EUROPEAN COMMISSION
Brussels, 20.1.2021
COM(2021) 21 final
2021/0009(COD)
Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
amending Directive 2014/41/EU, as regards its alignment with EU rules on the protection of personal data
EUR-Lex Access to European Union law
This document is an excerpt from the EUR-Lex website
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Need more search options? Use the
Advanced search
You are here
Document 52021PC0021
Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive 2014/41/EU, as regards its alignment with EU rules on the protection of personal data
Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive 2014/41/EU, as regards its alignment with EU rules on the protection of personal data
Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive 2014/41/EU, as regards its alignment with EU rules on the protection of personal data
COM/2021/21 final
Language
HTML
DOC
PDF
EXPLANATORY MEMORANDUM
1.CONTEXT OF THE PROPOSAL
•Reasons for and objectives of the proposal
Directive (EU) 2016/680 1 (the Data Protection Law Enforcement Directive – LED) entered into force on 6 May 2016 and Member States had until 6 May 2018 to transpose it into national law. It repealed and replaced Council Framework Decision 2008/977/JHA 2 , but is a much more comprehensive and general data protection instrument. Importantly, it applies to both the domestic and the cross‑border processing of personal data by competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences and executing criminal penalties, including safeguarding against and preventing threats to public security (Article 1(1)).
Article 62(6) LED requires the Commission to review, by 6 May 2019, other EU legal acts that regulate competent authorities’ personal data processing for law enforcement purposes, in order to assess the need to align them with the LED and, where appropriate, to make proposals for amending them to ensure consistency in the protection of personal data within the scope of the LED.
The Commission set out the results of its review in a Communication on Way forward on aligning the former third pillar acquis with data protection rules (24 June 2020) 3 , which specifies ten legal acts that should be aligned with the LED and a timetable for doing so. The list includes Directive 2014/41/EU of the European Parliament and of the Council regarding the European Investigation Order in criminal matters 4 . The Commission indicated that it would put forward targeted amendments of that Directive in the last quarter of 2020; that is the purpose of this proposal.
This initiative is not part of the regulatory fitness programme (REFIT).
•Consistency with existing policy provisions in the policy area
The proposal aims to align the data protection rules in Directive 2014/41/EU with the principles and rules laid down in the LED, in order to provide a strong and coherent data protection framework in the Union.
•Consistency with other Union policies
n/a
2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
•Legal basis
This proposal is based on Article 16(2) of the Treaty on the Functioning of the European Union (TFEU).
The original act was based on ex-Article 34(2)(b) of the former Treaty on European Union, which rather corresponds to Article 82(1) TFEU. However, both the objective and the substance of the proposed amendment is clearly limited to the protection of personal data.
In that regard, Article 16(2) TFEU is the most appropriate legal basis. It allows for the adoption of rules on the protection of individuals with regard to the processing of personal data by Member States when carrying out activities under Union law and the rules on the free movement of personal data.
According to Article 2a of Protocol No 22, Denmark will not be bound by rules laid down on the basis of Article 16 TFEU which relate to the processing of personal data when carrying out activities falling within the scope of Chapter 4 and 5 of Title IV of Part Three of the TFEU. The same is true for Ireland according to Article 6a of Protocol No 21.
•Subsidiarity (for non-exclusive competence)
Only the Union can adopt a legislative act amending Directive 2014/41/EU.
•Proportionality
This proposal is limited to what is necessary to align Directive 2014/41/EU with Union legislation on the protection of personal data (in particular the LED) without changing the Directive’s scope in any way. This Directive does not go beyond what is necessary to achieve the objectives pursued, in accordance with Article 5(4) of the Treaty on European Union.
•Choice of instrument
To amend Directive 2014/41/EU, the most appropriate instrument is a directive.
3.RESULTS OF EX POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
•Ex post evaluations/fitness checks of existing legislation
This proposal follows the results of the Commission’s review under Article 62(6) LED, as presented in the Communication on Way forward on aligning the former third pillar acquis with data protection rules. That Communication lists points on which alignment is necessary. In particular, it identifies the need to clarify that any processing of personal data under Directive 2014/41/EU is subject to either the LED or Regulation (EU) 2016/679 5 (General Data Protection Regulation – GDPR), depending on whether it takes place in the context of criminal or non-criminal proceedings. The alignment should clarify that data obtained under Directive 2014/41/EU may be processed for purposes other than those for which they are collected only under the conditions laid down in the LED (Articles 4(2) or 9(1)) or the GDPR (Article 6).
By proposing the deletion of Article 20 of Directive 2014/41/EU, this proposal is limited to what is necessary to address the above points.
•Stakeholder consultations
n/a
•Collection and use of expertise
In its review, the Commission took account of a study carried out as part of the pilot project on a ‘fundamental rights review of EU data collection instruments and programmes’ 6 . The study mapped Union acts covered by Article 62(6) LED and identified provisions potentially requiring alignment on data protection issues.
•Impact assessment
The impact of this proposal is limited to competent authorities’ processing of personal data in the specific instances regulated by Directive 2014/41/EU. The impact of the new obligations arising from the LED was assessed in the context of the preparatory work for the LED. This renders a specific impact assessment for this proposal unnecessary.
•Regulatory fitness and simplification
n/a
•Fundamental rights
The right to the protection of personal data is laid down in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 TFEU. As underlined by the Court of Justice of the European Union 7 , the right to the protection of personal data is not absolute, but must be considered in relation to its function in society 8 . Data protection is also closely linked to respect for private and family life, as protected by Article 7 of the Charter.
