EUROPEAN COMMISSION

Brussels, 1.12.2021

COM(2021) 756 final

2021/0391(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

establishing a collaboration platform to support the functioning of Joint Investigation Teams and amending Regulation (EU) 2018/1726

{SWD(2021) 390 final}

EXPLANATORY MEMORANDUM

1.CONTEXT OF THE PROPOSAL

·Reasons for and objectives of the proposal

Joint Investigation Teams (JITs) are teams set up for specific criminal investigations and for a limited period of time. They are set up by the competent authorities of two or more Member States and possibly non-EU countries (third countries), to carry out together criminal investigations that cross borders. A JIT can be set up, in particular, when a Member State's investigations into criminal offences require difficult and demanding investigations having links with other Member States or third countries. It can also be set up when a number of Member States are conducting investigations into criminal offences in which the circumstances of the case necessitate coordinated, concerted action in the Member States involved.

The legal basis for setting up a JIT are Article 13 of the European Union (EU) Convention on Mutual Assistance in Criminal Matters 1 and Council Framework Decision 2002/465/JHA of 13 June 2002 on joint investigation teams 2 . Third countries can be parties in JITs if the legal basis allow for this. For example, Article 20 of the Second Additional Protocol of the 1959 Council of Europe Convention 3 and Article 5 of the Agreement on Mutual Legal Assistance between the European Union and the United States of America 4 .

The second evaluation report on JITs 5 , prepared in 2018 by the Network of National Experts on Joint Investigation Teams (the JITs Network), a body established to support Member States and share best practices and experience in the area of JITs, already indicated that the JITs’ work could be improved and sped up if supported by a dedicated IT platform. The IT platform would enable its members to securely communicate among themselves, and share information and evidence. The Digital Criminal Justice study 6 confirmed the findings of that report and recommended creating an IT platform for JITs to ensure that JITs function more efficiently and more securely.

(1)Ensure that the members and participants of JITs can more easily share information and evidence collected in the course of the JIT activities.

(2)Ensure that the members and participants of JITs can more easily and more safely communicate with each other in the context of the JIT activities.

(3)Facilitate the joint daily management of a JIT, including planning and coordination of parallel activities, enhanced traceability of shared evidence and coordination with third countries, especially where physical meetings are too expansive or time consuming.

To meet those objectives and to tackle the underlying problems, a dedicated IT platform consisting of both centralised and decentralised components – the JITs collaboration platform – is proposed. The platform would be accessible to all actors involved in JIT proceedings, i.e. Member States’ representatives fulfilling the role of members of a given JIT, representatives of third countries invited to cooperate in the context of a given JIT, and the competent Union bodies, offices and agencies such as Eurojust, Europol, the European Public Prosecutor’s Office and OLAF.

The key functions, described in detail below, will ease electronic communication, allow information and evidence to be shared, including large amounts of data, ensure traceability of evidence as well as planning and coordination of JIT operations.

The design, development, technical management and maintenance of the platform would be entrusted to the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), which is the Union agency in charge of large-scale IT systems in the in the Area of Freedom, Security and Justice.

The platform would be of a voluntary nature, so the authorities involved in JITs would have full discretion in deciding whether they want to use the platform for a specific JIT. In addition, the JIT members and participants would be free to use other tools while making use of the platform. For instance, if they decide to pass on evidence in person at a working meeting or through the Secure Information Exchange Network Application (SIENA), managed by Europol.

The platform’s architecture would enable the creation of (non-interoperable) sessions in silo, the ‘JIT collaboration spaces,’ specific to each JIT and open only for the duration of the JIT. There would be no cross-cutting functions or any interactions between different JITs hosted by the platform.

The platform would support the functioning of JITs throughout their operational and post-operational phases. In practical terms, an individual JIT collaboration space could be created on the platform as soon as all establishing parties sign the JIT agreement. The space would be closed following the end of the evaluation process.

Access to the platform would be granted through regular computers (desktops, laptops, etc.) as well as through mobile devices. Its interface would be made available in all EU languages.

From a technical perspective, the platform would be composed of two distinctive elements, (i) a centralised information system, which would allow for a temporary central storage of data, and (ii) a communication software, a mobile application, which would enable communication and local communication data storage.

·secure, untraceable communication stored locally at the devices of the users, including a communication tool offering an instant messaging system, a chat feature, audio/video-conferencing and a function replacing standard emails;

·exchange of information and evidence, including large files, through an upload/download system designed to store the data centrally only for the limited time needed to technically transfer the data. As soon as the data are downloaded by all addresses, it would be automatically deleted from the platform;

·evidence traceability – an advanced logging mechanism logging a trail of who did what and when regarding all evidence shared through the platform, and supporting the need to ensure admissibility of evidence before a court.

·functions related to daily management of the JIT during its operational and post-operational (evaluation) phase;

·support for the administrative and financial processes;

·various technical capabilities supporting operational and administrative processes, including the integration with the JITs-related electronic services already hosted at Eurojust and managed by the JIT Secretariat, i.e. JITs Funding, JITs Evaluation and JITs Restricted Area, allowing relevant information and documents to be obtained without needing to connect separately to the platform and the services offered by the JIT Secretariat.

Particular attention will be given to the platform’s access rights. The platform’s starting principle will be that the management of access rights rests with the JIT space administrator(s) from the JITs participating Member States. They will be in charge of granting access, during the operational and post-operational phases of the JIT, to:

·representatives of the other Member States participating in the JIT;

·representatives of third countries which are also members of a given JIT;

·representatives of Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices and agencies; and

·representatives of the JIT Secretariat.

In addition, the JIT space administrator(s) will have the option to limit access to parts of information and evidence only to those who are concerned by it, including case-by-case granular access permissions. This restriction would concern all users of the JITs collaboration platform, be it the Member States, third countries, the competent Union bodies, offices and agencies or the JIT Secretariat.

It must be underlined that eu-LISA, as the hosting provider, will not have access to the data stored or exchanged through the platform. It will also not be involved in the access rights management, except for the initial process of granting access rights to JIT space administrator(s) based on the signed JIT agreement. The platform’s architecture must offer sufficient guarantees for this to happen.

The access rights of the competent Union bodies, offices and agencies should be defined in view of the operational support they provide to JITs, covering all steps of the proceedings, from the moment of the signed JIT agreement until the end of the evaluation phase. On the latter, the platform must provide for access rights for the JIT Secretariat, which plays an important role in that process. The JIT Secretariat could also be in charge of the platform’s administrative support, including access rights management, as long as the JIT space administrator(s) of each individual JIT envisage such a role.

Keeping in mind the increasing role of third countries in the successful prosecution of serious organised crime and terrorism, the platform will also be available to them, if they are part of a JIT agreement. However, specific access rights will depend on their role in a given JIT and should be set out by the JIT space administrator(s) for each respective JIT. To guarantee the respect for fundamental rights, including data protection, and in line with the currently applicable procedures, before granting access to a specific third country, the JIT space administrator(s) will need to thoroughly assess the data protection aspects against the applicable rules, notably Directive 2016/680 8 .

·Consistency with existing policy provisions in the policy area

·Consistency with other Union policies

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

·Legal basis

·Subsidiarity (for non-exclusive competence)

·Proportionality

According to the principle of proportionality laid down in Article 5(4) of the TEU, there is a need to match the nature and intensity of a given measure to the identified problem.

All problems described in this document require EU-level support to tackle them effectively. Addressing the problems individually, for instance by creating separate tools tackling the communication issue, the lack of data exchange mechanism, etc. would be much more costly and would create an administrative burden for the JITs. The Union wide IT platform is the only way to provide JITs with a common modern technical solution that will allow them to carry out their cross-border investigations more efficiently.

·Choice of the instrument

 3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

·Stakeholder consultations

Whereas no public consultations were conducted due to a specific character of the proposal, the Commission has carried out an extensive targeted consultation campaign to ensure that all stakeholders concerned have an opportunity to express their views. The campaign has involved:

·prosecutors, judges and law enforcement representatives from the Member States;

·Member States’ national authorities;

·experts from the JITs network;

·academics and practitioners in EU criminal law;

·data protection experts;

·representatives of Eurojust, Europol and OLAF.

Stakeholders have had an opportunity to voice their opinion through bilateral contacts, expert meetings, online surveys and written contributions.

