EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 52019PC0551

Recommendation for a COUNCIL DECISION authorising the opening of negotiations for an agreement between the European Union and New Zealand on the exchange of personal data between the European Union Agency for Law Enforcement Cooperation (Europol) and the New Zealand authorities competent for fighting serious crime and terrorism

COM/2019/551 final

Brussels, 30.10.2019

COM(2019) 551 final

Recommendation for a

COUNCIL DECISION

authorising the opening of negotiations for an agreement between the European Union and New Zealand on the exchange of personal data between the European Union Agency for Law Enforcement Cooperation (Europol) and the New Zealand authorities competent for fighting serious crime and terrorism


EXPLANATORY MEMORANDUM

1.CONTEXT OF THE RECOMMENDATION

In the globalised world where serious crime and terrorism are increasingly transnational and polyvalent, law enforcement authorities should be fully equipped to cooperate with external partners to ensure the security of their citizens. Europol should therefore be able to exchange personal data with law enforcement authorities of third countries to the extent necessary for the accomplishment of its tasks within the framework of the requirements set out in the Regulation 2016/794 of 11 May 2016 1 .

Since the entry into application of the Regulation, Europol can exchange data with third countries or international organizations on the basis of an international agreement adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. The Commission is responsible, on behalf of the Union, for negotiating such international agreements. In so far as necessary for the performance of its tasks, Europol may also establish and maintain cooperative relations with external partners through working and administrative arrangements that cannot by themselves be a legal basis for the exchange of personal data.

In the 11th progress report towards a genuine and effective Security Union 2 the Commission identified eight priority countries 3 in the Middle East/North Africa (MENA) Region on the basis of the terrorist threat, migration-related challenges and Europol's operational needs to start negotiations. Taking into account the political strategy as outlined in the European Agenda on Security 4 , Council Conclusions 5 , and the Global Strategy 6 , the operational needs of law enforcement authorities across the EU, and the potential benefits of closer cooperation in this area as also demonstrated by the follow up to the Christchurch attack of March 2019, the Commission considers it necessary to add New Zealand as a priority country to start negotiations with in the short-term. New Zealand formally requested the initiative on 23 August 2019.

Europol and New Zealand Police have signed a working arrangement in April 2019. This provides a framework for structured strategic-level cooperation, including a secure line allowing direct secure communication, and New Zealand has deployed a liaison officer at Europol. However, it does not provide a legal basis for the exchange of personal data. At the moment, there is no legal basis for the regular and structured exchange of personal data between New Zealand law enforcement authorities and Europol, which is essential for effective operational cooperation.

The legal standards for the protection of personal data in New Zealand are primarily contained in the Privacy Act of 17 May 1993 as amended by the Privacy Amendment Act of 7 September 2010 7 . To this end, the Act sets out twelve Information Privacy Principles that regulate the processing of personal data. The Privacy Act applies to private and public bodies, including law enforcement authorities. The Privacy Act also establishes the office of the Privacy Commissioner, the independent data protection authority in New Zealand.

Political context

On 15 May 2019, in the aftermath of the Christchurch attack, French President Emmanuel Macron and New Zealand Prime Minister Jacinda Ardern, co-hosted the “Christchurch Call” event in Paris, to which President Juncker participated, highlighting the importance of tackling the issue of terrorist content online, while guaranteeing the protection of fundamental rights. The participating Governments and tech companies, as well as the European Commission expressed their support to the commitments made in the “Christchurch Call to Action” to eliminate terrorist and violent extremist content online ( https://www.christchurchcall.com/ ).

The EU and New Zealand are like-minded partners sharing similar views and approaches on many global issues. The EU-New Zealand Partnership Agreement for Relations and Cooperation Agreement, signed on 5 October 2016 paves the way for a stronger and more solid relationship as it contains a number of articles where Parties commit to cooperate in areas such as counterterrorism, law enforcement cooperation, prevention and combatting of organised crime and corruption, drugs, cybercrime, money laundering, terrorist financing, migration and asylum.

The EU and New Zealand are also partners of the Global Counter Terrorism Forum (GCTF) which is an international forum of 29 countries and the European Union with an overarching mission of reducing the vulnerabiltiy of people worldwide to terrorism by preventing, combatting, and prosecuting terrorist acts and countering incitement and recruitment to terrorism. The EU and New Zealand cooperate closely on foreign and security issues and engage in a regular political and security dialogue. This dialogue includes frequent consultations at ministerial and senior officials’ levels. New Zealand, based on the Framework Partnership Agreement from 2012 was able to take part in some EU crisis management operations, as an example it contributed to the EUNAVFOR Atalanta (piracy in the Horn of Africa).

