EUROPEAN COMMISSION
Brussels, 1.12.2021
SWD(2021) 390 final
COMMISSION STAFF WORKING DOCUMENT
Analytical Supporting Document
Accompanying the document
Proposal for a Regulation of the European Parliament and the Council concerning the establishment of a collaboration platform to support the functioning of Joint Investigation Teams and amending Regulation (EU) 2018/1726
{COM(2021) 756 final}
Table of Contents
1.
Introduction
2.
Problem definition
2.1
Unsecure and too slow exchange of evidence and information
2.2
Unsecure and ineffective tools/channels used for the communication
2.3
Difficulties concerning daily management of a JIT
3.
Legal basis, subsidiarity and added value
3.1
Legal basis
3.2
Subsidiarity
4
Objectives
5
The preferred option
5.1
Horizontal aspects
5.2
Key functions
5.3
Other functions
5.4
Access rights
6
Stakeholder views
7
Assessment of the preferred option
7.1
Effectivenes
7.2
Technical and operational feasibility
7.3
Efficiency
7.4
Impact on fundamental rights
7.5
Information control and security.
7.6
Proportionality
8
Impact monitoring
1.Introduction
Joint Investigation Teams (JITs) are teams set up for specific criminal investigations and for a limited period of time. They are set up by the competent authorities of two or more Member States and possibly non-EU countries (third countries), to carry out together criminal investigations that cross borders. A JIT can be set up, in particular, when a Member State's investigations into criminal offences require difficult and demanding investigations having links with other Member States or third countries. It can also be set up when a number of Member States are conducting investigations into criminal offences in which the circumstances of the case necessitate coordinated, concerted action in the Member States involved.
JITs can be composed of the competent authorities of the Member States as well as the competent authorities of third countries (JIT members) or the competent Union bodies, offices and agencies such as Eurojust, Europol and the European Anti-Fraud Office (OLAF) (JIT participants).
The legal basis for setting up a JIT are Article 13 of the European Union (EU) Convention on Mutual Assistance in Criminal Matters and Council Framework Decision 2002/465/JHA of 13 June 2002 on joint investigation teams. Third countries can be parties in JITs if the legal basis allow for this. For example, Article 20 of the Second Additional Protocol of the 1959 Council of Europe Convention and Article 5 of the Agreement on Mutual Legal Assistance between the European Union and the United States of America.
JITs are one of the most successful tools for cross-border investigations and prosecutions in the EU. They enable direct cooperation and communication between judicial and law enforcement authorities of several States to organise their actions and investigations to efficiently investigate cross-border cases.
It has recently become clear that the speed and efficiency of the exchange between those involved in these teams could be considerably enhanced by creating a dedicated IT platform to support their functioning.
The second evaluation report on JITs, prepared in 2018 by the Network of National Experts on Joint Investigation Teams (the JITs Network), a body established to support Member States and share best practices and experience in the area of JITs, already indicated that the JITs’ work could be improved and sped up if supported by a dedicated IT platform. The IT platform would enable those involved in JITs to securely communicate among themselves, and share information and evidence. The Digital Criminal Justice study confirmed the findings of that report and recommended creating an IT platform for JITs to ensure that JITs function more efficiently and more securely.
Following these findings, the Commission announced plans to propose legislation establishing a dedicated ‘collaboration platform to support the functioning of Joint Investigation Teams’ (the platform).
Following up on the above research, the European Commission has announced its plans to come up with a legal proposal concerning creation of a dedicated “collaboration platform to support the functioning of Joint Investigation Teams” (hereinafter “the platform”). This proposal has been announced in the Commission’s Communication on the digitalisation of justice in the EU, as part of a broader initiative to enable the secure electronic communication and exchange of information and documents between courts, national authorities, and justice and home affairs agencies. It also constitutes part of the digitalisation of justice package contained in the Commission’s work programme for 2021 under the heading ‘A New Push for European Democracy’.
This analytical document has been prepared in order to support and accompany the above-mentioned legal proposal. The data contained in this document has been mainly obtained from evaluation reports on JITs prepared by the JITs Network, the Digital Criminal Justice study and through a targeted consultation process involving various stakeholders involved in JITs.
2.Problem definition
Although JITs have proven to be a successful tool for cross-border investigations and prosecutions in the EU, practice shows that they have been facing several technical difficulties preventing them from being efficient in their daily work and from fostering their operations. The main difficulties concern secure electronic exchange of information and evidence (including large files), secure electronic communication, as well as a joint daily management of a JIT.
2.1Unsecure and too slow exchange of evidence and information
The problem
Exchange of information and evidence among those involved in JITs is of crucial importance for successful investigations. So far, the landscape for this exchange, if not done in person, is fractured as all actors rely on their systems that usually are not interoperable. There is no single system available, to which the JIT members and, when involved, the JIT participants could connect, allowing for a properly functioning electronic flow of voluminous information and evidence, e.g. content of hard drives or CD-ROMs containing documents, images and videos. The main requirements for such electronic flows are security of the exchanged data, widespread access to the electronic means of data transportation and the possibility to transfer large files (files bigger than 50 MB). Unfortunately, in the current context, judicial authorities have a major problem as regards each of the above requirements.