The targeted consultations organised between March and July 2021, gathered views on the platform related elements of the Digital Criminal Justice study, functions that are to be covered by the future platform, as well as the applicable data protection regime(s).

First and foremost, all stakeholders welcomed the initiative and provided a positive opinion about establishment of a platform as a much-needed step towards the digitalisation of JITs cooperation.

As far as cross-cutting issues are concerned, most stakeholders focused on:

·the simplicity of the platform so that it can be used by all practitioners concerned – a too cumbersome tool with complex workflows could create problems for the users and would be a main reason for not using it;

·the prevention of an impact on the substantial or legal requirements of investigators’ work, so the proper functioning of a JIT is not jeopardised by the platform;

·the security of the platform – the level of protection is of crucial importance so practitioners can be confident that outcomes of their national investigations that are shared through the platform would not be disclosed in an uncontrolled way.

Some discussions have also taken place on the entity in charge of the platform’s future development and management. The following scenarios were considered:

·creation of the platform by the Commission and making it available to the Member States to implement when needed within their own infrastructure;

·creation of the platform and its establishment at the Commission;

·creation of the platform and its establishment at one of the JHA agencies directly involved in supporting the Member State’s authorities in combating crime (e.g. Eurojust);

·creation of the platform and its establishment at eu-LISA.

All stakeholders consulted, including Eurojust and Europol, supported the option to entrust the platform’s development and maintenance to eu-LISA. They all recognised eu-LISA’s expertise in the area as well as its experience with large-scale IT systems meeting state-of-the-art security standards. Also, this option takes into account, that JITs can be conducted without the financial support or operational involvement of either Eurojust or Europol.

Administrative process to set-up a JIT

The starting point for this discussion was the final report of the Digital Criminal Justice study, which recommends that the JITs collaboration platform covers also the pre-operational phase of JITs, i.e. the administrative process to set up a JIT. There are many advantages of such a solution, including:

·the possibility to securely and efficiently exchange documents cross-border, leading to the signature of a JIT agreement;

·a machine translations function;

·an inventory of the procedures to be followed during the JIT set-up process;

·support for various electronic signatures.

However, it has been established during the stakeholder consultations that in most Member States, actors participating in the JIT set-up process are completely different from those who are members of JITs once they are established. Moreover, the decision to join a JIT is very often taken by someone who will not necessarily be a member of the JIT itself, e.g. the Prosecutor General or even the Minister of Justice. Therefore, the inclusion of the administrative JIT set-up process in the platform would require a complete departure from the above-described model of isolated JIT spaces, as well as a separate access rights management workflow. Such a scenario would heavily complicate the envisaged easy-to-use concept of the platform and would require implementation of rather incomprehensible and time-consuming administrative workflows.

Central storage

One of the most crucial functions of the platform will be to exchange information and evidence among the JIT members and other participants. That function could be implemented in three different ways:

(1)A plain upload/download function – data would be uploaded on the platform by one member/participant of the JIT and would be stored centrally only until the other JIT member(s)/participant(s) download(s) it.

(2)A temporary flexible storage – in addition to the plain upload/download, data could be optionally stored at the platform for some period of time, e.g. one week, one month, etc. The member/participant uploading the data would define duration and access rights.

(3)A permanent storage – all exchanged data would be stored throughout the JIT’s lifespan – precise access rights to the data would be defined by the member/participant uploading the data. This option would constitute a ‘common JIT case-file.’

Though JITs allow for the direct communication, cooperation and coordinated action, the underlying national investigations remain separate and independent. The possibility to create a common case-file to supplement national investigations is not envisaged by the current legal framework. Therefore, almost all stakeholders rejected the permanent storage option (option 3). Indeed, the creation of such a common case-file would raise serious questions related to criminal procedures in certain Member States since not all JIT information is necessarily shared among all members of the JIT. Investigators from one country often do not need access to all relevant information from the investigation of the other country participating in the same JIT.

Whereas the other two options had more or less the same degree of support among the practitioners, a preferred option is to equip the platform with the plain upload/download function (option 1). This function would prevent platform’s users to view the data before downloading it. It would also prevent any central storage of exchanged data, i.e. the data would be stored centrally until it is downloaded by the other party, but for not more than four weeks. The main reason for that has been a concern that any storage of operational data, going beyond a technical requirement to send it from one party to another, would lead to at least a temporary common file and to possible follow–up questions. For example, access requests to that file. However, this instrument should not change the separate investigations and separate national files, to which the respective national rules still apply.

·Collection and use of expertise

·Impact assessment

·Fundamental rights

No major impact on fundamental rights is expected, as the legal basis for the exchanges of information and evidence within a JIT would not be changed. However, as explained in more detail below, the proposed solution will comply with fundamental rights and freedoms enshrined, in particular, in the Charter of Fundamental Rights of the European Union 16 , including the right to protection of personal data. In this regard, it will also comply with the European Convention for the Protection of Human Rights and Fundamental Freedoms, the International Covenant on Civil and Political Rights, and other human rights obligations under international law.

Since establishing the platform at EU level would imply the processing of personal data, appropriate data protection safeguards must be put in place. The platform would fully comply with Union data protection rules on the legality of exchanging information and evidence. Directive (EU) 2016/680 of the European Parliament and of the Council would apply to the processing of personal data by competent national authorities to prevent, investigate, detect or prosecute criminal offences or execute criminal penalties, including safeguarding against and preventing threats to public security. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies would also apply. These legal safeguards would need to dovetail with the alignment of the data protection approach for JITs with the current data protection rules, as proposed by the Commission on 20 January 2021 17 .

On the centralised component of the platform, i.e. the upload/download mechanism allowing temporarily storing of the operational data until the moment it is downloaded, the impact on data protection is considered to be limited because:

·the personal data would be exchanged by a very limited group of individuals who are part of an isolated JIT collaboration space;

·the personal data would be stored centrally only for technical reasons and would be deleted as soon as it is downloaded by all addresses;

·the retention period would be set at a maximum of four weeks and would be enforced automatically;

·exchange of personal data would be limited to serve the purpose for which it was obtained;

·eu-LISA would not have access to the data and would fulfil the role of data processor;

·a separate data controller for each entity uploading the personal data, apart from third countries, would be warranted;

·exchanges of personal data that qualify as international transfers to third countries that are part of a given JIT would always require a legal basis in union or Member State law applicable to such transfers;

·personal data uploaded to JIT collaboration space by third countries would be under the responsibility of a JIT space administrator who would need to check such data before it can be downloaded by other users.

4.BUDGETARY IMPLICATIONS

The proposal for a Regulation establishing the platform is envisaged to incur the following costs:

·development of the platform – the one-off cost incurred for eu-LISA;

·technical maintenance and operation of the platform – the recurring cost incurred for eu-LISA;

·development of the necessary technical adaptations of the relevant IT systems hosted at Eurojust, i.e. JITs funding, JITs evaluation and JITs restricted area to partially integrate them with the platform – the one-off cost incurred for Eurojust;

·technical maintenance and operations on the adaptations of the IT systems hosted at Eurojust – the recurring cost incurred for Eurojust;

·administrative support to the platform’s users on behalf of the JIT space administrator(s) – the recurring cost incurred for Eurojust (the JIT Secretariat).

As far as Member States’ access to the platform is concerned, no technical costs are envisaged because of the web-based nature of the centralised component of the platform. It would not require any adaptations of the national technical infrastructure. The same applies to the communication software, which would simply need to be downloaded on each device of the JIT platform’s users. Access to the platform for the competent Union bodies, offices and agencies would be driven by the same principles and would not incur any costs for them.

The costs for eu-LISA and Eurojust are explained in detail in the accompanying legal financial statement. In total, eu-LISA would require the following financial and human resources to develop, maintain and operate the JITs collaboration platform:

·one-off build cost – EUR 8.4 million;

·annual maintenance and operation cost – EUR 1.7 million;

·staff – 4 TA FTE as of 2024, 4 TA FTE as of 2025 and 2 CA FTE as of 2026 (10 in total).

The costs for eu-LISA apply to hosting the platform in its operational site in Strasbourg/France and the back-up site in Sankt Johann/Austria.