This proposal ensures that any processing of personal data under Directive 2014/41/EU is subject to the ‘horizontal’ principles and rules of EU data protection legislation, thus further implementing Article 8 of the Charter. That legislation aims to ensure a high level of protection of personal data and clarifying that the principles and rules of Directive 2016/680 apply to data processing under the Directive will have a positive impact as regards the fundamental rights to privacy and data protection.
4.BUDGETARY IMPLICATIONS
n/a
5.OTHER ELEMENTS
•Implementation plans and monitoring, evaluation and reporting arrangements
n/a
•Explanatory documents (for directives)
This proposal does not require explanatory documents on transposition, as it involves deleting one article of Directive 2014/41/EU.
•Detailed explanation of the specific provisions of the proposal
Article 1 deletes Article 20 of Directive 2014/41/EU. In doing so, this proposal is limited to what is necessary to address the above points. Article 20 requires that any processing of personal data under the Directive comply with Council Framework Decision 2008/977/JHA and the principles of the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (28 January 1981) and its Additional Protocol.
The LED repealed the Framework Decision with effect from 6 May 2018. Under Article 59 LED, references to the Framework Decision are to be construed as references to the LED.
Under its Article 2(1), the LED applies to the processing of personal data by competent authorities for the purposes set out in its Article 1(1), i.e. preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, including safeguarding against and preventing threats to public security. However, Directive 2014/41/EU also applies to certain types of non-criminal proceedings – these are regulated by the GDPR.
The fact that Article 20 of Directive 2014/41/EU refers to the Framework Decision could result in confusion as to whether the LED also applies to the processing of personal data relating to European investigation orders in the context of non-criminal proceedings (which do not lie within the scope of the LED). Deleting Article 20 is sufficient to remedy this situation. The LED continues to apply to the processing of personal data under Directive 2014/41/EU within its scope.
As the LED and the GDPR (each within its scope) apply to the processing of personal data under Directive 2014/41/EU, the processing of such data for purposes other than that for which they are collected will be carried out in accordance with the LED (Articles 4(2) and 9(1)) or the GDPR (Article 6(4)). No new provision is needed to that effect.
Article 20 of Directive 2014/41/EU also requires that access to personal data be restricted, without prejudice to the rights of the data subject, and that only authorised persons have access to such data. The LED and the GDPR establish a comprehensive framework on data subjects’ rights and the data controller’s obligations, including as regards data protection by design and by default, and security of processing. The second paragraph of Article 20 is therefore redundant.
Since Directive 2014/41/EU does not contain specific data protection rules, no further data protection related amendments are required.
Article 2 sets the deadline for transposing the proposed new Directive.
Article 3 sets the date of entry into force of this Directive.
Article 4 provides that this Directive is addressed to Member States.
2021/0009 (COD)
Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
amending Directive 2014/41/EU, as regards its alignment with EU rules on the protection of personal data
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16(2) thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Acting in accordance with the ordinary legislative procedure,
Whereas:
(1)Pursuant to Article 62(6) of Directive (EU) 2016/680 9 , the Commission is to review other acts of Union law which regulate processing of personal data by the competent authorities for the purposes set out in Article 1(1) of that Directive, in order to assess the need to align those acts with that Directive and to make, where appropriate, the necessary proposals to amend these acts to ensure a consistent approach to the protection of personal data within the scope of that Directive. That review has led to the identification of Directive 2014/41/EU 10 as one of those other acts to be amended.
(2)In the interest of consistency and the effective protection of personal data, the processing of personal data under Directive 2014/41/EU should respect the rules set out in Directive (EU) 2016/680, where applicable. Regulation (EU) 2016/679 11 should apply to the processing of personal data in relation to proceedings as referred to in Article 4, points (b), (c) and (d) of Directive 2014/41/EU where not covered by Directive (EU) 2016/680.
(3)In accordance with Articles 1, 2 and 4a(1) of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Directive and is not bound by it or subject to its application.
(4)In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union , Denmark is not taking part in the adoption of this Directive and is not bound by it or subject to its application.
(5)Directive 2014/41/EU should therefore be amended accordingly.
(6)The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 12 and delivered an opinion on XX XXXX 13 ,
HAVE ADOPTED THIS DIRECTIVE:
Article 1
Amendments to Directive 2014/41/EU
Article 20 of Directive 2014/41/EU is deleted.
Article 2
1.Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by [one year after adoption] at the latest. They shall forthwith communicate to the Commission the text of those provisions.
When Member States adopt those provisions, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.
2.Member States shall communicate to the Commission the text of the main provisions of national law which they adopt in the field covered by this Directive.
Article 3
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Article 4
This Directive is addressed to the Member States in accordance with the Treaties.
Done at Brussels,
For the European Parliament For the Council
The President The President
- (1) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
- (2) Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350, 30.12.2008, p. 60).
- (3) COM(2020) 262 final.
- (4) OJ L 130, 1.5.2014, p. 1.
- (5) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
-
(6)
The pilot project was requested by the European Parliament, managed by the Commission and carried out by a contractor (group of independent experts). The Commission selected the contractor on the basis of criteria determined by the Parliament. The project deliverables reflect the views and opinions only of the contractor and the Commission cannot be held responsible for any use that may be made of the information contained therein. The results are published at http://www.fondazionebrodolini.it/en/projects/pilot-project-fundamental-rights-review-eu-data-collectioninstruments-and-programmes
-
(7)
CJEU, 9 November 2010, Volker und Markus Schecke and Eifert, Joined Cases C-92/09 and C-93/09 (ECLI:EU:C:2009:284, par. 48).
-
(8)
In line with Article 52(1) of the Charter, the exercise of the right to data protection may be made subject to limitations that are provided for by law, respect the essence of the right and freedoms, and (subject to the principle of proportionality) are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
- (9) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
- (10) Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters (OJ L 130, 1.5.2014, p. 1).
- (11) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
- (12) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).