Operational needs

In all the crime areas which fall under Europol’s competence, there is potential for further cooperation to be explored with New Zealand. This is a non-exhaustive list of Europol’s most prominent operational needs with New Zealand:

·Terrorism: Terrorism poses a serious threat to both New Zealand and the European Union, which have been the target of terrorist attacks. In addition to improving the threat picture and the identification of new trends, closer cooperation including the exchange of personal data is needed to detect, prevent and prosecute terrorist offences including terrorist travel, terrorism financing as well as terrorists’ misuse of the Internet.    

Europol’s European Counter Terrorism Centre (ECTC) has a strong operational interest to be able to exchange operational/personal data with New Zealand and vice versa, as evidenced by the aftermath to the Christchurch attack. In the wake of Christchurch, Europol’s EU Internet Referral Unit (EU IRU) worked on content detection and its dissemination patterns across the Internet. The speed and volume of internet abuse in the aftermath of the attack and the vast number of Operations Service Providers (OSPs) involved was unprecedented and showed the limitations of the existing processes to address similar threats. An operational agreement with New Zealand would not only enhance Europol’s position in leading the operational response to the Christchurch Call to eliminate terrorist or violent extremist content online but also provide Europol with the legal framework to develop an advanced level of cooperation in terrorism related matters with New Zealand.  

·Cybercrime: For EU law enforcement agencies New Zealand is a key partner in investigations into child sexual exploitation cases.    

The New Zealand Police participate in, and are an active partner to, the Virtual Global Taskforce, a key partnership network for Europol’s European Cyber Crime Centre in combating online child sexual abuse. New Zealand’s advanced expertise in the area of investigating online child sexual exploitation and their willingness to share their knowledge with the participants in these meetings is highly appreciated by the competent authorities of the EU Member States who are vested with the responsibility to investigate such complex crimes and face numerous legal and technical challenges. From an operational point of view, New Zealand can bring significant added value to Europol in the area of cybercrime, in particular online child sexual exploitation. The New Zealand Police and the New Zealand Department of Internal Affairs’ Digital Child Exploitation Team are engaged and experienced in this field and have played a major role in high priority operations.    

New Zealand remains the only country in the Five Eyes
8 network with which Europol does not have a legal basis for the exchange of personal data. That limits the capacity of both sides to share valuable operational information and to engage systematically with each other. It also creates a situation where bilateral contacts must be made with Member States directly or through third-party agencies, including INTERPOL. The nature of such contacts is detrimental to the effectiveness of Member States in dealing with this crime type and deprives them of the opportunity to contribute to and gain from the added value that Europol has to offer, especially in the area of terrorist content online and online child sexual exploitation.

·Outlaw Motorcycle Criminal Gangs: The New Zealand Police and Europol have a strong interest in cooperating on Outlaw Motorcycle Criminal Gangs (OMCGs). OMCGs are a growing area of concern in New Zealand and the New Zealand Police has recently set up a Gangs Intelligence Unit with OMCGs as one of the main targets of this unit. Europol’s Analysis Project Monitor has in particular interest in travel movements to Europe and criminal records of New Zealand OMCG members as well as their alleged contacts with parts of South East Asia Organised Crime.

·Drugs: In the past, Europol has worked on a large-scale amphetamine trafficking case from the EU to New Zealand. There is potential for further cooperation in this area.

2.LEGAL ELEMENTS OF THE RECOMMENDATION

Regulation (EU) 2016/794 on the European Union Agency for Law Enforcement Cooperation (Europol) sets out a legal framework for Europol, in particular its objectives, tasks, scope of competence, data protection safeguards and ways to cooperate with external partners. This Recommendation is consistent with the provisions of the Europol Regulation 9 .

The objective of this recommendation is to obtain from the Council the authorisation for the Commission to negotiate the future agreement on behalf of the EU. The legal basis for the Council to authorise the opening of negotiations is Article 218(3) and (4) TFEU.

In line with Article 218 of Treaty on the Functioning of the European Union, the Commission shall be nominated as the Union negotiator for the agreement between the European Union and New Zealand on the exchange of personal data between the European Union Agency for Law Enforcement Cooperation (Europol) and the New Zealand authorities competent for fighting serious crime and terrorism.

Recommendation for a

COUNCIL DECISION

authorising the opening of negotiations for an agreement between the European Union and New Zealand on the exchange of personal data between the European Union Agency for Law Enforcement Cooperation (Europol) and the New Zealand authorities competent for fighting serious crime and terrorism

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union (TFEU), and in particular Article 218(3) and (4) thereof,

Having regard to the recommendation from the European Commission,

Whereas:

(1)Regulation (EU) 2016/794 of the European Parliament and of the Council 10 was adopted on 11 May 2016 and is applicable as of 1 May 2017.