In total, Eurojust (including the JIT Secretariat) would require the following financial and human resources:

·for development maintenance and operations of the required technical adaptations of Eurojust IT systems, i.e. JITs funding, JITs evaluation and JITs restricted area, in order to partially integrate them with the platform: EUR 0.250 million in 2025 (one-off) and 1 FTE – a technical profile – as of 2025 onwards;

·for administrative support of the JIT Secretariat to the platform’s users on behalf of JIT space administrator(s): 2 FTEs as of 2026 onwards.

These costs would be borne by the Union general budget and would need to be reflected in the budget of both agencies.

5.OTHER ELEMENTS

·Implementation plans and monitoring, evaluation and reporting arrangements

·Detailed explanation of the specific provisions of the proposal

Chapter I General provisions

Chapter II: Development and operational management

Chapter III: Access to the JITs collaboration platform

Chapter IV: Security and liability

Chapter V: Data protection

Article 17 governs the retention period for storing operational data, as defined in Article 3. Such operational data must be stored in the centralised information system for as long as needed so that all users complete the downloading process. The retention period must not exceed four weeks. Upon expiry of this retention period, the data record must be automatically erased from the centralised system.

Article 18 governs the retention period for the storage of non-operational data, as defined in Article 3. Non-operational data must be stored in the centralised information system until the evaluation has been completed. The retention period must not exceed five years. Upon expiry of this retention period, the data record must be automatically erased from the centralised system.

Article 19 governs the data controllers and the data processor. It clarifies that each Member State competent authority, and where appropriate, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF or any other competent Union body, office or agency , are data controllers in line with applicable Union data protection rules for the processing of the personal data under this Regulation. eu-LISA must be considered as data processor in line with Regulation (EU) 2018/1725 on the personal data exchanged through – and stored in the JITs collaboration platform. Wherever a third country uploads operational information or evidence to the JITs collaboration platform, that information or evidence must be scrutinised by a JIT space administrator before it can be downloaded by other platform users.

Article 20 limits the purposes of the processing of personal data entered into the JITs collaboration platform. Those data must only be processed for exchanging operational information and evidence between the platform users and exchanging of non-operational data between collaboration platform users for managing the JIT. Access to the JITs collaboration platform must be limited to authorised staff of the Member States’ competent authorities and third country authorities, Eurojust, Europol the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices or agencies. The access must also be limited to the extent needed to perform the tasks in line with the purpose referred to in paragraph 1 of Article 20, and to what is necessary and proportionate to the objectives being pursued.

Article 21 governs keeping logs. It states that eu-LISA must ensure that accessing the centralised information system and all data processing operations in the centralised information system are logged to check the admissibility of requests, to monitor data integrity and security and the lawfulness of the data processing and to self-monitor.

Chapter VI: Final provisions

Article 22 sets out eu-LISA's and the Commission's reporting and reviewing obligations. Four years after the start of the JITs collaboration platform’s operations and every four years after that, the Commission will conduct an overall evaluation of the JITs collaboration platform.

Article 23 states that the costs incurred to establish and operate the JITs collaboration platform must be borne by the general budget of the Union.

Article 24 sets out the conditions that need to be met before the Commission determines the date of the start of operations of the JITs collaboration platform.

Article 25 governs the comitology procedure to be used, based on a standard provision.

Article 26 governs the amendments to Regulation (EU) 2018/1726 for the new responsibilities and tasks of eu-LISA.

Article 27 provides that the Regulation will enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2021/0391 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

establishing a collaboration platform to support the functioning of Joint Investigation Teams and amending Regulation (EU) 2018/1726

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 82(1), point (d), thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)The Union has set itself the objective of offering its citizens a common area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured. At the same time, the Union has to ensure that that common area remains a safe place. That objective can only be achieved by means of appropriate measures to prevent and combat crime, including organised crime and terrorism.

(2)That is especially challenging where crime takes a cross-border dimension on the territory of several Member States and/or third countries. In such situations, Member States need to be able to join their forces and operations to allow for effective and efficient cross-border investigations and prosecutions for which the exchange of information and evidence is crucial. One of the most successful tools for such cross-border cooperation are Joint Investigation Teams (‘JITs’) that allow for direct cooperation and communication between the judicial and law enforcement authorities of several Member States and possibly third countries to organise their actions and investigations in the most efficient way. JITs are set up for a specific purpose and a limited time-period by the competent authorities of two or more Member States and possibly third countries, to carry out jointly criminal investigations with a cross-border impact.

(3)The Union aquis provides for two legal frameworks to set up JITs with the participation of at least two Member States: Council Framework Decision 2002/465/JHA 19 and Article 13 of the Convention established by the Council in accordance with Article 34 of the Treaty on European Union on Mutual Assistance in Criminal Matters between the Member States of the European Union 20 . Third countries can be involved in JITs as parties where there is a legal basis for such involvement, such as Article 20 of the Second Additional Protocol of the 1959 Council of Europe Convention 21 and Article 5 of the Agreement on Mutual Legal Assistance between the European Union and the United States of America 22 .

(4)The existing legal frameworks at Union level do not set out how the entities participating in JITs exchange information and communicate. Those entities reach an agreement on such exchange and communication on the basis of the needs and available means. However, there is a lack of dedicated secure and effective channel to which all participants could have recourse and through which they could promptly exchange large volumes of information and evidence or allow for secure and effective communication. Furthermore, there is no system that would support daily management of JITs, including the traceability of evidence exchanged among the participants.

(5)In light of the increasing possibilities of crime infiltrating Information Technology (IT) systems, the current state of play could hamper the effectiveness and efficiency of cross-border investigations, as well as jeopardise and slow down such investigations and prosecutions, making them more costly. The judiciary and law enforcement in particular need to ensure that their systems are as safe as possible and that all JIT members can connect and interact easily, independently of their national systems.

(6)The speed and efficiency of the exchanges between the entities participating in JITs could be considerably enhanced by creating a dedicated IT platform to support their functioning. Therefore it is necessary to lay down rules establishing a centralised IT platform (‘JITs collaboration platform’) at Union level to help JITs collaborate, securely communicate and share information and evidence.

(7)The JITs collaboration platform should only be used where one of the Union legal bases is, among others, a legal basis for the JIT. For all JITs based solely on international legal bases, the platform, financed by the Union budget and developed on basis of Union legislation, should not be used. However, where a third country is part of a JIT agreement that lists one of the Union legal bases besides an international one, its competent authorities should be considered JIT members.

(8)The use of the JITs collaboration platform should be on a voluntary basis. However, in view of its added value for cross-border investigations its use is strongly encouraged. The use or non-use of the JITs collaboration platform should not prejudice or affect the legality of other forms of communication or exchange of information and should not change the way the JITs are set up, organised or function. The establishment of the JITs collaboration platform should not impact the underlying legal bases for JITs nor the applicable national procedural legislation regarding the collection and use of the obtained evidence. The platform should only provide a secure IT tool to improve the cooperation and the effectiveness of the JITs.

(9)The JITs collaboration platform should cover the operational and post-operational phases of a JIT, starting from the moment the relevant JIT agreement is signed by its members, and finishing once the JIT evaluation is over. Due to the fact that the actors participating in the JIT set-up process are different from the actors who are members of JIT once it is established, the process of setting up a JIT, especially the negotiation of the content and the signature of the JIT agreement, should not be managed by the JITs collaboration platform. However, following a need for an electronic tool to support the process of signing up a JIT, the Commission should consider covering that process by the e-Evidence Digital Exchange System (eEDES).

(10)For each JIT making use of the JITs collaboration platform, the JIT members should be encouraged to conduct an evaluation of the JIT, either during the operational phase of the JIT or following its closure, using the tools provided for by the JITs collaboration platform.

(11)The JIT agreement should be a prerequisite for the use of the JITs collaboration platform. The content of all future JIT agreements should be adapted to take into account the relevant provisions of this Regulation.

(12)From an operational perspective, the JITs collaboration platform should be composed of isolated JIT collaboration spaces created for each individual JIT hosted by the platform.

(13)From a technical perspective, the JITs collaboration platform should be accessible via a secure connection over the internet and should be composed of a centralised information system, accessible through a web portal, communication software for mobile and desktop devices, and a connection between the centralised information system and relevant IT tools, supporting the functioning of JITs and managed by the JIT Secretariat.

