EUROPEAN COMMISSION

Brussels, 8.12.2021

SWD(2021) 378 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT REPORT

Accompanying the document

PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on automated data exchange for police cooperation (“Prüm II”), amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, 2019/817 and 2019/818 of the European Parliament and of the Council

{COM(2021) 784 final} - {SEC(2021) 421 final} - {SWD(2021) 379 final}

Table of contents

Glossary

Prologue - What is Prüm?

1.Introduction: Political and legal context

2.Problem definition

2.1Problem I

2.2Problem II

2.3Problem III

2.4Problem IV

3.Why should the EU act?

3.1.Legal basis

3.2.Subsidiarity: Necessity of EU action

3.3.Subsidiarity: Added value of EU action

4.Objectives: What is to be achieved?

4.1General objectives

4.2Specific objectives

5.What are the available policy options?

5.1What is the baseline from which options are assessed?

5.2Description of the policy options

5.3Options discarded at an early stage

6.What are the impacts of the policy options?

6.1Improve the technical architecture

6.2Automated exchange of additional data categories

6.3Involve Europol

6.4Regulate the hit-follow-up exchange process

7.How do the options compare?

7.1Improve the technical architecture

7.2Automated exchange of additional data categories

7.3Involve Europol

7.4Regulate the hit-follow-up exchange process

8.Preferred policy options: strengthening the Prüm framework

9.How will actual impacts be monitored and evaluated?

Annex 1: Procedural information

1.Lead DG, Decide Planning/CWP references

2.Organisation and timing

3.Consultation of the RSB

4.Evidence, sources and quality

Annex 2: Stakeholder consultation

1.Consultation strategy

2.Consultation activities

Annex 3: Who is affected and how?

1.Practical implications of the initiative

2.Summary of costs and benefits

Annex 4: Evaluation of the existing policy and legislative framework

Annex 5: Evaluation criteria and questions

Annex 6: Public consultation questionnaire

Annex 7: Overview of EU information systems

Glossary

Prologue - What is Prüm?

The Prüm Decisions, adopted in 2008, contribute to cross-border cooperation between EU Member States in the fields of justice and home affairs. They provide a mechanism for the exchange of information between authorities responsible for the prevention and investigation of criminal and terrorist offences. The Prüm Decisions lay down, inter alia, the conditions and procedures for mutual on-line access to national databases for automated search and supply of three categories of data: (a) DNA profiles, (b) fingerprint data and (c) certain national vehicle registration data.

DNA and fingerprint exchanges take place based on a hit/no-hit approach. It means that DNA profiles or fingerprints found at a crime scene in one Member State can be automatically compared, in a first step, with profiles held in another Member State’s database. If there is a match with data in another Member State’s database, a “hit” will be reported to the requesting Member State. Once a hit has been achieved, the corresponding actual information can be exchanged, in a second step, through a manual process.

For example, in a case where a partial fingerprint sample (so-called ‘latent print’) was found on a crime scene, this latent can be compared against the national criminal fingerprint database. If the search brings no results, i.e. the suspect remains unidentified, the Prüm framework can be used to check other Member States’ criminal databases. Indeed, checking the same latent fingerprint data also against other Member States’ criminal fingerprint databases could show that there is information available on that suspect in that other Member State’s database. As a result, after the exchange of additional data between the two Member States, the suspect can be identified and the criminal investigation can lead to the prosecution and conviction of a criminal.

Figure 1: How Prüm works

The situation with regard to vehicle registration data (‘VRD’) exchange is slightly different. Vehicle registration data, including licence plates and vehicle identification number, are exchanged through national platforms that are linked to the online application EUCARIS. Should there be a match with data in another Member State’s database, the corresponding actual information is provided immediately to the requesting Member State. There is no need to introduce a separate request manually, in a second step, to receive the corresponding actual information.

1.Introduction: Political and legal context

Criminality across Europe undermines EU citizens’ security and well-being. As set out in the EU Security Union Strategy, 1 Europe faces a security landscape in flux, with evolving and increasingly complex security threats. These threats spread across borders, cutting across a variety of crimes that they facilitate, and manifest themselves in poly-criminal organised crime groups that engage in a wide range of criminal activities. In order to fight crime effectively, law enforcement authorities need robust and performant tools. Cooperation and information sharing are the most powerful means to combat crime and pursue justice as mentioned in the EU Security Union Strategy. As stated in the EU Strategy to tackle Organised Crime 2021-2025, 2  the European Union has provided law enforcement with a range of tools to facilitate exchange of information in the EU that have proved crucial in uncovering criminal activities and networks.

According to the EU Serious and Organised Crime threat assessment 2021, more than 70% of organised crime groups are present in more than three Member States. Even the seemingly most local crime may have links to other places in Europe where the same perpetrator carried out his criminal acts. In that context, law enforcement authorities need to be able to exchange data, in a timely manner. However, in an area without internal borders, there are still borders and obstacles when it comes to data exchange between law enforcement authorities, which leads to blind spots and loopholes for numerous criminals and terrorists that act in more than one Member State. Member States alone cannot close the information gap, owing to the cross-border nature of crime fighting and enhancing security. Member States must rely on one another in these matters.

The Commission has announced at various occasions (most recently in its Strategy towards a fully functioning and resilient Schengen area) 3 its intention to present, by the end of 2021, a proposal for a Police Cooperation Code, together with a proposal for a Prüm Regulation, to address the above challenges.

The forthcoming Police Cooperation Code will provide a coherent EU legal framework to ensure that law enforcement authorities have equivalent access to information held by other Member States when they need it to fight crime and terrorism. To enhance information exchange, the Police Cooperation Code will formalise and clarify the procedures for information sharing among Member States, in particular for investigation purposes, including the role of the ‘Single Point of Contact’ for such exchanges, and making full use of Europol’s information exchange channel SIENA.

The Police Cooperation Code will be complemented by a proposal to reinforce the automated exchange of important data categories under the Prüm Council Decisions. The reinforced Prüm framework will provide specific rules and possibilities for the exchange of specific data categories within the overall framework and general rules for information exchange that the Police Cooperation Code will provide.

The existing Prüm Decisions 4 date back to 2008 and aim to support and step up cross-border police and judicial cooperation related to criminal matters. To this end, the Prüm Decisions create a framework for the exchange of information between authorities responsible for the prevention and investigation of criminal offences.

In 2018, at the occasion of the 10 years after the adoption of the Prüm Decisions, the Council underlined the importance of its main features: the automated searching and comparison of DNA profiles, dactyloscopic data and vehicle registration data for tackling terrorism and cross-border crime. 5 The Council also invited the Commission to consider revising the Decisions with a view to broadening their scope and to updating the necessary technical and legal requirements, notably to facilitate connections between Member States and speed up the exchange of data between them.

In recent years, the landscape of the large-scale EU information systems has developed substantially. This includes the revision of the three EU central information systems that are in operation: the Schengen Information System (SIS), the Visa Information System (VIS) and the Eurodac system. 6  In addition, three new systems are currently in development phase: the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS) and the centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN system). 7

All these current and future systems are linked through the interoperability framework for the EU information systems 8 for security, border and migration management, adopted in 2019, and which is currently being put in place. The proposed revision of the Prüm Decisions needs to comply with this framework. Notably when it comes to the technical architecture for the exchange of data, the proposed revision of the Prüm Decisions has to be consistent and compatible with the overall architecture provided by the interoperability of EU information systems and with the goals and synergies it pursues. This would mean providing for fast and controlled access to the information that law enforcement officers need to perform their tasks and for which they have access rights.

Revising the Prüm Decisions also provides an opportunity to update the data protection framework used for the automated exchange of data under these Decisions. The Prüm Decisions contain rules on data protection that predate the 2016 EU data protection reform. There is therefore a need to ensure that a revised Prüm legislation is fully aligned with the Law Enforcement Directive, 9 especially as regards the data protection safeguards. This approach is in line with the Commission’s findings laid down in its Communication of 24 June 2020. 10  Compliance with data protection is a legal requirement that applies horizontally, therefore this alignment will be an integral part of any of the various policy options considered in this impact assessment.

When preparing the legal proposal, the Commission will ensure full alignment with the interoperability framework and the data protection framework.

2.Problem definition 

This chapter presents the different problems, their drivers as well as how those problems would evolve without intervention. The following problem tree presents the problems in relation with the objectives and policy options.

As showed in the evaluation (see Annex 4), the implementation of the Prüm Decisions has been slow. Indeed, nearly ten years after the implementation deadline on 26 August 2011, all Member States have not completed the evaluation procedure and a number of bilateral connections have not been established due to the technical complexity and the important financial and human resources entailed. As a consequence, queries cannot be checked against the data in some Member States if the relevant bilateral connection has not been established. This may decrease the possibility that criminals are identified, and cross-border links between crimes are detected, hindering the exchange of information and the functioning of the Prüm system.

Law enforcement authorities are not always able to find out if data is available in the national database of another Member State. This is obviously the case for those data categories that are not covered by the Prüm Decisions (see problem II), but it is even the case for those that are covered by Prüm. Even if a search through the Prüm Decisions results in “no hit”, this is not a reliable indication for the investigating law enforcement authority that no data is available in another Member State.

The major driver for this problem lies in the complex technical architecture of the Prüm Decisions that provide for a network of bilateral connections between the national databases of Member States without any EU level central component. As a consequence of this technical architecture, each Member State should establish at least 26 connections – i.e. a connection with each Member State – per each data category. 11  However, as pointed out in the evaluation (see Annex 4), many bilateral connections between Member States’ national databases have not been established due to the technical complexity and the important financial and human resources entailed. Indeed, some Member States have explained that setting up all the connections and maintaining them is technically complex and requires considerable financial and human resources. For these reasons, they have decided to focus on establishing connections only with certain Member States.

As a result, the automated access provided by the Prüm Decisions (hit/no-hit) to DNA and fingerprints data remains incomplete. Data cannot be checked against the data in some Member States if the relevant bilateral connection has not been established. These Member States’ law enforcement authorities will not be able to find out if relevant data is available in the other Member State, preventing any information exchange from taking place.

As explained in the evaluation (see Annex 4), the fact that some Member States are not exchanging data harms the other Member States and hampers the exchange of data in general, and therefore cross-border cooperation and the fight against crime. Indeed, this may decrease the possibility of having data checked against other Member States’ databases, of identifying criminals and of detecting cross-border links between crimes.

As examined in the evaluation (see Annex 4), nearly ten years after the implementation deadline on 26 August 2011, a number of bilateral connections have still not been established. As of December 2020, 28% in the case of DNA, 29% in the case of fingerprints and 11,6% in the case of vehicle registration data of all possible connections were still missing. 12 There are also great discrepancies between Member States. While some Member States have introduced connections to almost all other Member States and to the UK, other Member States have not introduced any connection. Moreover, non-legislative action to improve implementation has been taken, 13 but it has not solved the situation regarding the coverage of bilateral connections. Without any intervention, the problem would be unlikely to change in light of the slow progress in the establishment of the bilateral connections and the support and resources which have been made available throughout the years to support the implementation. 

As showed in the evaluation (see Annex 4), one of the key success factors for the Prüm framework is the possibility to search and compare data in an automated manner in other Member States’ databases. However, this possibility currently covers only a few categories of data: DNA, dactyloscopic and vehicle registration data. There are some other categories of data in Member States’ databases that are often the subject of cross-border information requests for the purpose of criminal investigations, but that are exchanged in an inefficient way.

The lack of efficient access 14 for law enforcement authorities to all relevant categories of data 15  in other Member States’ databases impedes their work and undermines their ability to fight crime and terrorism. The 2008 Prüm Council Decisions, as the main EU instrument to implement the principle of availability, 16 only partially addressed this problem. The Prüm Decisions allow law enforcement authorities to search for DNA and fingerprints in the databases of other Member States 17 on a hit-no-hit basis through bilateral connections, and to search for vehicle registration data. The Prüm Decisions have proven instrumental in reducing the information gap as regards DNA, fingerprints and vehicle registration data, enabling law enforcement authorities to search and compare these data categories in an automated way in other Member States’ databases. This helped solving many crimes in Europe where these three data categories played a role in the investigation. 18  However, beyond DNA, fingerprints and vehicle registration data, there are other categories of data in Member States’ databases that are often relevant in criminal investigations and therefore the subject of cross-border information requests, but that are not covered by the Prüm Decisions. Examples include facial images, driving licences, police records and ballistics. These data categories are not part of any automated exchange between Member States and are exchanged in an inefficient way only. Indeed, there have been calls 19 to broaden the scope of the automated cross-border exchange to other data categories. Moreover, in reply to the public consultation, 20 most respondents agreed that the fact that these additional data categories are exchanged by sending manual queries, often time-consuming, to other law enforcement authorities is a shortcoming in the law enforcement information exchange and that EU legislation should be established to standardise and automate the exchange of additional data categories.

The main drivers for this problem are that the data is stored in a decentralised way (i.e. in national databases, as compared to SIS, EURODAC, VIS, future ETIAS and future EES) and that Member States do not give each other full access to their respective national databases, as national legislation limits access to national authorities. Moreover, the Prüm Decisions, as the existing instrument to ensure the availability of data is limited to certain categories of data (fingerprints, DNA, and vehicle registration data).

As mentioned above, the data categories necessary for law enforcement cooperation which are not within the scope of the Prüm Decisions are not part of any automated exchange between Member States. This does not mean the exchange cannot take place, it just means there is no structured way to do so, resulting in inefficient and time-consuming procedures, potentially even discouraging law enforcement authorities to work with their counterparts in other Member States. Without intervention, the current inefficient situation would stagnate.

Europol is not part of the Prüm framework. Therefore, Europol cannot make third-country sourced data accessible to Member States via the Prüm information exchange mechanisms, nor can it perform searches in Member States’ Prüm data with Europol data. The gaps can be summarized as follows: 1) Member States cannot use Europol’s third-country sourced data as an additional data source in the context of the Prüm framework and 2) Europol cannot check Europol data against relevant criminal data from Member States. These gaps may result in undetected links between criminal and terrorism cases.

While the Europol Regulation 21  provides a legal basis for Member States to have access to these data, there is no technical mechanism in place to do so. There is therefore a need to enable national authorities to search third country-sourced data stored at Europol on the basis of DNA, fingerprints data and facial images (e.g. national authorities cannot directly search data at Europol with a latent fingerprint found at a crime scene while they could use the Prüm framework to search such data in another Member State’s database). Europol as an additional source of data could provide considerable operational benefits notably with regard to third-country sourced DNA and fingerprints that the agency holds, as highlighted by Member States in the Council. 22

Member States’ law enforcement authorities do not have a technical tool at their disposal for efficient access to Europol‘s third-country sourced data (fingerprints, facial images and DNA). Moreover, there is no legal framework that would allow Europol to use third country-sourced data to query against Member States databases’ in the context of the Prüm framework. As a consequence, relevant cross-border information related to serious and organised crime and terrorism may remain undetected.

Without any changes to the Prüm Decisions, the DNA, facial images and fingerprints stored at Europol and obtained from third countries would remain outside the exchange governed by these Decisions. In principle, based on its mandate, Europol could establish a direct access to this data for Member States. However, such a parallel approach would partially duplicate the framework established by the Prüm Decisions. This would not only lead to substantial additional costs for Member States, but also require Member States to launch separate requests to search the same type of data at Europol and through the framework established by the Prüm Decisions. Not using this data against the criminal databases of Member States under the Prüm framework may result in missing relevant cross-border information related to serious and organised crime and terrorism and in incomplete criminal analysis.

As showed in the evaluation (see Annex 4), the fact that the follow-up to hits under the Prüm framework takes place under national law and therefore outside the scope of the Prüm Decisions hinders the functioning of the Prüm system. Indeed, due to differences in national rules and procedures, the exchange of hit follow-up data is very fragmented, to the extent that it sometimes takes weeks or even months to receive the relevant information behind a hit.

Even where there is an indication that data is available in the database of another Member State (“hit” under the Prüm Decisions), law enforcement authorities do not always have efficient access to the data stored in the national database of another Member State. Automated searches in Member States’ DNA and fingerprints databases under the Prüm Decisions are based on reference data only. This reference data does not contain any data from which the data subject can be directly identified. Further personal and other case related data is exchanged only when a hit has been confirmed by a forensic expert.

Already in 2012, in reply to a questionnaire circulated by the Commission in preparation of the 2012 Report on the Implementation of Council Decision 2008/615/JHA (hereinafter the ‘2012 Report’), 23  18 out of 24 Member States generally pointed to the need to improve the follow-up to Prüm hits, one third focusing on national structures while a majority saw a need for action primarily at EU level. During the consultations for this Impact Assessment, Member States reiterated that the problem still exists. The automated search function introduced by the Prüm Decisions was a far-reaching step forward in the area of law enforcement information exchange. However, without a proper follow-up, ‘hits’ have hardly any meaning for investigators. This is why Member States suggested that the exchange of hit-follow-up data be regulated under the Prüm Decisions and sped up.

The major driver for this problem, as demonstrated in the evaluation (see Annex 4), is that the exchange of “hit follow-up data” is not governed by the Prüm Decisions, but by national law. 24 Due to differences in national rules and procedures, the exchange of hit follow-up data is very fragmented: Member States use different law enforcement cooperation channels, different procedures, different data sets and different time limits when requesting and submitting follow-up data. As a consequence of this inefficient follow-up to hits generated under the Prüm Decisions, the processes are so cumbersome and time-consuming that in some cases, it may take weeks or even months for authorities to obtain the personal data behind a hit, making the access to data inefficient.

In reply to the public consultation, most respondents agreed that the fact that the exchange of further personal data after a hit has been confirmed is not governed by the Prüm Decisions is a shortcoming of the existing Prüm framework and that EU legislation should be established to streamline the hit follow-up exchange of further personal and case-related data.

As Member States, despite all problems and limitations, make more and more use of the Prüm Decisions to query data in other Member States’ national databases, the problems caused by the inefficient follow-up to hits generated under the Prüm Decisions will increase. The increase of the use of the Prüm Decisions entails an increase in the number of queries and of hits, and therefore an increase in the number of follow-ups to hits, thereby leading to a worsening of the situation. The use of different law enforcement cooperation channels, different procedures, different data sets and different time limits when requesting and submitting follow-up data will further increase the workload on all sides while undermining effectiveness and efficiency. This would not be sustainable in the long run. In any case, due to technical changes and scientific developments since the adoption of the Prüm Decisions, their technical and forensic rules and procedures need to be updated. Otherwise, the Prüm Decisions would become obsolete.

3.Why should the EU act?

3.1.     Legal basis 

The legal basis for the instrument is point (d) of the second subparagraph of Article 82(1) and point (a) of Article 87(2) of the Treaty on the Functioning of the European Union.

