Back to EUR-Lex homepage

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search
You are here

Document 52020DC0262

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Way forward on aligning the former third pillar acquis with data protection rules

COM/2020/262 final

Date of document:
24/06/2020
Date of dispatch:
24/06/2020; Forwarded to the Council
Date of dispatch:
24/06/2020; Forwarded to the Parliament
Author:
European Commission, Directorate-General for Justice and Consumers
Responsible body:
JUST
Form:
Communication

Brussels, 24.6.2020

COM(2020) 262 final

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Way forward on aligning the former third pillar acquis with data protection rules


COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Way forward on aligning the former third pillar acquis with data protection rules

I.Introduction

This Communication presents the review to be conducted by the Commission under Article 62(6) of the Data Protection Law Enforcement Directive 1 (Directive 2016/680, hereinafter the ‘LED’).

The LED entered into force on 6 May 2016 and Member States had, pursuant to its Article 63(1), until 6 May 2018 to transpose it in their national laws. It repealed and replaced the Council Framework Decision 2008/977/JHA. The LED applies to both domestic and cross-border processing of personal data by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (hereinafter referred to as ‘law enforcement’) (Article 1(1)). It is the first instrument that takes a comprehensive approach in the field of law enforcement, as opposed to the previous ad hoc approaches whereby each law enforcement instrument was governed by its own data protection rules. The LED is based on Article 16 of the Treaty on the Functioning of the European Union (‘TFEU’) and is the act through which the Union legislator gives effect to the fundamental right to protection of personal data enshrined in Article 8 of the Charter of Fundamental Rights 2 , in the context of processing of personal data by law enforcement authorities.

The LED, under its Article 60, provides for a “grandfathering” clause by which the specific provisions for the protection of personal data in certain Union legal acts remain unaffected by its provisions. This concerns the specific provisions for the protection of personal data in Union legal acts that entered into force on or before 6 May 2016 in the field of judicial cooperation in criminal matters and police cooperation. The LED already applies to the remaining provisions of those acts.

Article 62(6) of the LED requires that by 6 May 2019, the Commission reviews other legal acts adopted by the Union which regulate processing by the competent authorities for law enforcement purposes, including the acts “grandfathered” by Article 60, in order to assess the need to align them with the LED and to make, where appropriate, the necessary proposals to amend those acts to ensure a consistent approach to the protection of personal data within the scope of the LED. The alignment required by Article 62(6) of the LED should aim at amending the relevant acts in such a way that the applicable personal data protection rules laid down in those Union acts (and as the case may be in implementing national rules) are aligned to the rules laid down in the LED (and the national measures to transpose that directive). This Communication lists the acts that, according to the review, should be aligned, as well as a timetable to achieve this objective. This conclusion is without prejudice to the decisions of the Commission as regards the specific amendments of each act subject to this review that it may propose, in particular where significant changes or replacement of such an instrument may be foreseen.

II.Result of the review

When conducting the review, the Commission took into account the study which was carried out as part of the European Parliament Pilot Project ‘Fundamental Rights Review of EU data collection instruments and programmes’ 3 . The study included a mapping of the Union acts covered by Article 62(6) of the LED and an identification of the provisions potentially requiring an alignment on data protection issues.

Based on this study, the Commission identified 26 Union legal acts falling under the review exercise. Out of these 26 acts, the Commission concluded that 16 do not need to be amended while 10 of them are not fully in line with the LED and therefore should be amended.

The legal acts regulating the processing of personal data by competent authorities adopted or already amended after entry into force of the LED do not fall under this review as these acts already took into account the requirements of the LED.

III.Acts which do not require alignment

The 16 legal acts that do not need alignment fall into five categories as presented in this Communication.