(14)The purpose of the JITs collaboration platform should be to facilitate the daily coordination and management of a JIT, ensure the exchange and temporary storage of operational information and evidence, provide secure communication, provide for evidence traceability and support the process of the evaluation of a JIT. All entities participating in JITs should be encouraged to use all functionalities of the JITs collaboration platform and to replace as much as possible the communication and data exchange channels which are currently used.

(15)The JITs collaboration platform complements existing tools allowing for secure exchange of data among judicial authorities and law enforcement, such as the Secure Information Exchange Network Application (SIENA).

(16)Communication-related functionalities of the JITs collaboration platform should be provided by a software allowing for non-traceable communication stored locally at the devices of the users.

(17)A proper functionality allowing to exchange operational information and evidence, including large files, should be ensured through an upload/download mechanism designed to store the data centrally only for the limited period of time necessary for the technical transfer of the data. As soon as the data is downloaded by all addresses, it should be automatically deleted from the JITs collaboration platform.

(18)Given its experience with managing large-scale systems in the area of justice and home affairs, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) established by Regulation (EU) 2018/1726 of the European Parliament and of the Council 23 should be entrusted with the task of designing, developing and operating the JITs collaboration platform making use of the existing functionalities of SIENA and other functionalities at Europol to ensure complementarity and interoperability. Therefore, its mandate should be amended to reflect those new tasks and it should be provided with the appropriate funding and staffing to meet its responsibilities under this Regulation. In that regard, rules should be established on the responsibilities of eu-LISA, as the Agency entrusted with the development, technical operation and maintenance of the JITs collaboration platform.

(19)When designing the JITs collaboration platform, eu-LISA should ensure technical interoperability with SIENA.

(20)Since the establishment of the Network of National Experts on Joint Investigation Teams (the ‘JITs Network’) in accordance with Council Document 11037/05 24 , the JIT Secretariat supports the work of the JITs Network by organising annual meetings, trainings, collecting and analysing the JIT evaluation reports and managing the Eurojust’s JIT funding programme. Since 2011, the JIT Secretariat is hosted by Eurojust as a separate unit. To allow the JIT Secretariat to support users in the practical application of the JITs collaboration platform, as well as to provide technical and administrative support to JIT space administrators, Eurojust should be provided with appropriate staff allocated to the JIT Secretariat.

(21)Given the currently existing IT tools supporting operations of JITs, which are hosted at Eurojust and managed by the JIT Secretariat, it is necessary to connect the JITs collaboration platform with those IT tools, in order to facilitate the management of JITs. To that end, Eurojust should ensure the necessary technical adaptation of its systems in order to establish such connection. Eurojust should be provided with the appropriate funding and staffing to meet its responsibilities in that regard.

(22)In order to ensure a clear allocation of rights and tasks, rules should be established on the responsibilities of Member States, Eurojust, Europol, the European Public Prosecutor’s Office, the European Anti-Fraud Office (OLAF) and other competent Union bodies, offices and agencies, including the conditions, under which they may use the JITs collaboration platform for operative purposes.

(23)This Regulation sets out the details about the mandate, composition and organisational aspects of a Programme Management Board which should be set up by the Management Board of eu-LISA. The Programme Management Board should ensure the adequate management of the design and development phase of the JITs collaboration platform. It is also necessary to set out the details of the mandate, composition and organisation aspects of an Advisory Group to be established by eu-LISA in order to obtain expertise related to the JITs collaboration platform, in particular in the context of preparation of its annual work programme and its annual activity report.

(24)This Regulation establishes rules on access to the JITs collaboration platform and the necessary safeguards. The JIT space administrator or administrators should be entrusted with the management of the access rights to the individual JIT collaboration spaces. They should be in charge of granting access, during the operational and post-operational phases of the JIT, to JITs collaboration platform users. JIT space administrators should be able to transfer their role to the JIT secretariat.

(25)Bearing in mind the sensitivity of the operational data exchanged among the JITs collaboration platform users, the JITs collaboration platform should guarantee a high level of security. eu-LISA should take all necessary technical and organisational measures in order to ensure the security of the exchange of data by using strong end-to-end encryption algorithms to encrypt data in transit or at rest.

(26)This Regulation establishes rules on the liability of Member States, eu-LISA, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices and agencies, in respect of material or non-material damage occurring as a result of any act incompatible with this Regulation. Concerning third countries, liability clauses in respect of material or non-material damage should be contained in respective JIT agreements.

(27)In addition, this Regulation provides specific data protection provisions, concerning both operational data and non-operational data, needed to supplement the existing data protection arrangements and to provide for an adequate overall level of data protection, data security and protection of the fundamental rights of the persons concerned.

(28)Directive (EU) 2016/680 of the European Parliament and of the Council 25  applies to the processing of personal data by competent national authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. As regards the processing by Union institutions, bodies, offices and agencies, Regulation (EU) 2018/1725 of the European Parliament and of the Council 26 should apply in the context of this Regulation.

(29)Where appropriate, it should be possible for JIT space administrators to grant access to a JIT collaboration space to third countries which are parties to a JIT agreement. Any transfer of personal data to third countries or international organisations in the context of a JIT agreement is subject to compliance with the provisions set out in Chapter V of Directive (EU) 2016/680. Exchanges of operational data with third countries should be limited to those required to fulfil the purposes of the JIT agreement.

(30)Whenever a third country uploads operational information or evidence to a JIT collaboration space, the JIT space administrator should verify that such information or evidence is provided to fulfil the purposes of the JIT agreement, before it can be  downloaded by other users of the platform.

(31)Where a JIT has multiple JIT space administrators, those JIT space administrators should agree among themselves, as soon as the JIT collaboration space including third countries is established, about one of them to be controller of the data uploaded by those third countries.

(32)eu-LISA should ensure that accessing the centralised information system and all data processing operations in the centralised information system are logged for the purposes of monitoring data integrity and security, the lawfulness of the data processing as well as for the purposes of self-monitoring.

(33)This Regulation imposes reporting obligations on eu-LISA regarding the development and functioning of the JITs collaboration platform in light of objectives relating to the planning, technical output, cost-effectiveness, security and quality of service. Furthermore, the Commission should conduct an overall evaluation of the JITs collaboration platform four years after the start of operations of the JITs collaboration platform and every four years thereafter.

(34)Each Member State as well as Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and any other competent Union body, office and agency should bear its own costs arising from their use of the JITs collaboration platform.

(35)In order to establish conditions for the technical development and implementation of the JITs collaboration platform, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and the Council 27 .

(36)The Commission should determine the date of the start of operations of the JITs collaboration platform once the relevant implementing acts necessary for the technical development of the JITs collaboration platform have been adopted and eu-LISA has carried out a comprehensive test of the JITs collaboration platform, in cooperation with the Member States.

(37)Since the objective of this Regulation, namely to enable the effective and efficient cooperation, communication and exchange of information and evidence among JIT members, Eurojust, Europol, OLAF and other competent Union bodies, offices and agencies, cannot be sufficiently achieved by the Member States, but can rather, by setting out common rules, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary to achieve that objective.

(38)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(39)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) No 2018/1725 and delivered an opinion on XXXX, 

HAVE ADOPTED THIS REGULATION:

CHAPTER I

General provisions

Article 1

Subject matter

This Regulation:

(a)establishes an IT platform (the ‘JITs collaboration platform’), to be used on a voluntary basis, to facilitate the cooperation of competent authorities participating in Joint Investigation Teams (‘JITs’) set up on the basis of Article 13 of the Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union or on Framework Decision 2002/465/JHA;

(b)lays down rules on the division of responsibilities between the JITs collaboration platform users and the agency responsible for the development and maintenance of the JITs collaboration platform;

(c)sets out conditions, under which the JITs collaboration platform users may be granted access to the JITs collaboration platform;

(d)lays down specific data protection provisions needed to supplement the existing data protection arrangements and to provide for an adequate overall level of data protection, data security and protection of the fundamental rights of the persons concerned.

Article 2

Scope

1.This Regulation applies to the processing of information, including personal data, within the context of a JIT. That includes the exchange and storage of operational information and evidence as well as non-operational information. This Regulation applies to the operational and post-operational phases of a JIT, starting from the moment the relevant JIT agreement is signed by its members.

