EUR-Lex Access to European Union law
This document is an excerpt from the EUR-Lex website
Document 52012DC0012
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS based on Article 29 (2) of the Council Framework Decision of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS based on Article 29 (2) of the Council Framework Decision of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS based on Article 29 (2) of the Council Framework Decision of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters
/* COM/2012/012 final */
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS based on Article 29 (2) of the Council Framework Decision of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters /* COM/2012/012 final */
REPORT FROM THE COMMISSION TO THE
EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE
AND THE COMMITTEE OF THE REGIONS based on Article 29 (2) of the Council
Framework Decision of 27 November 2008 on the protection of personal data
processed in the framework of police and judicial cooperation in criminal
matters
1.
INTRODUCTION
1.1.
Background
Council Framework Decision 2008/977/JHA of
27 November 2008[1]
(hereafter ‘Framework Decision’) on the protection of personal data processed
in the framework of police and judicial cooperation in criminal matters puts in
place a general legislative framework for data protection on police and
judicial cooperation in criminal matters. It entered into force on 19 January
2009[2]. The Framework Decision was necessary as at
that time there was no general instrument at European level covering data
processing in the areas of police and judicial cooperation in criminal matters[3]. Article 3 of Directive
95/46/EC on the protection of personal data and on the free movement of such
data states that it does not apply ‘to the processing of personal data in the
course of an activity which falls outside the scope of Community law, such as
those provided for by Title VI of the Treaty on European Union, nor, in any
case, to processing operations concerning public security, defence, state
security or the activities of the State in areas of criminal law’. The purpose of the Framework Decision is to
provide at EU level a high level of protection of the fundamental rights and freedoms
of natural persons when processing personal data in the framework of police and
judicial cooperation in criminal matters. At the same time, a high level of
public safety should be guaranteed[4].
It does not preclude Member States from providing higher safeguards to protect
personal data collected or processed at national level[5]. The scope[6]
of the Framework Decision is limited to the processing of personal data for the
purpose of preventing, investigating, detecting or prosecuting criminal
offences or executing criminal penalties of data which are or have been
transmitted or made available: - between Member States, - by Member States to authorities or
information systems established on the basis of Title VI of the Treaty on
European Union (‘Police and judicial cooperation in criminal matters’); or - to the competent authorities of the
Member States by authorities or information systems established on the basis of
the Treaty on European Union or the Treaty establishing the European Community. Personal data which have been transferred
from one Member State to another one may also be transferred to third States or
international bodies, provided that certain requirements are met[7]. The Framework Decision fully applies to the
UK and Ireland, because it is a development of the Schengen acquis. The
United Kingdom and Ireland are parties to the Framework Decision in accordance
with Article 5 of the Protocol integrating the Schengen acquis into the
framework of the European Union annexed to the Treaty on European Union and to
the Treaty establishing the European Community, and Council Decisions
2000/365/EC and 2002/192/EC. As regards Iceland, Norway, Switzerland and
Liechtenstein, the Framework Decision constitutes a development of the Schengen
acquis within the meaning of the Agreement and the Protocols concluded
by either the Council of the European Union or the European Union with Iceland
and Norway, the Swiss Confederation and Liechtenstein, and Council Decisions
1999/437/EC, 2008/149/JHA and 2008/262/JHA.
1.2.
Content of Framework Decision 2008/977/JHA
The scope of the Framework Decision
does not cover domestic processing of personal data by the competent judicial
or police authorities in the Member States (Article 1 (2)). In general, the sector-specific legislative
instruments for police and judicial cooperation in criminal matters that
contain provisions on the protection of personal data and that had been adopted
prior to the date of entry into force of the Framework Decision take
precedence over the latter (Article 28). Instruments deemed to set out ‘complete
and coherent set of rules’ regarding data protection are not affected by the
Framework Decision (recital 39). Other sector-specific measures that contain
data protection rules of a more limited scope take precedence over the
Framework Decision only if these rules are more restrictive than the latter.
Otherwise the Framework Decision applies (recital 40). The Framework Decision specifies the
objectives of data protection in the framework of police and judicial activities.