3.2.     Subsidiarity: Necessity of EU action 

The improvement of information exchange in the European Union cannot be sufficiently achieved by Member States in isolation, owing to the cross-border nature of crime fighting and security issues. Member States must rely on one another in these matters.

Through several implementation projects at EU level, 25  Member States have tried to take action to address the shortcomings of Prüm 26 but despite all these actions, the shortcomings remained the same as the ones that were described in the 2012 Report. 27 This is why EU action is needed as action by Member States only has already been tried and is not sufficient.

3.3.     Subsidiarity: Added value of EU action 

A Special Eurobarometer 28 survey shows that the EU’s strategy of sharing information at EU level to combat crime and terrorism has widespread public support: almost all respondents (92 %) agree that national authorities should share information with the authorities of other Member States to better fight crime and terrorism.

Indeed, cross-border crime can only be tackled by effective cross-border police cooperation and particularly by exchanging information. As examined in the evaluation (see Annex 4), the Prüm Decisions have proven very effective in stepping up the exchange of information between law enforcement authorities and in supporting Member States in fighting crime and terrorism. The stakeholder consultation carried out in the preparation of the impact assessment also showed a very high level of satisfaction with the Prüm Decisions.

Common EU level rules, standards and requirements facilitate these information exchanges while providing compatibility between different national systems. Information exchange at EU level also allows ensuring high-level data security and data protection standards. Additionally, as the experience with the current Prüm framework demonstrates, common standards allow for a certain level of automation in information exchange workflows which release law enforcement officers from certain labour-intensive manual activities.

4.Objectives: What is to be achieved? 

4.1    General objectives 

The general objective of this initiative results from the Treaty-based goal of contributing to the internal security of the European Union. According to Article 87(2)(a) TFEU, the Union shall establish police cooperation involving all Member States’ competent authorities, including police, customs and other specialised law enforcement services in relation to the prevention, detection and investigation of criminal offences. Among measures to do so, the collection, storage, processing, analysis and exchange of relevant information is listed. The general objective of this instrument is to improve, streamline and facilitate the exchange of criminal information between Member States’ law enforcement authorities, but also with Europol as the EU criminal information hub.

Law enforcement work is inherently an information-based activity. Indeed, it is essential for fighting crime that law enforcement authorities exchange data, in an efficient and timely manner. Investigators need to have fast, streamlined and systematic access to all the information they need and which they are legally entitled to obtain in order to perform their tasks.

4.2     Specific objectives 

The specific policy objective of this initiative is to provide law enforcement authorities with fast, streamlined and more effective access to all the information they need and which they are legally entitled to obtain in order to perform their tasks in a timely and efficient manner, while ensuring a high level of protection of fundamental rights. This objective will be achieved by:

1.Providing for a technical solution for efficient automated exchange of data between law enforcement authorities to make them aware of relevant data that is available in the national database of another Member State, in line with fundamental rights including data protection requirements;

2.Ensuring that more relevant data (in terms of data categories) from national databases in other Member States is available to all competent law enforcement authorities, in line with fundamental rights including data protection requirements;

3.Ensuring that relevant data (in terms of sources of data) from Europol’s database is available to law enforcement authorities, in line with fundamental rights including data protection requirements;

4.Providing law enforcement authorities with efficient access to the actual data corresponding to a ‘hit’ that is available in the national database of another Member State, in line with fundamental rights including data protection requirements.

5.What are the available policy options?

5.1     What is the baseline from which options are assessed? 

The baseline is a ‘no policy change’ scenario.

With regard to data categories, the baseline would be to maintain the current data categories covered by the Prüm Decisions (DNA, fingerprints and vehicle registration data).

Regarding the sources of data, the baseline scenario would be to not provide for the involvement of Europol.

Regarding the technical architecture, the baseline would be to maintain the existing Prüm framework in its fully decentralised nature and therefore not integrated with the interoperability framework. This baseline option would not change the requirement for every Member State to connect to each other Member State’s database for each data category (see graph below). The access to the data in the first step would be on a hit/no-hit basis only.

Figure 2: The current architecture of the Prüm framework

When it comes to the follow-up process, the baseline would be to continue to apply the follow-up as it currently takes place after a hit in the Prüm framework. In this baseline option, the exchange of “hit follow-up data” would continue to be governed by national law without common rules and processes at EU level.

All the policy options are legislative options, as the objectives could not be achieved by non-legislative options.

5.2     Description of the policy options 

The specific objectives identified in section 4.2 lead to four guiding questions for the analysis:

a)How should the automated exchange of data be governed to make law enforcement authorities aware of all relevant data that is available in the national database of another Member State (technical architecture)?

b)What additional data categories are relevant and need to be covered by the automated exchange of data?

c)What additional sources of data are relevant and need to be covered by the automated exchange of data (involvement of Europol)?

d)How should the follow-up to “hits” in the automated exchange of data be governed to provide law enforcement authorities with efficient access to all relevant data that corresponds to the ‘hit’ and that is available in the national database of another Member State (follow-up process 29 )?

In order to address this objective, the following option is being considered: applying a hybrid solution between a decentralised and a centralised approach without data storage at central level.

This option was assessed in technical meetings with experts and stakeholders of EU Agencies and Member States.

This policy option consists of applying a hybrid solution between a decentralised and a centralised approach without any data storage at central level. This hybrid approach would consist of national databases in each Member State that all connect to a central router (see graph below). Under this option, the central router would not store any data but provide a hub between national databases. The access to the data in the first step would be on a hit/no-hit basis only.

Figure 3: The possible alternative architecture of the Prüm framework, with a central router and without data storage at central level

This option is inspired by the final report of the High-level expert group on information systems and interoperability, which suggested considering “an alternative connectivity via a ‘hub-and-spoke’ centralised Prüm router (or biometric single-search interface) replacing the current mesh network”, which would “limit the connectivity to one link per Member State while controlling, managing and reporting on the transactions centrally”. 30 According to the High-level expert group, such a “hub-and-spoke model could provide an effective solution to overcome the connectivity challenges that Member States are faced with, notably when establishing information exchange facilities with Member States where current traffic is not very frequent”.

The central router would serve as a connecting point between all Member States. It would drastically reduce the number of connections to establish and maintain from a Member State’s perspective and would facilitate the implementation of the system by Member States. As it would not store any personal data, there would not be any persistence of data in the router. Member States would retain the ownership/control over their data.

The introduction of a central router would also allow for the collection of statistics at central level, without having to ask Member States, on the number of requests and responses received notably, which would provide for necessary and useful transparency. Indeed, the lack of statistics and quantitative data at EU and Member States’ level on the functioning of the Prüm Decisions was identified as one of the major limitations in the evaluation (see Annex 4). These statistics would allow to have a clear view of the use of the Prüm framework, per data category and per Member State. A significant use of the framework as well as the detection of matches and hits in other databases would be a strong indication of the success of the measure, as it would mean that the relevant information is at the disposal of our law enforcement authorities. Indeed, a hit indicates that information on the person for which a Member State was launching a query is found in another Member State’s database. Hits may lead to solving a crime and protecting a citizen.

However, the use of the hit would fall outside of the scope of the statistics that would be collected via the central router. Indeed, the use of the information would vary according to each individual case and depending on the outcome of the investigation. These statistics could be required from the Member States in a periodical exercise.

Finally, the central router would also offer a biometric matching service. This biometric matching service would not be located in the router. Indeed, the router could use existing technology (e.g. technology similar to the one used for the shared Biometric Matching Service). 31 In doing so, the router could assess the results coming from the national databases and rematch them in order to list the potential matches in accordance with their degree of similarity. It would therefore contribute to boosting efficiency and reducing false-positives cases (matches that do not translate into hits). This service should be provided for at central level, e.g. by a Union agency.

The router would be hosted by a Union agency.

In order to address this objective, the following three options are being considered:

·introducing the exchange of facial images in the Prüm framework;

·introducing the exchange of police records data in the Prüm framework; and

·introducing the exchange of driving licence data in the Prüm framework. 

All options respond to operational needs that Member States and their law enforcement authorities raised during discussions at Council working group level, in dedicated workshops and consultations. Indeed, there has been a strong demand from Member States in the Council to broaden the scope of the automated cross-border exchange under the Prüm Decisions to other data categories. 32  

Policy option 2.1 would allow facial images to be exchanged in an automated way under the Prüm framework.

Currently, the exchange of facial images between Member States’ law enforcement authorities takes place, if at all, on a manual and case-by-case basis. This takes time and resources. There is no efficient procedure to compare facial images against images stored in other Member States’ databases.

The identification of a criminal is of vital importance for a successful criminal investigation and prosecution. The introduction of facial images (photos) of suspects and convicted criminals under the Prüm framework, in line with operational needs, would provide for necessary additional information for successfully identifying criminals and fighting crime. Indeed, in criminal investigations, it often happens that the only lead captured from the crime scene, is an image of a suspect from a nearby security camera. Comparing this image not only to images stored in national databases, but also against images stored in other Member States’ databases would significantly increase the possibilities of identifying the criminal, and could also reveal different identities used or different crimes committed by the same person in other Member States.

Member States collect facial images of suspects and criminals under national law in national criminal databases. The processes to collect these images however vary significantly between the EU Member States. In most instances, facial images are collected at police premises across the country during a process where photographs of a person are captured in parallel with the collection of fingerprints, biographic data and case data.

The process of exchanging and comparing facial images relies on the development and availability of facial recognition technology. Facial recognition technology compares images of faces to determine their similarity, which the technology represents using a similarity score. If the score computed for a candidate is under a defined threshold, this candidate is excluded. Facial images are biometric data and are therefore special categories of data in the meaning of the LED. 33

For criminal investigations, the most common use case is the retrospective one-to-many (1:N) search, where an image of an unknown person (e.g. an image taken from a surveillance camera) associated with a criminal event is searched against a database containing facial images of known individuals with the aim to determine the identity of the person, after a crime has been committed. 34  The search result is a list of candidates which is reviewed by a human operator in the requesting Member State and a decision is made on any potential match. 

Similarly, under this policy option, the use case would be retrospective and related to a specific criminal investigation. The results of the search would be returned to the requesting Member State, which would proceed to the verification of these results and to the potential confirmation of a match.

Figure 4: Retrospective use of facial recognition 35

Finally, the proposed policy option does not require any use of artificial intelligence. The biometric comparison based on facial images should take place on the basis of a comparison of their biometric templates using pre-defined algorithms. This also means that the exchange of facial images under the Prüm framework does not provide for a remote biometric identification system to be used in publicly accessible spaces 36 and is not among the prohibited practices of the proposed Regulation for an Artificial Intelligence Act. 37  There would be no profiling entailed.

Policy option 2.2 would allow police records to be exchanged in an automated way under the Prüm framework. The introduction of the exchange of police records, in line with operational needs, would provide for additional information in possibly identifying criminals and fighting crime.

The exchange of police records is already the subject of the ADEP/EPRIS project implemented by some Member States 38 on the exchange of police records. This project, supported by the Commission and launched in 2017 in order to automate the process of indicating in which Member States’ databases the relevant police records could be present, aims at reducing the need for manual work and at facilitating the subsequent bilateral or multilateral exchange of information. The pilot project developed the software and tested the main business cases, and confirmed the technical feasibility of the exchange of police records. From 2019, the second iteration of the project further developed the business-related processes and prepared the rollout of the system. The project is currently being tested in Business Acceptance Tests with “real” operational data. The policy option would extend this project to all Member States and allow for all Member States’ participation in the exchange of police records.

Currently, the exchange of police records between Member States’ law enforcement authorities takes place, if at all, on a manual and case-by-case basis. This takes time and resources. There is no efficient procedure to find out whether relevant information on police records exists in another Member State’s database. Extending the project to all Member States and providing for the automated exchange of police records data under the Prüm framework is the only way to remedy the current information gap due to long and inefficient procedures.

ADEP/EPRIS allows checking whether any police records exist in other Member States’ national police records databases on a hit/no hit basis. In case of a hit, a request to exchange further personal and case-related data is sent only to those Member States where a hit occurred. For that purpose, participants have to establish indexes of national police record databases, which will contain the limited data accessible in an automated way under the project. These indexes typically include data from all national databases that the police normally checks when receiving information requests from other law enforcement authorities. Data protection safeguards include pseudonymisation, as indexes and queries do not contain clear personal data, but alphanumerical strings. 39

Under this policy option, a limited data set of data from police records (i.e. surname, first name, date of birth, place of birth, gender) to identify a Member State possibly holding more information on a person under investigation could be exchanged in an automated way, once a “hit” has been confirmed. The following fields of data are pseudonymised: surname, first name and place of birth.

The automation of the process of finding out whether relevant information exists or not in another Member State would reduce the need for manual work and save resources. In case the automated search yields no results, competent law enforcement authorities do not have to process the request and retrieve the information, thereby saving time and resources.

This policy option would imply the setting up of national indexes on police records by Member States who have not yet set up such indexes. These indexes would be based on data from national databases containing information on police records (without containing the police records themselves). The definition of the composition of national indexes on police records would be up to each Member State, but should be limited to the sets of data mentioned above. 

The creation of national indexes and the connection of these indexes to the central router (see section 5.2.1) would remain optional and on a voluntary basis, due to political feasibility. However, the usefulness of the exchange of police records would grow exponentially the more Member States participate. The exchange of police records would still be useful if only a few Member States participate.

Policy option 2.3 would allow driving licence data to be exchanged in an automated way under the Prüm framework.

The introduction of the exchange of driving licenses under the Prüm framework would provide for additional information in supporting criminal investigations and possibly identifying criminals.

Member States are already exchanging driving licence information through the Resper application, 40 although not for law enforcement purposes. In the majority of Member States, law enforcement authorities have access to national driving licence databases. Under the principle of availability, 41 law enforcement authorities of other Member States could also be granted access to the same information under the same conditions as the national law enforcement authorities.

Driving licence information would be relevant in cases of possible fake IDs, for either corroborating or nullifying the trustworthiness of the documentation and verifying the identity of a suspect.

In order to address this objective, the following two options are being considered:

·enabling Member States to check automatically third-country sourced data at Europol as part of the Prüm framework; and

·enabling Europol to check third-country sourced data against the national databases of Member States.

Both options were assessed in technical meetings with experts and stakeholders of EU Agencies and Member States. As point of departure, it was understood and agreed by all that in all scenarios Europol’s involvement in the automated exchange would need to be in accordance with the objectives and tasks set out in the Europol Regulation, 42 and hence limited to data processing that is necessary to support Member States in preventing and combating serious crime and terrorism.

Policy option 3.1 would allow Member States to search and compare biometric data received by Europol from third countries with their own biometric data.

Biometric data is exchanged between Member States and third countries only bilaterally and on a case-by-case basis. Europol, due to its unique position, has the possibility to facilitate access to relevant third-country sourced data. In recent years, Europol has received from several third countries (e.g. US, Australia, Canada, Western Balkans) a large amount of biometric data of known terrorists and top criminals. Under this policy option, these data could be made available to Member States for searching via the Prüm framework. After a match against Europol third country-sourced data in Prüm, Member States could follow up with the third country in question via bilateral police cooperation channels, if relevant. The information about a match would never be revealed to the third country.

Including third country-sourced data stored at Europol in the already established and functioning Prüm framework would contribute to building synergies between different law enforcement tools and would streamline queries with similar data and for similar purposes.

This policy option in conjunction with policy option 1.1 would not require any additional financial or technical resources from the Member States. However, should policy option 1.1 be discarded, it would require all Member States to establish bilateral connections with Europol to enable the exchange of data. For Europol, this policy option would require certain IT developments, e.g. developing a technical interface to allow for searches with biometric data by Member States, connections to the Prüm architecture, as well as upgrading the capacity of their biometric matching service and network.

Policy option 3.2 would allow Europol to cross-check data received from third countries by directly searching Member States’ biometric databases in order to establish links between the information received from third countries and Member States’ databases.

Under this policy option, Europol could search Member States’ databases under the Prüm framework with data from third countries in order to establish any cross-border matches between criminal cases. In case of a match, only the Member State whose data created a match would be notified of it, no information on a hit would be provided to the third country in question. Once informed of the existence of such matches, the decision on whether to bilaterally follow up on these or not with the third country in question would be incumbent to the Member State(s) concerned. Being able to use Prüm data, next to other databases available for Europol, would allow establishing more complete and informed analysis on the criminal investigations and would allow Europol to provide better support to Member States.

This policy option would increase Europol’s contribution to Europe’s safety. Indeed, Europol’s role has been significantly reinforced in recent years as the EU law enforcement information hub. Moreover, information about criminals and terrorists shared by third countries with the EU is increasingly relevant for EU internal security.

This policy option would require reinforcing Europol with operational staff to conduct searches with third-country sourced data and with biometric experts to verify the search results. Additionally, it would require ICT developments to establish a connection to the Prüm framework. Similarly as for option 3.1, this policy option in conjunction with policy option 1.1 would not require any additional financial or technical resources from the Member States. However, should policy option 1.1 be discarded, it would require all Member States to establish bilateral connections with Europol to enable the exchange of data. In case policy option 3.1 is retained, policy option 3.2 would not require any additional costs for Europol (except operational costs).

In order to address this objective, the following option is being considered: regulating the follow-up process at EU level with a semi-automated exchange of actual data corresponding to a ‘hit’.

This option was assessed in technical meetings with experts and stakeholders of EU Agencies and Member States.

Policy option 4.1 would allow the exchange of core data under the Prüm framework in a semi-automated way.

Regulating the exchange of hit-follow-up data under the Prüm framework would speed up the procedure. To that end, once a hit has been confirmed, a well-defined limited set of “core data”, with data limited to what is necessary to enable the identification of a person could be returned to the requesting Member State. This set of core data would be well-defined and it would not differ between Member States.

In reply to the public consultation, one stakeholder highlighted the importance of a mandatory manual review in the requested Member State and the possibility for the requested Member State to refuse disclosure of further personal data. Under this option, Member States would retain control over the release of this limited set of core data. Indeed, a certain degree of human intervention would be maintained at key points in the process, including a decision to release personal data to a requesting Member State.

After the reception of this core data set and if needed, Member States could request additional information in a third step, using traditional law enforcement cooperation channels such as SIENA. The exchange of information in this third step would remain outside the scope of the Prüm framework. 44

5.3     Options discarded at an early stage

This section presents different options related to the four identified problems, which were not retained for consideration in this impact assessment for several reasons, as explained below.

·In relation to problem I, one option was to apply an extended hybrid solution between a decentralised and a centralised approach with some data storage at central level. This hybrid approach would consist of national databases in each Member State that all connect to a central router, with some data stored in the central router. The access to the data in the first step would be on a hit/no-hit basis as regards data in the national databases, and direct access to the data stored in the central router.

However, this option was not retained as Member States have consistently expressed strong opposition to any storage of data at central level in the context of the Prüm framework, mainly in light of sovereignty concerns. Member States want to retain control/ownership over their data. This policy option would also result in duplication of data, which would have a greater impact on the right to data protection.