2.This Regulation does not amend or otherwise affect the existing legal provisions on the establishment, conduct or evaluation of JITs.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)‘centralised information system’ means a central IT system where storing and processing of JITs related data takes place;

(2)‘communication software’ means software that facilitates remote access to systems and the exchange of files and messages in text, audio or video formats between JITs collaboration platform users;

(3)‘competent authorities’ means the authorities competent to set up a JIT as referred to in Article 1 of Framework Decision 2002/465/JHA and Article 13 of the Convention established by the Council in accordance with Article 34 of the Treaty on European Union on Mutual Assistance in Criminal Matters between the Member States of the European Union, the European Public Prosecutor’s Office when acting pursuant to its competences as provided for by Articles 22, 23 and 25 of Council Regulation (EU) 2017/1939, as well as the competent authorities of a third country where they are party of a JIT agreement on the basis of an additional legal basis;

(4)‘JIT members’ means representatives of the competent authorities referred to in point 3 of this Article;

(5)‘JITs collaboration platform users’ means JIT members, Eurojust, Europol, OLAF and other competent Union bodies, offices and agencies;

(6)‘JIT collaboration space’ means an individual isolated space for each JIT hosted on the JITs collaboration platform;

(7)‘JIT space administrator” means a representative of the competent authorities of the Member State in charge of the JIT collaboration space;

(8)‘operational data’ means information and evidence processed by the JITs collaboration platform during the operational phase of a JIT to support cross-border investigations and prosecutions;

(9)‘non-operational data’ means administrative data processed by the JITs collaboration platform, notably to facilitate the management of the JIT and daily cooperation between JITs collaboration platform users.

Article 4

Technical architecture of the JITs collaboration platform

The JITs collaboration platform shall be composed of the following:

(a)a centralised information system, which allows for temporary central data storage;

(b)a communication software, which allows for local storage of communication data;

(c)a connection between the centralised information system and relevant IT tools, supporting the functioning of JITs and managed by the JIT Secretariat.

Article 5

Purpose of the JITs collaboration platform

1.The purpose of the JITs collaboration platform shall be to facilitate:

(a)the daily coordination and management of a JIT, through a set of functionalities supporting the administrative and financial processes within the JIT;

(b)the exchange and temporary storage of operational information and evidence, including large files, through an upload and download functionality;

(c)secure communications through a functionality covering instant messaging, chats, audio and video-conferencing;

(d)evidence traceability through a business logging mechanism allowing to keep track of all evidence exchanged through the JITs collaboration platform;

(e)the evaluation of a JIT through a dedicated collaborative evaluation process.

2.The centralised information system shall be hosted by eu-LISA at its technical sites.

CHAPTER II

Development and operational management

Article 6

Adoption of implementing acts by the Commission

The Commission shall adopt the implementing acts necessary for the technical development of the JITs collaboration platform as soon as possible, and in particular acts concerning:

(a)the list of functionalities required for the daily coordination and management of a JIT;

(b)the list of functionalities required for secure communications;

(c)business specifications of the connection referred to in Article 4, point (c); 

(d)security in accordance with Article 15;

(e)technical logs in accordance with Article 21;

(f)technical statistics in accordance with Article 22;

(g)performance and availability requirements of the JITs collaboration platform.

The implementing acts referred to in the first subparagraph of this Article shall be adopted in accordance with the examination procedure referred to in Article 25.

Article 7

Responsibilities of eu-LISA

1.The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (‘eu-LISA’) shall establish the design of the physical architecture of the JITs collaboration platform including its technical specifications and evolution. That design shall be approved by its Management Board, subject to a favourable opinion of the Commission.

2.eu-LISA shall be responsible for the development of the JITs collaboration platform in accordance with the principle of data protection by design and by default. The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.

3.eu-LISA shall make the communication software available to the JITs collaboration platform users.

4.eu-LISA shall develop and implement the JITs collaboration platform as soon as possible after the entry into force of this Regulation and following the adoption by the Commission of the implementing acts pursuant to Article 6.

5.eu-LISA shall ensure that the JITs collaboration platform is operated in accordance with this Regulation, with the implementing act referred to in Article 6, as well as in accordance with Regulation (EU) 2018/1725.

6.eu-LISA shall be responsible for the operational management of the JITs collaboration platform. The operational management of the JITs collaboration platform shall consist of all the tasks necessary to keep the JITs collaboration platform operational in accordance with this Regulation, and in particular the maintenance work and technical developments necessary to ensure that the JITs collaboration platform functions at a satisfactory level in accordance with the technical specifications.

7.eu-LISA shall ensure  the provision of training on the practical use of the JITs collaboration platform.

8.eu-LISA shall not have access to the JIT collaboration spaces.

9.Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 28 , eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its entire staff required to work with data registered in the centralised information system. That obligation shall also apply after such staff leave office or employment or after the termination of their activities.

Article 8

Responsibilities of the Member States

Each Member State shall make the technical arrangements necessary for access of its competent authorities to the JITs collaboration platform in accordance with this Regulation.

Article 9

Responsibilities of competent Union bodies, offices and agencies

1.Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices and agencies shall make the necessary technical arrangements to enable them to access the JITs collaboration platform.

2.Eurojust shall be responsible for the necessary technical adaptation of its systems, required to establish the connection referred to in Article 4, point (c).

Article 10

Programme Management Board

1.Prior to the design and development phase of the JITs collaboration platform, the Management Board of eu-LISA shall establish a Programme Management Board.

2.The Programme Management Board shall be composed of ten members as follows:

(a)eight members appointed by the Management Board; 

(b)the Chair of the Advisory Group referred to in Article 11; 

(c)one member appointed by the Commission.

3.The Management Board of eu-LISA shall ensure that the members it appoints to the Programme Management Board have the necessary experience and expertise in the development and management of IT systems supporting judicial authorities.

4.eu-LISA shall participate in the work of the Programme Management Board. To that end, representatives of eu-LISA shall attend the meetings of the Programme Management Board in order to report on work regarding the design and development of the JITs collaboration platform and on any other related work and activities.

5.The Programme Management Board shall meet at least once every three months, and more often as necessary. It shall ensure the adequate management of the design and development phase of the JITs collaboration platform. The Programme Management Board shall submit written reports regularly to the Management Board of eu-LISA, and where possible every month, on the progress of the project. The Programme Management Board shall have no decision-making power nor any mandate to represent the members of the eu-LISA Management Board.

6.The Programme Management Board shall establish its rules of procedure which shall include in particular rules on chairmanship, meeting venues, preparation of meetings, admission of experts to the meetings, communication plans ensuring that non-participating Members of the eu-LISA Management Board are kept fully informed.

7.The chairmanship of the Programme Management Board shall be held by a Member State.

8.The Programme Management Board's secretariat shall be ensured by eu-LISA.

Article 11

Advisory Group

1.eu-LISA shall establish an Advisory Group in order to obtain expertise related to the JITs collaboration platform, in particular in the context of preparation of its annual work programme and its annual activity report.

2.During the design and development phase of the JITs collaboration platform, the Advisory Group shall be composed of the representatives of the Member States, the Commission and the JIT Secretariat. It shall be chaired by eu-LISA. It shall: 

(a)meet regularly, where possible at least once a month, until the start of operations of the JITs collaboration platform; 

(b)report after each meeting to the Programme Management Board; 

(c)provide the technical expertise to support the tasks of the Programme Management Board.

CHAPTER III

Access to the JITs collaboration platform

Article 12

Access to the JIT collaboration spaces by Member States’ competent authorities

1.Following the signature of a JIT agreement, a JIT collaboration space shall be created within the JITs collaboration platform for each JIT.

2.The JIT collaboration space shall be opened by the JIT space administrator or administrators, with the technical support of eu-LISA.

3.The JIT space administrator or administrators shall establish the access rights of the JITs collaboration platform users to the JIT collaboration space, on the basis of the JIT agreement.

Article 13

Access to the JIT collaboration spaces by competent Union bodies, offices and agencies

1.The JIT space administrator or administrators may decide to grant Eurojust, including the JIT Secretariat, access to a JIT collaboration space for the purpose of fulfilling its tasks set out in Regulation (EU) 2018/1727 of the European Parliament and of the Council 29 . In particular, the JIT space administrator or administrators may decide to grant the JIT Secretariat access to a JIT collaboration space for the purpose of technical and administrative support, including access rights management.

2.The JIT space administrator or administrators may decide to grant Europol access to a JIT collaboration space for the purpose of fulfilling its tasks set out in Regulation (EU) 2016/794 of the European Parliament and of the Council 30 .

