Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 52022XX0609(01)

    Summary of the Opinion of the European Data Protection Supervisor on on the Proposal for a Regulation on automated data exchange for police cooperation (‘Prüm II’) (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu) 2022/C 225/04

    OJ C 225, 9.6.2022, p. 6–9 (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

    9.6.2022   

    EN

    Official Journal of the European Union

    C 225/6


    Summary of the Opinion of the European Data Protection Supervisor on on the Proposal for a Regulation on automated data exchange for police cooperation (‘Prüm II’)

    (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

    (2022/C 225/04)

    The European Commission adopted on 8 December 2021 a Proposal for a Regulation of the European Parliament and of the Council on automated data exchange for police cooperation (‘Prüm II’), amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, 2019/817 and 2019/818 of the European Parliament and of the Council (the so-called ‘Prüm Decisions’). The Proposal is part of a larger legislative package, referred to as ‘EU Police Cooperation Code’, which also includes a Proposal for Directive of the European Parliament and of the Council on information exchange between law enforcement authorities of Member States (subject to a separate EDPS opinion), and Proposal for Council Recommendation on operational police cooperation.

    The objective of the Proposal is to enhance law enforcement cooperation and in particular the information exchange between the competent authorities responsible for the prevention, detection and investigation of criminal offences, by laying down the conditions and procedures for the automated searching of DNA profiles, dactyloscopic data (fingerprints), facial images, police records and certain vehicle registration data, as well as the exchange of data following a match.

    While the EDPS understands the need for the law enforcement authorities to benefit from the best possible legal and technical tools to detect, investigate and prevent crimes, he notes that the proposed new Prüm framework does not clearly lay down essential elements of the exchange of data, such as the types of crimes, which may justify a query, and is not sufficiently clear about the scope of data subjects affected by the automatic exchange of data, e.g. whether the databases, subject to a query, contain data only of suspects and/or convicted persons, or also data of other data subjects, such as victims or witnesses.

    The EDPS considers in particular that the automated searching of DNA profiles and facial images should be possible only in the context of individual investigations into serious crimes, instead of any criminal offence, as provided for in the Proposal. Furthermore, the EDPS considers necessary to introduce in the Proposal common requirements and conditions concerning the data in the national databases that are made accessible for automated searches, taking due account of the obligation under Article 6 of the Law Enforcement Directive 680/2016 (LED) to make a distinction between different categories of data subjects (i.e. convicted criminals, suspects, victims, etc.).

    The EDPS is also concerned about the implications for the fundamental rights of the concerned individuals by the proposed automated searching and exchange of police records. He considers that the necessity of the proposed automated searching and exchange of police records data is not sufficiently demonstrated. If such a measure is nevertheless adopted, even on voluntary basis, then additional strong safeguards would be required to comply with the principle of proportionality. In particular, given the data quality challenges, the future Regulation should, inter alia, explicitly define the types and/or the seriousness of crimes that may justify an automated query in the national police records.

    Regarding the inclusion of Europol within the Prüm framework, the EDPS considers that his comments and recommendations in Opinion 4/2021 on the Proposal for Amendment of the Europol Regulation remain fully valid in the context of Prüm cooperation, in particular those related to the so-called ‘big data challenge’, i.e. processing by the Agency of large and complex datasets. The EDPS would like to recall two of the key messages in the Opinion on Europol: with stronger powers should always come a stronger oversight, and, equally important, any applicable exceptions in the form of derogations should not be allowed to become the rule.

    The Proposal provides for a complex architecture for the automated searching and exchange of data within the Prüm framework with three separate technical solutions, developed and maintained by three different entities. The EDPS considers that the Proposal should be more explicit regarding the responsibility for the processing of personal data, in particular in EUCARIS, which is not based on EU law and has an intergovernmental nature. In addition, the EDPS is of the opinion that, given the scale and the sensitivity of the personal data processing, the proposed horizontal governance model of the Prüm framework is not suitable and should be further strengthened, e.g. by assigning a central coordination role to an EU entity, e.g. the Commission.

    In addition, in the interest of legal certainty, the EDPS considers that the relationship of the data protection rules in the Proposal with the existing legal framework on data protection in the EU, in particular the LED and the Regulation (EU) 1725/2018 (EUDPR), should be explicitly clarified.

    The Opinion also analyses and provides recommendations on a number other specific issues, such as the link of the Prüm framework with the interoperability framework, the transfer of data to third countries and international organisations, or the supervision of the processing operations for the purposes of Prüm cooperation.

    1.   INTRODUCTION AND BACKGROUND

    1.

    On 8 December 2021 the European Commission adopted a Proposal for a Regulation of the European Parliament and of the Council on automated data exchange for police cooperation (‘Prüm II’), amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, 2019/817 and 2019/818 of the European Parliament and of the Council (the ‘Proposal’) (1).

    2.

    The Proposal is part of a larger legislative package, referred to as ‘EU Police Cooperation Code’, which also includes:

    a Proposal for Directive of the European Parliament and of the Council on information exchange between law enforcement authorities of Member States, repealing Council Framework Decision 2006/960/JHA (2), and

    a Proposal for Council Recommendation on operational police cooperation (3).

    3.

    The objective of the EU Police Cooperation Code, as stated by the Commission, is to enhance law enforcement cooperation across Member States and in particular the information exchange between the competent authorities (4). In this regard, the Proposal lays down the conditions and procedures for the automated searching of DNA profiles, dactyloscopic data (fingerprints), facial images, police records and certain vehicle registration data and the exchange of data following a match between authorities responsible for the prevention, detection and investigation of criminal offences.