1)Acts which do not contain specific data protection rules

The acts that do not contain specific data protection rules have not been “grandfathered” under Article 60 of the LED. This means that the provisions of national law transposing the LED apply to processing of personal data under such acts, and they do not require further alignment. These acts are the following seven:

I.Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States 4 ;

II.Council Framework Decision 2003/577/JHA of 22 July 2003 on the execution in the European Union of orders freezing property or evidence 5 ;

III.Council Common Position 2005/69/JHA of 24 January 2005 on exchanging certain data with Interpol 6 ;

IV.Council Framework Decision 2005/214/JHA of 24 February 2005 on the application of the principle of mutual recognition to financial penalties 7 ;

V.Council Framework Decision 2006/783/JHA of 6 October 2006 on the application of the principle of mutual recognition to confiscation orders 8 ;

VI.Council Framework Decision 2008/947/JHA of 27 November 2008 on the application of the principle of mutual recognition to judgments and probation decisions with a view to the supervision of probation measures and alternative sanctions 9 ;

VII.Council Framework Decision 2008/909/JHA of 27 November 2008 on the application of the principle of mutual recognition to judgments in criminal matters imposing custodial sentences or measures involving deprivation of liberty for the purpose of their enforcement in the European Union 10 ;

2)Acts containing a reference to Council Framework Decision 2008/977/JHA and that do not contain any specific data protection rules

The LED repealed Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters 11 with effect from 6 May 2018 and states in its Article 59 that references to Council Framework Decision 2008/977/JHA shall be construed as references to the LED. This ensures the applicability of the LED to the data processing under those legal acts. Those acts do not contain any specific data protection rules beyond the reference to Council Framework Decision 2008/977/JHA and the review has shown that no further data protection-related amendments are required. The following three acts are concerned:

I.Council Framework Decision 2009/829/JHA of 23 October 2009 on the application, between Member States of the European Union, of the principle of mutual recognition to decisions on supervision measures as an alternative to provisional detention 12 ; 

II.Council Framework Decision 2009/948/JHA of 30 November 2009 on prevention and settlement of conflicts of exercise of jurisdiction in criminal proceedings 13 ; 

III.Directive 2011/99/EU of the European Parliament and of the Council of 13 December 2011 on the European protection order 14 .

3)Legislative proposals subject to inter-institutional negotiations

The following two legal acts are currently subject to pending legislative review. The ongoing legislative process initiated by the Commission has already taken into account the requirements of the LED:

I.Council Decision 2008/633/JHA of 23 June 2008 concerning access for consultation of the Visa Information System (VIS) by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences 15 regulates access to personal data in the VIS for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences. In 2018, the Commission adopted the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA 16 . This proposal aligns the provision relating to law enforcement access to the recent legislative developments and proposes to repeal the Council Decision.

II.Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person 17 . In 2016, the Commission proposed to repeal this regulation under the Proposal for a Regulation of the European Parliament and of the Council on the establishment of Eurodac for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person, for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes (recast) 18 .

4)International agreements between Member States or Schengen States only

There are several international agreements falling within the scope of the review under Article 62(6) of the LED that bind exclusively Member States, or Schengen States, which are obliged to transpose the LED into their national legal order. Therefore, the processing of personal data by the competent authorities of these States for purposes of law enforcement under such agreements is subject to national laws transposing the LED. There are three of such agreements:

I.Convention drawn up on the basis of Article K.3 of the Treaty on European Union, on mutual assistance and cooperation between customs administrations (Naples II Convention) 19 ;

II.Council Act of 29 May 2000 establishing in accordance with Article 34 of the Treaty on European Union the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union 20 ;

III.Agreement between the European Union and the Republic of Iceland and the Kingdom of Norway on the application of certain provisions of the Convention of 29 May 2000 on Mutual Assistance in Criminal Matters between the Member States of the European Union and the 2001 Protocol thereto 21 .

5)Mutual Legal Assistance Treaty between the EU and the U.S.

Signed in 2003, the Agreement on mutual legal assistance between the European Union and the United States of America 22 (‘EU-U.S. MLAT’) entered into force on 1 February 2010. In addition to the safeguards included in the Agreement, the Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences 23 (‘EU-U.S. Umbrella Agreement’), in force since February 2017, complements the Agreement with appropriate safeguards for the protection of personal data, and therefore there is no need for further alignment of the EU-U.S. MLAT.

IV.Acts to be aligned with the LED

The review identified ten legal acts for which the Commission considers appropriate a legislative intervention, either because they include specific provisions for the protection of personal data which, according to Article 60 of the LED, remain unaffected by the LED (are “grandfathered”), or have not been grandfathered but are not fully in line with the LED, as further detailed below.