3.The JIT space administrator or administrators may decide to grant OLAF access to a JIT collaboration space for the purpose of fulfilling its tasks set out in Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council 31 .

4.The JIT space administrator or administrators may decide to grant the European Public Prosecutor’s Office access to a JIT collaboration space for the purpose of fulfilling its tasks set out in Council Regulation (EU) 2017/1939.

5.The JIT space administrator or administrators may decide to grant other competent Union bodies, offices and agencies access to a JIT collaboration space for the purpose of fulfilling tasks set out in their basic acts.

Article 14

Access to the JIT collaboration spaces by third countries’ competent authorities

1.For the purposes listed in Article 5, the JIT space administrator or administrators may decide to grant access to a JIT collaboration space to the competent authorities of third countries which have signed a particular JITs agreement. 

2.The JIT space administrator or administrators shall ensure that the exchanges of operational data with the competent authorities of third countries that have been granted access to a JIT collaboration space are limited to what is required for the purposes of the JIT agreement and subject to the conditions laid therein.

3.Member States shall ensure that their transfers of personal data to third countries that have been granted access to a JIT collaboration space only take place where the conditions laid down in Chapter V of Directive 2016/680 are met.

CHAPTER IV

Security and liability

Article 15

Security

1.eu-LISA shall take the necessary technical and organisational measures to ensure a high level of cyber security of the JITs collaboration platform and the information security of data within the JITs collaboration platform, in particular in order to ensure the confidentiality and integrity of operational and non-operational data stored in the centralised information system.

2.eu-LISA shall prevent unauthorised access to the JITs collaboration platform and shall ensure that persons authorised to access the JITs collaboration platform have access only to the data covered by their access authorisation.

3.For the purposes of paragraphs 1 and 2, eu-LISA shall adopt a security plan, a business continuity and disaster recovery plan, to ensure that the centralised information system may, in case of interruption, be restored.

4.eu-LISA shall monitor the effectiveness of the security measures referred to in this Article and shall take the necessary organisational measures related to self-monitoring and supervision to ensure compliance with this Regulation.

Article 16

Liability

1.Where a Member State, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF or any other competent Union body, office or agency, as a consequence of a failure on their part to comply with their obligations under this Regulation, cause damage to the JITs collaboration platform, that Member State, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF or other competent Union body, office or agency respectively, shall be held liable for such damage, insofar as eu-LISA fails to take reasonable measures to prevent the damage from occurring or to minimise its impact.

2.Claims for compensation against a Member State for the damage referred to in paragraph 1 shall be governed by the law of the defendant Member State. Claims for compensation against Eurojust, Europol, the European Public Prosecutor’s Office, OLAF or any other competent Union body, office or agency for the damage referred to in paragraph 1 shall be governed by their respective founding acts.

CHAPTER V

Data protection

Article 17

Retention period for storage of operational data

1.Operational data pertaining to each JIT collaboration space shall be stored in the centralised information system for as long as needed for all concerned JITs collaboration platform users to complete the process of its downloading. The retention period shall not exceed four weeks.

2.Upon expiry of the retention period referred to in paragraph 1, the data record shall be automatically erased from the centralised system.

Article 18

Retention period for storage of non-operational data

1.Where an evaluation of the JIT is envisaged, non-operational data pertaining to each JIT collaboration space shall be stored in the centralised information system until the JIT evaluation has been completed. The retention period shall not exceed five years.

2.Upon expiry of the retention period referred to in paragraph 1, the data record shall be automatically erased from the centralised system.

Article 19

Data controller and data processor

1.Each competent national authority of a Member State, and where appropriate, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF or any other competent Union body, office or agency shall be considered to be data controllers in accordance with applicable Union data protection rules for the processing of personal data under this Regulation.

2.With regard to data uploaded to the JITs collaboration platform by the competent authorities of third countries, one of the JIT space administrators is to be considered data controller as regards the personal data exchanged through, and stored in the JITs collaboration platform.

3.eu-LISA shall be considered to be data processor in accordance with Regulation (EU) 2018/1725 as regards the personal data exchanged through, and stored in the JITs collaboration platform.

4.The JITs collaboration platform users shall be jointly responsible for managing non-operational data in the JITs collaboration platform.

Article 20

Purpose of the processing of personal data

1.The data entered into the JITs collaboration platform shall only be processed for the purposes of:

(a)the exchange of operational information and evidence between the JITs collaboration platform users;

(b)the exchange of non-operational data between the JITs collaboration platform users, for the purposes of managing the JIT.

2.Access to the JITs collaboration platform shall be limited to duly authorised staff of the competent Member States’ and third country authorities, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices or agencies, to the extent needed for the performance of their tasks in accordance with the purposes referred to in paragraph 1, and to what is necessary and proportionate to the objectives pursued.

Article 21

Technical logs 

1.eu-LISA shall ensure that a log is kept of all access to the centralised information system and all data processing operations in the centralised information system, in accordance with paragraph 2.

2.The logs shall show: 

(a)the date, time zone and exact time of accessing the centralised information system; 

(b)the identifying mark of JIT’s collaboration platform user who accessed the centralised information system;

(c)the date, time zone and access time of the operation carried out by the JIT’s collaboration platform user;

(d)the operation carried out by the JIT’s collaboration platform user.

3.The logs shall be protected by appropriate technical measures against unauthorised access and shall be kept for three years or for such longer period as required for the termination of ongoing monitoring procedures.

4.On request, eu-LISA shall make the logs available to the competent authorities of the Member States without undue delay.

5.Within the limits of their competences and for the purpose of fulfilling their duties, the national supervisory authorities responsible for monitoring the lawfulness of data processing shall have access to logs upon request.

6.Within the limits of its competences and for the purpose of fulfilling its supervisory duties in accordance with Regulation (EU) 2018/1725, the European Data Protection Supervisor shall have access to logs upon request.

CHAPTER VI

Final provisions

Article 22

Monitoring and evaluation

1.eu-LISA shall establish procedures to monitor the development of the JITs collaboration platform as regards the objectives relating to planning and costs and to monitor the functioning of the JITs collaboration platform as regards the objectives relating to the technical output, cost-effectiveness, security and quality of service.

2.The procedures referred to in paragraph 1 shall provide for the possibility to produce regular technical statistics for monitoring purposes.

3.In the event of substantial delays in the development process, eu-LISA shall inform the European Parliament and the Council as soon as possible of the reasons for the delays and of their impact in terms of timeframes and finances.

4.Once the development of the JITs collaboration platform is finalised, eu-LISA shall submit a report to the European Parliament and to the Council explaining how the objectives, in particular relating to planning and costs, were achieved and justifying any divergences.

5.In the event of a technical upgrade of the JITs collaboration platform, which could result in substantial costs, eu-LISA shall inform the European Parliament and the Council before making the upgrade.

6.Two years after the start of operations of the JITs collaboration platform and every year thereafter, eu-LISA shall submit to the Commission a report on the technical functioning of the JITs cooperation platform, including its security.

7.Four years after the start of operations of the JITs collaboration platform and every four years thereafter, the Commission shall conduct an overall evaluation of the JITs collaboration platform. The Commission shall transmit the overall evaluation report to the European Parliament and the Council.

8.The Member States’ competent authorities, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices and agencies shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 4 and 7. That information shall not jeopardise working methods or include information that reveals sources, names of staff members or investigations.

9.eu-LISA shall provide the Commission with the information necessary to produce the overall evaluation referred to in paragraph 7.

Article 23

Costs

The costs incurred in connection with the establishment and operation of the JITs collaboration platform shall be borne by the general budget of the Union.

Article 24

Start of operations

1.The Commission shall determine the date of the start of operations of the JITs collaboration platform, once it is satisfied that the following conditions are met: 

(a)the relevant implementing acts referred to in Article 6 have been adopted;

(b)eu-LISA has carried out a comprehensive test of the JITs collaboration platform, in cooperation with the Member States, using anonymous test data.

2.Where the Commission has determined the date of start of operations in accordance with paragraph 1, it shall communicate that date to the Member States, Eurojust, Europol, the European Public Prosecutor’s Office and OLAF. 

3.The decision of the Commission determining the date of the start of operations of the JITs collaboration platform, as referred to in paragraph 1, shall be published in the Official Journal of the European Union.