The problem drivers
Until now, there is no unified technical solution, which would allow judicial authorities to exchange large amounts of data in a secure and reliable manner. While some secure information exchange channels already exist (the Secure Information Exchange Network Application - SIENA - for Europol, and a secure Eurojust e-mail mechanism), judicial authorities rarely use them, either because they are not widely accessible or because they do not offer appropriate functionalities.
The effects of the problem
A direct consequence of the above problem is that national authorities involved in JITs are very often required to apply one of the following scenarios:
·to exchange information and evidence about ongoing investigations by non-secured emails (via the internet) and thus prone to interception, or hacking;
·to share the information and evidence in non-digital ways (e.g. during face to face meetings, or using registered snail post services);
·to refrain from transmitting data to the other JIT members and participants until a physical meeting takes place.
Consequently, the documents exchanged are at risk of being leaked, which could expose all national investigations associated with a given JIT. In addition, organisation of in person meetings or usage of regular postal services creates additional costs and lengthens the whole process making the JIT cooperation costly and ineffective.
2.2Unsecure and ineffective tools/channels used for the communication
The problem
A need to communicate with other members and participants of a given JIT is critical for the proper functioning of the JIT. The investigators must share information among themselves, be it through short messages, longer email-like messages and/or audio/video conferencing calls. It is not possible to manage a JIT or to coordinate its specific actions without efficient communication tool(s) guaranteeing security and confidentiality. In practical terms, for every JIT, the Member States need to agree on procedures and technological solutions to support the activities of the individual JIT. In addition, the investigators are often forced to use non-secure communication channels, such as the most popular instant messaging and video calls commercial tools or regular emails over the internet. It is mainly due to their ease to use and convenient functionalities, in particular when quick communication is compulsory during action days. It also happens very often that physical meetings are organised at Eurojust in order to coordinate work and plan next steps of the JIT.
The problem drivers
The problem derives from the fact that there is no unified tool at present that would allow various judicial authorities constituting a JIT and coming from various Member States, to efficiently and securely communicate cross-border, either through text, audio or video.
The effects of the problem
The usage of non-secure communication tools results in non-compliance with the highest security standards (e.g. to ensure that data about national criminal cases is not stored on servers of private entities, often outside of Europe) and exposes sensitive data which is prone to interception or hacking. The fact that physical coordination meetings have to be organised represents a disadvantage in terms of cost and time spent on their organisation. The whole JIT cooperation becomes more time consuming and more costly.
2.3Difficulties concerning daily management of a JIT
The problem
There are several activities concerning the daily management of a JIT, which currently cannot be carried out in a fully effective and collective manner. JIT members and participants have no common tool at hand that would allow them to plan their activities (also from a distance) with a dedicated calendar, compare their JIT related agendas, coordinate parallel activities and, where feasible, divide JIT related tasks, or collaboratively edit or machine translate relevant documents. Especially where third countries come into play and the exchange of larger files is needed, those involved in JITs face technical challenges. The lack of traceability of evidence might pose difficulties as well. The above issues concern both the operational and post operational phases of a JIT as well as various administrative processes that accompany them.
The problem drivers
The above problems are caused by the lack of a standard technical means, which could be used by all JIT members and participants, including third countries, in order to manage the daily activities of a JIT. These activities require a unified tool allowing all stakeholders involved in a given JIT to cooperate in a collaborative manner. Some of the Member States use various national tools. However, due to the cross-border dimension and specificity of JITs, these tools cannot offer all functionalities required to manage a JIT. The tools can also not be used by other Member States in a cross-border (multilingual) environment. Obviously, there is also no dedicated platform at EU level that could be used by all parties involved in JITs. Consequently, the current ways of coordinating the daily work of JITs do not make use of the possibilities offered by digital technologies.
The effects of the problem
Because of the above problems, coordination of investigations carried out by the JITs is time consuming and very often requires offline means, e.g. face-to-face meetings having an impact on the financial side of every JIT. Meeting and exchanging information and evidence more frequently in a secure online environment would enable the JIT members and participants to enhance their cooperation. The process of agreeing on cooperation procedures, which needs to happen for each individual JIT and for all activities that need a coordinated approach, is also time consuming and causes an administrative burden. These aspects get even more complicated in case of participation of third countries that might sometimes not be a direct neighbouring country.
There are also other repercussions: for instance, the lack of a tool to properly trace evidence exchanged among all members of a JIT might cause problems during the court proceedings.
3.Legal basis, subsidiarity and added value
3.1Legal basis
The legal basis for the proposal is Article 82(1)(d) of the Treaty on the Functioning of the European Union (TFEU). In line with that Article, the EU has the power to adopt measures to ease cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters.