1)Council Framework Decision on joint investigation teams

Council Framework Decision 2002/465/JHA of 13 June 2002 on joint investigation teams 24  specifies the conditions for setting up a joint investigation team. It contains a specific provision relating to processing of information that may contain personal data obtained by a member or seconded member of a joint investigation team, foreseeing that such information may be used for other purposes to the extent agreed between the Member States setting up the team (Article 1(10)(d)). This provision should be aligned with the LED.

Alignment with LED

Council Framework Decision 2002/465/JHA should be aligned with the LED as regards the following:

·Specify that the personal data obtained under Council Framework Decision 2002/465/JHA may be processed for purposes other than those for which these data were collected to the extent laid down in national law and agreed between the Member States setting up the team, in line with the conditions of Articles 4(2) and 9(1) of the LED.

Way forward

The Commission will propose a targeted amendment to Council Framework Decision 2002/465/JHA in the last quarter of 2020.

2)Council Decision on exchange of information and cooperation concerning terrorist offences

Council Decision 2005/671/JHA of 20 September 2005 on the exchange of information and cooperation concerning terrorist offences 25  was adopted prior to the entry into force of Council Framework Decision 2008/977/JHA and contains provisions “grandfathered” under the Article 60 of the LED. Council Decision 2005/671/JHA has recently been amended by Directive (EU) 2017/541 on combating terrorism.

Alignment with LED

Council Decision 2005/671/JHA should be aligned with the LED as regards the following points:

·Specify that the processing of personal data under Council Decision 2005/671/JHA can only take place for the prevention, investigation, detection and prosecution of terrorist offences, in line with the purpose limitation principle;

·The categories of personal data that can be exchanged should be defined more precisely by Union or Member State law, in line with the requirement of Article 8(2) of the LED, taking due account of the operational needs of the authorities concerned.

Way forward

The Commission will propose targeted amendments to Council Decision 2005/671/JHA in the first semester of 2021.

Additionally, the Commission intends, by 8 September 2021, to submit a report to the European Parliament and to the Council, assessing the added value of Directive (EU) 2017/541 with regard to combating terrorism and its impact on fundamental rights and freedoms including the right to data protection (Article 29(2) of Directive (EU) 2017/541).

3)Council Framework Decision on exchange of information between law enforcement authorities

Council Framework  Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union 26  establishes a set of general rules for the exchange among Member States’ law enforcement authorities of existing information and intelligence for the purpose of conducting criminal investigations or criminal intelligence operations. It requires that, in principle, procedures for cross-border data exchanges are not stricter than those applying to exchanges at national level.

Alignment with LED

The Council Framework Decision should be aligned with the LED on the following points:

·Specify the types of personal data that can be exchanged under the Framework Decision, while preserving its effectiveness and its nature as a horizontal tool;

·Further clarify the safeguards: in particular the requirement of a necessity and proportionality assessment of each information exchange;

·Update the references to the horizontal data protection framework and include a reference to the applicability of the LED.

Way forward

The Commission will assess this instrument in the context of wider discussions and a feasibility study carried out in 2020 on the possible future codification of EU law enforcement cooperation, which should aim to recast and modernise the various legislation in place in the field of law enforcement cooperation. The Commission will make a legislative proposal, which as a minimum will entail an amendment of Council Framework Decision 2006/960/JHA to ensure the necessary data protection alignment, in the last quarter of 2021.

4)Council Decision on cooperation between Asset Recovery Offices

Council Decision 2007/845/JHA of 6 December 2007 concerning cooperation between Asset Recovery Offices of the Member States in the field of tracing and identification of proceeds from, or other property related to, crime 27 obliges Member States to set up the Asset Recovery Offices and provide for the framework for the exchange of data between the Member States’ Asset Recovery Offices.