    4.

    The Proposal, as well as the EU Police Cooperation Code more generally, is linked to the policy goals of several EU strategic documents in the area of Justice and Home Affairs, in particular the EU Security Union Strategy (5), the EU Strategy to tackle Organised Crime 2021-2025 (6) and 2021 Strategy on Schengen area (7). Moreover, the proposals establishing the Police Cooperation Code should be considered in the light of the ongoing reform of Europol and the growing role of the Agency as a central criminal information hub of the Union, collecting and processing ever-increasing amounts of data (8).

    5.

    The Commission consulted the EDPS on the Proposal for Regulation Prüm II on 5 January 2022, pursuant to Article 42(1) of Regulation (EU) 2018/1725. The comments and recommendations in this Opinion are limited to the provisions in the Proposal that are most relevant from data protection perspective.

    4.   CONCLUSIONS

    73.

    The proposed new Prüm framework does not clearly lay down essential elements of the exchange of data, such as the types of crimes, which may justify a query (search), especially of DNA profiles, i.e. any criminal offence or only more serious crimes. In addition, the Proposal is not clear about the scope of data subjects affected by the automatic exchange of data, i.e. whether the databases, subject to a query, contain data only of suspects and/or convicted persons, or also data of other data subjects, such as victims or witnesses.

    74.

    In order to ensure the necessity and proportionality of the interference with the fundamental right to the protection of personal data, in the light of Article 52(1) of the Charter, it is essential to clarify the personal and the material scope of the measures, i.e. the categories of data subjects who will be directly affected, and the objective conditions which may justify an automated query in the respective database of other Member States or of Europol.

    75.

    The EDPS considers in particular that the automated searching of DNA profiles and facial images should only be possible in the context of individual investigations of serious crimes, and not of any criminal offence, as provided for in the Proposal. Furthermore, in line with the obligation under Article 6 LED to make a distinction between different categories of data subjects, the Proposal should provide for a limitation of the categories of data subjects whose DNA profiles and facial images, stored in the national databases, should be made accessible for automated searches, considering especially the inherent purpose limitation for data from other categories than convicted criminals or suspects.

    76.

    The EDPS considers that the necessity of the proposed automated searching and exchange of police records data is not sufficiently demonstrated. If such measure is nevertheless adopted, even on voluntary basis, then additional strong safeguards would be required to comply with the principle of proportionality. In particular, given the data quality challenges, which cannot be solved by technical measures like pseudonymisation alone, the future Regulation should as a minimum lay down the types and/or seriousness of crimes that may justify an automated search in the national police records.

    77.

    Regarding the inclusion of Europol within the Prüm framework, the EDPS considers that his comments and recommendations in Opinion 4/2021 on the Proposal for Amendment of the Europol Regulation remain fully valid in the context of Prüm cooperation, in particular those related to the processing of large datasets by the Agency. In addition, the EDPS recommends clarifying the personal scope, i.e. specifying the data subject categories subject to queries under Article 49 and Article 50, as well as alignment of the retention periods for logs, in order to ensure consistency with the Europol Regulation.

    78.

    The Proposal provides a complex architecture for the automated searching and exchange of data within the Prüm framework with three separate technical solutions, developed and maintained by three different entities. Moreover, one of them - EUCARIS - in not based on EU legal act but has an intergovernmental nature. Therefore, the EDPS considers that the Proposal should explicitly address the responsibility for the processing of personal data in EUCARIS. In addition, the EDPS considers that, given the scale and the sensitivity of the personal data processing, the current horizontal governance model of the Prüm framework is not suitable and should be further strengthened, e.g. by assigning a central coordination role to a EU entity, such as the Commission.

    79.

    Another important element of the Proposal, which requires careful analysis of its fundamental rights implications, is the alignment of the Prüm framework with the interoperability framework of the EU information systems in the area of justice and home affairs. The EDPS invites co-legislator to consider the need for a additional rules in this regard, e.g. in an implementing or delegated act, which should address specific challenges such as the quality and the performance of the matching algorithms for facial images.

    80.

    Taking into account that the legal basis of the Proposal includes, inter alia, Article 16 TFEU, in the interest of clarity and certainty, the EDPS recommends specifying in the Proposal that the data protection provisions in Chapter 6 are without prejudice to the application of the LED and the EUDPR, as regards the processing of personal data in the context of law enforcement cooperation under Prüm framework.

    81.

    Furthermore, the EDPS considers that the requirement for regular audits of the personal data processing operations for the purposes of the Regulation Prüm II should be extended and should cover also personal data processing operations at national level. In this context, the EDPS recommends that Article 60 (2) of the Proposal refers generally to the powers of the EDPS, pursuant to Article 58 EUDPR, and not only to some of them.

    Brussels, 2 March 2022.

    Wojciech Rafał WIEWIÓROWSKI


    (1)  COM(2021) 784 final.

    (2)  COM(2021) 782 final.

    (3)  COM(2021) 780 final.

    (4)  https://ec.europa.eu/home-affairs/news/boosting-police-cooperation-across-borders-enhanced-security-2021-12-08_en

    (5)  Communication from the Commission on the EU Security Union Strategy, COM/2020/605 final.

    (6)  Communication from the Commission on the EU Strategy to tackle Organised Crime 2021-2025, COM/2021/170 final

    (7)  Communication from the Commission ‘A strategy towards a fully functioning and resilient Schengen area’, COM/2021/277 final.

    (8)  For more information see the EDPS Opinion 4/2021, https://edps.europa.eu/system/files/2021-03/21-03-08_opinion_europol_reform_en.pdf


    Top