3.2Subsidiarity
According to the principle of subsidiarity laid down in Article 5(3) of the TEU, action at EU level should be taken only when the aims envisaged cannot be achieved sufficiently by Member States alone and can therefore, by reason of the scale or effects of the proposed action, be better achieved by the EU. Furthermore, there is a need to match the nature and intensity of a given measure to the identified problem.
The creation of a common Union wide IT platform to support JITs, allowing the Member States to make use of a technology solution that does not depend on the national IT infrastructure, can neither be achieved unilaterally at Member State level nor bilaterally between the Member States. It is by its nature a task to be undertaken at EU level. Therefore, it is also for the Union to establish a legally binding instrument to create such a system and to lay down the conditions under which that system will function.
4Objectives
The general objective of the proposal is to provide technological support to those involved in JITs to increase the efficiency and effectiveness of their cross-border investigations and prosecutions.
The specific objectives of the proposal are to:
1.Ensure that the members and participants of JITs can more easily share information and evidence collected in the course of the JIT activities.
2.Ensure that the members and participants of JITs can more easily and more safely communicate with each other in the context of the JIT activities.
3.Facilitate the joint daily management of a JIT, including planning and coordination of parallel activities, enhanced traceability of shared evidence and coordination with third countries, especially where physical meetings are too expansive or time consuming.
5The preferred option
In order to address the problems defined in section 2 and to achieve the objectives listed in section 4, a dedicated IT platform consisting of both centralised and decentralised components – the JITs collaboration platform – is proposed.
The platform would be a highly secure online collaboration tool aiming to facilitate the exchanges and cooperation within JITs throughout their duration. The platform would be accessible to all actors involved in JIT proceedings, i.e. Member States’ representatives fulfilling the role of members of a given JIT, representatives of third countries invited to cooperate in the context of a given JIT, and the competent Union bodies, offices and agencies such as Eurojust, Europol, the European Public Prosecutor’s Office and OLAF. The key functions, described in detail below, will ease electronic communication, allow information and evidence to be shared, including large amounts of data, ensure traceability of evidence as well as planning and coordination of JIT operations.
The design, development, technical management and maintenance of the platform would be entrusted to the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), which is the Union agency in charge of large-scale IT systems in the in the Area of Freedom, Security and Justice.
Assuming that the proposal establishing the platform is adopted in 2023, the platform would be operational as of beginning of 2026.
5.1Horizontal aspects
The platform would be of a voluntary nature, so the authorities involved in JITs would have full discretion in deciding whether they want to use the platform for a specific JIT. In addition, the JIT members and participants would be free to use other tools while making use of the platform. For instance, if they decide to pass on evidence in person at a working meeting or through SIENA.
The platform’s architecture would enable the creation of (non-interoperable) sessions in silo, the ‘JIT collaboration spaces,’ specific to each JIT and open only for the duration of the JIT. There would be no cross-cutting functions or any interactions between different JITs hosted by the platform.
The platform would support the functioning of JITs throughout their operational and post-operational phases. In practical terms, an individual JIT collaboration space could be created on the platform as soon as all establishing parties sign the JIT agreement. The space would be closed following the end of the evaluation process.
Access to the platform would be granted through regular computers (desktops, laptops, etc.) as well as through mobile devices. Its interface would be made available in all EU languages.
From a technical perspective, the platform would be composed of two distinctive elements, (i) a centralised information system, which would allow for a temporary central storage of data, and (ii) a communication software, a mobile application, which would enable communication and local communication data storage.
From a security perspective, while the platform will operate over the internet to offer flexible means of accessing it, the focus will be to guarantee confidentiality by design. This will be achieved by using robust end-to-end encryption algorithms to encrypt data in transit or at rest (i.e. stored on a physical storage). This feature is crucial for gaining the trust of JITs practitioners who deal with sensitive data and must be reassured regarding any risk of uncontrolled disclosure. In addition, appropriate multi-step identification and authentication mechanisms will be put in place to ensure that only authorised JIT members and participants have access to the platform.
When designing the JITs collaboration platform, eu-LISA should ensure technical interoperability with SIENA.
5.2Key functions
The platform would offer the following key functionalities:
·secure, untraceable communication stored locally at the devices of the users, including a communication tool offering an instant messaging system, a chat feature, audio/video-conferencing and a function replacing standard emails;
·exchange of information and evidence, including large files, through an upload/download system designed to store the data centrally only for the limited time needed to technically transfer the data. As soon as the data are downloaded by all addresses, it would be automatically deleted from the platform.
·evidence traceability – an advanced logging mechanism logging a trail of who did what and when regarding all evidence shared through the platform, and supporting the need to ensure admissibility of evidence before a court.