Alignment with LED

Council Decision 2007/845/JHA, or any instrument that may replace it, should be aligned with the LED on all relevant aspects, including:

·To clarify that the processing of personal data under Council Decision 2007/845/JHA is subject to the LED. Currently, Article 5 of Council Decision 2007/845/JHA refers explicitly to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, and the Additional Protocol of 8 November 2001 to that Convention, regarding Supervisory Authorities and Transborder Data Flows. This Council Decision was adopted prior to the entry into force of Council Framework Decision 2008/977/JHA and its specific provisions for the protection of personal data are also covered by Article 60 of the LED with the result that these provisions are not affected by the LED (i.e. they are “grandfathered”). Therefore, a legislative amendment is required to ensure that the LED is fully applied;

·The categories of personal data that can be exchanged should be defined more precisely, taking due account of the operational needs of the authorities concerned.

Way forward

The Commission is in a process of reflection on the role and functions of the Asset Recovery Offices. To that end, the Commission launched in December 2019 a study on “Freezing, confiscation and asset recovery in the EU – what works and what does not work”. The final report of this study is expected in July 2020.

The findings and recommendations of this study could serve as a basis for further consideration of the EU acquis on asset recovery, including Council Decision 2007/845/JHA. A legislative proposal, including the amendments necessary for data protection alignment  will be presented by the end of 2021.

5)Council Decisions on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (Prüm Decisions)

Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime 28 and Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime 29 lay down the rules for cooperation between Member States’ law enforcement authorities primarily related to exchange, on a “hit/no-hit” basis, of fingerprint and DNA data held in the national criminal databases. The Prüm Framework also provides for direct access to vehicle owner registration via the online application “EUCARIS”.

Alignment with LED

The revision of the Prüm Decisions needs to ensure full alignment of the new Prüm Framework with the LED, especially regarding the data protection safeguards. The Commission will propose changes aimed at ensuring alignment with the LED, including as regards the following points:

·Alignment of the data subject rights and rules regarding liability for personal data processing, and remedies;

·Ensure that the logging requirements are fully aligned with the LED;

·Align rules on transfer of personal data to a third country or international organisation;

·Consider the interplay between the Article 9(3) LED and the system established by the Prüm Decisions;

·As regards Chapters 3 and 5 of the Council Decision 2008/615/JHA, clarify the categories of personal data that may be processed for the prevention of the criminal offences and in maintaining public order and security of major events, or in relation to other forms of cooperation in line with the requirement of Article 8(2) of the LED;

·Clarify that any exchange of information taking place under the Decision, in particular supply of data in relation to major events or other forms of cooperation (Chapters 3 and 5 of Council Decision 2008/615/JHA) is for the purpose of the prevention and investigation of criminal offences and public security only;

·The Commission would also take the opportunity of the alignment to update the reference to the applicable data protection framework, i.e. replace the reference to Council Framework Decision 2008/977/JHA with the reference to the applicability of the LED.

Way forward

In November 2018, the Commission launched a feasibility study on the future of the Prüm framework. 30 It includes the assessment of the technical, operational and legal feasibility of amending the technical architecture, improving the exchange of personal and case related data after the “hit” provided by the system has been confirmed, including new data categories and improving existing data processing, and linking Prüm to other EU central databases and interoperability solutions. Subject to the result of the study, the Commission will consider a legislative proposal providing a revised and modernised legal framework which will present the opportunity to include the necessary alignments with the LED in 2021.

6)Council Decision on the use of information technology for customs purposes

Council Decision 2009/917/JHA of 30 November 2009 on the use of information technology for customs purposes 31 establishes the Customs Information System (CIS) to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and increase the effectiveness of the customs administrations. This central system is accessible to Member State authorities, Europol, Eurojust and the European Commission.