It lays down rules on the lawfulness of processing personal data to ensure that
any information that might be exchanged is processed lawfully and in accordance
with the fundamental principles of data quality. It also defines the rights of data subjects
to ensure the protection of personal data without jeopardising the interests of
criminal investigations. To this end, the data subjects must be informed and must
have access to their personal data. National supervisory authorities, acting in
complete independence in exercising the functions entrusted to them, must
advise and monitor the application of the measures adopted by the Member States
to transpose the Framework Decision.
1.3.
The Commission’s obligation to report on
implementation
Under Article 29(1) of the Framework
Decision, the Member States must take measures to comply with this Decision
before 27 November 2010. According to Article 29(2), they must
transmit to the General Secretariat of the Council and to the Commission the
text of the provisions transposing into their national law the obligations
imposed on them, as well as information on the supervisory authorities referred
to in Article 25 of the Framework Decision. The Commission must prepare a report using
the information submitted by the Member States. The Council must, before 27
November 2011, assess the extent to which Member States have complied with this
Framework Decision.
1.4.
Information sources on which this report is
based
By 9 November 2011, 26 out of 27
Member States, as well as Liechtenstein, Norway, Iceland and Switzerland, had sent
the Commission information on the implementation of the Framework Decision. Of these 26 Member States, 14
Member States indicated that their legislation in force implements the
Framework Decision (Belgium, Czech Republic, Denmark, Germany, Estonia,
Ireland, Hungary, Latvia, Lithuania, Luxembourg, Austria, Slovakia, Sweden, and
United Kingdom). Germany, Ireland, Estonia and Sweden stated that they were
still investigating whether there was a need for further implementation
measures. 9 Member
States can be considered to have implemented the Framework Decision partially,
as they report that implementing legislation still needs to be adopted. 4 Member
States have either not reacted to the Commission’s request for information
(Romania) or indicated that they have not implemented the Framework Decision
(Greece, Italy[8],
Cyprus). The content of the information, particularly the level of detail,
provided by the Member States in response to the Commission questionnaire
varies. Table 1 provides an overview of replies: it mirrors Member
States’ assessment of the status of implementation of the Framework Decision.
2.
TRANSPOSITION OF THE FRAMEWORK DECISION
2.1.
Framework Decision ex-Article 34(2)(b) of the
Treaty on European Union
This Framework Decision
is based on the Treaty establishing the European Union (TEU), and in particular
Articles 30, 31(e), and Article 34(2)(b) thereof. Framework
Decisions as legal instruments can best be compared to a directive, as they are
binding upon Member States as to the result to be achieved but leave to the
national authorities the choice of form and methods. However, framework
decisions do not have direct effect[9]. On the basis of
Article 10 of the Protocol on transitional provisions concerning acts adopted
on the basis of Titles V and VI of the TEU prior to the entry into force of the
Treaty of Lisbon (No 36), annexed to the Treaties, Commission powers under
Article 258 of the TFEU are not applicable (and those of the ECJ remain
limited) in respect of ‘ex-third pillar’ acts for a transitional period of five
years from the entry into force of the Lisbon Treaty (i.e. until 1 December 2014). Below are some
details on the implementation of four key provisions of the Framework Decision
as reported by the Member States in response to the Commission’s request of 9
December 2010.
2.1.1.
Scope of national implementation measures
The Framework
Decision applies only to the processing of personal data transmitted or made
available between Member States (Article 1(2)). Processing personal data by
police and justice in criminal matters at national level does not fall within
the scope of the Framework Decision. Table 2 of the Annex provides an overview of the implementing measures in
the Member States. Most Member States referred to the general data protection
legislation as one of the implementing measures of the Framework Decision and
added a reference to applicable sectoral legislation for police, justice,
customs and tax authorities. Some Member States decided not to adopt
legislative instruments, but to implement the Decision by issuing
administrative circulars (e.g. Germany and the United Kingdom). Most Member
States indicated that general data protection legislation applies to the processing
of personal data by the police and justice both at national level and in a
cross-border context[10],
however often alongside Criminal Procedure Acts and Police (Data) Acts[11]. Thirteen
Member States (Belgium, Czech Republic, Germany, Estonia, Italy, Luxembourg,
Hungary, Malta, the Netherlands, Slovenia, Slovakia, Finland and Sweden)
referred to Criminal Procedures Acts or similar legislation. Seven Member
States (Czech Republic, Germany, Hungary, the Netherlands, Slovenia, Finland
and Sweden) reported the existence of a specific Police (Data) Act[12]. Three Member States (e.g.