5.3Other functions
Apart from the above-mentioned key functions, the platform is also planned to offer the following:
·functions related to daily management of the JIT during its operational and post-operational (evaluation) phase, i.e.:
oa JIT dashboard containing general information about JIT, the JIT agreement, overall contact details of the JIT members and participants, etc.;
ocalendars/planners facilitating planning activities;
oa task management module allowing to assign, monitor and follow-up on various tasks within the JIT.
·support for the administrative and financial processes, i.e.:
oa JIT funding dashboard providing for information about deadlines, awarded funding, budget overview, etc., pertaining to JIT financing obtained from Eurojust and/or Europol;
oupload/download of administrative documents;
oa documents repository;
oan administrative reporting module;
oaccess to various documents, e.g. templates, best practices, leaflets, guidelines, model JIT agreements, etc. - covering all phases of a JIT, developed by the Network of JITs national experts and used on a regular basis by those involved in JITs.
·various technical capabilities supporting operational and administrative processes, e.g.:
oan automatic translation service;
ocollaborative editing of documents, e.g. reports of meetings or administrative documents like press releases, memos, common requests to third countries, etc.;
othe integration with the JITs-related electronic services already hosted at Eurojust and managed by the JIT Secretariat, i.e. JITs Funding, JITs Evaluation and JITs Restricted Area, allowing relevant information and documents to be obtained without needing to connect separately to the platform and the services offered by the JIT Secretariat.
5.4Access rights
Particular attention will be given to the platform’s access rights. The platform’s starting principle will be that the management of access rights rests with the JIT space administrator(s) from the JITs participating Member States. They will be in charge of granting access, during the operational and post-operational phases of the JIT, to:
·representatives of the other Member States participating in the JIT;
·representatives of third countries which are also members of a given JIT;
·representatives of Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices and agencies; and
·representatives of the JIT Secretariat.
In addition, the JIT space administrator(s) will have the option to limit access to parts of information and evidence only to those who are concerned by it, including case-by-case granular access permissions. This restriction would concern all users of the JITs collaboration platform, be it the Member States, third countries, the competent Union bodies, offices and agencies or the JIT Secretariat.
It must be underlined that eu-LISA, as the hosting provider, will not have access to the data stored or exchanged through the platform. It will also not be involved in the access rights management, except for the initial process of granting access rights to JIT space administrator(s) based on the signed JIT agreement. The platform’s architecture must offer sufficient guarantees for this to happen.
The access rights of the competent Union bodies, offices and agencies should be defined in view of the operational support they provide to JITs, covering all steps of the proceedings, from the moment of the signed JIT agreement until the end of the evaluation phase. On the latter, the platform must provide for access rights for the JIT Secretariat, which plays an important role in that process. The JIT Secretariat could also be in charge of the platform’s administrative support, including access rights management, as long as the JIT space administrator(s) of each individual JIT envisage such a role.
Keeping in mind the increasing role of third countries in the successful prosecution of serious organised crime and terrorism, the platform will also be available to them, if they are part of a JIT agreement. However, specific access rights will depend on their role in a given JIT and should be set out by the JIT space administrator(s) for each respective JIT. To guarantee the respect for fundamental rights, including data protection, and in line with the currently applicable procedures, before granting access to a specific third country, the JIT space administrator(s) will need to thoroughly assess the data protection aspects against the applicable rules, notably Directive 2016/680.
6Stakeholder views
Whereas no public consultations were conducted due to a specific character of the proposal, the Commission has carried out an extensive targeted consultation campaign to ensure that all stakeholders concerned have an opportunity to express their views. The campaign has involved:
·prosecutors, judges and law enforcement representatives from the Member States;
·Member States’ national authorities;
·experts of the JITs Network
·academics and practitioners in EU criminal law;
·data protection experts,
·representatives of Eurojust, Europol and OLAF.
Stakeholders have had an opportunity to voice their opinion through bilateral contacts, expert meetings, online surveys and written contributions.
The targeted consultations organised between March and July 2021, gathered views on the platform related elements of the Digital Criminal Justice study, functions that are to be covered by the future platform, as well as the applicable data protection regime(s).
First and foremost, all stakeholders welcomed the initiative and provided a positive opinion about establishment of a platform as a much-needed step towards the digitalisation of JITs cooperation.
As far as cross-cutting issues are concerned, most stakeholders focused on:
·the simplicity of the platform so that it can be used by all practitioners concerned – a too cumbersome tool with complex workflows could create problems for the users and would be a main reason for not using it;
·the prevention of an impact on the substantial or legal requirements of investigators’ work, so the proper functioning of a JIT is not jeopardised by the platform;
·the security of the platform – the level of protection is of crucial importance so practitioners can be confident that outcomes of their national investigations that are shared through the platform would not be disclosed in an uncontrolled way.
Some discussions have also taken place on the entity in charge of the platform’s future development and management. The following scenarios were considered:
·creation of the platform by the Commission and making it available to the Member States to implement when needed within their own infrastructure;
·creation of the platform and its establishment at the Commission;
·creation of the platform and its establishment at one of the JHA agencies directly involved in supporting the Member State’s authorities in combating crime (e.g. Eurojust);
·creation of the platform and its establishment at eu-LISA.
