This document is an excerpt from the EUR-Lex website

Protection of personal data

The European Commission proposes that the Council adopt this Framework Decision on the protection of personal data * processed in the framework of judicial and police cooperation in criminal matters.

PROPOSAL

Proposal for a Council Framework Decision on the protection of personal data processed in the framework of judicial and police cooperation in criminal matters.

SUMMARY

This proposal is designed to protect personal data * processed in the framework of judicial and police cooperation in criminal matters. It applies to the automated and non-automated processing of personal data. The data form part of a filing system or are intended by a competent authority * to form part of a filing system for the purpose of preventing, detecting, investigating or prosecuting criminal offences. The proposal does not apply to the processing of data by Europol, Eurojust or the Customs Information System.

SAFEGUARDING THE RIGHTS OF THE DATA SUBJECT

The proposal provides for the establishment of supervisory authorities as well as a working party on the protection of individuals with regard to the processing of personal data. In principle, the data subject must be notified of the processing of data relating to him. Member States will ensure judicial remedies for any violation of rights guaranteed by the applicable national legislation on data-processing under this proposal.

Supervisory authorities in the Member States

Member States will appoint one or more independent public authorities to supervise the application on their territories of the provisions adopted under this Framework Decision. Such authorities will act in complete independence and their decisions may be appealed against through the courts.

The supervisory authorities will be consulted on the drafting of administrative measures or regulations relating to the protection of the rights and freedoms of individuals with regard to the processing of data in criminal matters. Furthermore, the said authorities will be endowed with:

  • investigative powers, such as powers of access to data forming the subject-matter of processing operations;
  • effective powers of intervention, such as the erasure or destruction of data;
  • power to engage in legal proceedings where the national provisions adopted pursuant to this Framework Decision have been violated or to bring these violations to the attention of the judicial authorities.

Establishment of a Working Party on the Protection of Individuals with regard to the Processing of Personal Data

The proposal provides for a working party on the protection of individuals with regard to the processing of personal data to be set up.

Its tasks will include:

  • examining any question covering the application of the national measures adopted under this Framework Decision;
  • giving an opinion on the level of protection in the Member States and in third countries and international bodies;
  • advising the Commission and the Member States on any proposed amendment of this Framework Decision.

The Working Party will be composed of a representative of the supervisory authority or authorities designated by each Member State, a representative of the European Data Protection Supervisor, and a representative of the Commission, and will have advisory status and act independently.

Notification of the data subject

The data controller * must notify the data subject of:

  • the identity of the controller and of his representative;
  • the purposes of the processing for which the data are intended;
  • the legal basis for the processing;
  • the recipients of the data;
  • whether replies to questions or other forms of cooperation are obligatory or voluntary as well as the possible consequences of failure to reply.

Provision of this information may be refused or restricted amongst other things to enable the controller to fulfil his lawful duties properly or to protect public security and public order in a Member State. If the provision of data is refused or restricted, the controller must inform the data subject that he may appeal to the supervisory authority. The authority will examine whether the data have been processed correctly and, if not, whether any necessary corrections have been made. An appeal may be made to the supervisory authority without prejudice to any judicial remedy and without prejudice to national criminal procedure.

Where the data have not been obtained from the data subject or have been obtained from him without his knowledge, the controller will inform the person concerned of the purposes of the processing, the legal basis, the existence of a right of access to the data etc. The controller will provide this information to the data subject as soon as the data are recorded or, if disclosure to a third party is envisaged, within a reasonable time after the data are first disclosed. The information will not be provided where the data subject already has this information, the provision of the information proves impossible or would involve a disproportionate effort or where it would prejudice ongoing investigations.

Judicial remedies

Member States must provide for the right of every person to a judicial remedy for any breach of the rights guaranteed to him by the national law applicable to the processing in question pursuant to this Framework Decision. Any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Framework Decision will be entitled to receive compensation from the controller for the damage suffered. The controller may be exempted from this liability if he proves that he is not responsible for the event giving rise to the damage.

A competent authority which has received personal data from the competent authority of another Member State is liable towards the injured party for damages caused by the use of inaccurate or outdated data. If damages are awarded against the receiving authority because of its use of inaccurate data transmitted or made available by the competent authority of another Member State, the latter will refund in full to the receiving authority the amount paid in damages.

The Member States will adopt suitable measures to ensure the full implementation of the provisions of this Framework Decision and in particular lay down effective, proportionate and dissuasive sanctions to be imposed in the event of infringement of the provisions adopted pursuant to this Framework Decision.