·In relation to problem II, one option was to introduce the exchange of firearms-related data in the Prüm framework, which would allow firearms-related data to be exchanged in an automated way under the Prüm framework. Under this option, law enforcement authorities in one Member State could search and compare a firearm, which they have apprehended and which is not registered in the national registry, against other Member States’ national registries. 

However, this option was not retained due to the lack of evidence on the necessity to automate these exchanges. Indeed, national databases contain legal firearms registration data, thus not the information needed for investigations on illegal firearms. Moreover, the most relevant firearms data – illicit, wanted, stolen and lost firearms – is already stored, compared and exchanged in EU and international firearms systems (the Europol Information System (EIS), the Schengen Information System (SIS) and Interpol’s Illicit Arms Records and tracing Management System (iARMS)). Additionally, as stems from consultations with Member States, the number of cases in which a firearm used in a crime is not registered in the national database and has not been reported as illicit, wanted, lost or stolen is limited and therefore does not justify the necessity to automate firearms-related data exchanges. Moreover, other solutions could be best suited to achieve this purpose, notably traditional law enforcement cooperation channels such as SIENA and national firearms focal points. The European Commission has promoted the creation of National Firearms Focal Points (NFFPs) in each Member State, where Member States would centralise the national access to all types of firearm-related information and the communication of firearm-related data with other Member States, through secure channels (such as Europol’s Secure Information Exchange Network Application (SIENA)).

·In relation to problem II, one option was to introduce the exchange of ballistic data in the Prüm framework, which would allow ballistic data to be exchanged in an automated way under the Prüm framework.

However, this option has not been retained due to the technology not being ready for it at this stage. Indeed, currently, there are different ballistics identification systems which are used by Member States across the EU to acquire, compare and exchange ballistic data and which are not interoperable. This means that ballistic data cannot be exchanged between two different ballistics identification systems. There are some initiatives ongoing to develop a common standard that would allow for exchanges between users of these different systems, the X3P format. This development of the X3P format could lead to a future re-assessment of this option if it reaches a sufficient level of maturity to allow for exchanges between these systems.

·In relation to problem III, one option was to enable Europol to check all operational data against the national databases of Member States. This option is similar to policy option 3.2 except that it would allow Europol to compare all operational data it receives from Member States against the national databases of Member States, to make Member States aware of links that they might not be aware of. Under this option, Europol would be acting on behalf of the Member States, realising operations on their behalf.

This option has been discarded in light of strong opposition expressed by Member States in the technical workshops organised in the context of the revision of the Prüm Decisions. Indeed, Member States can actually perform these checks without necessarily having Europol do it for them. Moreover, non-legislative measures like encouraging Member States to use the data they have access to under Prüm are preferable to this option.

·In relation to problem IV, one option was to regulate the follow-up process at EU level with an automated exchange of core data. Under this option, once a hit has been confirmed, a well-defined limited set of “core data”, enabling the identification of a person, would be returned to the requesting Member State in an automated way. There would be no human intervention before the release of the core set of data. This option has been discarded as Member States have expressed their wish to manually authorise the release of personal data and their opposition to the fully automated return of core data. 45

6.What are the impacts of the policy options? 

This chapter assesses all policy options identified in section 5.2 and which have not been discarded in section 5.3 against the baseline options identified in section 5.1. Given that the baseline scenario is evidently unsuited to address the problems identified in section 2 on the problem definition, this impact assessment will not assess the baseline scenario any further. 46

Given the importance of cross-border cooperation and of the exchange of information between law enforcement authorities for fighting crime, as mentioned in the introduction section 1, the main social impacts of the policy options assessed in this chapter cover the impact on fighting crime and the wider implications for EU citizens’ security and well-being.

The following impacts will not be addressed per policy option:

1)Environmental impact: No impact is expected on the environment because the policy options do not include any environmental aspect.

2)Economic impact: Immediate economic impacts of any of the above options will be limited to the design, development and operation of the new processes. The costs will fall to the EU budget and to Member State authorities operating the systems. The proposed measures are not expected to have an impact on small and medium-sized enterprises as the policy options will not affect small and medium-sized enterprises.

As the exchange of personal data is an important aspect of the various policy options examined in this impact assessment, this chapter puts a particular focus on the assessment of the impact on fundamental rights. Therefore, we explain the methodology used during this exercise.

1)Does the measure meet an objective of general interest? And, if so, how does it contribute to said objective?

2)Does the measure have an impact on the right to data protection?

Concerning the impact on the right to data protection, it is worth noting that in the context of the Prüm framework, the applicable legislation in the context of the data protection framework is Directive (EU) 2016/680. 50 Indeed, the Prüm framework provides for processing of personal data carried out in the context of the exchange of information between law enforcement authorities responsible for the prevention and investigation of criminal offences.

The free movement of data within the EU is not to be restricted for reasons of data protection. However, a series of principles must be met. Indeed, to be lawful, any limitation on the exercise of the fundamental rights protected by the Charter must comply with the following criteria, laid down in its Article 52(1):

·it must be provided for by law;

·it must respect the essence of the rights;

·it must genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others;

·it must be necessary; and

·it must be proportional.

The discussions concern a new legal proposal, which will allow the relevant option to be provided for by law.

Moreover, concerning the respect of the essence of the rights, in the case of the measures proposed, similarly to what happens today with the existing Prüm framework, the right to the protection of personal data is affected only to a limited extent. However, despite being limited, the impact on the right to the protection of personal data must be assessed to determine whether it is necessary and proportional.

Each of the options meet an objective of general interest, which is the safeguarding of the interal security of the European Union and which is assessed previously. Therefore, for each option, under the heading ‘impact on data protection’, the following two criteria will be assessed:

(a) Are they necessary?

(b) If so, are they proportional?

The impacts are assessed on a scale ranging from ‘very positive impact’ (++) to ‘very negative impact’ (--), with intermediate scores: ‘positive impact’ (+), ‘neutral’ (0) and ‘negative impact’ (-).

6.1Improve the technical architecture 

6.1.1Policy option 1.1: applying a hybrid solution between a decentralised and a centralised approach without any data storage at central level

a.Impact on citizens (+)

Positive impact on the security of the European citizens and societies. The measure aims to support law enforcement authorities in the exercise of their tasks by ensuring all available data is used in the context of criminal investigations and thus would contribute to enhancing the security and well-being of EU citizens.

b.Impact on national authorities (++)

Very positive impact on national authorities. The central router would serve as a connecting point between all Member States. It would drastically reduce the number of connections to establish and maintain from a Member State’s perspective and would facilitate the implementation of the system by Member States, including any future changes. Any time a new category of data is introduced in the system or a new user is added, they would just require to establish one connection to the router instead of one to each other Member State.

c.Impact on fundamental rights

I.Objective of general interest (+)

Positive impact on the security of the European citizens and societies. The router as described under Section 5.2.1 is a message broker with the specific purpose of ensuring that end-users, namely law enforcement officers, have fast, seamless and controlled access to the information that they need to perform their tasks and in line with their access rights. It would also facilitate the implementation by Member States of existing and future data exchanges in the context of the Prüm framework. The router would support information exchange in an effective and efficient way.

The router would also allow for the collection of central statistics on the use of the Prüm framework, which would contribute to its evaluation, to the monitoring of its use and finally to its improvement over the years.

Finally, the router would also offer a biometric matching service, contributing to ranking the results of the searches in order to boost efficiency and reducing the cases of false-positives (matches that do not translate to hits).

The router would do all of the above without enlarging access rights and without replacing national databases, thus respecting the national prerogatives of the Member States. Therefore, we consider the measure proportionate to the objective of general interest pursued.

II.Impact on data protection (0)

1.Necessity

The router provides law enforcement authorities a new and more efficient tool to search Member States’ data in the Prüm framework. Law enforcement authorities are already legally entitled to establish connections today but sometimes do not have the operational or technical capability to create the necessary connections. Moreover, the current situation requires each Member State to have as many connections as Member States participating in the framework multiplied by the number of data categories. The router would just require every Member State or Union Agency exchanging data via the Prüm framework to create one connection: to the router.

We therefore conclude that the policy option respects the principle of necessity.

2.Proportionality

The actual impact of the router in terms of data processing is very limited. The router only envisages a single operation of forwarding search transactions and replies to various national systems. It would serve as a message broker. These data processes can already take place today. No new data processes would be created by the router.

The router would not store any data, except the logs, to keep track of the use of the router and facilitate supervision of access rights.

Indeed, the router is consistent with the idea of interoperability: by technical means, it would contribute to facilitating and streamlining access to data to authorities that already have it. Therefore, access rights are not enlarged nor is data retention impacted by this policy option.

Creating a router and centralising searches through it delivers economies of scale and efficiency gains.

The revised Prüm framework would provide for the creation of the central router and its functionalities and architecture. Concerning data protection, the applicable legislation regarding the central router will be the Law Enforcement Directive. The future Prüm Regulation will also include a dedicated chapter on data protection laying down any specific provision regarding the router in full respect of the Law Enforcement Directive (e.g. exercise of rights, indication of who is data controller and data processor, data security, logging, etc.).

We therefore conclude that the policy option respects the principle of proportionality.

d.Costs (++)

The cost estimation for the central router includes both the setup of the router, the setup of middleware handling web services requests, including the integration layer, and the establishment of new connections from Member States to the router. In order to ensure the need for high availability and reliability, redundancy is required to make the tool robust. This cost has been included in the estimations.

A single router (and its redundant/back-up router) will be set up. This router will handle the communication of all biometric data exchanges (fingerprints, DNA and facial images) using the same Web service and NIST standard. The router should be able to handle every request and send the request to the appropriate national systems. The central router is expected to re-use wherever possible already existing IT infrastructure to support its implementation. However, additional infrastructure-related costs are foreseen to complete the already present infrastructure.

Once the router is up and running, the yearly recurrent costs for Member States for the operation of the Prüm framework should decrease. Moreover, the router has a positive impact on the costs for the remaining options.

The total cost is distributed as follows:

·Setup of the central router and help to Member States in the connection of their national systems at EU central level.

·Setup of the web services middleware and connecting the national systems to the central router by the Member States.

The costs per Member State include:

·upgrading their infrastructure to support the exchange of web services and set up the connection with the central router, implying efforts to analyse and define the new architectural landscape;

·upgrading their infrastructure to support the exchange of web services and set up the connection with the central router;

·configuring a web service exchange system and the setup of the connection with the central router;

·generic costs linked to project management.

The costs at EU level include:

·designing the details of the technical architecture, defining clear processes and the harmonization with existing initiatives;

·building the backbone infrastructure, the integration layer(s) at EU level, basic reporting capabilities;

·integrating the router with existing architecture at EU level;

·generic costs linked to project management.

e.Feasibility (+)

Concerning technical feasibility, this policy option would imply the creation of a central router, to which Member States would need to establish one connection. It stemmed from discussions in the technical workshops organised in the context of the revision of the Prüm Decisions that there is a common understanding among experts on the general technical feasibility of the introduction of a central router in the Prüm framework. Moreover, technical components offering similar (if not even greater) services are being implemented (e.g. the European Search Portal introduced via the interoperability Regulations). This also probes the feasibility of the Prüm router.

Concerning political feasibility, in reply to the public consultation, most respondents agreed that the fact that the existing Prüm framework is a decentralised network of bilateral connections between Member States’ national databases is a shortcoming of the existing Prüm framework. When asked what they consider to be the most appropriate means to address this shortcoming, most replied establishing an EU central router for transferring messages between Member States with limited functions at a central level such as technical/operational system monitoring and collection of statistics. One respondent highlighted that if a central router were to be put in place, it should only serve as a pass-through server to transmit messages between Member States, and the collection of statistical data.

We therefore conclude that the measure is feasible.

6.2Automated exchange of additional data categories 

6.2.1Policy option 2.1: introducing the exchange of facial images in the Prüm framework

a.Impact on citizens (+)

Positive impact on the security of the European citizens and societies. The measure aims to support law enforcement authorities in the exercise of their tasks and thus would contribute to enhancing the security and well-being of EU citizens. Only facial images of suspects and convicted criminals would be exchanged.

b.Impact on national authorities (++)

Very positive impact for national law enforcement authorities. In a number of criminal investigations, the only lead or the main lead on a suspect or perpretator of a criminal offence are facial images. While today the exchange is possible, there is no efficient procedure to do so, and it happens in a time-consuming and inefficient way. This has negative impacts both on officers’ workload as well as in the investigations, even more so in those cases where time is of the essence. Providing for the possibility to know whether another Member State has at its disposal information in your case would provide a significant boost to law enforcement authorities’ work regarding criminal investigations and prosecution of criminals.

c.Impact on fundamental rights

I.Objective of general interest (++)

Very positive impact on the internal security of the European Union. The introduction of the automated exchange of facial images in the Prüm framework would provide law enforcement authorities with faster and more reliable access to relevant information, which could be crucial in their investigations, and could contribute to identifying criminals and solving criminal cases.

Only facial images of suspect or convicted criminals and terrorists could be exchanged. This means that there would be no matching of facial images to the general population. Moreover, no use of artificial intelligence is provided for. Therefore, we consider the policy option proportionate to its objective of general interest.

II.Impact on data protection (-)

1.Necessity

As mentioned above, in a number of criminal investigations, the only lead or the main lead on a suspect or perpetrator of a criminal offence are facial images. In an area without internal borders, cooperation between Member States is crucial in resolving criminal investigations. Therefore, it is necessary for law enforcement authorities to work with their peers in other Member States. Today, exchanges of facial images are possible, but there is no efficient procedure to do so, leading to errors, information gaps and reluctance to use it by law enforcement authorities. Despite this fact, exchanges of information still take place as they are deemed necessary. When it does take place, the current process is currently both time-consuming and inefficient (there are no automated queries, everything needs to be done manually).

Moreover, today, any exchange of facial images would be done manually and in a bilateral framework. For the sake of efficiency, Member States would tend to only send queries to those Member States which they believe could have data on the suspect or convicted criminal concerned. However, experience has already demonstrated that another Member State can sometimes have relevant data for the criminal investigation on that person. This is all the more relevant in an area without internal borders such as the Schengen area. Exchanging facial images via the Prüm framework would ensure that there is no such gap and that all relevant data may be available to law enforcement officers.

Providing for the exchange of this category of data at EU level in the Prüm framework would significantly improve its efficiency. There are no other effective but less intrusive options, the policy option is essential and limited to what is necessary to achieve the specific objective.

We therefore conclude that the measure has a negative impact on data protection as the processing of a new category of data is created but respects the principle of necessity.

2.Proportionality

The exchange of facial images under the Prüm framework will not lead to storing new categories of data. Indeed, Member States already collect facial images of suspects and criminals under national law and store them in national criminal databases.

The exchange of facial images between Member States constitutes a new processing of data. However, it is limited to the extent necessary to achieve its purpose, it only allows for comparison of data in case-by-case situations, and provides several safeguards. As it concerns biometric data, which is considered a special category of personal data under the LED, the processing is permitted in order to protect the vital interests of natural persons (fight against crime and terrorism).

Moreover, still in accordance with the LED, appropriate safeguards must be provided for. First, there is no fully automated exchange. Second, the exchange of facial images will not entail the possibility for live facial recognition screening of a large number of persons in public spaces. This is not the objective of the Prüm framework. Instead, both the scope and the principles used will be similar to those applicable to the exchange of fingerprint data under the Prüm Decisions. Any search and comparison of individual facial images would take place in the course of criminal investigations on a “hit”/”no hit” basis against Member States’ databases of suspects and convicted criminals, subject to forensic verification of the results. The exchange of further personal data would take place only after confirmation of a “hit” by experts. Third, there is no envisaged use of artificial intelligence for the comparison of facial images. The comparison should be performed based on pre-defined rules and values detailed in the technical specifications. Profiling would be explicitly prohibited.

National law would be applicable to any data exchanges insofar as it does not go against the obligations and limitations set up in the revised Prüm framework. Concerning data protection, national law transposing the Law Enforcement Directive would be applicable to data exchanges between Member States.

We therefore conclude that the measure respects the principle of proportionality.

d.Costs

*Europol should only be taken into account if policy options 3.1 and 3.2 are kept.

The table presents the costs per Member State, both those expected as initial costs (one-off) and operational costs (yearly recurrent costs). The main cost driver is related to implementation and facial recognition license costs. This cost is estimated at EUR 1.5 million per Member State and will cover the implementation of a facial recognition system (included as part of the expected one-off costs).

The costs per Member State also include:

·the need to organize a tender to purchase the facial recognition system, and update the national architecture based on the system that will be selected and implemented;

·the purchase of a facial recognition system and its installation. However, Member States should already possess a facial images database. Therefore, limited resources should be allocated to a database;

·the setup of an integration layer needed to automatically exchange data with other Member States;

·generic costs linked to project management.

e.Feasibility (+)

Technical aspects and the feasibility of including the exchange of facial images in the Prüm framework were discussed in the Feasibility Study and in the focus group report on facial recognition. 51 Both reached the same conclusion and recommended such an inclusion. The focus group agreed that face recognition technology has advanced and become a highly suitable additional biometric tool in forensics.

Even though not all Member States currently have the necessary technical requirements, such as a national database with reference images or a national facial recognition software, numerous Member States are currently in the process of implementing such databases and facial recognition software. 52

Concerning political feasibility, the main aspects are the need for explaining that the exchange of facial images is possible today, however not in an automated manner and that the inclusion of facial images under the Prüm framework would not allow for live facial recognition screening of a large number of persons in public spaces.

We therefore conclude that the measure is feasible.

6.2.2Policy option 2.2: introducing the exchange of police records data in the Prüm framework

a.Impact on citizens (+)

Positive impact on the security of the European citizens and societies. The measure aims to support law enforcement authorities in the exercise of their tasks and thus would contribute to enhancing the security and well-being of EU citizens. Only police records of suspects and convicted criminals would be exchanged.

b.Impact on national authorities (++)

Very positive impact for national law enforcement authorities. While today the exchange of police records is possible, there is no efficient procedure to do so. The automation of the process of finding out whether relevant information exists or not in another Member State would reduce the need for manual work and save resources. In case the automated search yields no results, competent law enforcement authorities would not have to process the request and retrieve the information, thereby saving time and resources.

c.Impact on fundamental rights

I.Objective of general interest (+)

Positive impact on the security of the European citizens and societies. The introduction of the exchange of police records data in the Prüm framework would provide law enforcement authorities with additional information, which could be relevant in their investigations, and could contribute to identifying criminals and solving criminal cases.

This policy option implies only exchanges of police records linked to criminal or terrorist investigations. The measure does not provide for new access rights, and just seeks to enhance cooperation between Member States based on the principle of availability. This is all the more relevant in an area without internal borders such as the Schengen area. Therefore we consider the policy option proportionate with its objective of general interest.