Bulgaria, Portugal, Lithuania) added that they had also adopted specific
legislation to implement certain provisions of the Framework Decision not
covered by the general legislation, which only apply to cross-border processing
of personal data[13]. Three Member
States considered the limited scope of the Framework Decision as problematic.
Italy and the Netherlands reported difficulties in distinguishing in practice
between cross-border processing of data under Framework Decision 2008/977 and
processing at national level, and the related complexity for law enforcement
authorities in Member States to cope with different
processing rules for the same personal data. Poland pointed to the deficiencies
of the Framework Decision in general and, in particular, stressed their support
to the Commission's aim to establish a comprehensive framework and the
extension of general data protection rules to the area of police and judicial
cooperation in criminal matters.[14]
2.1.2.
Information of data subjects (Article 16,
recitals 26-27)
Under the
Framework Decision, Member States must ensure that their competent authorities
inform data subjects that their data are being processed or transmitted to
another Member State for the purpose of prevention, investigation, detection
and prosecution of criminal offences or the execution of criminal penalties. The
form, content, method and the exceptions (i.e. no provision or limited
provision of information) used to do so should be determined under national law.
This may take a general form, by passing a law or publishing a list of the
processing operations. If data are transferred to
another Member State, each Member State may request the other Member State not to
inform the data subject. Table 3 shows that almost all Member States indicated that they provide
data subjects with some information on the processing of their personal
data. France indicated that it does not do so. Denmark does not
grant this right either, but reported that the controller must keep a register
and inform the public. The right of
information is subject to limitations in the vast majority of Member
States. National legislation either limits this right for the purpose of preventing, investigating, detecting and prosecuting criminal offences
or provides that data processing by specific data controllers (police and/or
judiciary) is exempted from application of this right. In some cases,
limitations/exemptions are laid down without specifying for which activities. A
considerable number of Member States report such limitations for police,
military police, courts, customs and tax authorities. The Netherlands
stated that a general obligation to inform the data subject was not entirely
consistent with the nature of the work of the police and judiciary, but that
certain arrangements are in place to make sufficient provision for informing
the data subject as required on data processing by the police and judicial
authorities (i.e. laws inform about cases and conditions of data processing; the
public prosecutor informs the data subject of exercise of special investigative
powers, if the interests of the investigation permit). The Netherlands also stated
that this provision need not be implemented because Article 16(1) merely refers
to national laws of Member States. The Framework
Decision establishes data subjects’ right to information but does not contain
any details on the methods or on possible exemptions. Even if, according to the
Member States, the right to information is generally granted, implementation
varies considerably.
2.1.3.