PROCESSING OF PERSONAL DATA

Member States must ensure that personal data are processed fairly and lawfully and are obtained for specific, explicit and lawful purposes. They must be accurate and stored in a form that permits the data subject to be identified for such time as is necessary to achieve the purposes for which they have been obtained. The processing controller will maintain a register of processing operations or series of processing operations the purposes of which are identical or linked. Member States must provide for a clear distinction to be established between personal data of:

  • a person who is suspected of having committed a criminal offence;
  • a person who has been convicted of a criminal offence;
  • a person with regard to whom there are serious grounds for believing that he or she will commit a criminal offence;
  • a person who might be called on to testify;
  • a person who has been the victim of a criminal offence etc.

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership or concerning health or sex life is in principle prohibited. Such data may be processed only if the processing is provided for by law and is absolutely necessary for the fulfilment of the legitimate tasks of the authority concerned and for the purpose of the prevention, investigation, detection or prosecution of criminal offences. The same holds true if the Member States provide for suitable specific safeguards, for example access to the data concerned only for personnel who are responsible for the fulfilment of the legitimate task that justifies the processing.

Transmission of data to other Member States

Personal data may only be transmitted or made available to the other Member States if necessary for the fulfilment of a legitimate task of the transmitting or receiving authority and for the purpose of the prevention, investigation, detection or prosecution of criminal offences. Member States must ensure the quality and accuracy of the data. Each automated transmission and reception of personal data, in particular by direct automated access, must be logged in order to ensure the subsequent verification of the reasons for the transmission.

Personal data received from or made available by the competent authority of another Member State may only be further processed:

  • for the specific purpose for which they were transmitted or made available;
  • for the purpose of the prevention, investigation, detection or prosecution of criminal offences;
  • for the purpose of the prevention of threats to public security or to a person.

The proposal provides for restrictions on transfers of data to other competent authorities *, authorities other than the competent authorities, private individuals, the competent authorities of third countries or international bodies. In particular, the competent authorities of third countries or international bodies must ensure an adequate level of protection for the data transferred.

Confidentiality and security of processing

Any person acting under the authority of the controller or of the processor *, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law. The controller must implement appropriate technical and organisational measures to protect personal data against destruction, alteration or unauthorised disclosure or access. In the case of automated data-processing, each Member State must implement measures designed to:

  • deny unauthorised persons access to the data processing * equipment used;
  • prevent the unauthorised reading, copying, modification or removal of data media;
  • prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of data.

BACKGROUND TO THE PROPOSAL

Directive 95/46/EC is the basic item of legislation in Europe relating to the protection of personal data. It serves as a regulatory framework for ensuring a balance between a high level of protection for individual privacy and the free movement of personal data within the European Union (EU).

The proposal is to be seen in the context of the Hague programme adopted by the European Council on 4 November 2004 and the action plan for its implementation adopted by the Council and the Commission in June 2005.

Data protection under the Third Pillar was envisaged as long ago as 1998. At the time, the Justice and Home Affairs Council adopted the Vienna action plan [Official Journal C 19 of 23.1.1999]. According to this plan, the horizontal problems arising in the field of police and judicial cooperation on criminal matters required that consideration be given to ways and means of harmonising the rules on data protection.

In 2001, there was a draft resolution on the rules governing the protection of personal data under the instruments of the Third Pillar of the European Union (EU) [Council working document 6316/2/05 REV 2 JAI 13] but it was not adopted. Two years later, in June 2003, the Greek presidency proposed a series of general principles on the protection of personal data under the Third Pillar. These principles were inspired by Directive 95/46/EC on data protection and the Charter of Fundamental Rights of the European Union.

In 2005, the EU Member States' national authorities responsible for data protection and the European Data Protection Controller (EDPC) gave their backing to a new legal instrument for the protection of data under the Third Pillar.

On 4 October 2005, the Commission adopted this proposal and transmitted it to the European Parliament and the Council of the European Union under the consultation procedure.

Key terms used in the act

  • Competent authorities: the police forces, customs and judicial authorities and other authorities responsible for police and judicial cooperation in criminal matters in the Member States;
  • Personal data: any information relating to an identified or identifiable natural person (data subject);
  • Filing system: any structured set of personal data which are accessible according to specific criteria;
  • Controller: any natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;
  • Processor: any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  • Processing: any operation or set of operations which is performed upon personal data, whether or not by automated means (recording, consultation, alteration etc).

References

  • Proposal: COM(2005) 475 final
  • Official Journal: -
  • Procedure: Consultation CNS/2005/0202

Last updated: 31.03.2006