II.Impact on data protection (-)

1.Necessity

In the context of criminal investigations, information on suspects and perpetrators of criminal offences already in possession of the law enforcement authorities is crucial. In an area without internal borders, cooperation between Member States is crucial in resolving criminal investigations. Therefore, it is necessary for law enforcement authorities to work with their peers in other Member States. Today, exchanges of police records may be possible, but there is no efficient procedure to do so, and it happens in a time-consuming and inefficient way. This led to the creation of the ADEP/EPRIS project by a certain number of Member States. This policy option seeks to formalise and extend the possibility of using a tool such as ADEP/EPRIS across all Member States in the framework of the Prüm Decisions.

Indeed, the only way to improve the situation, and deal with the currently existing information gap due to long and inefficient procedures is by providing for automated exchange of this data at EU level, and therefore, under the Prüm framework. There are no other effective but less intrusive options, the policy option is essential and limited to what is necessary to achieve the specific objective.

We therefore conclude that the measure has a negative impact on data protection as the processing of a new category of data is created but respects the principle of necessity.

2. Proportionality

The exchange of police records under the Prüm framework will not lead to storing new categories of data. Indeed, all Member States possess police records under national law and store them in national criminal databases.

The exchange of police records between Member States constitutes a new processing of data. However, it is limited to the extent necessary to achieve its purpose, it only allows for comparison of data in a case-by-case situation. The data concerned is pseudonymised, and would only cover a limited data set of data from police records (e.g. name, date of birth, place of birth, gender).

The policy option also provides several safeguards. First, there is no fully automated exchange. Second, in accordance with the privacy-by-design principle, the data would undergo a pseudonymisation process. As mentioned in section 5.2.2, indexes and queries do not contain personal data, but alphanumerical strings. 53  This, together with the fact that the actual data would not be stored, means that Member States’ data cannot be automatically accessed. 54 This policy option also presents a two-step approach. In the first step, only a limited set of data from police records is used to identify the Member State possibly holding more information on a person under investigation. In the second step, once the hit has been confirmed, the Member State can ask for the actual information contained in the police record. 

National law would be applicable to any data exchanges insofar as it does not go against the obligations and limitations set up in the revised Prüm framework. Concerning data protection, national law transposing the Law Enforcement Directive would be applicable to data exchanges between Member States.

We therefore conclude that the measure respects the principle of proportionality.

d.Costs

The cost estimation is based on the implementation of the ADEP/EPRIS solution.

The costs per Member State include:

·designing a new national architecture and the specifications to ensure the access of national data through the developed solution;

·setting up a new index or making an already existing index available. Regardless of the option, costs will have to be borne by Member States. The costs will differ depending on the option chosen;

·integrating the national solution;

·generic costs linked to project management.

The costs at EU level include:

·designing the details of the technical architecture, defining clear processes and harmonizing with existing initiatives;

·the backbone infrastructure and the (possible) need for integration layer(s) at EU level;

·further development of the current ADEP/EPRIS solution.

e.Feasibility (++)

The technical feasibility of establishing an automated exchange of biographical data has been demonstrated in the two iterations of the ADEP/EPRIS project.

Concerning the political feasibility, in their contributions to the public consultation, Member States generally stated their support for the inclusion of the exchange of biographical data in the Prüm framework. Some Member States have expressed concerns as to this inclusion, especially concerning the increase in the number of requests and hence the increase of the burden on the authority processing these requests. It is true that the number of potential requests could potentially increase due to the possibility to query the indexes of all Member States at once. However, as examined above, the automation of the process of finding out whether relevant information exists in another Member State would save time and resources. Moreover, manual work would only be required for the queries, which resulted in a hit.

We therefore conclude that the measure is feasible.

6.2.3Policy option 2.3: introducing the exchange of driving licence data in the Prüm framework

a.Impact on citizens (+)

Positive impact on the security of the European citizens and societies. The measure aims to support law enforcement authorities in the exercise of their tasks and thus would contribute to enhancing the security and well-being of EU citizens.

However, the measure also has a negative impact for citizens as it means that all citizens who have a driving licence would be potentially subject to information exchange in the context of the Prüm framework. They should be informed about this potential processing of their data.

b.Impact on national authorities (++)

Very positive impact on fighting crime and on the security of the European citizens and societies. The introduction of the exchange of driving licence data in the Prüm framework would provide law enforcement authorities with additional information, which could be relevant in their investigations, and could contribute to identifying criminals and solving criminal cases.

c.Impact on fundamental rights

I.Objective of general interest (-)

Positive impact on the security of the European citizens and societies. Exchanging data on driving licence information would be relevant in cases of possible fake documents, for either corroborating or nullifying the trustworthiness of the documentation and verifying the identity of a suspect or perpetrator.

However, despite bringing a potentially very positive impact on the security of the European citizens, the databases of driving licenses holders is not limited to criminals and terrorist but to the general population. Therefore, it is difficult to justify that the measure is proportionate to the objective pursued. This fact offsets the positive impact on security.

II.Impact on data protection (--)

1.Necessity

In the context of criminal investigations, any information on suspects and perpetrators of criminal offences is crucial. In an area without internal borders, cooperation between Member States is crucial in resolving criminal investigations. Indeed, if a Member State’s national travels to another Member State, this second Member State cannot check its national databases to verify the validity of the document submitted by the other Member State. Indeed, most Member States’ law enforcement authorities have access to the national driving licence register in the context of crime investigations.

Therefore, the only way for other Member States’ law enforcement authorities to have access to it would be via information exchange at EU level. The Prüm framework provides this, there are no other effective but less intrusive options, the policy option is essential and limited to what is necessary to achieve the specific objective.

We therefore conclude that the measure respects the principle of necessity.

2.Proportionality

There are several means to combat possible fake documents, for either corroborating or nullifying the trustworthiness of the documentation and verifying the identity of a suspect or perpetrator. This includes security features in the identification documents among others.

The data would be of an administrative nature as the needs of exchanging this data would not only be limited to cases of criminal investigations. Therefore, it should also be explored whether this information exchange could not be done in a different context than the Prüm framework.

In addition, the measure concerns the processing of data of a large share of the population. Moreover, driving licenses are only one among other documents allowing for the identification of a person, such as ID cards or passports. The reason why only driving licenses would be targeted by the measure has not been sufficiently demonstrated.

We therefore conclude that the measure does not respect the principle of proportionality.

d.Costs (0)

The impact in terms of costs of this measure are not estimated as the measure does not respect the principle of proportionality.

e.Feasibility (0)

The technical feasibility of establishing automated exchanges on the basis of alphanumerical data has already been demonstrated (e.g. driving plates). Most Member States have an online driving licence register. As stems from consultations with Member States in the form of targeted questionnaires and discussions in the technical workshops organised in the context of the revision of the Prüm Decisions, most Member States reported that their law enforcement authorities investigating crime have access to the national driving licence register. Therefore, under the principle of availability, access to other Member States’ law enforcement authorities could be granted under the same conditions as the access for the national authorities.

Member States have highlighted the added value of the exchange of driving licence information, especially for identification purposes, but also to help in detecting document forgery, use of a false identity, look alike fraud, etc. It stems from contributions to the public consultation and from consultations that there is an overall strong support for the inclusion of this new data category in Prüm.

On the other hand, allowing for exchanges of databases on citizens should only be done where it is strictly necessary and proportionate.

The measure is therefore neutral when it comes to feasibility.

6.3     Involve Europol 

6.3.1Policy option 3.1: enabling Member States to check automatically third-country sourced data at Europol as part of the Prüm framework

a.Impact on citizens (+)

Positive impact on the security of the European citizens and societies. The measure aims to support law enforcement authorities in the exercise of their tasks by ensuring all available data is used in the context of criminal investigations and thus would contribute to enhancing the security and well-being of EU citizens.

b.Impact on national authorities (++)

Very positive impact for national law enforcement authorities. The possibility for Member States’ law enforcement authorities to check third-party data held at Europol in the Prüm framework would contribute to the efficiency of their work. Indeed, it would allow for using data which they are already entitled to use in an effective manner and at the same time as checking other Member States’ data.

c.Impact on fundamental rights

I.Objective of general interest (++)

Very positive impact on the security of the European citizens and societies. Data provided by third countries on criminals and terrorists is even more important in an open society in a globalised world. It would allow for the potential identification of criminals known by countries outside the EU, while at the same time benefitting from strong safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals established in the Europol cooperation agreements with third countries. With this option, third-country data would be turned into valuable information for its use in criminal investigations by combining it with data held by Member States.

The measure intends to provide the outmost added value from the data already stored at the Europol information system by making Europol a part of the Prüm framework. The data to be checked is limited to third-country sourced data, which Member States may not have at their disposal. Therefore we consider the measure proportionate to its objective of general interest.

II.Impact on data protection (0)

1.Necessity 

In the context of criminal investigations, information on suspects and perpetrators of criminal offences already in Europol’s possession is crucial. The policy option is genuinely effective to achieve the specific objective of improving Europol’s ability to support Member States in identifying cases and information with relevance for their criminal investigations, and therefore also essential to the fight against serious crime and terrorism as objectives of general interest in EU law. Alternatively, another option would be to create a dedicated database for this purpose, but as Europol already stores the data, we consider the current policy option less intrusive.

We therefore conclude that the measure respects the principle of necessity.

2.Proportionality

Access to Europol information is already legally possible under the Europol Regulation. 55  The policy option would enable making searches to data stored at Europol on the basis of biometric data (DNA, fingerprints and facial images). For instance, in case Member States’ criminal investigators have found a latent fingerprint at a crime scene, national authorities would be able to directly search biometric data at Europol with this latent, which is currently not possible.

In reply to the public consultation, one stakeholder expressed concerns on the inclusion of Europol data intro the Prüm exchange mechanism and highlighted that transfers to third countries and international organisations should be subject to adequate safeguards. In this regard, safeguards related to the transfer of data to third countries laid down in the Europol Regulation would be applicable. The general prohibition of onward transfer of data obtained via the Prüm framework with the exception of well-defined specific cases 56 should be applied.

Chapter VI of the Europol Regulation on General data protection safeguards provides a comprehensive set of detailed safeguards to guarantee a robust and high level data protection, transparency and liability to the day-to-day operations of the agency. It consists of a series of general and specific data protection principles, measures, obligations, responsibilities, requirements, limitations, data subject rights and external independent supervision.

We therefore conclude that the measure respects the principle of proportionality.

d.Costs

The cost estimation for EU activities includes the costs for Europol connection to the Prüm network and developing an interface at its side (QUEST Biometrics).

The costs at EU level include:

·Developing and implementing the interface;

·Operating and maintaining the connection;

·Generic costs linked to project management.

e.Feasibility

Concerning technical feasibility, the policy option varies depending on whether or not a central router is established for the exchange of information in the Prüm framework (policy option 1.1).

If the central router is in place, it would suffice to make a single connection with the Europol Information System, which would have a high technical feasibility and imply low costs. In the absence of the central router, each Member State would need to connect individually in the context of the Prüm framework. The establishment of such connections would have a low technical feasibility and imply high costs.

Concerning political feasibility, Member State support the involvement of Europol in the Prüm framework and consider that, allowing law enforcement authorities to search and compare their biometric data with third country data held at Europol, would contribute to the fight against crime and terrorism. This policy option would bring added value from an operational perspective, as highlighted by Member States in targeted consultations in the form of questionnaires and discussions in the technical workshops organised in the context of the revision of the Prüm Decisions.

We therefore conclude that the measure is feasible in the case of policy option 1.1 being supported and not feasible in the case of policy option 1.1 not being supported.

6.3.2Policy option 3.2: enabling Europol to check third-country sourced data against the national databases of Member States

a.Impact on citizens (+)

Positive impact on the security of the European citizens and societies. The measure aims to support law enforcement authorities in the exercise of their tasks by ensuring all available data is used in the context of criminal investigations and thus would contribute to enhancing the security and well-being of EU citizens.

b.Impact on national authorities (0)

The policy option is neutral from national authorities’ point of view. Indeed, under this option, it would be Europol taking the responsibility of checking whether the data that it has obtained from third countries is present in Member States. Member States’ law enforcement authorities would need to contribute only in case there are “hits” with their data.

c.Impact on fundamental rights

I.Objective of general interest (++)

Very positive impact on the security of the European citizens and societies. Data provided by third countries on criminals is even more important in an open society in a globalised world. It would allow for the potential identification of criminals known by countries outside the EU, while at the same time benefitting from strong safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals established in the Europol cooperation agreements with third countries. With this option, there would be a guarantee that available data is used to its full potential.

This option combined with the previous policy option ensure that no gaps occur in relation with data related to serious crime and terrorism obtained from third countries.

The measure intends to provide the outmost added value from the data already stored at the Europol information system by making Europol a part of the Prüm framework. The data to be used by Europol is limited to third-country sourced data, which Member States may not have at their disposal. Therefore we consider the measure proportionate to its objective of general interest.

II.Impact on data protection (0)

1.Necessity

In the context of criminal investigations, information on suspects and perpetrators of criminal offences already in Europol’s possession is crucial. The policy option is genuinely effective to achieve the specific objective of improving Europol’s ability to support Member States in the fight against serious crime and terrorism. Europol, as the EU body in possession of this data, is best placed to undertake this comparison. Alternatively, this responsibility could be transferred to Member States’ law enforcement authorities. But finding a procedure for the allocation of responsibility would be cumbersome and would not make the policy option more effective.

We therefore conclude that the measure respects the principle of necessity.

2.Proportionality

The policy option affects data subjects who are convicted criminals and suspects, falling under Europol’s mandate, and whose personal data third countries share with Europol.

The policy option does not have a disproportionate and excessive impact on the persons affected by the limitation, in relation to the specific objective of enabling Europol to cooperate effectively with third countries and hence the fight against serious crime and terrorism as objectives of general interest in EU law, as Europol’s data protection regime will provide for adequate safeguards.

The policy option constitutes a proportionate response to the need to solve the problem resulting from limits in Europol’s ability to effectively support Member States in countering crimes prepared or committed using data coming from third countries.

In reply to the public consultation, one stakeholder expressed concerns on the inclusion of Europol data intro the Prüm exchange mechanism and highlighted that transfers to third countries and international organisations should be subject to adequate safeguards. In this regard, safeguards related to the transfer of data to third countries laid down in the Europol Regulation would be applicable. There should not be any automated exchange of data with third countries. Transmission of information, if any, should require manual intervention, be related to a specific case and require the consent of the Member State whose data would be concerned.

Chapter VI of the Europol Regulation on General data protection safeguards provides a comprehensive set of detailed safeguards to guarantee a robust and high-level data protection, transparency and liability to the day-to-day operations of the agency. It consists of a series of general and specific data protection principles, measures, obligations, responsibilities, requirements, limitations, data subject rights and external independent supervision.

We therefore conclude that the measure respects the principle of proportionality.

d.Costs (+/--)

*non-cumulative with the costs of policy option 3.1.

The cost estimation for EU activities includes the costs for Europol connection to the Prüm network and developing an interface at its side (QUEST Biometrics). Therefore, the expected one-off costs are the same as for policy option 3.1. If policy option 3.1 is chosen, the expected one-off costs for this policy option is 0.

If both policy options 3.1 and 3.2 are retained, the yearly costs for Europol for policy option 3.2 are estimated at EUR 1,291,000. This figure mainly covers the costs of the operational staff to conduct searches and verify biometric results (DNA, fingerprints and facial images). The current estimations only take into account the use of third country sourced data. Operational costs may slightly increase over time due to the increase in the volume of data.

e.Feasibility (+/--)

Concerning technical feasibility, the policy option varies depending on whether or not a central router is established for the exchange of information in the Prüm framework (policy option 1.1).

If the central router is in place, it is positive, it would suffice to make a connection with the Europol Information System, which would not imply high costs. In the absence of the central router, the technical feasibility would be very negative, as Europol would need to connect to each Member State individually in the context of the Prüm framework, which would also imply additional costs

Concerning political feasibility, some Member State expressed certain doubts on this policy option in the technical workshops organized in the context of the revision of the Prüm Decisions, mainly on the basis of the principle of sovereignty and the fact that Europol should not be considered as a Member State and be granted he same prerogatives as Member States. However, this policy option would not entail Member States giving up control over their databases as in case of a match, only the Member State whose data was at the origin of the match would be notified. The decision whether or not to follow up on this match would be solely incumbent to the Member State concerned. A larger number of Member States supported the idea of Europol searching their databases using data obtained from third countries, stating in particular that information provided by third countries to Europol should be made actionable and useable under the Prüm framework.

However, contrary to the previous option, this policy option would require enlarging Europol’s mandate.

We therefore conclude that the measure is feasible in the case of policy option 1.1 being supported and not feasible in the case of policy option 1.1 not being supported.

6.4     Regulate the hit-follow-up exchange process

6.4.1Policy option 4.1: regulating the follow-up process at EU level with a semi-automated exchange of core data

a.Impact on citizens (+)

Positive impact on the security of the European citizens and societies. The measure aims to support law enforcement authorities in the exercise of their tasks and thus would contribute to enhancing the security and well-being of EU citizens.

b.Impact on national authorities (++)

Very positive impact for national law enforcement authorities. The measure would result in an accelerated access to the most relevant information for law enforcement authorities, reduced workload with regard to eliminating possible unnecessary requests for additional information and effort from the requested Member State’s authorities to gather that data and, consequently, an increase in law enforcement authorities’s capacity to carry out other relevant tasks.

c.Impact on fundamental rights

I.Objective of general interest (++)

Very positive impact on the security of the European citizens and societies. The policy option would contribute to the internal security of the European Union by simplifying and streamlining the exchange of law enforcement information. It would give predictability to all users, as they would all know what data they would get in this step, as compared to the current situation where it depends on the Member State concerned.

The measure aims to facilitate and harmonize the exchange of data in the second step of the Prüm process. It would still require a human intervention, which means that Member States would still keep control of their own data. Therefore, we consider the measure proportionate to its objective of general interest.

II.Impact on data protection (0)

1.Necessity

The policy option would enable exchanging data in a semi-automated, consistent and harmonized manner across Member States. As a result, the policy option would reduce the workload and improve the efficiency of the work of EU law enforcement authorities. This would have a positive impact on the fight against crime and terrorism. As the Prüm framework is decentralised, meaning that no data is kept at central level, this semi-automated exchange of core data held at Member State level is a powerful tool to bring relevant information to the law enforcement authorities.

We therefore conclude that the policy option respects the principle of necessity.

2.Proportionality

The policy option provides for the exchange of core data. This exchange would provide for a limited access to personal data, based on which the investigator could decide if a more targeted request for more information is required. This measure does not provide for new access rights, as the users could already receive these categories of data, but only for a facilitation of this process.