Right of access of data subjects (Article
17)
The Framework Decision provides that a data
subject has the right to obtain, without constraint, excessive delay or
expense, either: (a) at least a confirmation from the
controller or from the national supervisory authority as to whether or not data
relating to him have been transmitted or made available and information on the
recipients or categories of recipients to whom the data have been disclosed and
communication of the data undergoing processing, or (b) at least a confirmation from the
national supervisory authority that all applicable checks have been carried out. Member States may legislate restrictions to
this right of access, in order to avoid obstructing official or legal inquiries,
investigations or procedures; prejudicing the prevention, detection,
investigation and prosecution of criminal offences or for the execution of
criminal penalties; protecting public security; protecting national security;
and protecting the data subject or the rights and freedoms of others (Article
17(2)). Any refusals by the controller to provide this information must be made
in writing (Article 17(3)). The information provided by the Member
States and compiled in Table 4 on the right to access mirrors the
situation as regards giving information to the data subject. It can be
concluded that all Member States[15]
grant some form of right of access to data subjects. This right is generally
enshrined in the country’s general data protection legislation. Many Member
States also regulate details of the access right in sector-specific legislation
(such as the Police Acts). Equally, all Member States provide for exemptions from the right
of access. The most frequently mentioned reasons for not granting the right
of access are: –
to prevent, investigate, detect and prosecute
criminal offences; –
national security, defence and public security; –
economic and financial interests of a Member
State and of the EU (including monetary, budgetary and taxation matters)[16]; –
to protect the rights and freedoms of the data
subject or other persons. Concerning the way
in which access to personal data is granted, some Member States have
addressed this issue explicitly, others have not. Some Member States indicated
that they grant data subjects the right to send a request for access to their
data directly to the competent authority (i.e. Austria, Germany, Bulgaria,
Finland, Ireland, Latvia, Malta, Netherlands, Poland, Slovakia, Sweden, United
Kingdom) while others only allow for ‘indirect’ access (Belgium, France). In
the latter case, it is the national supervisory authority instead of the data
subject that has access to all personal data related to the data subject. In
Finland and Lithuania, data subjects are given a choice. In Portugal, direct
access is the general rule, but indirect access is provided for in cases where the processing of personal data has a bearing on state security
or the prevention or investigation of crime. The situation is similar in
Luxembourg, where generally access is granted directly, but if an exemption
applies, the request for access must be addressed to the data protection
supervisory authority. The Framework
Decision contains general rules providing data subjects with the right to
access their data. It does not specify in detail what kind of information needs
to be given to the data subject. It also leaves it to Member States to decide whether
data subjects may exercise their right of access directly or whether they must
use the indirect route.
2.1.4.
National Supervisory authorities (Article
25)
Framework Decision 2008/977 recognises that the establishment in
Member States of supervisory authorities, exercising their functions with
complete independence, is ‘an essential component of the protection of personal
data processed within the framework of police and judicial cooperation between
the Member States’ (recital 33). It also states that the supervisory
authorities already established in Member States under the Directive ‘should
also be able’ to assume such responsibility (recital 34). Article 25 of Framework Decision 2008/977 mirrors an important part
of the provision on the supervisory authorities of Article 28 (paragraphs 1-4,
7) in Directive 95/46/EC concerning the powers of the authority, its obligation
to act in complete independence and the duty of professional secrecy. Each authority must be endowed with a number of powers, comprising
investigative powers (including access to data and collection of necessary
information), effective powers of intervention (such as issuing and publishing
opinions before processing operations; ordering blocking, erasure or
destruction of data; imposing a temporary or definitive ban on processing;
warning or admonishing the controller; referring the matter to national
parliaments or other political institutions) and the power to engage in legal
proceedings.
Table 5 shows that, in most cases, the
national supervisory authorities in charge of monitoring the implementation and
application of the general data protection rules are also responsible for
supervising the implementation and application of Framework Decision 2008/977. Sweden indicated
that its Data Inspection Board still needs to be designated as the competent
supervisory authority under Article 25 of the Framework Decision. Some Member
States expressly raised the issue of supervision of data processing by the
judiciary[17].
Denmark indicated that the Court Administration is responsible for supervising
data processing by the judiciary and Austria noted that the data protection supervisory
authority is not competent to decide on complaints for violation of data
protection rules by the judiciary. In Luxembourg the supervision of data
processing is generally the competence of the Data Protection Commission.
Processing activities carried out in the framework of a national provision
implementing an international convention are supervised by an authority which
is composed of the Procureur Général d’Etat or his delegate and two
members of the Data Protection Commission proposed by the latter and appointed
by the Minister.
2.1.5.