All stakeholders consulted, including Eurojust and Europol, supported the option to entrust the platform’s development and maintenance to eu-LISA. They all recognised eu-LISA’s expertise in the area as well as its experience with large-scale IT systems meeting state-of-the-art security standards. Also, this option takes into account, that JITs can be conducted without the financial support or operational involvement of either Eurojust or Europol.
Undoubtedly, the two key functions of the platform debated the most during the targeted consultations were a possible coverage by the platform of a JIT set-up process and the central storage.
Administrative process to set-up a JIT
The starting point for this discussion was the final report of the Digital Criminal Justice study, which recommends that the JITs collaboration platform covers also the pre-operational phase of JITs, i.e. the administrative process to set up a JIT. There are many advantages of such a solution, including:
·the possibility to securely and efficiently exchange documents cross-border, leading to the signature of a JIT agreement;
·a machine translations function;
·an inventory of the procedures to be followed during the JIT set-up process;
·support for various electronic signatures.
However, it has been established during the stakeholder consultations that in most Member States, actors participating in the JIT set-up process are completely different from those who are members of JITs once they are established. Moreover, the decision to join a JIT is very often taken by someone who will not necessarily be a member of the JIT itself, e.g. the Prosecutor General or even the Minister of Justice. Therefore, the inclusion of the administrative JIT set-up process in the platform would require a complete departure from the above-described model of isolated JIT spaces, as well as a separate access rights management workflow. Such a scenario would heavily complicate the envisaged easy-to-use concept of the platform and would require implementation of rather incomprehensible and time-consuming administrative workflows.
Therefore, following the targeted consultations, the recommended scenario would be to cover the JIT set-up process within the e-Evidence Digital Exchange System (eEDES) that is currently being implemented by the Commission. This solution would on the one-hand cover administrative needs of the stakeholders and, on the other, not complicate the daily functioning of the future platform.
Central storage
One of the most crucial functions of the platform will be to exchange information and evidence among the JIT members and other participants. That function could be implemented in three different ways:
1.A plain upload/download function - data would be uploaded on the platform by one member/participant of the JIT and would be stored centrally only until the other JIT member(s)/participant(s) download(s) it.
2.A temporary flexible storage – in addition to the plain upload/download, data could be optionally stored at the platform for some period of time, e.g. one week, one month, etc. The member/participant uploading the data would define duration and access rights.
3.A permanent storage – all exchanged data would be stored throughout the JIT’s lifespan – precise access rights to the data would be defined by the member/participant uploading the data. This option would constitute a "common JIT case-file".
Though JITs allow for the direct communication, cooperation and coordinated action, the underlying national investigations remain separate and independent. The possibility to create a common case-file to supplement national investigations is not envisaged by the current legal framework. Therefore, almost all stakeholders rejected the permanent storage option (option 3). Indeed, the creation of such a common case-file would raise serious questions related to criminal procedures in certain Member States since not all JIT information is necessarily shared among all members of the JIT. Investigators from one country often do not need access to all relevant information from the investigation of the other country participating in the same JIT.
Whereas the other two options had more or less the same degree of support among the practitioners, a preferred option is to equip the platform with the plain upload/download function (option 1). This function would prevent platform’s users to view the data before downloading it. It would also prevent any central storage of exchanged data, i.e. the data would be stored centrally until it is downloaded by the other party, but for not more than four weeks. The main reason for that has been a concern that any storage of operational data, going beyond a technical requirement to send it from one party to another, would lead to at least a temporary common file and to possible follow–up questions. For example, access requests to that file. However, this instrument should not change the separate investigations and separate national files, to which the respective national rules still apply.
Although the lack of central storage would prevent including in the platform various additional technical functions, e.g. an interface with a crime analysis tool, a search tool, a text to speech converter, a speech to text converter, Optical Character Recognition, etc., stakeholders took the view that such functions would duplicate the tools already provided by other agencies (primarily by Europol). It also must be underlined that even in the absence of a central storage of information and evidence, some basic information would be stored centrally to allow the JIT members to trace the exchanged data.
7Assessment of the preferred option
The preferred option is discussed and assessed hereunder against the following criteria:
·effectiveness: measured against the general and specific objectives;
·technical and operational feasibility;
·efficiency: the total costs incurred for eu-LISA, Eurojust and for the Member States as well as the administrative costs incurred for the Member States and the Commission;
·impact on fundamental rights: in particular on data protection;
·information control and security;
·proportionality.
7.1Effectivenes
General objective: to provide technological support to those involved in JITs to increase the efficiency and effectiveness of their cross-border investigations and prosecutions.