The policy option also presents a range of safeguards. Indeed, there is only a partial automation: human intervention is needed before any follow-up data exchange, including the core data exchange, can be started. Indeed, it only covers the procedure under which this data is exchanged, after manual validation by the Member State in possession of the data. This human intervention can contribute to ensuring that the data is relevant to the case at hand, that there is no abuse of the framework and that any obligation under national law is respected (e.g. need for judicial authorisation).

The harmonisation of the follow-up under Prüm would also constitute a safeguard as far as it would contribute to the consistency and reliability of the procedure across Member States.

We therefore conclude that the policy option respects the principle of proportionality.

d.Costs (++/--)

Each Member State has its own national system in place. As such, the possible need for additional hardware/software will be dependent on each Member State. In this sense, costs may vary greatly and are exponential to the number of Member State connections and categories of data exchanged.

Since the measure would imply changes in national procedures, Member States might propose training programmes and awareness initiatives for end-users.

However, if the central router is created, the costs at both Member State and EU level of setting up this policy option are already provided for under the costs of policy option 1.1.

e.Feasibility (+/--)

Concerning technical feasibility, in the absence of the central router, it would require adaptations to all existing connections between Member States, which could be a burdensome process. However, should the router of policy option 1.1 be created, the technical feasibility could greatly improve. As the change could be performed at central level, Member States would only require to adapt their connection to the router instead of to each other Member State, limiting the interference with national IT infrastructures and building new synergies.

Concerning political feasibility, in reply to the public consultation, most respondents agreed that a limited set of data could be provided in ‘fast track’. In the technical workshops organised in the context of the revision of the Prüm Decisions, there seemed to be a common understanding among experts on the necessity to speed up the follow-up exchange of data with the return of a set of core data, provided there is a certain degree of human intervention before this set is sent back.

We therefore conclude that the measure is feasible in the case of policy option 1.1 being supported and not feasible in the case of policy option 1.1 not being supported.

7.How do the options compare? 

As none of the options are mutually exclusive, this chapter compares each option against the baseline scenario (i.e. where no action is taken for that policy option).

7.1Improve the technical architecture 

Policy option 1.1 is the preferred option. The policy option providing for the creation of a central router without data storage is a key option to provide for efficient automated exchange of data between law enforcement authorities. Indeed, the creation of a central router would improve the current architecture of the Prüm framework. This would contribute to ensuring that connections are made between all Member States’ databases, as only one connection would be required. This has also a positive impact when changes occur at the level of Member States’ databases, as only this connection would need to be changed. Moreover, the router would allow for the collection of statistics, which would contribute to enhancing the performance of the framework as well as to its monitoring and evaluation. From a costs point of view, the router would result in considerable savings for Member States’ authorities over time. The option was also considered feasible, both from a technical and political point of view. Moreover, the more policy options described in this impact assessment are considered, the more benefit for the router. Indeed, the creation of new categories of data, the connection of new entities (e.g. a Member State or Union Agency) or the automation of any follow-up are reinforced by the existence of a central router.

The creation of the central router aims to ensure that all Member States are connected and can make use of the possibilities for exchanging data under the Prüm framework. It would significantly reduce the recurrent costs of maintaining all the bilateral connections as well as significantly reduce the costs of setting up connections for exchanging new categories of data (as the proposed facial images and police records).

The router would not store any data, it would not allow for new types of data processes, it would not enlarge access rights and it would not extend data retention periods. To sum up, the router would lead to a more efficient use of the Prüm framework in order to achieve its purposes. A more efficient use of an existing tool does not entail a greater impact on data protection.

The advantages of the router compared to the baseline scenario are the following: a more efficient use of the current framework, therefore contributing to fighting crime and terrorism, a cheaper solution (in the medium to long term) and advantages in terms of technical feasibility.

7.2     Automated exchange of additional data categories 

The policy options are stand-alone options in the sense that policy option 2.1 can be chosen as preferred option irrespective of whether options 2.2 or 2.3 are chosen. The same applies for options 2.2 and 2.3.

Policy options 2.1 and 2.2 are the preferred options. These two policy options aim to enlarge the scope of the Prüm framework to other categories of data (i.e. facial images and police records) in Member States’ databases that are often relevant in criminal investigations and therefore the subject of cross-border information requests, but that are not covered today by the Prüm Decisions. These data categories can already be subject to exchanges between Member States but there is no efficient way of doing it. Their integration in the Prüm framework is the most efficient way to ensure that there is no information gap. Moreover, both options are feasible both from a technical (this is even more true for police records and the current ADEP/EPRIS pilot) and political point of view and are considered as meeting the principles of necessity and proportionality. Finally, the inclusion of facial images is in line with the developments of the technology. Indeed, new or recently updated central EU information systems use facial images (e.g. the new Entry-Exit System and the updated Visa Information System and Schengen Information System).

The inclusion of these new data categories in the Prüm framework would lead to a higher intensity of data exchanges. This is because, despite the fact that today it is possible to exchange this data, there is no channel to do it in a timely and efficient manner. This leads to errors, information gaps and reluctance to use it by law enforcement authorities. The inclusion of these data categories in the Prüm framework will provide Member States’ law enforcement authorities with an incentive to exchange this data, leading to a higher intensity of data exchanges.

The higher intensity of data exchanges is counter-balanced by the benefit brought to the fight against serious crime and terrorism. The more Member States’ law enforcement authorities exchange these new data categories, the smaller the gap in fighting serious crime and terrorism in an area without internal borders as Member States could therefore also search other Member States’ databases and not only their own.

Policy option 2.3 is discarded. Despite the fact that the exchange of information across Member States concerning driving licences would provide added value for the citizens and national authorities, the proportionality of the measure could not be demonstrated. Other options could provide a similarly effective but less intrusive way of meeting the policy objectives.

7.3     Involve Europol 

1 "+" in the case of policy option 1.1 being supported, "--" in case it is not

2 " + " in the case of policy option 1.1 being supported, "--" in case it is not

3 "+" in the case of policy option 1.1 being supported, "-" in case it is not

4 " + " in the case of policy option 1.1 being supported, "--" in case it is not

Both policy options are stand-alone options in the sense that policy option 3.1 can be chosen as preferred options irrespective of whether option 3.2 is chosen and vice-versa.

Policy options 3.1 and 3.2 are the preferred options. However, in order for policy options 3.1 and 3.2 to be chosen as preferred options compared to the baseline scenario, policy option 1.1 must be considered. Indeed, the creation of a central router is key in the development of these two policy options. The central router has a significant impact in terms of costs and technical feasibility for these policy options.

On top of the advantages for both these options brought by the central router, the policy options have merits of their own.

Policy option 3.1 would ensure that law enforcement authorities have efficient access to all relevant information that they need in the context of their criminal investigations. Indeed, including third country-sourced data stored at Europol in the framework of Prüm addresses an existing information gap. All the safeguards (including data protection safeguards) provided for in the Europol Regulation concerning the data stored at Europol would also be applicable to this policy option.

Policy option 3.2 would ensure that all relevant information in the context of criminal investigations is used in the most efficient manner. Indeed, allowing Europol to use third country-sourced data that is already stored in their information systems to compare it with Member States data would ensure that this data is used to its full extent. Avoiding situations where a terrorist or criminal is not identified or apprehended due to the impossibility to use this data in the Prüm framework. Similarly to policy option 3.1, all safeguards (including data protection safeguards) provided for in the Europol Regulation concerning the data stored at Europol would also be applicable to this policy option.

7.4     Regulate the hit-follow-up exchange process 

1 "++" in the case of policy option 1.1 being supported, "--" in case it is not

2 "+" in the case of policy option 1.1 being supported, "--" in case it is not

Policy option 4.1 is the preferred option. However, in order for policy option 4.1 to be chosen as preferred option compared to the baseline scenario, policy option 1.1 must be retained. Indeed, the creation of a central router is key in the development of this policy option. The central router has a significant impact in terms of costs and technical feasibility for this policy option.

This policy option would result in increased efficiency in the information exchange between law enforcement authorities. It would also reduce workload with regard to eliminating possible unnecessary requests for additional information and effort from the requested Member State’s authorities to gather that data. Moreover, it would provide for the harmonization of the expected replies. Compared to the current situation where there are different replies and procedures, there would be an increased predictability as regards the obtaining of core data.

8.Preferred policy options: strengthening the Prüm framework

Taken together, the preferred policy options identified in section 7 reinforce the current Prüm framework with targeted and strong tools and capabilities to step up its support to Member States in reinforcing information exchange with the final objective of preventing and investigating criminal and terrorist offences.

In this section, we will describe the proposed initiative combining all the preferred policy options as well as assessing their aggregated impact.

Regarding data categories, the scope of the Prüm framework would be enlarged to allow for the exchange of facial images and police records.

The preferred policy option also provides for the creation of a central Prüm router. Under this option, the central router would not store any data but provide a hub between the national databases. The current complex architecture of Prüm would evolve:

Figure 5: Evolution of the architecture of the Prüm framework

The Prüm router would make it technically possible to incorporate Europol into the Prüm framework. This results in closing one of the existing information gaps: it will allow Member States to query third country-sourced data stored at Europol and therefore allow for its exchange in the context of the Prüm framework. This is also interesting because all the current safeguards that exist regarding Europol data would also apply to its exchange in the context of the Prüm framework.

Similarly, Europol would also be able to use third country-sourced data stored in its information system to query Member States data in the context of the Prüm framework, with a view to supporting Member States law enforcement authorities in their fight against crime and terrorism.

Finally, the Prüm router would also allow to introduce a certain degree of automation in the exchange of data following a potential match. Indeed, a limited set of data could be exchanged in an automated manner following the verification of the authorities against which a match was obtained.

To conclude, the preferred policy option package includes several measures, each aiming to strengthen a particular aspect of the Prüm framework. Indeed, they are the result of years of reflections and work, which led to targeted and proportionated measures that deal with the existing information gaps and inefficiencies in the exchange of data and bring the framework up to date with new technologies. These policy options also aim to align the Prüm framework with both the EU data protection and interoperability frameworks.

8.1Impact on citizens (++)

Very positive impact on the security of the European citizens and societies. Each of the preferred options has a positive impact on the security of citizens, therefore the combination of all of them provides an even greater positive impact. Indeed, the whole initiative aims to support law enforcement authorities in the exercise of their tasks and thus would contribute to enhancing the security and well-being of EU citizens.

Only data related to suspects and convicted criminals and terrorists would be exchanged within the scope of the preferred policy option package.

8.2Impact on national authorities (++)

Very positive impact for national law enforcement authorities. The exchange of facial images between Member States to fight crime and terrorism is already a reality. However, there is no efficient procedure for it and it is therefore only used in ad-hoc situations and always in a bilateral way. The preferred policy option would provide a tool to ensure that Member States exchange facial images on suspects or convicted criminals and terrorists and that the data can be compared with the existing data of all Member States. Concerning the exchange of police records, this is a process that has been ongoing in the context of the ADEP/EPRIS project by some Member States. The preferred policy option extends this possibility to all Member States.

The creation of the Prüm router would result in the improvement of the architecture of the Prüm framework, regarding both its current needs as well as the needs included in the preferred policy options.

Finnaly, the proposed semi-automated exchange of data following a hit would result in an accelerated access to the most relevant information for law enforcement authorities. Its benefits include reducing both the workload with regard to eliminating possible unnecessary requests for additional information and the effort from the requested Member State’s authorities to gather that data. It also brings a certain degree of harmonisation to this first step of data exchange at EU level.

8.3Impact on fundamental rights

a.Objective of general interest (++)

Very positive impact on the security of the European citizens and societies. Each of the individual policy options aims to improve the security of the European Union in its own targeted way. As explained in section 6, each policy is narrow in its scope and provides only for what is necessary to achieve its purpose. As depicted in this impact assessment, each of the policy options aims to provide a solution to the different problems and limitations of the current Prüm framework with the final objective of strengthening the security of the European Union.

The benefit of the policy options is cumulative. Moreover, the Prüm router would contribute to render each of the other policy options more efficient, therefore further contributing to achieving their purposes.

In addition, the fact that facial images are added as a new data category in the Prüm framework would also allow for using third country-provided facial images stored in the Europol information system in this context.

The resulting policy option implies only exchanges of data linked to criminal or terrorist investigations. None of the measures provides for new access rights, and just seeks to enhance cooperation between Member States based on the principle of availability. This is all the more relevant in an area without internal borders such as the Schengen area. Therefore, we consider the policy option proportionate with its objective of general interest.

b.Impact on data protection (-)

I.Necessity

As mentioned above, each of the individual policy options aims to improve the security of the European Union in its own targeted way. This means that each new processing of data or each new improvement to existing processes is done for their own purposes as described in section 6. Therefore, the sum of the preferred policy options does not change the necessity assessment (i.e. all policy options are deemed necessary).

II.Proportionality

While the sum of the preferred policy options does not have an impact on their necessity, it does impact their proportionality. Indeed, the creation of the router brings more added value as new data categories are added to the Prüm framework. Similarly, the need to connect Europol to the framework also reinforces the need for the creation of a central router.

On the other hand, the creation of the router contributes to the safeguards laid down for each of the other policy options. Indeed, the use of statistics and the logs kept at central level will contribute to the monitoring and improvement of the performance of each new processing of data or of each new improvement to existing processes.

Finally, except for the abovementioned contribution of the router to the other policy options, none of the other options contributes to the specific objectives of the others. Which means that there is no collusion between the policy options.

Therefore, the initiative regrouping all policy options is considered to be proportional.

8.4Costs (++)

The following table summarizes the combined one-off and recurrent costs both at Member State level and at EU central level.

Despite the initial investments, the Prüm router would also reduce the burden of the Prüm framework from a financial perspective by reducing the costs for Member States, as they no longer would need to establish and maintain bilateral connections with all other Member States for each category of data. Indeed, the estimations indicate that the one-off costs of the preferred policy options would be compensated by the reduction in costs for Member States in two years. Moreover, setting up the exchanges of facial images and police records in the absence of a central component would cost around ten times more to the Member States. 57 All in all, the initiative has a very positive impact on costs. Despite the initial investment, the savings in costs for the Member State will bring savings in the medium and long term.

8.5Feasibility (++)

Very positive impact on feasibility.

Regarding the technical feasibility of the preferred options, it is worth recalling the role of the Prüm router. Indeed, the described central router does not only provide for efficient automated exchange of data between Member States’ law enforcement authorities. It will also allow Europol to participate in the framework. This way, both national law enforcement authorities and Europol would be made aware of relevant data available in the national database of another Member State or at Europol. The router also contributes to all the other objectives, acting as a facilitator. Once the central router is created, Member States would only require one connection to be part of the Prüm framework. This also includes the new data categories or the involvement of Europol.

Concerning the technical feasibility of the router, as mentioned in Section 6.1, there is a common understanding among experts of the Member State and Union Agencies on the general technical feasibility of the introduction of a central router in the Prüm framework. Moreover, technical components offering similar (if not even greater) services are being implemented (e.g. the European Search Portal introduced via the interoperability Regulations). This also probes the feasibility of the Prüm router.

Regarding the political feasibility of the preferred options, we note Member States’ support to dealing with the identified problems. As the measures offer solutions to these problems, we expect broad support subject to discussions. Moreover, the fact that the router would reduce Member States’ costs in the medium to long term would also ensure political support.

9.How will actual impacts be monitored and evaluated? 

The Commission will ensure that the necessary arrangements are in place to monitor the functioning of the measures proposed and evaluate them against the main policy objectives. Four years after the new functionalities are put in place and operating, and every four years thereafter, Member States and Union Agencies should submit to the European Parliament, the Council and the Commission a report on the technical functioning of the new proposed measures. In addition, one year after the submission of these reports by Member States and Union Agencies, the Commission should produce an overall evaluation of the measures, including on any direct or indirect impact on fundamental rights. It should examine results achieved against objectives and assess the continuing validity of the underlying rationale and any implications for future options. The Commission should submit the evaluation reports to the European Parliament and the Council.

The monitoring and evaluation of the measures proposed will be notably based on the statistics which will be collected at central level thanks to the introduction of the central router, without having to ask Member States. These statistics would include for instance the number of requests per data category and responses received, including how many hits against how many Member States’ databases. These statistics would allow to have a clear view of the use of the Prüm framework, per data category and per Member State. A significant use of the framework as well as the detection of matches and hits in other databases would be a strong indication of the success of the measure, as it would mean that the relevant information is at the disposal of our law enforcement authorities. Indeed, a hit indicates that information on the person for which a Member State was launching a query is found in another Member State’s database. Hits may lead to solving a crime and protecting a citizen. However, the use of the hit would fall outside of the scope of the statistics that would be collected via the central router. Indeed, the use of the information would vary according to each individual case and depending on the outcome of the investigation. These statistics could be required from the Member States in a periodical exercise.    

Annex 1: Procedural information

1.Lead DG, Decide Planning/CWP references

The lead DG is the Directorate-General for Migration and Home Affairs (DG HOME) for the preparation of the initiative and the work on the evaluation and impact assessment. The agenda planning reference is PLAN/2020/6629.

2.Organisation and timing

The inception impact assessment was published on 11 August 2020. Within this framework, the impact assessment and the evaluation were subsequently prepared.

An Inter-Service Group was set up in August 2020 with the participation of the following Commission Directorates-General: Secretariat-General (SG); Legal Service (LS); Informatics (DIGIT); Justice and Consumers (JUST); Mobility and Transport (MOVE). The Inter-Service Group met three times, discussing (1) the stakeholder consultation and the questionnaire for the public consultation, (2) the outline for the impact assessment, the first part of the draft evaluation and the planning, and (3) the draft impact assessment and evaluation.

3.Consultation of the RSB

On 21 June 2021, the Directorate-General for Migration and Home Affairs submitted the present impact assessment report to the Regulatory Scrutiny Board (RSB). The RSB issued an impact assessment quality checklist on 9 July 2021 with some discussion points and a number of comments. A written response to the main discussion points in this quality checklist was sent in advance to the RSB meeting on 13 July 2017. Following the meeting on 14 July 2021, the RSB issued a positive opinion without reservations on 16 July 2021, with a number of recommendations and comments that completed the previously issued quality checklist. These comments were incorporated into the final version of this document.

4.Evidence, sources and quality

The impact assessment is notably based on the stakeholder consultation (see Annex 2). The Commission applied a variety of methods and forms of consultation, ranging from consultation on the Inception Impact Assessment, which sought views from all interested parties, to targeted stakeholders’ consultation by way of questionnaires, experts’ interviews and targeted thematic technical workshops, which focused on subject matter experts, including practitioners at national level.

In this context, the Commission also took into account the findings of the ‘Study on the Feasibility of Improving Information Exchange under the Prüm Decisions’, 58 which was commissioned by DG HOME and developed by the contractor based on desk research and the following stakeholder consultation methods: surveys, interviews with subject matter experts, questionnaires, and three expert workshops.

Annex 2: Stakeholder consultation

This annex provides a synopsis report of all stakeholder consultation activities undertaken in the context of this impact assessment.