(2)The provisions of Regulation (EU) 2016/794, in particular those concerning the transfer of personal data from the European Union Agency for Law Enforcement Cooperation (Europol) to third countries and international organisations, provide that Europol may transfer personal data to an authority of a third country on the basis of an international agreement concluded between the Union and that third country pursuant to Article 218 TFEU adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals.

(3)Negotiations should be opened with a view to concluding an Agreement between the European Union and New Zealand on the exchange of personal data between the European Union Agency for Law Enforcement Cooperation (Europol) and the New Zealand authorities competent for fighting serious crime and terrorism (the ‘Agreement’).

(4)As also explained in Recital 35 of Regulation (EU) 2016/794, the Commission should be able to consult the European Data Protection Supervisor (EDPS) also during the negotiation of the Agreement and, in any event, before the Agreement is concluded.

(5)The Agreement should respect the fundamental rights and observe the principles recognised by the Charter of Fundamental Rights of the European Union, in particular the right to private and family life, recognised in Article 7 of the Charter, the right to the protection of personal data, recognised in Article 8 of the Charter and the right to effective remedy and fair trial recognised by Article 47 of the Charter. The Agreement should be applied in accordance with those rights and principles.

(6)The Agreement should not affect, and should be without prejudice to, the transfer of personal data or other forms of cooperation between the authorities responsible for safeguarding national security.

HAS ADOPTED THIS DECISION:

Article 1

The Commission is hereby authorised to negotiate, on behalf of the Union, an Agreement between the European Union and New Zealand on the exchange of personal data between the European Union Agency for Law Enforcement Cooperation (Europol) and the New Zealand authorities competent for fighting serious crime and terrorism.

The negotiating directives are set out in the Annex.

Article 2

The negotiations shall be conducted in consultation with the relevant [name of the special committee to be inserted by the Council].

Article 3

This Decision is addressed to the Commission.

Done at Brussels, 30.10.2019

   For the Council

   The President

(1)    Regulation (EU) 2016/794 of 11 May 2016, OJ L 135, 24.5.2016, p. 53.
(2)    COM(2017) 608 final.
(3)    Algeria, Egypt, Israel, Jordan, Lebanon, Morocco, Tunisia and Turkey.
(4)    COM(2015) 185 final.
(5)    Council Document 10384/17, 19 June 2017.
(6)    Shared Vision, Common Action: A Stronger Europe - A Global Strategy for the European Union’s Foreign And Security Policy http://europa.eu/globalstrategy/en  
(7)    The Privacy Act is currently under reform following a bill introduced in March 2018.
(8)    An intelligence alliance comprising Australia , Canada , New Zealand , the United Kingdom and the United States .
(9)    In particular Articles 3, 23, 25 and Chapter VI of Regulation (EU) 2016/794.
(10)    Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).
Top

Brussels, 30.10.2019

COM(2019) 551 final

ANNEX

to the

Recommendation for a COUNCIL DECISION

authorising the opening of negotiations for an agreement between the European Union and New Zealand on the exchange of personal data between the European Union Agency for Law Enforcement Cooperation (Europol) and the New Zealand authorities competent for fighting serious crime and terrorism





ANNEX

In the course of the negotiations the Commission should aim to achieve the objectives set out in detail below.

(1)The objective of the Agreement should be to provide the legal basis for the transfer of personal data between Europol and the competent authorities of New Zealand respectively, in order to support and strengthen the action by the competent authorities of this country and Member States as well as their mutual cooperation in preventing and combatting serious transnational crime and terrorism, while ensuring appropriate safeguards with respect to the protection of privacy, personal data and fundamental rights and freedoms of individuals;

(2)To guarantee purpose limitation, cooperation and exchange of data under the Agreement should only relate to crimes and related criminal offences falling within Europol's competence in accordance with Article 3 of Regulation 2016/794 (together "criminal offences"). In particular, cooperation should be aimed at preventing and combating terrorism, disrupting organised crime and fighting cybercrime. The Agreement should specify its scope and the purposes for which Europol may transfer personal data to the competent authorities of New Zealand;

(3)The Agreement should spell out clearly and precisely the necessary safeguards and controls with respect to the protection of personal data, fundamental rights and freedoms of individuals, irrespective of nationality and place of residence, in the exchange of personal data between Europol and the New Zealand competent authorities. In addition to the safeguards set out below, these should include requiring that the transfer of personal data will be subject to confidentiality obligations and that the personal data will not be used to request, hand down or execute a death penalty or any form of cruel and inhuman treatment, without prejudice to additional safeguards that may be required.