The establishment of the platform is expected to render cooperation within JITs more efficient and effective. All future functionalities of the platform, starting with the communication tools, through exchange of data mechanism, to collaborative management of JITs, are intended to save time and cost of the JIT members and participants. Although voluntary in nature, it is anticipated that those involved in JITs will quickly realise the platform’s added value and systematically use it in cross-border cases. The platform would allow speeding up the flow of information among its users, increase security of the exchanged data as well as enhance transparency. In addition, impacts on simplification and administrative burdens are anticipated. Consequently, more efficient functioning of JITs would improve overall collaboration between Member States in investigating and prosecuting cross-border crime.
Specific objectives:
·To ensure that that the members and participants of JITs can more easily share information and evidence collected in the course of the JIT activities.
The envisaged upload/download mechanism for the exchange of operational information and evidence, including large files, would be a crucial step forward towards a secure and unified process to exchange data collected by the JIT members in the course of the JIT activities and at the same time allow for the traceability of the exchanged evidence. The data would flow between JIT members using a secure channel and a highly secure central data storage, designed to keep the data stored centrally only for a limited period of time necessary for technical reasons. The exchanged data would be properly encrypted in transit and at rest. The option would facilitate exchanges of large amounts of data, e.g. content of hard drives or CD-ROMs, which currently cannot be efficiently transferred.
·To ensure that the members and participants of JITs can more easily and more safely communicate with each other in the context of the JIT activities.
A set of communication tools, consisting of an instant messaging system, a chat feature, audio/video-conferencing and a functionality replacing regular emails, would clearly increase the safety and effectiveness of the communication among the JIT members and participants. Since all the above features would guarantee a top level of security, the safety of the exchanged data would increase radically compared to the currently used non-secure communication channels, such as the most popular instant messaging and video call commercial tools. The possibility to have a single set of communication tools, available in one place for all members and participants of JITs, would undoubtedly foster the communication process and improve the efficiency of the exchanges. In addition, the platform could also provide for a speedy process to book online and offline meetings.
·To facilitate the joint daily management of a JIT, including planning and coordination of parallel activities, enhanced traceability of shared evidence and coordination with third countries, especially where physical meetings are too expansive or time consuming.
Thanks to the platform, all JIT members and participants would be able to jointly cooperate and manage the JIT through one unified IT tool. Activities like planning, coordination of parallel activities, task management, collaborative editing of documents, or machine translation of documents could be carried out in a much more efficient way than it is currently the case. In addition, exchange and communication with third countries, especially when they are not direct neighbouring countries, would be facilitated because of one standard technical mean that could be used by all entities involved in a JIT.
7.2Technical and operational feasibility
The envisaged solution is fully feasible from a technical and operational point of view. The platform’s implementation would be based on a commercially available off-the-shelf product, customised in order to provide all required functionalities. The so-called software as a service (SaaS) model would be used. It is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. The platform would offer a collection of services such as collaborative tools with workflow capabilities, decentralised secure communication tools, upload/download mechanism and logging capabilities. The users would be accessing the platform through the internet using the “EU Login” authentication service while their access rights in the platform would be defined following a flexible fine grained role definition at the level of every JIT collaboration space. Data in the platform, categorised as sensitive not classified, would be managed under strict security requirements including data encryption in both transit and while temporarily stored at server side.
The platform would guarantee high availability since it would be operational from two geographically diverse locations, namely eu-LISA’s operational site in Strasbourg/France and the back-up site in Sankt Johann/Austria.
7.3Efficiency
Costs (set-up and recurring)
The establishment of the platform is envisaged to incur the following costs:
·development of the platform – the one-off cost incurred for eu-LISA;
·technical maintenance and operation of the platform – the recurring cost incurred for eu-LISA;
·development of the necessary technical adaptations of the relevant IT systems hosted at Eurojust, i.e. JITs Funding, JITs Evaluation and JITs Restricted Area to partially integrate them with the platform – the one-off cost incurred for Eurojust;
·technical maintenance and operations concerning on the adaptations of the IT systems hosted at Eurojust - the recurring cost incurred for Eurojust;
·administrative support to the platform’s users on behalf of the JIT space administrator(s) - the recurring cost incurred for Eurojust (the JIT Secretariat).
As far as Member States’ access to the platform is concerned, no technical costs are envisaged because of the web-based nature of the centralised component of the platform. It would not require any adaptations of the national technical infrastructure. The same applies to the communication software, which would simply need to be downloaded on each device of the JIT platform’s users. Access to the platform for the competent Union bodies, offices and agencies would be driven by the same principles and would not incur any costs for them.