Alignment with LED

Council Decision 2009/917/JHA should be aligned with the LED on the following points:

·In relation to the ‘serious contraventions’ to which the Council decision applies;

·Clarify the conditions for collecting and recording the data and require that data may be entered into the CIS only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit a criminal offence;

·Provide for additional requirements related to security of processing aligning the list of required security measures with Article 29 of the LED, i.e. by adding requirements on system recovery, reliability and integrity;

·Restrict the subsequent processing of data recorded in CIS for purposes other than for which personal data were collected only under the conditions provided for in the LED;

·Make the processing of personal data under Council Decision 2009/917/JHA subject to the coordinated supervision model laid down in Article 62 of Regulation (EU) 2018/1725. 32 The Decision is the only remaining legal act whereby the supervision of processing of personal data is carried out by the Joint Supervisory Authority which has now become obsolete;

·Update the general reference to Council Framework Decision 2008/977/JHA with the reference to the applicability of the LED. Any provision that overlaps with the LED (such as definitions or the provisions on the rights of the data subjects or availability of judicial remedy and liability) should be removed as outdated and obsolete. References to specific provisions of the Council Framework Decision 2008/977/JHA should be updated with specific corresponding references to the LED.

Way forward

The Commission will propose targeted amendments to Council Decision 2009/917/JHA in the first quarter of 2021.

7)Mutual Legal Assistance Agreement with Japan

Alignment with LED

As regards the Agreement between the European Union and Japan on mutual legal assistance in criminal matters 33 , the review identified several areas where the safeguards currently included should be improved. Areas requiring further consideration in this respect include:

·Provisions on data quality and security issues;

·Safeguards applicable to the processing of special categories of personal data;

·Remedies available to data subjects and rules on oversight;

·Restrictions on onward transfers;

·Rules on retention and record keeping.

Way forward

The Commission will therefore inform the Japanese authorities of the possible need for an amendment of the Agreement and the procedure to be followed to include enhanced data protection safeguards in line with the LED, with the aim of addressing the Council with a recommendation in the first quarter of 2021.

8)Directive on the European Investigation Order

Processing of personal data under Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters 34 lays down the framework for issuing, transmission and execution of the European Investigation Order.

Alignment with LED

Directive 2014/41/EU should be aligned with the LED on the following points:

·Clarify that any processing of personal data obtained under this Directive for purposes other than those for which these data are collected is permitted only under conditions provided for under Article 4 or 9(1) of the LED or Article 6 of the GDPR, e.g. by deleting Article 20;

·The Commission will update the general reference to Council Framework Decision 2008/977 by referring to the applicability of the LED and including a reference to the applicability of the GDPR for processing of personal data related to EIO in the context of non-criminal proceedings.

Way forward

The Commission will propose targeted amendments to Directive 2014/41/JHA in the last quarter of 2020.

9)Directive on exchange of information on road safety-related traffic offences

Directive (EU) 2015/413 of the European Parliament and of the Council of 11 March 2015 facilitating cross-border exchange of information on road-safety-related traffic offences 35 aims to ensure a high level of protection for all road users in the Union by facilitating the cross-border exchange of information on certain specific road safety related traffic offences. To this end, it provides Member State authorities with access to each other’s vehicle registers via an electronic information system that enables the identification of the presumed non-resident offender i.e. vehicle owner or holder and thereby facilitates the enforcement of road-traffic related sanctions.

Alignment with LED

Directive (EU) 2015/413 should be aligned with the LED on the following points:

·Introduce an explicit reference to the applicability of the LED where the road-traffic related act is considered a criminal offence. Given that the main objective is a high level of protection of road users, the Directive is based on Article 91(1)(c) TFEU on measures to improve road safety, and currently refers to the provisions on data protection set out in Directive 95/46/EC as applicable. Nevertheless, the aim of the Directive is to facilitate sanctioning road-traffic related offences, which in some Member States are qualified as “administrative”, while in others as “criminal”. In the first case, the General Data Protection Regulation replaces Directive 95/46/EC and the application of the correct legal framework for processing personal data is ensured. In the latter case, as mentioned in Recital 23 of the Directive, Member States have the possibility to apply specific data protection provisions set out in Decision 2008/615/JHA. The access to the data exchanged under this Decision, and their subsequent processing, needs to be aligned with the LED by providing clear reference to applicability of the LED in such cases (see point 5 above);

·The alignment should ensure that the obligation to send an information letter to the owner or holder of the vehicle, or the otherwise identified person suspected of committing the road-safety-related traffic offence, on initiating the investigation or prosecution and granting them specific information is without prejudice to the right to information under Article 13 of the LED.