4.The JITs collaboration platform users shall start using the JITs collaboration platform from the date determined by the Commission in accordance with paragraph 1.

Article 25

Committee procedure

1.The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.Where reference is made to this Article, Article 5 of Regulation (EU) No 182/2011 shall apply.

3.Where the committee delivers no opinion, the Commission shall not adopt the draft-implementing act and the third subparagraph of Article 5(4) of Regulation (EU) No 182/2011 shall apply.

Article 26

Amendments to Regulation (EU) 2018/1726

Regulation (EU) 2018/1726 is amended as follows:

(1) in Article 1, the following paragraph 4a is inserted:

“4a. The Agency shall be responsible for the development and operational management, including technical evolutions, of the Joint Investigation Teams (‘JITs’) collaboration platform”;

(2) the following Article 8b is inserted:

“Article 8b

Tasks related to the JITs collaboration platform

In relation to the JITs collaboration platform, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) No XXX/20XX of the European Parliament and of the Council*;

(b) tasks relating to training on the technical use of the JITs collaboration platform, including provision of online training materials.

__________

* Regulation (EU) No XXX/20XX of the European Parliament and of the Council establishing a centralised collaboration platform to support the functioning of Joint Investigation Teams and amending Regulation (EU) 2018/1726 (OJ L …).”;

(3) in Article 14, paragraph 1 is replaced by the following:

“1.The Agency shall monitor developments in research relevant for the operational management of SIS II, VIS, Eurodac, the EES, ETIAS, DubliNet, ECRIS-TCN, e-CODEX, the JITs collaboration platform and other large-scale IT systems as referred to in Article 1(5).”;

(4) in Article 19(1), point (ff) is replaced by the following:

“(ff) adopt reports on the technical functioning of the following:

(i) SIS pursuant to Article 60(7) of Regulation (EU) 2018/1861 of the European Parliament and of the Council* and Article 74(8) of Regulation (EU) 2018/1862 of the European Parliament and of the Council**;

(ii) VIS pursuant to Article 50(3) of Regulation (EC) No 767/2008 and Article 17(3) of Decision 2008/633/JHA;

(iii) EES pursuant to Article 72(4) of Regulation (EU) 2017/2226;

(iv) ETIAS pursuant to Article 92(4) of Regulation (EU) 2018/1240;

(v) ECRIS-TCN and of the ECRIS reference implementation pursuant to Article 36(8) of Regulation (EU) 2019/816 of the European Parliament and of the Council***;

(vi) the interoperability components pursuant to Article 78(3) of Regulation (EU) 2019/817 and Article 74(3) of Regulation (EU) 2019/818;

(vii) the e‑CODEX system pursuant to Article 14(1) of Regulation (EU) XXX****;

(viii) the JITs collaboration platform pursuant to Article xx of Regulation (EU) XXX***** [this Regulation];

__________

* Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14).

** Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).

*** Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1).

**** Regulation (EU) XXX of … (OJ L …).

***** Regulation (EU) XXX of … (OJ L …).”;

(5) in Article 27(1), the following point (dc) is inserted:

“(dc) the JITs collaboration platform Advisory Group;”.

Article 27

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States in accordance with the Treaties.

Done at Brussels,

LEGISLATIVE FINANCIAL STATEMENT

Contents

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE

1.1.Title of the proposal/initiative

1.2.Policy area(s) concerned

1.3.The proposal relates to:

1.4.Objective(s)

1.4.1.General objective(s)

1.4.2.Specific objective(s)

1.4.3.Expected result(s) and impact

1.4.4.Indicators of performance

1.5.Grounds for the proposal/initiative

1.5.1.Requirement(s) to be met in the short or long term including a detailed timeline for roll-out of the implementation of the initiative

1.5.2.Added value of Union involvement (it may result from different factors, e.g. coordination gains, legal certainty, greater effectiveness or complementarities). For the purposes of this point 'added value of Union involvement' is the value resulting from Union intervention which is additional to the value that would have been otherwise created by Member States alone.

1.5.3.Lessons learned from similar experiences in the past

1.5.4.Compatibility with the Multiannual Financial Framework and possible synergies with other appropriate instruments

1.5.5.Assessment of the different available financing options, including scope for redeployment

1.6.Duration and financial impact of the proposal/initiative

1.7.Management mode(s) planned

2.MANAGEMENT MEASURES

2.1.Monitoring and reporting rules

2.2.Management and control system(s)

2.2.1.Justification of the management mode(s), the funding implementation mechanism(s), the payment modalities and the control strategy proposed

2.2.2.Information concerning the risks identified and the internal control system(s) set up to mitigate them

2.2.3.Estimation and justification of the cost-effectiveness of the controls (ratio of "control costs ÷ value of the related funds managed"), and assessment of the expected levels of risk of error (at payment & at closure)

2.3.Measures to prevent fraud and irregularities

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected

3.2.Estimated impact on expenditure

3.2.1.Summary of estimated impact on expenditure

3.2.2.Estimated impact on Eurojust's appropriations

3.2.3.Estimated impact on eu-LISA's appropriations

3.2.4.Estimated impact on Eurojust's human resources

3.2.5.Estimated impact on eu-LISA's human resources

3.2.6.Compatibility with the current multiannual financial framework

3.2.7.Third-party contributions

3.3.Estimated impact on revenue

LEGISLATIVE FINANCIAL STATEMENT

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE 

1.1.Title of the proposal/initiative

1.2.Policy area(s) concerned 

1.3.The proposal relates to: 

☑ a new action 

◻ a new action following a pilot project/preparatory action 32  

◻ the extension of an existing action 

◻ a merger or redirection of one or more actions towards another/a new action 

1.4.Objective(s)

1.4.1.General objective(s)

1.4.2.Specific objective(s)

1.4.3.Expected result(s) and impact 

Specify the effects which the proposal/initiative should have on the beneficiaries/groups targeted.

1.4.4.Indicators of performance

Specify the indicators for monitoring progress and achievements.

1.5.Grounds for the proposal/initiative 

1.5.1.Requirement(s) to be met in the short or long term including a detailed timeline for roll-out of the implementation of the initiative

1.5.2.Added value of Union involvement (it may result from different factors, e.g. coordination gains, legal certainty, greater effectiveness or complementarities). For the purposes of this point 'added value of Union involvement' is the value resulting from Union intervention which is additional to the value that would have been otherwise created by Member States alone.

1.5.3.Lessons learned from similar experiences in the past

1.5.4.Compatibility with the Multiannual Financial Framework and possible synergies with other appropriate instruments

1.5.5.Assessment of the different available financing options, including scope for redeployment

1.6.Duration and financial impact of the proposal/initiative

◻ limited duration

–◻    in effect from [DD/MM]YYYY to [DD/MM]YYYY

–◻    Financial impact from YYYY to YYYY for commitment appropriations and from YYYY to YYYY for payment appropriations.

☑ unlimited duration

–Implementation with a start-up period from YYYY to YYYY,

–followed by full-scale operation.

1.7.Management mode(s) planned 

◻ Direct management by the Commission

–◻ by its departments, including by its staff in the Union delegations;

–◻    by the executive agencies

◻ Shared management with the Member States

☑ Indirect management by entrusting budget implementation tasks to:

–◻ third countries or the bodies they have designated;

–◻ international organisations and their agencies (to be specified);

–◻ the EIB and the European Investment Fund;

–☑ bodies referred to in Articles 70 and 71 of the Financial Regulation;

–◻ public law bodies;

–◻ bodies governed by private law with a public service mission to the extent that they are provided with adequate financial guarantees;

–◻ bodies governed by the private law of a Member State that are entrusted with the implementation of a public-private partnership and that are provided with adequate financial guarantees;

–◻ persons entrusted with the implementation of specific actions in the CFSP pursuant to Title V of the TEU, and identified in the relevant basic act.

2.MANAGEMENT MEASURES 

2.1.Monitoring and reporting rules 

Specify frequency and conditions.

2.2.Management and control system(s) 

2.2.1.Justification of the management mode(s), the funding implementation mechanism(s), the payment modalities and the control strategy proposed

2.2.2.Information concerning the risks identified and the internal control system(s) set up to mitigate them

2.2.3.Estimation and justification of the cost-effectiveness of the controls (ratio of "control costs ÷ value of the related funds managed"), and assessment of the expected levels of risk of error (at payment & at closure) 

2.3.Measures to prevent fraud and irregularities 

Specify existing or envisaged prevention and protection measures, e.g. from the Anti-Fraud Strategy.

