would be jeopardized if the data subject would be informed about the reasons for the restriction.

(d)   Special cases of restriction of processing of personal data

The Member States must provide that a data subject has the right to rectify, erase or restrict the processing of his or her personal data. The Council Position at first reading has added the possibility for the data subject to restrict his or her personal data instead of erasing them in two specified cases. The first situation is where the data subject contests the accuracy of the data and it is not possible to verify whether the data is accurate or not. The other case relates to situations where the personal data is kept for the purpose of evidence. The corresponding recital specifies that examples of the latter case can be situations where there are reasonable grounds to believe that the legitimate interests of the data subject could be affected. In the latter situation the data can be processed only for the reasons which prevented their erasure.

11.    Exercise of the rights of the data subjects and verification

Where the rights of the data subjects of information, access, to rectification, erasure or restriction of processing have been limited, Member States must adopt measures providing that the rights of the data subject should also able to be exercised through the competent supervisory authority.

12.    Controller and processor

The draft Directive will be applied by competent authorities either domestically or when transmitting personal data between EU Member States or transferring personal data to third countries or international organisations. The competent authorities are defined as public authorities or any body or entity entrusted by Member State law to exercise public authority and public powers. The provisions of the draft Directive will be applied by public authorities and, under certain circumstances, private bodies. When competent authorities as defined in this draft Directive are processing personal data not for the purposes of the Directive they must apply the draft Regulation. The Council Position at first reading, therefore, as already set out in the introduction of these statements, aligns, to a certain extent, the provisions of the draft Directive to those of the draft Regulation.

In line with the draft Regulation the Council Position at first reading provides that the controller must implement appropriate technical and organisational measures to ensure and be able to demonstrate compliance of their processing. The Council Position at first reading spells out explicitly the obligations of the processor such as to

—	only act on instructions from the controller;

—	ensure that the persons authorised to process the data respect confidentiality;

—	make available to the controller all information that show that they are fulfilling their obligations.

13.    Records of processing activities

The Council Position at first reading puts less obligations in terms of records on the processor and has therefore listed the obligations of the controller and the processor in two separate paragraphs. The Council Position at first reading sets out that a record does not have to be maintained for every single processing activity neither by the controller nor by the processor but only for categories of processing. The Council Position at first reading provides that the other parts of the paragraph oblige the controller to provide a sufficient amount of information to fulfil the purpose of the records. It is for example compulsory for the controller to add information about categories of recipients to whom the personal data have been or will be disclosed, the categories of transfers of personal data to a third country or an international organisation or where possible the envisaged time limits for erasure of the different categories of personal data. The controller must also provide information about profiling, which is not the case in the draft Regulation. The Council Position at first reading provides that the processor only needs to maintain a record of, for example, the categories of processing carried out on behalf of each controller and where possible a general description of the technical and organisational security measures.

14.    Logging

Keeping logs is important for making it possible to establish the justification, date and time of certain processing operations in automated processing systems, such as collection, consultation, disclosure and transfers. Logs of consultation and disclosure also allow to identify the person who has consulted or disclosed personal data as well as the identity of the recipient. In line with the Framework Decision, the logs must only be used for verification of the lawfulness of the processing, self-monitoring, ensuring integrity and security of the personal data. A new element in the draft Directive is that the logs can also be used for criminal proceedings. However, bringing automated processing systems into conformity is a very cumbersome, lengthy and costly process. The Council Position at first reading therefore allows exceptionally to extend the transposition period for bringing automated processing systems that were set up before the entry into force of the draft Directive into conformity if this would involve disproportionate efforts. A supplementary extension for bringing automated processing systems into conformity is foreseen in exceptional cases for a particular automated processing system set up before the entry into force of the draft Directive if this would otherwise cause serious difficulties for the operation of that particular automated processing system.

15.    Impact assessment

While the initial Commission proposal did not provide for any data protection impact assessment, the text of the draft Regulation contains an article on an impact assessment and so does the Council Position at first reading in the area of the draft Directive. The Council Position at first reading sets out the obligation for the controller to carry out an impact assessment. An impact assessment is necessary before the controller can carry out a processing where the processing is likely to result in a high risk for the rights and freedoms of natural persons.

The draft Directive sets out the situations in which an impact assessment is compulsory in similar terms as the text of the draft Regulation. The text on the elements that the impact assessment must contain are however less detailed than in the draft Regulation. The assessment must contain at least a general description of the processing to be carried out, an assessment of the risks to the rights and freedoms of the data subjects, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the provisions of the draft Directive.

16.    Data Protection Officer

The Council Position at first reading sets out that the Member States must provide for the controllers to designate a data protection officer. Member States should however be able to exempt courts and other judicial authorities when acting in their judicial capacity from this obligation. The purpose of designating a data protection officer is to improve compliance with the draft Directive.