1.Consultation strategy 

The objective of the consultation activities was to gather data and stakeholders’ views in the context of preparations for the revision of the Prüm Decisions, back-to-back with the evaluation of the Prüm Decisions, for the review of automated exchange of data under the Prüm Decisions. More specifically, the consultations sought to:

§Gather data for assessing the effectiveness, efficiency, relevance, coherence, and EU-added value of the Prüm Decisions;

§Update the information and gather data on challenges and shortcomings, but also best practices of the existing Prüm framework;

§Identify any new and update existing information about the needs of stakeholders;

§Gather stakeholders’ views on the different policy options and their respective impacts;

§Fill any data gaps in the evidence base.

In the past years, several processes have contributed to establishing a sound knowledge about the benefits and shortcomings of the existing Prüm framework.

1)Implementation Report of the Prüm Decisions, European Commission (2012); 59

2)Several projects aiming to improve the implementations of the Prüm Decisions;

3)Regular discussions on law enforcement information exchange and specifically on the Prüm Decisions, in the Council Working Party DAPIX/IXIM; 60

4)High Level Expert Group on Information Systems and Interoperability; 61

5)Expert discussions in the context of four focus groups addressing topical improvement opportunities of the Prüm Decisions; 62

6)Study on the feasibility of improving the exchange of information under the Prüm Decisions, including 3 workshops with the end-users from Member States and other stakeholders; 63

7)Various studies, e.g. Cross-Border Exchange and Comparison of Forensic DNA Data in the Context of the Prüm Decision. 64  

The consultation activities carried out built on the data collected and the work already done, in order to minimise the administrative burden of already-consulted stakeholders. At the same time, the intention was to extend the consultation activities to a wider group of stakeholders, in order to achieve a more balanced and comprehensive assessment of the policy options and their impacts. A re-consultation with some stakeholders, especially the end-users of the system who have shared their views already in the context of the activities listed above, was still needed and was therefore carried out.

1.1Mapping of stakeholders

In preparing the initiative, Commission services carried out an initial mapping of stakeholders. Two main categories of stakeholders that may have an interest in the strengthening of the automated exchange of data under the Prüm framework were identified.

1.1.1Current and potential new end-users or other directly related stakeholders of the Prüm framework

The main stakeholders in this group are Member States’ authorities using the Prüm automated data exchange and database custodians. Depending on the national legal and administrative system, one or more of the roles listed below could belong to the same authority:

ŸLaw enforcement and judicial authorities responsible for the prevention and investigation of criminal offences;

ŸNational vehicle registration authorities;

ŸNational authorities responsible for issuing driving licences;

ŸNational databases’ custodians responsible for the national databases interconnected by the Prüm framework;

ŸForensic laboratories/institutes responsible for the forensic assessment of the results of automated matching of biometric data;

As potential new end-users, two EU agencies can be listed:

ŸThe European Union Agency for Law Enforcement Cooperation (Europol), as a potential new participant in the Prüm framework;

ŸEuropean Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), as a potential host of the possible new architectural options for the Prüm framework.

1.1.2Other important stakeholders

The second group of stakeholders includes various EU bodies, organisations and networks, who have relevant expertise and interests related to the initiative:

ŸNational data protection authorities (via European Data Protection Board).

ŸEU bodies and institutions

oEuropean Data Protection Supervisor (EDPS);

oEuropean Union Agency for Fundamental Rights (FRA);

oEuropean Parliament, notably the Committee of Civil Liberties, Justice and Home Affairs (LIBE Committee);

oGeneral Secretariat of the Council;

oEuropean Commission internal stakeholders from different Directorates-General (especially DG Justice and Consumers and DG Informatics) and services.

ŸNon-governmental organisations

oEuropean Digital Rights (EDRi)

ŸIntergovernmental organisations

oEuropean car and driving licence Information System (EUCARIS)

ŸPersons (wider public) with interest in the initiative.

1.2Methods and forms of consultation 

In view of the crisis due to the coronavirus, it was difficult to interact with stakeholders in physical meetings. Therefore, the consultation activities focused on alternatives such as online surveys, semi-structured phone interviews, as well as meetings via video conference.

The consultation activities were launched with the publication of the Inception Impact Assessment. 65 Due to the COVID-19 pandemic, the consultation period was extended from four to eight weeks, from 11 August until 6 October 2020.

A public consultation was launched for 14 weeks, 66 in order to give the possibility to the wider public to share their views on the functioning of the existing automated exchange of data under the Prüm framework and on the planned initiative. The questionnaire for public consultation was available in English, French and German. However, respondents could reply in any of the official EU languages. 67

Targeted consultation activities were aimed to build on the consultation activities that took place in the course of a feasibility study undertaken in 2018-2020, 68 especially concerning the Member States’ authorities, relevant EU agencies and EUCARIS. Four technical workshops were organised with Member States’ authorities and EU agencies to discuss the options, which were being envisaged as part of the revision from a technical perspective.

Meetings were carried out with some Member States, with EU agencies and other stakeholders.

With the exception of the public consultation, the consultation activities were conducted in English and French.

2.Consultation activities

2.1.The Inception Impact Assessment

The Inception Impact Assessment 69 was published for feedback by all interested parties on the Commission’s ‘Have your say’ portal. Respondents were invited to provide online comments and, where appropriate, submit short position papers to provide more background to their views. Due to the COVID-19 pandemic, the consultation period was extended from four to eight weeks, from 11 August until 6 October 2020.

A total of six contributions were submitted over the 8-week feedback period. Of these, two were provided by a public authority, 70  one by a non-governmental organization (NGO), 71  one from a company/business organization, 72  one from a trade union 73 and one from an EU citizen. 74  The limited number of contributions received is most likely due to the technical nature of the instrument. In general, respondents supported the Commission’s initiative to strengthen the automated exchange of data under the Prüm framework with the identified objectives and expressed their preference for certain policy options.

The majority of respondents recognized the need to speed up and streamline the hit-follow-up exchange process and supported the inclusion of one or several additional categories of data. Concerns were raised on the importance of a mandatory manual review by the requested Member State before any data is sent to the requesting Member State. The contributions from public authorities and one EU citizen highlighted the benefits of the introduction of a central router to facilitate the implementation, use and maintenance of the information system. Support was expressed by two public authorities and one company/business organization for the participation of Europol in the Prüm data exchange mechanism for the purpose of crosschecking data received from third countries. One NGO opposed the inclusion of Europol data into the Prüm exchange system. Concerns were raised on the need to take data protection safeguards into account.

2.2.The Public Consultation

The European Commission launched a public consultation on 16 December 2020, which aimed to gather feedback and collect opinions on the effectiveness of the current legislative and policy framework and on existing problems and possible options for future initiatives. The consultation closed after 14 weeks 75  on 24 March 2021.

The public consultation was conducted through an online questionnaire published on the internet in all EU official languages. It was advertised on the European Commission's website, 76 through the Council Working Party IXIM, and at all relevant meetings (as listed below). The questionnaire consisted of a series of 34 mainly closed questions, along with a limited number of open questions to allow for clarifying remarks and/or remarks of a more general nature. 77  While the questionnaire itself was only available in English, French and German, respondents were free to complete the ‘open’ elements of the questionnaire using any recognised EU language.

Thirteen practitioners and two members of the general public replied to the questionnaire of the public consultation. One practitioner provided additional input through a written contribution. The limited number of contributions received is most likely due to the technical nature of the instrument. Practitioners included:

·national public authorities (e.g. law enforcement authorities) (9);

·companies/business organisations (1);

·non-governmental organisations or networks (1).

The members of the general public contributed from IT and EL. Based on the country which they specified, practitioners from 12 Member States/Schengen associated countries contributed. 78  

Results

Questions relating to the existing Prüm framework for the automated exchange of DNA, dactyloscopic and vehicle registration data

In reply the public consultation, almost all stakeholders indicated that cooperation and the exchange of information between Member States’ law enforcement authorities for the prevention and investigation of criminal offences is very relevant. One stakeholder stressed the lack of publicly available and accurate data about the impact of the Prüm framework. Being able to search and compare DNA, fingerprint and vehicle registration data in other Member States’ databases for the prevention and investigation of criminal offences was highlighted by most stakeholders as very relevant.

It was also found by most stakeholders that the Prüm framework is effective. Almost all respondents clearly stated that the Prüm framework has improved the exchange of data between Member States, specifying that increased and faster access to the data has facilitated law enforcement authorities’ work. One stakeholder added however that the integration of the technical requirements into Decision 2008/616 has been an impediment to making the necessary amendments and updates to the Prüm system. One stakeholder disagreed and specified that from the perspective of fundamental rights protection, the Prüm framework has not improved the exchange of data between Member States’ authorities responsible for the prevention and investigation of criminal offences.

The replies to the public consultation further indicated that by preventing the need to query each Member State bilaterally, the automated data exchange under the Prüm framework brings efficiency gains in the law enforcement information exchange to the extent that it improves the speed of exchanges and decreases the administrative burden to a certain extent. Some stakeholders specified that the efficiency gains regarding the costs and the staff are smaller or difficult to ascertain. However, most replies indicated that the costs (administrative, budgetary, in terms of personnel, etc.) related to the implementation of the Prüm framework have been proportionate to its contribution in terms of the improvements in law enforcement information exchange.

The Prüm framework was also found to be coherent. Indeed, stakeholders agreed that it complements other EU and international action in the area of law enforcement information exchange.

When asked to what extent has the Prüm framework provided added value compared to what Member States could achieve in the field of law enforcement information exchange in the absence of the Prüm framework, stakeholders agreed, with several highlighting that law enforcement information exchange has been facilitated and has become faster.

Questions relating to the strengthening of the automated data exchange under the Prüm framework

Most respondents agreed that the fact that additional data categories, which are not covered by the current Prüm framework, are exchanged by sending manual queries, often time-consuming, to other law enforcement authorities, is a shortcoming in the law enforcement information exchange and that EU legislation should be established to standardise and automate the exchange of additional data categories. The majority of contributions to the public consultation expressed support for the inclusion of new data categories such as facial images, police records and driving licences in the Prüm framework. One respondent opposed the extension of the Prüm framework to include facial images and expressed concerns in terms of the use of facial recognition technology. Five respondents expressed doubts or reservations on the inclusion of police records, one stating that they are still studying the possible added value of adding these data categories instead of making better use of the current possibilities. Concerning the possible inclusion of ballistic data, replies were more mixed.

In reply to the public consultation, most respondents agreed that the fact that the exchange of further personal data after a hit has been confirmed is not governed by the Prüm Decisions is a shortcoming of the existing Prüm framework and almost all agreed that EU legislation should be established to streamline the hit follow-up exchange of further personal and case-related data. One respondent highlighted that any information exchange in addition to the automated hit/no-hit response (“supply of further personal data”) must take place in accordance with the national law of the requested Member State.

Most respondents agreed that the fact that the existing Prüm framework is a decentralised network of bilateral connections between Member States’ national databases is a shortcoming of the existing Prüm framework. When asked what they consider to be the most appropriate means to address this shortcoming, most replied establishing an EU central router for transferring messages between Member States with limited functions at a central level such as technical/operational system monitoring and collection of statistics. Some others replied establishing an EU automated biometric identification system (ABIS) that would allow matching biometric templates by a centrally managed technical solution. One respondent highlighted in particular that if a “central router” were to be put in place it should only serve as a pass-through server to transmit messages between Member States, and the collection of statistical data.

2.3.Stakeholder events

In the course of the consultation and in the context of the preparation of the initiative and the impact assessment, the Commission organised four technical workshops which were held on 17 March, 26 March, 20 April and 4 May 2021, respectively, to which representatives of the Member States, of the Schengen associated countries as well as EU agencies and the General Secretariat of the Council were invited. The workshops aimed at bringing together end-users for an exchange of views on the options, which were being envisaged and assessed to strengthen the Prüm framework, from a technical perspective.

2.3.1Technical workshop 1 – The IT architecture of Prüm and the follow-up process (17 March 2021)

This first workshop focused on (1) the IT architecture of the Prüm framework with the possible introduction of a central router and on (2) options to regulate the follow-up process (the so-called ‘second step’, i.e. the exchange of case-related personal data after a hit). 26 Member States, 2 Schengen associated countries, EU agencies (Europol, 79 eu-LISA, 80 FRA) 81 the General Secretariat of the Council and Commission Directorates-Generals (DG HOME and DG JUST) participated.

In the discussion on the possible introduction of a central router, it seemed like there was a rather broad consensus among experts on the feasibility of the introduction of a central router in the Prüm framework. From the discussion on the options to regulate the second step exchange of data, a rather broad consensus on the necessity to speed up the exchange of data following a hit appeared. Several experts underlined the importance of a human intervention before sending back data to the requesting Member State.

In the context of this first technical workshop, a targeted questionnaire was circulated to Member States and Schengen associated countries in order to support and/or further develop the discussions which took place in the workshop. 19 Member States and one Schengen associated country replied.

2.3.2Technical workshop 2 – Links between Prüm and interoperability and the participation of Europol in the Prüm framework (26 March 2021)

This second workshop focused on (1) Possibilities of linking Prüm to the interoperability framework with the querying of the Common Identity Repository via the Prüm router and European Search Portal, and on (2) The participation of Europol in the Prüm framework. 27 Member States, 2 Schengen associated countries, EU agencies (Europol, eu-LISA, FRA) the General Secretariat of the Council and Commission Directorates-Generals (DG HOME and DG JUST) participated.

In both discussions, support was expressed for the linking of the Prüm framework to the interoperability framework and for the participation of Europol in the Prüm framework. Several experts stressed the great benefit of Europol’s involvement and expressed their support therefore. However, it appeared clearly that there are different options possible for this involvement, which would need to be considered.

2.3.3Technical workshop 3 – The introduction of new data categories in the Prüm framework (20 April 2021)

This third workshop focused on the introduction of new data categories in the Prüm framework with the possible inclusion of the exchange of (1) facial images, (2) (pseudonymised) biographical data [police records], (3) driving licences, and (4) data on unidentified human remains and missing persons. 27 Member States, 3 Schengen associated countries, EU agencies (Europol, eu-LISA, FRA, EBCGA), 82 the General Secretariat of the Council and Commission Directorates-Generals (DG HOME and DG JUST) participated.

Both on the topics of facial images and of biographical data, there seemed to be a common understanding among experts that it would make a lot of sense to include these data categories into the new Prüm framework. On the possible inclusion of driving licence data, the necessity to automate these exchanges and include them in the Prüm framework did not appear so clearly. Finally, on the possibility to search for missing persons and unidentified human remains under Prüm, support was expressed to harmonise the legal scope and allow these searches under Prüm.

In the context of this third technical workshop, a targeted questionnaire was circulated to Member States and Schengen associated countries in order to support and/or further develop the discussions which took place in the workshop. 18 Member States and two Schengen associated countries replied.

2.3.4Technical workshop 4 – Options to step up the information exchange on firearms and ballistics (4 May 2021)

This fourth workshop focused on (1) Including the exchange of firearms-related data in the Prüm framework, and on (2) Including the exchange of ballistics-related data in the Prüm framework. 23 Member States, 2 Schengen associated countries, EU agencies (Europol, eu-LISA), the General Secretariat of the Council and Commission Directorates-Generals (DG HOME and DG JUST) participated.

From the discussions, there seemed to be a shared agreement on the need to streamline and improve law enforcement cooperation and the exchange of firearm-related data between Member States but whether or not this exchange should be automated (i.e. included in the Prüm framework) was not clear and the necessity of the automation of these exchanges still remained to be demonstrated. From the discussion on the exchange of ballistic data, it appeared that it is too early and premature at this stage to capture these exchanges under the automated framework of Prüm.

In the context of this fourth technical workshop, a targeted questionnaire was circulated to Member States and Schengen associated countries in order to support and/or further develop the discussions which took place in the workshop. 17 Member States and two Schengen associated countries replied.

Annex 3: Who is affected and how?

1.Practical implications of the initiative

The practical implications are given by stakeholder group.

1.1EU citizens

All the policy options aim to support law enforcement officers in the exercise of their tasks by ensuring all available data is used and that it is used in the most efficient manner possible in the context of criminal investigations. Therefore, the initiative would contribute to enhancing the security and well-being of EU citizens.

1.2National authorities

a.Law enforcement officers

The initiative aims to provide law enforcement officers with more tools to help them in the context of criminal investigations. These tools include:

·querying and accessing, via the Prüm framework, facial images and police records;

·allowing Europol to further support their tasks;

·creating a central router acting as a single-search interface to query and access Prüm data; and

·providing for the semi-automated exchange of additional actual data following hits against Member States’ databases.

b.IT organization in Member States

An initial investment would be needed to implement the Prüm router. However, this would save costs for Member States, as only one connection would be required rather than one connection per pair of Member States and per data category. Once done, further changes to any national system would require less changes to all other national systems, as the connection would be done centrally via the Prüm router and it would absorb most necessary changes.

2.Summary of costs and benefits

The overview of costs of the preferred policy options is indicated below.

All one-off and recurrent costs are implementation costs. No regulatory charges, hassle costs, administrative costs, or indirect costs were identified and therefore are not quantified. These are all provisional estimates that would need to be confirmed, including how the costs are split between the relevant Union Agencies. As a result the confidence margin of cost estimates cannot be better than 20-25% at this early stage in a project. What is stable is how the costs of the various measures compare with each other.

As can be concluded from the above table, the one-off total costs amount to €17.1 million and recurrent costs to €4.07 million per annum.

All benefits are reduced implementation costs and are based on very cautious estimates, which for instance do not consider economies of scale in the context of the bilateral connections. The benefits include reduced costs due to the central router for the Member States. These reduced costs include a reduction of the costs for maintaining the existing bilateral connections (fingerprints and DNA). Indeed, these include a reduction of the costs due to changes to national applications when any other national database or connection is modified. Moreover, there are also reduced costs for the Member States of setting up and maintaining bilateral connections for the new categories of data: facial images and police records. The one-off benefits could be larger as some bilateral connections for fingerprints and DNA do not exist today. But as these should exist we did not take them into account. We did however consider the benefits on the maintenance costs of existing connections.

The rationale for the calculation of the reduced one-off costs was to use the one-off cost of connecting to the central router and multiplying it by the number of Member States (27) 85 times the number of new data categories (2). 86

The rationale for the calculation of the reduced recurrent costs was to use the one-off cost of connecting to the central router and multiplying it by the number of Member States (27) times the number of data categories (4). 87

As can be concluded from the above table, the one-off total benefits amount to €32.9 million (exceeding the accumulated costs of the preferred option which are 17.1 million) and recurrent benefits €12.96 million per annum (exceeding the accumulated costs of the preferred option which are €4.07 million per annum).

Taking the above into consideration, just with the savings for Member States in recurrent costs (12.96 – 4.07 = €8.89 million), the costs of setting up the preferred policy option would be compensated in two years.