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE 

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected 

·Existing budget lines

In order of multiannual financial framework headings and budget lines.

·New budget lines requested

In order of multiannual financial framework headings and budget lines.

3.2.Estimated impact on expenditure 

3.2.1.Summary of estimated impact on expenditure

EUR million (to three decimal places)

EUR million (to three decimal places)

EUR million (to three decimal places)

EUR million (to three decimal places)

3.2.2.Estimated impact on Eurojust's appropriations 

–◻    The proposal/initiative does not require the use of operational appropriations

–☑    The proposal/initiative requires the use of operational appropriations, as explained below:

Commitment appropriations in EUR million (to three decimal places)

3.2.3.Estimated impact on eu-LISA's appropriations 

–◻    The proposal/initiative does not require the use of operational appropriations

–☑    The proposal/initiative requires the use of operational appropriations, as explained below:

Commitment appropriations in EUR million (to three decimal places)

3.2.4.Estimated impact on Eurojust's human resources 

3.2.4.1.Summary

–◻    The proposal/initiative does not require the use of appropriations of an administrative nature

–☑    The proposal/initiative requires the use of appropriations of an administrative nature, as explained below 39 :

EUR million (to three decimal places)

Staff requirements 40  (FTE):

Recruitement dates are planned at beginning of the year. No assumptions have been made for a potential increase of the salary indexation or the correction coefficient applicable to the Netherlands.

Staff required for the SPECIFIC OBJECTIVE No 1 - to develop the necessary technical adaptations of the relevant Eurojust IT systems:

Staff required for the SPECIFIC OBJECTIVE No 2 - to provide administrative support to the JITs collaboraton platform users:

Description of the profiles:

3.2.5.Estimated impact on eu-LISA's human resources 

3.2.5.1.Summary

–◻    The proposal/initiative does not require the use of appropriations of an administrative nature

–☑    The proposal/initiative requires the use of appropriations of an administrative nature, as explained below 41 :

EUR million (to three decimal places)

Staff requirements 42 (FTE):

Recruitement dates are planned at beginning of the year. No assumptions have been made for a potential increase of the salary indexation or the correction coefficient applicable to Estonia and France.

Staff required for the SPECIFIC OBJECTIVE No 1 - to develop the JITs collaboration platform:

Staff required for the SPECIFIC OBJECTIVE No 2 - to maintain and operate the JITs collaboration platform:

Description of the profiles:

3.2.5.2.Estimated requirements of human resources for the parent DG

–◻    The proposal/initiative does not require the use of human resources.

–☑    The proposal/initiative requires the use of human resources, as explained below:

Estimate to be expressed in full amounts (or at most to one decimal place)

The human resources required will be met by staff from the DG who are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.

Description of tasks to be carried out:

Description of the calculation of cost for FTE units should be included in the Annex V, section 3.

3.2.6.Compatibility with the current multiannual financial framework 

–☑    The proposal/initiative can be partially financed through redeployment within the relevant heading of the Multiannual Financial Framework (MFF).

–☑    The proposal/initiative requiresuse of the unallocated margin under the relevant heading of the MFF and/or use of the special instruments as defined in the MFF Regulation.

3.2.7.Third-party contributions 

–☑ The proposal/initiative does not provide for co-financing by third parties.

–◻ The proposal/initiative provides for the co-financing estimated below:

EUR million (to three decimal places)

3.3.Estimated impact on revenue 

–☑    The proposal/initiative has no financial impact on revenue.

–◻    The proposal/initiative has the following financial impact:

–◻    on own resources

–◻    on other revenue

–please indicate, if the revenue is assigned to expenditure lines ◻    

EUR million (to three decimal places)

For assigned revenue, specify the budget expenditure line(s) affected.

Other remarks (e.g. method/formula used for calculating the impact on revenue or any other information).

(1)    OJ C 197, 12.7.2000, p. 3–23.

(2)    OJ L 162, 20.6.2002, p. 1–3.

(3)    CET No 182.

(4)    OJ L 181, 19.7.2003, p. 34.

(5)     https://www.eurojust.europa.eu/sites/default/files/Partners/JITs/2018-02_2nd-Report-JIT-Evaluation_EN.pdf

(6)     https://op.europa.eu/en/publication-detail/-/publication/e38795b5-f633-11ea-991b-01aa75ed71a1

(7)    Commission Communication on the Digitalisation of justice in the European Union - A toolbox of opportunities, COM (2020) 710 final, 2.12.2020.

(8)    Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

(9)    Commission Communication on the Digitalisation of justice in the European Union - A toolbox of opportunities, COM (2020) 710 final, 2.12.2020.

(10)    Commission Communication Commission Work Programme 2021, A Union of vitality in a world of fragility, COM(2020) 690 final.

(11)    Commission Communication on the EU Security Union strategy, COM(2020) 605 final.

(12)    Commission Communication on a counter-terrorism agenda for the EU, COM(2020) 795 final.

(13)    Commission Communication on the EU strategy to tackle organised crime 2021-2025, COM(2021) 170 final.

(14)    Cross-border Digital Criminal Justice, Final report, https://op.europa.eu/en/publication-detail/-/publication/e38795b5-f633-11ea-991b-01aa75ed71a1/language-en .

(15)    SWD(2021) 390

(16)    OJ C 326, 26.10.2012, p. 391–407.

(17)    COM (2021) 21 Final - Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive 2014/41/EU, as regards its alignment with EU rules on the protection of personal data.

(18)     https://europa.eu/european-union/sites/default/files/docs/body/joint_statement_and_common_approach_2012_en.pdf .

(19)    Council Framework Decision 2002/465/JHA of 13 June 2002 on joint investigation teams (OJ L 162, 20.6.2002, p. 1).

(20)    OJ C 197, 12.7.2000, p. 3.

(21)    CET No 182

(22)    OJ L 181, 19.7.2003, p. 34.

(23)    Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99).

(24)    Council of the European Union, Outcome of Proceedings of Article Art 36 Committee on 7 and 8 July 2005, Item 7 of the Agenda: Joint Investigation Teams - Proposal for designation of national experts, 11037/05.

(25)    Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).

(26)    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(27)    Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

(28)    Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission,(OJ L 56, 4.3.1968, p. 1).

(29)    Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust) (OJ L 295, 21.11.2018, p. 138).

(30)    Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) (OJ L 135, 24.5.2016, p. 53)

(31)    Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).

(32)    As referred to in Article 58(2) (a) or (b) of the Financial Regulation.

(33)    Diff. = Differentiated appropriations / Non-diff. = Non-differentiated appropriations.

(34)    EFTA: European Free Trade Association.

(35)    Candidate countries and, where applicable, potential candidates from the Western Balkans.

(36)    Year 2024 is the year in which implementation of the proposal starts – following the planned adoption in 2023.

(37)    Year 2024 is the year in which implementation of the proposal starts – following the planned adoption in 2023.

(38)    Year 2024 is the year in which implementation of the proposal starts – following the planned adoption in 2023.

(39)    The costs estimates for staff are cumulative and have been made on the basis of the average costs for temporary staff, indexed to the correction coefficient applicable for the Netherlands as of 07/2020 (113,9%).

(40)    Cumulative. The number indicated under each year is the number of old staff from the previous year(s) and newly recruited staff.

(41)    The costs estimates for staff are cumulative and have been made on the basis of the average costs for temporary and contract staff.

(42)    Cumulative. The number indicated under each year is the number of old staff from the previous year(s) and newly recruited staff.

(43)    AC = Contract Staff; AL = Local Staff; END = Seconded National Expert; INT = agency staff; JPD = Junior Professionals in Delegations.

(44)    Sub-ceiling for external staff covered by operational appropriations (former ‘BA’ lines).

(45)    Mainly for the EU Cohesion Policy Funds, the European Agricultural Fund for Rural Development (EAFRD) and the European Maritime Fisheries and Aquaculture Fund (EMFAF).

(46)    As regards traditional own resources (customs duties, sugar levies), the amounts indicated must be net amounts, i.e. gross amounts after deduction of 20 % for collection costs.