The costs for eu-LISA and Eurojust are explained in detail below. They would be borne by the Union general budget and would need to be reflected in the budget of both agencies. The costs for eu-LISA apply to hosting of the platform in its operational site in Strasbourg/France and the back-up site in Sankt Johann/Austria. The costs cover the period between 2024, when the proposal is expected to be adopted, and 2027, when the current EU's multiannual financial framework (MFF) finishes.
eu-LISA costs
eu-LISA would require the following financial resources to cover the costs related to the activities to be performed:
|
Year
2024
|
Year
2025
|
Year
2026
|
Year
2027
|
TOTAL 2024-2027
|
Phase 1 – development of the JITs collaboration platform
|
3.000
|
5.400
|
|
|
8.400
|
Phase 2 - maintainance and operation of the JITs collaboration platform
|
|
|
1.700
|
1.700
|
3.400
|
TOTAL (EUR million)
|
3.000
|
5.400
|
1.700
|
1.700
|
11.800
|
eu-LISA would also require the following human resources:
|
Year
2024
|
Year
2025
|
Year
2026
|
Year
2027
|
TOTAL FTEs per type
|
Temporary agents (AD grades)
|
4
|
4
|
|
|
8
|
Contractual staff
|
|
|
2
|
|
2
|
TOTAL FTEs
|
10
|
The total estimated number of resources is ten (10) FTEs (2 CA and 8 AD). Eight (8) FTEs combining expertise in IT Architecture, Testing, Security & Data Protection, Project & Programme Management and Infrastructure Management would work on the elaboration of specifications as well as on all analysis and design tasks in cooperation with the contractors. They would perform the necessary assessments (including data protection, risk assessments etc.), would kick off all work packages and would ultimately conclude this part of implementation with the production of the detailed design of the solution. A combination of transversal resources (procurement, finance, HR, business relationship & stakeholders’ management) is also included. For the “build & run” and “operations” phases, on top of the expertise described above eu-LISA would additionally require two (2) resources, adding expertise on product management, change management and release & deployment. Building a customised commercial off-the-shelf product with additional modules installed on desktops and smartphones would require a combination of skills in the area of infrastructure, networking, security and testing. These resources would be supplemented by 1st level and 2nd level support staff in order to properly monitor, operate and debug the platform, to meet the agreed level of the required service level agremeents and to respond to intense monitoring and security requirements.
The costs related to the above staff expenditures are as follows:
|
Year
2024
|
Year
2025
|
Year
2026
|
Year
2027
|
TOTAL 2024-2027
|
Temporary agents (AD Grades)
|
0.608
|
1.216
|
1.216
|
1.216
|
4.256
|
Contractual staff
|
|
|
0.164
|
0.164
|
0.328
|
TOTAL (EUR million)
|
0.608
|
1.216
|
1.380
|
1.380
|
4.584
|
Staff required for phase 1 - development of the JITs collaboration platform:
Profile
|
No.
|
Type
|
IT Officer - Architecture
|
1
|
TA (AD)
|
Test Management
|
1
|
TA (AD)
|
Network Management
|
1
|
TA (AD)
|
Security Management
|
1
|
TA (AD)
|
Infrastructure Management
|
0.5
|
TA (AD)
|
Programme and Project management
|
1
|
TA (AD)
|
System & Application Administration
|
0.5
|
TA (AD)
|
Transversal Services (Finance & Procurement and HR)
|
1
|
TA (AD)
|
Business Relationship & Stakeholders’ Management
|
1
|
TA (AD)
|
TOTAL
|
8
|
-
|
Staff required for phase 2 – maintenance and operation of the JITs collaboration platform:
Profile
|
No.
|
Type
|
IT Officer - Architecture
|
0.5
|
TA (AD)
|
Test Management
|
0.5
|
TA (AD)
|
Release & Change Management
|
0.5
|
TA (AD)
|
Network Management
|
1
|
TA (AD)
|
Security Management
|
1
|
TA (AD)
|
1st level support operator (24x7)
|
1
|
CA
|
2nd level support administrator (24x7)
|
1
|
CA
|
Infrastructure Management
|
0.5
|
TA (AD)
|
Product/Service Owner
|
1
|
TA (AD)
|
System & Application Administration
|
1
|
TA (AD)
|
Transversal Services (Finance & Procurement and HR)
|
1
|
TA (AD)
|
Business Relationship & Stakeholders’ Management
|
1
|
TA (AD)
|
TOTAL
|
10
|
-
|
Description of the profiles:
IT Officer – Architecture - to work with the contractors on the design documents and validate (at solution and application level). Also, to be involved in any business/use cases/architectural assessments and Implementing & Delegated Acts.
|
Test Management – to test the overall solution
|
Release & Change Management – to ensure the transition management including Software Development Lifecycle Development (SDLC)
|
Network Management – to administer and to architect the network
|
Security Management - to work on the security architecture and all the security controls/solution to be put in place, including data protection.
|
1st level support operator (24x7) – to ensure the 1st level support for the JITs collaboration platform, as per SLA
|
2nd level support administrator (24x7) - to ensure the 2nd level support for the JITs collaboration platform, as per SLA
|
Infrastructure Management – to be in charge of the infrastructure
|
Programme and Project management - to take care of the coordination of the overall programme/project management
|
Product/Service Owner – to be in charge of the product once operational
|
System & Application Administration – to take care of the infrastructure (hardware, software, application) build & further administration
|
Transversal Services (Finance & Procurement and HR) – to work on horizontal aspects related with transversal services.