17.    Transfers

In order to exchange data with third countries and international organisations it is necessary to have rules on transfers. As regards the general principles for transfers of personal data, the Council Position at first reading has supplemented the conditions proposed by the Commission by requiring that the receiving authority is competent for the purposes of Article 1(1) and that when data are transmitted or made available from another Member State that Member State has given its prior authorisation. The Council Position at first reading also clearly sets out that all provisions in the Chapter on transfers must be applied in order to ensure that the level of protection of natural persons guaranteed in the draft Directive are not undermined.

The article on the general principles lays down the choices for the controllers to transfer personal data, in descending order of preference, starting with the adequacy decisions. Next in line are transfers subject to appropriate safeguards, followed by transfers where derogations for specific situations apply. The article on adequacy decisions now only refers to adequacy decisions taken under the draft Directive itself and no longer those under the Regulation. The elements that the Commission must take into account when assessing the adequacy of the level of protection set out in the draft Directive are identical to the ones set out in the draft Regulation.

In the articles on transfers by way of appropriate safeguards and derogations for specific situations, the Council Position at first reading specifies that such transfers must be documented and that the documentation must be made available to the supervisory authority as well as the elements that the documentation must contain.

The Council Position at first reading adds a basis for transfers, namely the possibility for competent authority, but only those that are public authorities (and not the bodies or entities entrusted by Member State law to exercise public powers), to transfer personal data to recipients established in third countries. This possibility is an exemption from the general principle that personal data are transferred only if the controller in the third country or international organisation is an authority competent for the purposes in Article 1(1) of the draft Directive. The Council Position at first reading therefore allows the above-mentioned competent authorities, in individual and specific cases, and as long as the other provisions of the Directive are complied with and that a number of exhaustively listed conditions are fulfilled, to transfer personal data directly to recipients because international agreements do not always allow for the swift reply that may be required. These conditions include that the transfer is strictly necessary for the performance of a task of the transferring competent authority as provided for by Union or Member State law for the purposes set out in Article 1(1), the transferring competent authority considers that the transfer to an authority that is competent for the purposes referred to in Article 1(1) in the third country is ineffective or inappropriate, in particular because the transfer cannot be achieved in good time and that the transferring authority informs the recipient of the specified purpose or purposes for which the personal data must be processed. Like for the transfers on the basis of safeguards and on the basis of derogations of specific situations, an obligation of documentation of the transfer has been added. Such transfers could be particularly useful where there is an urgent need to transfer personal data to save the life of a person who is in danger of becoming a victim of a criminal offence or in the interest of preventing an imminent perpetration of a crime, including terrorism.

18.    Supervisory authorities

In order to ensure compliance with the rules of the draft Directive the monitoring of the draft Directive as well as the draft Regulation will be carried out by supervisory authorities. The rules on the supervisory authorities in the draft Directive are to a large extent taken over from the text of the draft Regulation. Member States are allowed to provide for the supervisory authorities established in the draft Regulation to be supervising the draft Directive as well. The draft Directive however excludes the supervision by the supervisory authorities as defined in the draft Directive of processing operations of courts when they act in their judicial capacity. Member States should be able to exclude the supervision by supervisory authorities as defined in the draft Directive of processing operations of other independent judicial authorities when they act in their judicial capacity. This does not mean however, that the processing of such bodies is exempted from supervision. It is therefore added in the corresponding recital that the processing operations by courts and other independent judicial authorities are, in line with the Charter of Fundamental Rights of the European Union, subject to an independent supervision.

19.    Powers of the Supervisory authorities

The Council Positions at first reading sets out that the supervisory authorities powers should have in each Member State the same tasks and effective powers to allow them to carry out the tasks of effective, reliable and consistent monitoring of compliance with and enforcement of the draft Directive throughout the Union.

The Council Position at first reading classifies the powers of the supervisory authorities, that have to be set out bylaw, in three different categories, namely effective investigative, corrective and advisory powers as well as the power to bring infringements of the provisions adopted pursuant to the draft Directive to the attention of judicial authorities.

20.    Relationship with previously concluded international agreements

The Council Position at first reading, and in line with the Council Position at first reading on the draft Regulation, specifies that international agreements that were concluded by the Member States prior to the date of entry into force of the draft Directive and which are in accordance with Union law, applicable prior to the date of entry into force of this draft Directive shall remain in force until amended, replaced and revoked. As stated for the draft Regulation, maintaining the agreements in force ensures legal certainty for controllers.

IV.   CONCLUSION

The Council Position at first reading reflects the compromise reached in negotiations between the Council and the European Parliament, facilitated by the Commission. By approving the Council Position at first reading without amendments, the European Parliament establishes, together with the Council, high data protection standards both at domestic and cross-border level allowing for enhanced cooperation between law enforcement authorities.

---

(1)  5833/12

(2)  7428/14

(3)  12555/15

(4)  5463/16

(5)  Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350, 30.12.2008, p. 60.

---