Other issues raised by Member States
Out of the 26 Member States, 20 – 8 of which did not reply at all to
this question (Belgium, Denmark, Estonia, Greece, Hungary, Luxembourg, Cyprus
and Austria) – did not report any particular problems with the Framework
Decision. .. As shown in Table 6, 6 Member States made comments on
issues of concern to them, such as the following issues: - Poland considered that the Framework
Decision contained numerous deficiencies, which should be remedied, and
expressed support for reform in order to establish a
comprehensive and coherent data protection system at EU level; - Italy and the Netherlands raised a difficulty
in distinguishing in practice between cross-border processing of data under
Framework Decision 2008/977 and processing at national level, and the related
difficulty for law enforcement authorities in Member States to cope with different processing rules for the same personal data; - Italy, the Czech Republic and the Netherlands expressed criticism
towards the rules on international transfers included in the Framework
Decision. In particular, Italy said that it was necessary to provide for an
adequate and more uniform level of data protection for data transfers to third
countries. The Netherlands considered problematic the lack of criteria in the
Framework Decision to determine the adequate level of protection of a third
country, leading to variable implementation by Member States. Finally, the
Czech Republic considered the rules on international transfers in the Framework
Decision as 'unrealistic';
- France
referred to a specific problem at national level in relation to the storage
periods of personal data transmitted to and from a third country having
different requirements in that respect; - Slovakia said it was necessary to
differentiate more between data processing by the police and by the judiciary
(court proceedings); - Both the Czech
Republic and the Netherlands indicated that it was confusing for law
enforcement to have to comply with multiple data protection rules at
international (such as the Council of Europe), EU and national level.
3.
THE WORK
AHEAD
This report takes stock of the state of
implementation and functioning of the Framework Decision on the protection of
personal data processed in the framework of police and judicial cooperation in
criminal matters. The practical
difficulties encountered by a number of Member States in distinguishing between
rules for domestic and cross-border data processing, could
be solved through a single set of rules covering data
processing both at national level and in a cross-border context. The scope and possible exemptions at EU level regarding the data
subjects’ right to information would merit further clarification. Minimum
harmonised criteria regarding data subjects’ right of access could
strengthen the rights of data subjects while also providing exemptions to allow
the police and justice to properly perform their tasks. Under Article
16 of the Treaty on the Functioning of the European Union, which enshrines the
right to the protection of personal data, there is now the possibility of
establishing a comprehensive data protection framework
ensuring both a high level of protection of individuals’ data in the area of
police and judicial cooperation in criminal matters and a smoother exchange of
personal data between Member States’ police and judicial authorities, fully
respecting the principle of subsidiarity. [1] OJ L
350, 30.12.2008, p. 60. [2] Article 30. [3] Recital 5 of Directive
95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data
and on the free movement of such data, OJ L 281, 23.11.1995, p. 31. [4] Article 1. [5] Article 1(5). [6] Article
1(2). [7] Article
13. [8] Italy informed the Commission that specific
implementing instruments have not yet been formally adopted. It refers to the
Personal Data Protection Code[8], the Criminal procedure Code and
other acts which contain provisions applicable to processing in these areas.
Other Member States take a different approach and indicate that the data
protection rules in force also apply to the processing of personal data by
Police and Justice at national level as well as to the cross-border processing
by Police and Justice in criminal matters. In addition they have informed the
Commission of additional implementing measures that are currently being prepared. [9] See Case C-105/03, Pupino,
judgment of 16.5.2005, para. 34, 43-45, 47, 61, in which the ECJ held that
national courts interpreting national laws are obliged to strive to achieve a
consistent interpretation, including framework decisions. [10] This was already the case before the adoption of the
Framework Decision (see Commission Staff Working Document, Impact Assessment,
SEC(2005) 1241 of 4.10.2005, point 5.1.2.). [11] See Table 2. [12] See Table 2. [13] See comments from the Netherlands. [14] See also the contribution of Poland (Ministry of
Interior) to the public consultation launched by the Commission end 2010 (referred
to in their reply to the questionnaire): http://ec.europa.eu/justice/news/consulting_public/0006/contributions/public_authorities/pl_min_pl.pdf. [15] This
conclusion can be drawn although some Member States did not provide
specifications (see details in Table 3). [16] This is not an exemption that
is expressly mentioned in Article 17 of Framework Decision 2008/977. It does,
however, reflect an exemption listed in Article 13(1) of Directive 95/46/EC. [17] See recital 35, last sentence,
of the Framework Decision, stating that the powers of supervisory authorities ‘should
not interfere with specific rules set out for criminal proceedings or the independence
of the judiciary’.