|
Business Relationship & Stakeholders’ Management - to work on business requirements, the implementing acts, stakeholders’ meetings (e.g. Advisory Group, Expert Group, etc.).
|
Eurojust costs
The following costs pertain to Eurojust (including the work of the JIT Secretariat):
·concerning development maintenance and operations of the necessary technical adaptations of relevant IT systems hosted at Eurojust, i.e. JITs Funding, JITs Evaluation and JITs Restricted Area, in order to partially integrate them with the platform: 0.250 EUR million in 2025 (one-off) and 1 FTE – a technical profile – as of 2025 onwards;
·concerning administrative support of the JIT Secretariat to the platform’s users on behalf of JIT space administrator(s): 2 FTEs as of 2026 onwards.
Administrative costs
The impact on administrative costs would be rather limited. As far as the Member States are concerned, their administrative costs would be related to appointment of staff for the project’s governing bodies, i.e. the Programme Management Board and the Advisory Group. Concerning the Commission, it is estimated that a total of one (1) FTE official staff would be required on a permanent basis to:
·represent the Commission in the Programme Management Board and the Advisory Group;
·carry out collection of business requirements during the design phase of the project;
·prepare and negotiate the required Implementing Acts;
·manage meetings of the respective Expert Group;
·assist eu-LISA throughout the development phase of the project;
·monitor the platform’s operations and maintenance.
7.4Impact on fundamental rights
No major impact on fundamental rights is expected, as the legal basis for the exchanges of information and evidence within a JIT would not be altered. Nevertheless, as explained further below, the preferred option would respect fundamental rights and freedoms enshrined, in particular, in the Charter of Fundamental Rights of the European Union, including the right to protection of personal data. In this regard, it would also respect the European Convention for the Protection of Human Rights and Fundamental Freedoms, the International Covenant on Civil and Political Rights, and other human rights obligations under international law.
Since establishing the platform at EU level would imply the processing of personal data, it must be subject to appropriate data protection safeguards. The platform would fully comply with EU data protection rules on the legality of exchanging information and evidence. Directive (EU) 2016/680 of the European Parliament and of the Council would apply to the processing of personal data by competent national authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies would also apply. These legal safeguards would need to dovetail with the alignment of the data protection approach for JITs with the current data protection rules, as proposed by the Commission on 20 January 2021.
Concerning the centralised component of the platform, i.e. the upload/download mechanism allowing temporarily storing of the operational data until the moment it is downloaded, the impact on data protection is considered to be limited, because:
·the personal data would be exchanged by a very limited group of individuals who are part of an isolated JIT collaboration space;
·the personal data would be stored centrally only for technical reasons and would be deleted right after it is downloaded by all addresses;
·the retention period would be set to maximum 4 weeks and would be enforced automatically;
·exchange of personal data would be limited to serve the purpose for which it was obtained;
·eu-LISA would not have any access to the data and would fulfil the data processor role;
·a separate data controllership of each entity uploading the personal data, apart from third countries, would be warranted;
·exchanges of personal data that qualify as international transfers to third countries that are part of a given JIT would always require a legal ground in EU or Member State law applicable to such transfers;
·personal data uploaded to a JIT collaboration space by third countries would be within responsibility of a JIT space administrator who would need to verify such data before it can be downloaded by other users.
7.5Information control and security.
Appropriate definition of the access right policy is crucial in the context of data integrity and security. Section 5.4 of this document specifies precisely the platform’s access right management and role of each entity involved in that process. Security considerations, equally important, are described in section 5.1 of this document. They would be taken into account during each phase of the development process as well as maintenance and operations, so by no means the exchanged data could be disclosed in an uncontrolled way. Concerning the logging mechanisms, eu-LISA would be entrusted with a task to ensure that accessing the centralised information system and all data processing operations in the centralised information system are properly logged in for the purposes of monitoring data integrity and security, the lawfulness of the data processing as well as for the purposes of self-monitoring.
7.6Proportionality
According to the principle of proportionality laid down in Article 5(4) of the TEU, there is a need to match the nature and intensity of a given measure to the identified problem.
All problems described in this document require EU-level support to tackle them effectively. Addressing the problems individually, for instance by creating separate tools tackling the communication issue, the lack of data exchange mechanism, etc. would be much more costly and would create an administrative burden for the JITs. The Union wide IT platform is the only way to provide JITs with a common modern technical solution that will allow them to carry out their cross-border investigations more efficiently.
Therefore, it can be concluded that the action at EU level to establish the platform to support functioning of JITs is proportionate to the identified problems that JITs encounter in their daily work.
8Impact monitoring
Four years after the start of operations of the platform and every four years thereafter, the Commission shall conduct an overall evaluation of the system. The report established on this basis should contain feedback of the platform’s users, an assessment of the platform’s usage and a list of necessary recommendations.