·Savings for Member States in operating costs in two year time = 8.89 x 2 = €17.78 million

·Total one-off costs of the preferred policy option = €17.1 million

However, the most important benefit — the contribution to fighting crime and terrorism — is not monetized in the above calculation.

Annex 4: Evaluation of the existing policy and legislative framework

1.introduction

Purpose and scope of the evaluation

The main objective of this evaluation is to provide an understanding of whether Council Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime, 88 and Council Decision 2008/616/JHA on the implementation of Decision 2008/615/JHA 89 (hereinafter referred to as the ‘Prüm Decisions’ or the ‘Decisions’ or the ‘Prüm framework’) are still “fit-for-purpose” 13 years after their adoption in 2008. In line with the “evaluate first” principle, this evaluation supports the preparation of a new initiative to strengthen the automated exchange of data by law enforcement authorities for preventing and investigating criminal offences. 90

The Prüm Decisions aim to support and step up cross-border cooperation in matters covered by Title VI of the Treaty (now Part III, Title V, Chapters 1, 4 and 5 of the Treaty on the Functioning of the EU), namely in police and judicial cooperation in criminal matters, particularly the exchange of information between authorities responsible for the prevention and investigation of criminal offences. To this end, the Prüm legal framework contains rules in the following areas:

(a) provisions on the conditions and procedures for mutual on-line access to national databases for automated search and supply of DNA profiles, dactyloscopic data and certain national vehicle registration data. Thanks to the Prüm Decisions, law enforcement authorities in one Member State are able to search and compare DNA, fingerprints and vehicle registration data in other Member States, which helps them in their investigations.

The Prüm Decisions also cover provisions on operational police cooperation, which are not covered by this evaluation and are instead addressed in the study supporting the preparation of the forthcoming Police Cooperation Code (PCC) initiative: 91

(b) provisions on the conditions for the supply of non-personal and personal data in connection with major events with a cross-border dimension. Those provisions help Member States to exchange data for the prevention of criminal offences and in maintaining public order and security for major events with a cross-border dimension, in particular for sporting events or European Council meetings.

(c) provisions on the conditions for the supply of information in order to prevent terrorist offences. Those provisions help Member States to exchange data when there are reasons to believe that criminal offences will be committed.

(d) provisions on the conditions and procedure for stepping up cross-border police cooperation through various measures. Those provisions help Member States to set up joint operations and provide each other with mutual assistance in connection with mass gatherings, in maintaining public order and security and in preventing criminal offences.

The focus of this report is to evaluate the functioning of the automated exchange of data pursuant to the Prüm Decisions (only letter a) as indicated above) and the level of implementation and application in each EU Member State since the adoption of the instruments in 2008, according to the five evaluation criteria set out in the Commission’s Better Regulation Guidelines: 92  

1)Relevance: whether the tools provided by the Prüm Decisions for the automated exchange of data correspond to the current operational needs;

2)Effectiveness: whether the original objectives of the Prüm Decisions have been achieved as regards the automated exchange of data;

3)Efficiency: assessing the functioning of the Prüm Decisions as regards the automated exchange of data from a simplification and burden reduction perspective;

4)Coherence: examining how the Prüm Decisions work together with other relevant EU instruments in the field of data exchange; 93 and

5)EU added value of the Prüm Decisions as regards the automated exchange of data.

This evaluation has been carried out against the background of considerable developments and changes in terms of EU legal framework, operational needs, technical and forensic possibilities, and data protection requirements that have materialized since 2008. It aims at identifying best practices and possible key problems and obstacles that hamper the effective use of the Prüm Decisions.

The scope of the evaluation is the following:

·Material scope: the evaluation covers the current state of implementation of the Prüm Decisions and their functioning to the extent that they establish a decentralised system for the automated exchange of DNA, dactyloscopic data and vehicle registration data.

·Geographical scope: the evaluation covers all EU Member States and participating third countries. 94 Since the United Kingdom left the European Union as of 1 February 2020 and the reference period for this evaluation is 2011-2020, this evaluation includes information on the United Kingdom.

·Temporal scope: the reference period for this evaluation runs from 2011 (implementation deadline for Chapter 2 of Council Decision 2008/615/JHA and Decision 2008/616/JHA) to 2020.

The implementation of the Prüm Decisions has been discussed in various fora over the past years, namely in the Commission report of 2012 on the implementation of the Prüm Decisions, 95 regular discussions in the Council Working Party DAPIX/IXIM, 96  several implementation projects at EU level such as the ‘Mobile Competence Team’ (MCT) project or establishment of a ‘Prüm helpdesk’ by Europol, 97 discussions in the High Level Expert Group on Information Systems and Interoperability, 98 the reports of four focus groups composed of Member States experts, 99 and the Commission study on the feasibility of improving information exchange under the Prüm Decisions. 100 This has allowed the establishment of a solid understanding of the benefits and of the difficulties and shortcomings encountered by law enforcement authorities when using the Prüm Decisions, pointing at a need to revise the EU legal framework. Moreover, the data protection framework has changed considerably. For that reason, it was decided to conduct the evaluation in parallel to the impact assessment (“back-to-back”).

This evaluation assists in determining the level of EU intervention necessary for the efficient and effective exchange of data between law enforcement authorities when fighting crime and terrorism. The findings of this evaluation serve as one relevant input to the impact assessment.

2.Background to the intervention

2.1.The context of the intervention

The Prüm Decisions (henceforth the 'Decisions') built on the Prüm Treaty (or Prüm Convention) on stepping up cross-border cooperation in combating terrorism, cross-border crime and illegal migration, 101 which was concluded by seven EU Member States in 2005, outside of the scope of the European Union legal framework. The Prüm Treaty left participation in such cooperation open to all other EU Member States and sought, as provided for by its article 1(4), to have its provisions brought within the legal framework of the Union three years after its entry into force. While a number of EU Member States acceded to the Prüm Treaty by 2008, not all Member States became contracting parties. 102 With the adoption of the Prüm Decisions by the Council in 2008, the substance of the provisions of the Prüm Treaty was incorporated into the legal framework of the European Union. 103  

The Prüm Treaty aimed to improve data exchange between the contracting parties’ law enforcement authorities, in particular for the search and comparison of DNA, fingerprints and vehicle registration data, by means of direct online access to the databases of the State storing those data. When a law enforcement authority of a contracting party searches DNA or fingerprints data in another contracting party’s databases, the reply received is a “hit” or a “no hit”, depending on whether there is a match with data in the databases searched or not. This first step is based on reference data only, which does not contain any data from which the data subject can be directly identified. In case of a hit, the investigative authority may ask the State holding the data, in a second step, for further corresponding personal information. The supply of such follow-up information is governed by national law and national legal assistance of the supplying State.

The Prüm Treaty was drafted in line with the Hague Programme on strengthening freedom, security and justice in the European Union, 104 a multi-annual programme adopted by the European Council in 2005, which focused in particular on the improvement of police and judicial cooperation to fight organised cross-border crime and to repress the threat of terrorism. The Hague Programme emphasized the importance of the exchange of information as an operational prerequisite for internal security, and highlighted that such exchange of information should be governed by the principle of availability. 105 In the Hague Programme, the European Council underlined the need for an innovative approach to the cross-border exchange of law enforcement information to strengthen freedom, security and justice. Subsequently, the Council and Commission Action Plan implementing the Hague Programme 106 announced the implementation of the principle of availability in the areas of DNA, fingerprints, ballistics, telephone numbers, vehicle registrations and civil registers. Finally, the Hague programme and the principle of availability were referred to explicitly in the preamble of Council Decision 2008/615/JHA.

In emphasizing the need for an innovative approach, the Hague Programme took into consideration the 2004 Communication from the Commission towards enhancing access to information by law enforcement agencies, which stated that “[a]t present, law enforcement authorities can search databases that are nationally accessible. However, accessing information held by law enforcement services from other Member States poses challenges that amount to making them inaccessible in practice.” 107

Another relevant instrument in the field of law enforcement cooperation with regard to the principle of availability is Council Framework Decision 2006/960/JHA of 18 December 2006 (also known as the Swedish Framework Decision (‘SFD’) or the Swedish Initiative), 108 which aims at simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union and of the Schengen associated countries. At the moment of its adoption in 2006, it described the situation as follows: “[c]urrently, effective and expeditious exchange of information and intelligence between law enforcement authorities is seriously hampered by formal procedures, administrative structures and legal obstacles laid down in Member States' legislation; such a state of affairs is unacceptable to the citizens of the European Union and it therefore calls for greater security and more efficient law enforcement while protecting human rights.” 109 To mitigate that situation and in developing the Schengen acquis, the Framework Decision aimed at simplifying the exchange of information and intelligence between law enforcement authorities of the Member States and of the Schengen associated countries. In implementing the principle of availability, it laid down the rules regarding time limits and standard forms for the exchange, on prior request or spontaneously, of information and/or intelligence, i.e.:

–    any type of information or data which is held by law enforcement authorities; and

–    any type of information or data which is held by public authorities or by private entities and which is available to law enforcement authorities without the taking of coercive measures. 110

Figure 1: Timeline of the context of the Prüm Decisions

Table 1 Main characteristics of legal instruments in the context of the Prüm Decisions

The proposal for the Prüm Decisions was put forward at the initiative of Belgium, Bulgaria, Germany, Spain, France, Luxembourg, the Netherlands, Austria, Slovenia, Slovakia, Italy, Finland, Portugal, Romania and Sweden, entitled to do so by the right of initiative shared between the Commission and the Member States under the third pillar of the Treaty on European Union. This led to the adoption of the Prüm Decisions in 2008. The rather broad scope of the Prüm Treaty was reduced as its incorporation into Union law focused on the substance of the Prüm Treaty referring to data exchange, data protection and police cooperation. Provisions on cooperation on illegal immigration were not incorporated into the Prüm Decisions.

2.2.The intervention logic of the Prüm Decisions

The adoption of the Prüm Decisions was not based on a prior impact assessment. There was also no prior evaluation of the application of the Prüm Treaty. Therefore, the intervention logic set out below is based on the adopted legal texts of the Prüm Decisions and the operational and legal circumstances at the time of their adoption in 2008.

The starting point for the negotiations of the Prüm regime was the need for a fast, efficient and cost-effective means of law enforcement information exchange to combat terrorism and crime. Plurality of national administrative, legal and judicial systems, lack of common standards and procedures resulted in difficulties in law enforcement information exchange. At the same time, access to the right information in a timely and efficient manner is key in any criminal investigation, and even more so in the area of free movement of goods, services and persons.

The intervention logic therefore identified as a general, strategic objective the streamlining of police cross-border cooperation and, to that end, brought it in line with state-of-the-art communication technologies. The focus was set on measures enhancing the collection, storage, processing, analysis and exchange of law enforcement information based on the principle of availability. Member States agreed to follow an innovative approach in this area aiming at:

·establishing a mesh network of Member States' national databases with mutual access rights. This preference for a decentralised structure was based on the understanding that no new centralised European database should be created unless their added value has been duly proven; 114 and

·defining specific measures both with regard to security and protection of personal data and with regard to the data subjects' rights, in order to respect fundamental freedoms and due to the lack of a Union legal basis regarding the protection of personal data processed by law enforcement authorities. 115  

To achieve the ambitious objectives and to frame this cooperation, the legislator foresaw:

·national databases for DNA and dactyloscopic data files to be established and kept for the investigation of criminal offences, and for certain vehicle registration data, for the purpose of search and comparison of these data;

·mutual cross-border access rights to these databases; and

·rules on accountability and appropriate guarantees and safeguards for the joint use of such data, in particular with regard to both security and protection of personal data.

Accordingly, Decision 2008/615/JHA

·lays down general rules on the conditions and the procedure for the automated transfer of DNA profiles, dactyloscopic data and certain national vehicle registration data (chapter 2), and

·defines the general framework on data protection for the processing of personal data in line with the purposes of the Decision (chapter 6),

while Decision 2008/616/JHA

·provides in particular for the necessary measures for the implementation of the provisions of chapter 2 of Decision 2008/615/JHA, which were to be based on the Implementing Agreement of 5 December 2006 concerning the administrative and technical implementation and application of the Prüm Treaty;

·establishes the common normative provisions for the administrative and technical specifications necessary for implementing the envisaged data exchange pursuant to chapter 2 of Decision 2008/615/JHA; and

·sets out the technical implementing provisions in its Annex, in particular the evaluation procedure to be followed as a prerequisite before the launch of the automated exchange of each data category can be initiated.

As a consequence, Member States had to provide for appropriate national legislation to comply with the provisions of the Decisions. They had to establish, if not already established before or under the Prüm Treaty, national databases and national contact points (NCPs) for the search and comparison and for the supply of data respectively. NCPs were to be designated for incoming and outgoing requests relating to information exchange in each data category. For the automated exchange of DNA, fingerprint data and VRD, the Trans European Services for Telematics between Administrations (TESTA II) communications network was chosen and Member States were to ensure the automated searching or comparison of those data 24 hours a day and seven days a week. For the exchange of VRD, it was decided to make use of the European Vehicle and Driving Licence Information System (EUCARIS), a system established for the exchange of data on vehicle registration, driving licences and the accompanying personal data, connecting national registration authorities. A specific application was developed within this system, for the exchange of VRD under the Prüm Decisions. 116

The facilitation of the cross-border data exchange under the Prüm Decisions was expected to speed up the existing procedures enabling a Member State to find out whether any other Member State, and if so, which, has the information it needs, and to open up a new dimension in crime fighting by cross-border data comparison. 117  Cooperation between law enforcement authorities would grow together with increased trust in evidence received from other Member States due to the use of common forensic standards. Finally, the technical and procedural set-up of the system guarantees the respect of fundamental rights, in particular the right to respect for privacy and to protection of personal data.

2.3.Evolution of the context

Considerable developments and changes in terms of the EU legal framework, operational needs, technical and forensic possibilities, 118 and data protection requirements have materialized since 2008.

Figure 2: Timeline of the evolution of the context of the Prüm Decisions

The Justice and Home Affairs (JHA) information exchange legal framework has undergone significant change over the past 13 years, with the strengthening and the maximisation of the benefits of existing information systems and the establishment of new information systems. Indeed, on the one hand, in November 2018, the further reinforcement of the existing Schengen Information System (SIS) 119 improved the sharing of information between Member States by introducing new types of alerts and the use of biometrics. It also enhanced the use of SIS in the context of counter-terrorism, vulnerable people and irregular migration, and the access to SIS for EU agencies. Additionally, negotiations are ongoing on the revised legal basis for the EU asylum fingerprint database (Eurodac) 120 and for the Visa Information System (VIS), 121 including law enforcement access to these systems.

On the other hand, additional information systems have been established to address identified gaps in the EU’s data management architecture: the Entry/Exit System (EES) 122 and the European Travel Information and Authorisation System (ETIAS) 123 to strengthen security checks on visa-free travellers by enabling advance irregular migration and security vetting. The European Criminal Record Information System for third-country nationals (ECRIS-TCN) 124 is under development to address the identified gap in the exchange of information between Member States on convicted non-EU nationals.

In June 2016, the Commission set up a high-level expert group on information systems and interoperability in order to elaborate on the legal, technical and operational aspects of options to achieve interoperability between EU information systems for borders, migration and security. 125  The high-level expert group identified shortcomings and potential information gaps caused by the complexity and fragmentation of information systems, and made a number of recommendations to address these. This work resulted in the adoption of the Interoperability Regulations establishing a framework for interoperability between EU information systems in the area of justice and home affairs. 126 Easier information sharing will considerably improve security in the EU, allow for more efficient checks at external borders, improve detection of multiple identities and help prevent and combat illegal migration while safeguarding fundamental rights.

These developments have widened law enforcement access to data in the EU central systems in the area of Justice and Home Affairs, have enhanced the use of biometrics for the purpose of identification and verification of identity and have changed the roles of the EU bodies acting in the JHA area. These developments need to be taken into account when evaluating the fitness of the Prüm Decisions in the current law enforcement information management landscape.

The architecture of Justice and Home Affairs (JHA) cooperation also changed considerably with the adoption of the Treaty of Lisbon, which not only formally abolished the Pillar structure, but also transferred the supervision of compliance with and implementation of EU law on police and judicial cooperation in criminal matters from Member States’ domestic authorities to the European Parliament, the Commission and the European Court of Justice (CJEU). 127 This shift implied transnational legal, judicial and democratic accountability of national laws and practices meant to implement EU law, and, in particular, of the extent to which EU legislation is timely and duly observed by national authorities.

However, while paving the way for that shift, the Lisbon Treaty introduced transitional provisions. They limited for a period of five years (1 December 2009 to 1 December 2014) the enforcement powers of the Commission and the CJEU’s scrutiny over legislative measures adopted before the entry into force of the Lisbon Treaty under the then 'third pillar' (Title VI of the former version of the Treaty on the European Union). Furthermore, Article 10(1) to (3) of Protocol 39 on Transitional Provisions stated that the legal effects of pre-Lisbon ‘common positions’, ‘framework decisions’ and ‘decisions’ as defined in Article 34 of the former TEU would be preserved until such acts are amended or replaced (or, indeed, repealed or annulled).

It follows from this and from the judgement of the CJEU of 22 September 2016 that the provisions of the Prüm Decisions would stay in force as adopted in 2008. 128 In this same judgment, the Court refused the attribution of co-decision powers to the European Parliament in the evaluation procedure to be followed by Member States before they can start exchanging data (see below, Section 2.4). The European Parliament is, however, to be consulted before the decision on the launch of automated data exchange in a Member State is taken by the Council. 129

Considerable developments of the EU data protection framework have materialized since 2008, with the adoption of the General Data Protection Regulation (‘GDPR’) 130 and of the Law Enforcement Directive (‘LED’) 131 in 2016. Only the LED is relevant in this context as competent law enforcement authorities under the Prüm framework process and transfer natural persons’ sensitive personal data (e.g. biometric data) for the prevention, investigation, detection or prosecution of criminal offences. In the absence of an EU data protection legal framework at the adoption of the Prüm Decisions, specific provisions were included in the Decisions. According to these provisions, Member States were to guarantee, in their national law and as regards the processing of personal data supplied pursuant to the Prüm Decisions, a level of protection that is at least equal to that resulting from the Council of Europe Convention taken as a reference in the Prüm Decisions. 132 As set out in the June 2020 Communication on the way forward on aligning the former third pillar acquis with the data protection rules, there is a need to ensure that a revised Prüm legislation is fully aligned with the Law Enforcement Directive, especially as regards the data protection safeguards. 133

2.4.Key elements of the automated exchange of data in the Prüm Decisions

The core of the Prüm Decisions lies in the automated exchange of three categories of data: DNA, dactyloscopic data (‘fingerprints’) and vehicle registration data. For that purpose, each Member State has to grant the other Member States access to its national databases so that each Member State can check its reference data against the reference data in other Member States’ databases. The reference data does not contain any data from which the data subject can be directly identified.