Way forward

Article 11 of the Directive requires the Commission to report to the European Parliament and to the Council on the application of this Directive by November 2016. Following the 2016 evaluation of the Directive 36 , the Commission published an Inception Impact Assessment 37 (Roadmap) on 15 March 2019, as the first step in the Impact Assessment process concerning the revision of the Directive. The Commission will present a legislative proposal, including the necessary alignment with the LED 38 by the end of 2021.

10)Directive on the use of passenger name record (PNR)

Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime 39 sets out an obligation for the transmission of the passenger name record data of passengers on international flights from airlines to competent authorities of the European Union’s Member States. It also sets conditions for access and processing of such data by relevant authorities in Members States for the purpose of the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

Alignment with LED

The PNR directive is currently the subject of a preliminary reference lodged to the Court of Justice of European Union 40 in which its compatibility with Articles 7, 8 and 52(1) of the Charter is being examined. The Commission will assess the need for any data protection-related revision of the PNR directive in the light of the Court’s ruling.

Way forward

Article 19 of the EU PNR Directive requires the Commission to conduct a review of all the elements of this Directive and to present a report to the European Parliament and to the Council by 25 May 2020. Following the review, and taking stock of the Court ruling in Case C-817/19, the Commission will consider whether proposing a legislative proposal with a view to amending this Directive is necessary or appropriate. The Commission has initiated an analysis of the implementation of the PNR Directive in the last quarter of 2019.

(1)

   Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, (OJ L 119, 4.5.2016, p. 89–131).

(2)

     See, with regard to the relationship between Article 16 TFEU and Article 8 of the Charter of Fundamental Rights, the Opinion of the Court (Grand Chamber) A-1/15, ECLI:EU:C:2017:592, point 120.

(3)

   The Pilot Project was requested by the European Parliament, managed by the Commission and carried out by a contractor (group of independent experts). The Commission selected the contractor on the basis of criteria defined by the European Parliament. The deliverables of the project reflect the views and opinions only of the contractor, and the Commission cannot be held responsible for any use which may be made of the information contained therein. Its results are published under the following link: http://www.fondazionebrodolini.it/en/projects/pilot-project-fundamental-rights-review-eu-data-collection-instruments-and-programmes

(4)

     OJ L 190, 18.7.2002, p. 1–20.

(5)

     OJ L 196, 2.8.2003, p. 45–55.

(6)

     OJ L 27, 29.1.2005, p. 61–62.

(7)

     OJ L 76, 22.3.2005, p. 16–30. As regards the Council Framework Decision 2005/214/JHA, it is worth mentioning that the GDPR applies in cases of financial penalties that have been issued in respect of administrative rather than criminal offences.

(8)

     OJ L 328, 24.11.2006, p. 59–78.

(9)

     OJ L 337, 16.12.2008, p. 102–122.

(10)

     OJ L 327, 5.12.2008, p. 27–46.

(11)

     OJ L 350, 30.12.2008, p. 60-71.

(12)

     OJ L 294, 11.11.2009, p. 20–40.

(13)

     OJ L 328, 15.12.2009, p. 42–47.

(14)

     OJ L 338, 21.12.2011, p. 2–18.

(15)

     OJ L 218, 13.8.2008, p. 129–136.

(16)

     COM(2018) 302 final.

(17)

     OJ L 180, 29.6.2013, p. 31–59.

(18)

     COM/2016/0272 final - 2016/0132 (COD).

(19)

   Convention drawn up on the basis of Article K.3 of the Treaty on European Union, on mutual assistance and cooperation between customs administrations (OJ C 24, 23.1.1998, p. 2–22.

(20)

    OJ C 197, 12.7.2000, p. 1–2.

(21)

   OJ L 26, 29.1.2004, p. 3–9.

(22)

   OJ L 181, 19.7.2003, p. 34–42.

(23)

     OJ L 336, 10.12.2016, p. 3–13.

(24)

     OJ L 162, 20.6.2002, p. 1–3.

(25)

     OJ L 253, 29.9.2005, p. 22–24.

(26)

     OJ L 386, 29.12.2006, p. 89–100.

(27)

     OJ L 332, 18.12.2007, p. 103–105.