In particular:

(a)The Agreement should contain definitions of key terms. In particular, the Agreement should contain a definition of personal data compliant with Article 3(1) of Directive (EU) 2016/680;

(b)The Agreement should respect the principle of specificity, ensuring that the data will not be processed for other purposes than for the purposes of the transfer. To this end, the purposes of the processing of personal data by the Parties in the context of the Agreement should be spelt out clearly and precisely, and should be no wider than what is necessary in individual cases for the purpose of preventing and combating terrorism and criminal offences referred to in the Agreement;

(c)Personal data transferred by Europol in accordance with the Agreement should be processed fairly, on a legitimate basis and only for the purposes for which they have been transferred. The Agreement should provide the obligation for Europol to indicate, at the moment of transferring the data, any restriction on access or use, including as regards its transfer, erasure, destruction or further processing. The Agreement should oblige competent authorities of New Zealand to respect these restrictions and specify how compliance with these restrictions will be enforced in practice. Personal data should be adequate, relevant and limited to what is necessary in relation to that purpose. It should be accurate and kept up to date. It should not be retained for longer than is necessary for the purposes for which they have been transferred. The Agreement should be accompanied by an annex containing an exhaustive list of the competent authorities in New Zealand to which Europol may transfer personal data as well as a short description of their competences;

(d)The transfer of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data and data concerning a person's health and sex life by Europol should be prohibited, unless it is strictly necessary and proportionate in individual cases for preventing or combating criminal offences as referred to in the Agreement and subject to appropriate safeguards. The Agreement should also contain specific safeguards relating to the transfer of personal data on victims of criminal offences, witnesses or other persons who can provide information concerning criminal offences, as well as minors;

(e)The Agreement should ensure enforceable rights of individuals whose personal data are processed by laying down rules on the right of access, rectification and erasure, including the specific grounds which may allow any necessary and proportionate restrictions. The Agreement should also ensure enforceable rights of administrative and judicial redress for any person whose data are processed under the agreement and guaranteeing effective remedies;

(f)The Agreement should lay down the rules on storage, review, correction and deletion of personal data as well as on keeping records for the purposes of logging and documentation as well as on information to be made available to individuals. It should also provide for safeguards in respect to automated processing of personal data;

(g)The Agreement should specify the criteria on the basis of which the reliability of the source and accuracy of the data should be assessed;

(h)The Agreement should include the obligation to ensure security of personal data through appropriate technical and organisational measures, including by allowing only authorised persons to have access to personal data. The Agreement should also include the obligation of notification in the event of a personal data breach affecting data transferred under the Agreement;

(i)Onward transfers of information from competent authorities of New Zealand to other authorities in New Zealand, including for use in judicial proceedings, should only be allowed for the original purposes of the transfer by Europol and should be made subject to appropriate conditions and safeguards, including prior authorisation by Europol;

(j)The same conditions as under (i) should apply to onward transfers of information from competent authorities of New Zealand to authorities in a third country, with the additional requirement that such onward transfers should be allowed only with respect to third countries to which Europol is entitled to transfer personal data on the basis of Article 25(1) of Regulation (EU) 2016/794;

(k)The Agreement should ensure a system of oversight by one or more independent public authorities responsible for data protection with effective powers of investigation and intervention to exercise oversight over those public authorities of New Zealand that use personal data/exchanged information, and to engage in legal proceedings. In particular, the independent authorities should have powers to hear complaints from individuals about the use of their personal data. Public authorities that use personal data should be accountable for complying with the rules on the protection of personal data under the Agreement;

(4)The Agreement should provide for an effective dispute settlement mechanism with respect to its interpretation and application to ensure that the parties observe mutually agreed rules.;

(5)The Agreement should include provisions on the monitoring and periodic evaluation of the Agreement;

(6)The Agreement should include a provision on the entry into force and validity and a provision whereby a Party may terminate or suspend it, in particular where the third country no longer effectively ensures the level of protection of fundamental rights and freedoms required under this Agreement. The Agreement should also specify whether personal data falling within its scope and transferred prior to its suspension of termination may continue to be processed. Continued processing of personal data, if permitted, should in any case be in accordance with the provisions of the Agreement at the time of suspension or termination;

(7)The Agreement may include a clause addressing its territorial application, if necessary;

(8)The Agreement should be equally authentic in the Bulgarian, Czech, Croatian, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish and Swedish languages and should include a language clause to that effect.

Top