When Member States search DNA or dactyloscopic data in other Member States’ databases, the reply they receive is a “hit”- or a “no hit”-message, depending on whether there is a match with reference data in the databases searched or not. When the comparison results in a “hit”, the searching Member State receives an automated message specifying only the reference data of the corresponding profiles in the respective databases. A forensic expert of the requesting Member State then verifies whether the match is sufficiently relevant and reliable, and reports it to the relevant law enforcement or judicial authority (depending on the national administrative and legal system). Only after this forensic verification has taken place can further personal and case-related data corresponding to the hit be requested. This request and the subsequent exchange of follow-up data is not governed by the Prüm Decisions, but by the national law, including the legal assistance rules, of the requested Member States.

For vehicle registration data, the search needs to be conducted with a full chassis number or a full licence plate number. Should data searched for relating to the owner/operator or to the vehicle be available in the consulted databases, the data are provided immediately, without a request for further personal or case-related data having to be introduced separately in a second step.

Before a Member State can start exchanging data, it needs to undergo an evaluation procedure in accordance with article 25 of Decision 2008/615/JHA and article 20 of Decision 2008/616/JHA. 134 This procedure aims to verify whether the Member State concerned has implemented the general provisions on data protection (Chapter 6 of Decision 2008/615/JHA) into its national law. It is up to the Council to decide whether this implementation condition has been met and subsequently to authorise the launch of the automated exchange of data pursuant to the Prüm Decisions by the Member State concerned. 135

Once a Member State has taken the necessary measures to comply with the Decisions and believes it fulfils the prerequisites for sharing data, it notifies the General Secretariat of the Council and the Commission thereof and submits the declarations foreseen and the replies to the questionnaires on data protection and on the data category concerned by the evaluation to the relevant Council Working Party. 136 Upon endorsement of these replies, a pilot run and an evaluation visit related to the data category in question is carried out by experts from supporting Member States, which are already operational and sharing data. A report on the outcome of the evaluation visit is to be produced by the evaluation team while consulting the Member State concerned and to be endorsed by the relevant Council Working Party.

On that basis, the Council proceeds to the adoption of Council Conclusions on the fulfilment of data protection requirements, and subsequently to the adoption of the Council Implementing Decision on the launch of automated exchange of the respective data for the Member State concerned. The Council Implementing Decision, which specifies the date from which the Member State concerned can start exchanging data, is adopted by the Council after having consulted the European Parliament.

Once the evaluation procedure is complete and the Member State concerned has been authorised to exchange data in the relevant category pursuant to article 25(2) and, in particular, article 33 of Decision 615/2008/JHA, it can set up the required bilateral connections for DNA and fingerprints, and start cooperating with already operational Member States.

The situation with regard to vehicle registration data exchange is slightly different. Indeed, once the Member State has undergone the required evaluation with respect to VRD and has been duly authorised by the Council, it connects to the EUCARIS application and is thereby automatically connected to all other operational Member States. Member States do not need to establish bilateral connections separately with each other.

2.5.Automated searching and comparison of DNA data

To assess the likelihood of the involvement of a suspect in a crime, forensic scientists compare DNA found at a crime scene to DNA reference samples taken from this suspect and analysed to establish the individual's DNA profile. If there is no match, the suspect may be ruled out. If, however, there is a match, further information may be requested.

DNA profiling in the criminal justice system started in 1986. Since then, thanks to forensic and technical developments, highly accurate testing procedures have been developed. DNA profiling has a high level of accuracy and can provide strong evidence when linking or exonerating a suspect to or from a crime. However, DNA profiling, despite being very accurate, remains only one element in the overall investigation.

In order to build up the Prüm network for DNA data exchange, Member States first had to establish and to keep national DNA analysis files for the investigation of criminal offences. Secondly, Member States had to make available data from their databases as reference data for automated search and comparison within the Prüm framework. Finally, Member States granted each other direct cross-border access to each other’s national DNA analysis files for the purpose of investigating criminal offences in individual cases. 137 Dedicated national contact points act as agencies competent for sending and receiving requests relating to information exchange.

The DNA search and comparison under the Prüm Decisions is done on the basis of, according to the Prüm terminology, ‘anonymous profiles’, i.e. on the basis of reference data from the national DNA analysis files. This reference data does not allow the direct identification of the data subject. Two types of profiles are to be distinguished: the ‘reference DNA profile’, which refers to an identified person, and the ‘unidentified DNA profile’, which refers to traces found on a crime scene and not yet attributed to a known person.

‘Full matches’ or ‘near matches’ are defined in detail in the Prüm Decisions. 138 In case a search is performed under the Prüm framework, both instances of full or near matches and ‘no hits’ are reported in an automated way to the requesting and to the requested national contact point.

In case of a match between supplied data and data stored in the searched file, the searching Member State receives the reference data with which the match has been found and no data immediately revealing the data subject. Once the match has been confirmed by the requesting Member State according to the rules of the Prüm Decisions, this Member State may request further personal data and other information relating to the reference data that is the subject of the match. The exchange of this follow-up data is conducted outside the scope of the Prüm Decisions, subject to the national rules of the requested Member State. Annual Figures on the dimension of national DNA databases and sent DNA profiles as well as on national match statistics are compiled on the basis of a model agreed upon by the relevant Council Working Party. The General Secretariat of the Council produces an annual summary overview on the basis of these statistics submitted by the Member States. 139

2.6.Automated searching and comparison of dactyloscopic data

Fingerprints provide the police with physical evidence that links suspects to evidence or crime scenes. Dactyloscopic analysis is based on the principle that each individual has distinguishing biometric features, in this case fingerprints, which are recognizable and verifiable. Computer processing of fingerprints began in the early 1960s with the introduction of computer hardware that could reasonably process these prints. Since then, the introduction of Automated Fingerprint Identification Systems (AFIS) replacing laborious and time-consuming manual processing of fingerprints by automated processing has remarkably improved crime solving performance. These systems process and store digitised fingerprint images (reference data) and enable the comparison of this reference data to crime scene traces.

In order to build up the Prüm network, Member States had to establish national automated fingerprint identification systems for the prevention and investigation of criminal offences and make their reference data available for automated search and comparison across borders. Dedicated national contact points act as agencies competent for sending and receiving requests relating to information exchange.

Dactyloscopic search and comparison under the Prüm Decisions is done on the basis of, according to the Prüm technology, ‘anonymous profiles’, i.e. on the basis of reference data from the national AFIS. This reference data does not allow to identify directly the data subject. Two types of profiles are to be distinguished: tenprints and latents. While the former refer to fingerprints taken from a known individual under well-defined technical conditions, the latter are recovered from a crime scene or physical evidence and not yet attributed to a known person. Latents are often only partial or highly fragmented and therefore less reliable. In case of a search with a latent in other Member States’ AFIS, several potential matches might be retrieved, which require further analysis and interpretation by forensic experts to verify the reliability of these matches. The confirmation of a potential match and the request for further personal data in a second step take place in the same way as with DNA (see above).

In order to allow for the calibration of the national AFIS connected with each other in the Prüm network, Member States define in line with the principle of reciprocity maximum daily search capacities. The search capacities for data of identified persons and for data of not yet identified persons are set out in the Manual kept up to date by the General Secretariat of the Council. Figures on outgoing requests and verified hits are compiled in accordance with a model agreed upon by the relevant Council Working Party. The General Secretariat of the Council produces an annual summary overview on the basis of these statistics submitted by the Member States. 140

2.7.Automated searching of vehicle registration data

Access to vehicle registration data under the Prüm Decisions should provide law enforcement authorities with useful information in three different scenarios:

·in the prevention and investigation of criminal offences;

·in dealing with other offences coming within the jurisdiction of the courts of the public prosecution service in the searching Member States; and

·in maintaining public security.

For these purposes, Member States grant each other on-line access to a specified set of national vehicle registration data, which may be consulted across the border: data relating to the owners or operators and data relating to vehicles. Such automated searching is to be carried out in compliance with the searching Member State's national law and is restricted to individual cases, that is to a single investigation or prosecution file. The search can be launched either with the chassis number (vehicle identification number) or with the licence plate. While in the former case, the search can be carried out in one or all of the participating Member States, in the latter case, the search can only be performed in one participating Member State.

To carry out such searches, Member States use a dedicated version of the European Vehicle and Driving License Information System (EUCARIS) software application, and where necessary, amended versions of that software. The application connects all participating Member States in a mesh network where each Member State communicates directly to another Member State. There is no central component needed for the communication to be established. 141  Dedicated national contact points act as agencies competent for sending and receiving requests relating to the exchange of VRD.

An overview of the license plates/vehicle types for which the Member State will make VRD available in the framework of Council Decision 2008/615/JHA is set out in the manual, comprising factual information provided for the Member States, prepared and kept up to date by the General Secretariat of the Council. 142  Annual statistics on VRD searches are prepared by the EUCARIS secretariat, referring to the total annual amount of EUCARIS/Prüm inquiries and responses. They are set out in the annual summary overview produced by the General Secretariat of the Council. 143

3.Implementation / state of Play

3.1.     Baseline and points of comparison

The information available on the baseline situation prior to the adoption of the Prüm Decisions and to the conclusion of the Prüm Treaty is very limited and no quantitative data that could provide a point of comparison was identified. There are no statistics available on the pre-Prüm regime cross-border data exchange between Member States at EU level. Therefore, this evaluation focused on descriptions of the pre-Prüm situation, as set out in a report to the JHA Council of 1/2 December 2005, 144 using qualitative data where possible. At the time of drafting this report:

·The majority of Member States had DNA databases with the capability to compare DNA profiles from other Member State with the profiles contained in their own databases. However, much international data exchange continued to take place within the EU via the classic “police-to-police” approach of indirect access to information upon request or through using mutual legal assistance (MLA) channels. Various channels of communication for such indirect exchanges existed, including via the national Interpol, Europol or SIRENE national units or bureaux, or via the bilateral liaison officers network. Procedures in place for exchanging DNA data were deemed to be time consuming and resource intensive;

·Fingerprints were exchanged on a regular basis upon request between Member States, mostly via the Interpol National Central Bureaux, though in certain Member States mutual legal assistance was required. Law enforcement authorities also noted that the procedures for exchanging fingerprint data could be time consuming, subject to error and resource intensive;

·VRD was exchanged between Member States via three principal channels. First, through informal, reciprocal, arrangements which existed between registration authorities. Second, through ad hoc requests transmitted via existing law enforcement communication channels such as via the Interpol, Europol or Sirene bureaux. Third, through the EUCARIS platform which, however, at that time had not yet been formally established.

At the time of the adoption of the Prüm Decisions, the cross-border exchange of information between police authorities was governed, on the one hand, at central level by the Schengen acquis and the use of the Schengen Information System and, on the other hand, at decentralised level by intergovernmental bilateral and multilateral agreements.

At political level, the European Council set forth, in the Hague Programme of November 2004, its conviction that an innovative approach to the cross-border exchange of law enforcement information was needed. In line with the requirements of the Hague Programme, the Prüm Treaty was concluded between a small number of EU Member States.

As examined in Section 2.1, the Swedish Framework Decision described at the moment of its adoption in 2006 the situation of cross-border law enforcement cooperation as follows (recital 6): “[c]urrently, effective and expeditious exchange of information and intelligence between law enforcement authorities is seriously hampered by formal procedures, administrative structures and legal obstacles laid down in Member States' legislation; such a state of affairs is unacceptable to the citizens of the European Union and it therefore calls for greater security and more efficient law enforcement while protecting human rights.” The SFD has a wide scope and broadly covers the exchange of information between law enforcement authorities while the automated Prüm exchange process for certain data categories (DNA, dactyloscopic data and VRD) is deemed in this context to be a sub-set of information exchange.

In order to meet the substantive requirements of the Hague Programme and to make applicable the substance of the essential parts of the Prüm Treaty to all Member States, its relevant parts with regard to police cooperation were brought into the EU legal framework by the adoption, on 23 June 2008, of the Prüm Decisions.

3.2.Description of the current situation and state of play of implementation of the Prüm Decisions

The Decisions were adopted on 23 June 2008, and entered into force on 26 August 2008. Member States were given until 26 August 2011 to implement Chapter 2 of Decision 2008/615/JHA and the relevant provisions of Decision 2008/616/JHA into national law. 145 An overview on the state of play of the general implementation and in particular, of the degree of bilateral connectivity is set out in the Manual kept by the GSC. 146

According to article 36(4) of Decision 2008/615/JHA, the Commission was to submit a report to the Council by 28 July 2012 on the implementation of Decision 2008/615/JHA. In the 2012 Report on the Implementation of Council Decision 2008/615/JHA (hereinafter the ‘2012 Report’), 147 the Commission noted considerable delays in the implementation process. On 31 October 2012, the state of play of the implementation was as follows:

·DNA:        18 Member States were operational

·Fingerprints:    14 Member States were operational

·VRD:        13 Member States were operational

In order to support the implementation of the Prüm Decisions, the Commission has made funding available through the Prevention of and Fight against Crime programme (ISEC) and the Internal Security Fund-Police. 148 Besides funding, several initiatives (e.g. the Mobile Competence Team (MCT) and the Prüm helpdesk at Europol) were also put in place to support Member States in their efforts. A number of operational Member States with considerable experience in running the Prüm instrument could be consulted for advice.

According to the 2012 report, the main reasons for implementation delays were technical in nature and caused by a lack of human and financial resources in the Member States. The 2012 report also stated that bearing in mind the indicated technical problems and scarce resources, it was surprising that non-operational Member States had been reluctant to request support from the assistance tools put in place. Indeed, in reply to a questionnaire circulated to Member States in the context of the preparation of the final report of the Study on the Feasibility of Improving Information Exchange under the Prüm Decisions, only 3 Member States reported that their implementation process had been supported by a MCT or the Europol helpdesk. The report concluded that “given the various possibilities to obtain support and the long period of time that has elapsed since the adoption of the two Prüm Decisions, it is hard to see any reasons which could justify lack of implementation. What is needed above all seems to be political will and appropriate prioritisation to overcome barriers at national level.”

The Commission repeatedly invited the Member States to take necessary action (e.g. in the 2012 report, in the European Information Exchange Model (EIXM) communication 149 and in the 2015 European Agenda on Security) 150 to complete the implementation of the Prüm Decisions.

Decision 2008/616/JHA only outlined the evaluation procedure and called upon the relevant Council Working Party to define the details. That evaluation procedure was only set out in 2010 with the final approval of the data exchange questionnaires, the reply to which serves as a pre-requisite for any evaluation of a Member State's legal and technical readiness to start Prüm data exchange. Additionally, the peer-to-peer evaluation procedure itself requests a lot of coordination between numerous stakeholders as to pilot runs, evaluation visits and drafting of reports. The procedure became heavily bureaucratic, cumbersome, more time consuming than expected and turned out to be a complex issue in its own. Finally, the adoption 151 of the Council Decision up to its publication in the Official Journal to enter into force also takes time. These elements may partially explain the slow implementation of the Prüm Decisions in the EU Member States. Other elements will be analysed in Section 5 (see notably 5.2, Q5).

Therefore, the deadline 3 years after the adoption of the Decisions, probably was too ambitious for the implementation of chapter 2 of Decision 2008/615/JHA, not to mention the establishment of all bilateral connections necessary for the completion of the entire Prüm network. However, nearly ten years after the deadline for the implementation of the Decisions expired, the fact that this deadline was perhaps a bit too ambitious cannot explain why some Member States have still not completed the implementation.

Following the expiry of the transitional period under Article 10(3) of Protocol 36 to the Treaties ceasing five years after entry into force of the Treaty of Lisbon, i.e. on 1 December 2014, the limitations to the judicial control by the Court of Justice of the EU and to the Commission's enforcement powers regarding former third pillar instruments which have not been repealed, annulled or amended after the entry into force of the Lisbon Treaty, have been lifted. Since that date, the Commission can, under Article 258 TFEU, monitor the complete and correct transposition and implementation of these instruments. This includes the possibility of launching infringement proceedings where appropriate. Using these new possibilities, on 29 September 2016 the European Commission addressed letters of formal notice to Croatia, Greece, Ireland, Italy and Portugal for failing to comply with the Prüm Decisions. These Member States had not yet ensured automated data exchanges in at least two of the three data categories of DNA, fingerprints and national vehicle registration data. As of December 2020, two of these infringement cases were still open, against Italy and Greece.

In addition to the launch of infringement proceedings, the Commission organised a workshop, which took place on 19 January 2017 with Member States on the implementation of the Prüm Decisions, designed primarily for the benefit of practitioners to allow them to learn from one another and build even stronger cooperation. 152 Experienced, operational Member States shared their experiences of using the system, including what lessons they have learned and how they have addressed various challenges that they faced over the years. Member States concurred in highlighting the benefits that they have obtained by using Prüm – with large numbers of ‘matches’ providing assistance in criminal investigations.

By 16 April 2021, the state of play of the implementation of the Prüm Decisions was the following: 153

·26 Member States and the United Kingdom 154 had been authorised by the Council to exchange DNA profiles; 155

·26 Member States and the United Kingdom had been authorised by the Council to exchange dactyloscopic data; 156

·25 Member States had been authorised by the Council to exchange vehicle registration data. 157

However, it has to be noted that in the case of DNA and fingerprints, the number of Member States authorised to start exchanging data under the Prüm Decisions does not show if the Member State actually exchanges data with other Member States. Indeed, the formal authorisation to start exchanging data granted by the Council (as explained above, see Section 2.4) means that the Member State in question has successfully passed the evaluation procedure and is therefore operational for the data category in question. It does not, however, mean that it is exchanging data (DNA or fingerprints) as this Member State needs to establish bilateral connections with each other Member State before it can actually start exchanging DNA or fingerprint data. For VRD, as examined above, the situation is slightly different as the Member State connects to the EUCARIS application and is thereby automatically connected to all other Member States, without having to establish bilateral connections.

As of 16 April 2021, 26 Member States (+ UK) had been authorised to exchange DNA or fingerprint data, and 25 Member States had been authorised to exchange VRD. 158 However, some Member States had not established any bilateral connections (i.e. are not exchanging any DNA or fingerprints) despite the fact that by the respective Council Implementing Decisions they have been authorised to do so. 159 Indeed, full implementation of the Prüm automated data exchange system requires that all of the 378 possible connections in the respective data categories have been established between Member States (+ the UK). As 16 April 2021, of all possible bilateral connections between Member States (and the UK), 72 % had been established in the case of DNA, 71 % in the case of fingerprints, and 88,4 % in the case of VRD. 160  

Table 2 Evolution of the number of Member States authorised to exchange data

The below tables 161 visualize the degree of connectivity in each data category. A grey box shows that a bilateral connection exists, a white box that it still needs to be established.