(28)

     OJ L 210, 6.8.2008, p. 1–11.

(29)

     OJ L 210, 6.8.2008, p. 12–72. 

(30)

   Study on the feasibility of improving information exchange under the Prüm Decisions: Final Report ( https://op.europa.eu/en/publication-detail/-/publication/6c877a2a-9ef7-11ea-9d2d-01aa75ed71a1/language-en/format-PDF/source-130489216 ); Advanced technical report ( https://op.europa.eu/en/publication-detail/-/publication/3236e6ae-9efb-11ea-9d2d-01aa75ed71a1/language-en ); Cost benefits analysis ( https://op.europa.eu/en/publication-detail/-/publication/503f1551-9efc-11ea-9d2d-01aa75ed71a1/language-en ).

(31)

     OJ L 323, 10.12.2009, p. 20–30.

(32)

   Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance) (OJ L 295, 21.11.2018, p. 39–98).

(33)

     OJ L 39, 12.2.2010, p. 20–35.

(34)

     OJ L 130, 1.5.2014, p. 1–36.

(35)

    OJ L 68, 13.3.2015, p. 9–25.

(36)

   Commission Staff Working Document on the evaluation of cross-border exchange of information on road traffic offences (SWD(2016) 355 final) and Report from the Commission to the European Parliament and the Council on the application of Directive (EU) 2015/413 facilitating cross-border exchange of information on road-safety-related traffic offences (COM(2016) 744 final).

(37)

   Inception Impact Assessment: Revision of the Cross-Border Enforcement Directive ( https://ec.europa.eu/info/law/better-regulation/initiatives/ares-2019-1732201_en ).

(38)

     The alignment will also take into account any necessary alignment to the GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37-47).

(39)

   OJ L 119, 4.5.2016, p. 132–149.

(40)

     Case C-817/19, Ligue des droits humains, pending at the moment of adoption of this Communication.

Top

Brussels, 24.6.2020

COM(2020) 262 final

ANNEXES

to the

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Way forward on aligning the former third pillar acquis with data protection rules


ANNEX I: Acts that fall within the scope of the review but do not require amendments 

Acts that do not contain specific data protection rules and are therefore not “grandfathered”, meaning that the LED already applies to them (7 acts):

1.Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States 1 ;

2.Council Framework Decision 2003/577/JHA of 22 July 2003 on the execution in the European Union of orders freezing property or evidence 2 ; 

3.Council Common Position 2005/69/JHA of 24 January 2005 on exchanging certain data with Interpol 3 ;

4.Council Framework Decision 2005/214/JHA of 24 February 2005 on the application of the principle of mutual recognition to financial penalties 4 ;

5.Council Framework Decision 2006/783/JHA of 6 October 2006 on the application of the principle of mutual recognition to confiscation orders 5 ;

6.Council Framework Decision 2008/947/JHA of 27 November 2008 on the application of the principle of mutual recognition to judgments and probation decisions with a view to the supervision of probation measures and alternative sanctions 6 ;

7.Council Framework Decision 2008/909/JHA of 27 November 2008 on the application of the principle of mutual recognition to judgments in criminal matters imposing custodial sentences or measures involving deprivation of liberty for the purpose of their enforcement in the European Union 7 .

Acts that contain a reference to Council Framework Decision 2008/977/JHA, which is to be construed as a reference to the LED as per Article 59(2) thereof, and do not contain any specific data protection rules (3 acts):

1.Council Framework Decision 2009/829/JHA of 23 October 2009 on the application, between Member States of the European Union, of the principle of mutual recognition to decisions on supervision measures as an alternative to provisional detention 8 ;

2.Council Framework Decision 2009/948/JHA of 30 November 2009 on prevention and settlement of conflicts of exercise of jurisdiction in criminal proceedings 9 , and

3.Directive 2011/99/EU of the European Parliament and of the Council of 13 December 2011 on the European protection order 10 .



Acts where amendments are already under negotiation (2 acts):

1.Council Decision 2008/633/JHA of 23 June 2008 regulates access to VIS data for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences 11 , which is subject to repeal under Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA 12 ;

2.Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person 13 ; it is subject to repeal under Proposal for a Regulation of the European Parliament and of the Council on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person, for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes (recast) 14 .

International agreements that bind exclusively Member States or Schengen States which are obliged to transpose the LED into their national orders, and where the processing of personal data by the competent authorities for purposes of law enforcement under such agreements is subject to national laws transposing the LED (3 acts):

1.Convention drawn up on the basis of Article K.3 of the Treaty on European Union, on mutual assistance and cooperation between customs administrations (Naples II Convention) 15 ;

2.Council Act of 29 May 2000 establishing in accordance with Article 34 of the Treaty on European Union the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union 16 ;

3.Agreement between the European Union and the Republic of Iceland and the Kingdom of Norway on the application of certain provisions of the Convention of 29 may 2000 on Mutual Assistance in Criminal Matters between the Member States of the European Union and the 2001 Protocol thereto 17 .

Mutual Legal Assistance Treaty between the EU and the U.S.:

1.Agreement on mutual legal assistance between the European Union and the United States of America 18 .


ANNEX II: Acts that require amendments

1.Council Framework Decision 2002/465/JHA of 13 June 2002 on joint investigation teams 19 .

2.Council Decision 2005/671/JHA of 20 September 2005 on the exchange of information and cooperation concerning terrorist offences 20 ;

3.Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union 21 ;

4.Council Decision 2007/845/JHA of 6 December 2007 concerning cooperation between Asset Recovery Offices of the Member States in the field of tracing and identification of proceeds from, or other property related to, crime obliges Member States to set up the Asset Recovery Office and provide for the framework for the exchange of data between the Member States’ Asset Recovery Offices 22 ;

5.Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime 23 and Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime 24 ;

6.Council Decision 2009/917/JHA of 30 November 2009 on the use of information technology for customs purposes 25 ;

7.Agreement between the European Union and Japan on mutual legal assistance in criminal matters 26 ;

8.Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters 27 ;

9.Directive (EU) 2015/413 of the European Parliament and of the Council of 11 March 2015 facilitating cross-border exchange of information on road-safety-related traffic offences 28 ;

10.Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime 29 .

(1)

     OJ L 190, 18.7.2002, p. 1–20.

(2)

     OJ L 196, 2.8.2003, p. 45–55.

(3)

     OJ L 27, 29.1.2005, p. 61–62.

(4)

     OJ L 76, 22.3.2005, p. 16–30.

(5)

     OJ L 328, 24.11.2006, p. 59–78.

(6)

     OJ L 337, 16.12.2008, p. 102–122.

(7)

     OJ L 327, 5.12.2008, p. 27–46.

(8)

     OJ L 294, 11.11.2009, p. 20–40.

(9)

     OJ L 328, 15.12.2009, p. 42–47.

(10)

     OJ L 338, 21.12.2011, p. 2–18.

(11)

     OJ L 218, 13.8.2008, p. 129–136.

(12)

     COM(2018) 302 final.

(13)

     OJ L 180, 29.6.2013, p. 31–59.

(14)

     COM/2016/0272 final - 2016/0132 (COD).

(15)

   OJ C 24, 23.1.1998, p. 2–22.

(16)

   OJ C 197, 12.7.2000, p. 1–2.

(17)

     OJ L 26, 29.1.2004, p. 3–9.

(18)

     OJ L 181, 19.7.2003, p. 34–42.

(19)

     OJ L 162, 20.6.2002, p. 1–3.

(20)

     OJ L 253, 29.9.2005, p. 22–24.

(21)

     OJ L 386, 29.12.2006, p. 89–100.

(22)

     OJ L 332, 18.12.2007, p. 103–105.

(23)

     OJ L 210, 6.8.2008, p. 1–11.

(24)

     OJ L 210, 6.8.2008, p. 12–72.

(25)

     OJ L 323, 10.12.2009, p. 20–30.

(26)

     OJ L 39, 12.2.2010, p. 20–35.

(27)

     OJ L 130, 1.5.2014, p. 1–36.

(28)

   OJ L 68, 13.3.2015, p. 9–25. 

(29)

   OJ L 119, 4.5.2016, p. 132–149.

Top