EUROPEAN COMMISSION
Brussels, 1.12.2021
COM(2021) 767 final
2021/0399(COD)
Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
amending Council Decision 2005/671/JHA, as regards its alignment with Union rules on the protection of personal data
EXPLANATORY MEMORANDUM
1.Reasons for and objectives of the proposal
1.1.Reasons for the proposal
Directive (EU) 2016/680 1 (the Data Protection Law Enforcement Directive – LED) entered into force on 6 May 2016 and Member States had until 6 May 2018 to turn it into national law. It repealed and replaced Council Framework Decision 2008/977/JHA 2 . Its scope is very comprehensive, as it is the first instrument that takes a comprehensive approach for data processing in law enforcement. It applies to both domestic and cross-border processing of personal data by competent authorities to prevent, investigate, detect or prosecute criminal offences and execute criminal penalties, including safeguarding against and preventing threats to public security.
Article 62(6) of the LED requires the Commission to review, by 6 May 2019, other EU legal acts that regulate competent authorities’ personal data processing for law enforcement purposes. The purpose of this review is to assess the need to align them with the LED and to submit proposals for amending them to ensure consistency with data protection within the scope of the LED.
The Commission set out the findings of its review in its Communication on the way forward on aligning the former third pillar body of EU law with data protection rules (24 June 2020) 3 , which identifies the legal acts that should be aligned with the LED. The list includes Council Decision 2005/671/JHA so the Commission indicated that it would put forward targeted amendments.
Under Article 6 of the LED, Member States must ensure that competent authorities make a clear distinction between the personal data of different categories of data subjects, including:
·persons where there are serious grounds for believing that they have committed or are about to commit a criminal offence;
·persons convicted of a criminal offence;
·victims of a criminal offence or other parties to a criminal offence.
Under Article 8(1) of the LED, Member States must ensure that processing is lawful. This means that a competent authority can only process personal data to the extent necessary for the performance of a task set out in the LED. Article 8(2) of the LED requires that national law regulating processing data under the scope of the LED must state at least the objectives of processing, the personal data to be processed and the purposes of the processing.
To combat terrorism effectively, efficient exchange of information considered to be relevant by the competent authorities for the prevention, detection, investigation or prosecution of terrorist offences between competent authorities and Union agencies, is crucial. Such information exchange must be carried out in full respect of the right to data protection and in line with the conditions set by the LED.
Council Decision 2005/671/JHA of 20 September 2005 on the exchange of information and cooperation concerning terrorist offences 4 states that to combat terrorism, it is essential to have the most complete and up to date information possible. The persistence and complexity of the terrorist threat gives rise for more information sharing.
Against this background, Council Decision 2005/671/JHA provides that Member States must collect all relevant information concerning and resulting from criminal investigations linked to terrorist offences which affect or may affect two or more Member States and send it to Europol 5 . Member States must also collect all relevant information concerning prosecutions and convictions for terrorist offences, which affect or may affect two or more Member States and send it to Eurojust. Each Member State must also make available all relevant information gathered by its competent authorities in criminal proceedings connected with terrorist offences. This information must be swiftly made available to the competent authorities of another Member State where the information could be used to prevent, detect, investigate or prosecute terrorist offences.
Since 2005, the importance of sharing information between Member States and with Europol and Eurojust has only become more evident. Directive (EU) 2017/541 on combating terrorism 6 amended Council Decision 2005/671/JHA, to ensure that information is shared between Member States in an effective and timely manner, taking into account the serious threat posed by terrorist offences.
Recital 7 of Council Decision 2005/671/JHA acknowledges that the Decision complies with fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union. Article 8 of the Charter of Fundamental Rights of the European Union enshrines the protection of personal data as a fundamental right. Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) also establishes the principle that everyone has the right to the protection of personal data concerning them. Moreover, Article 16(2) TFEU introduced a specific legal basis for adopting rules on the protection of personal data.
Union rules on data protection have developed since the adoption of Council Decision 2005/671/JHA. Notably, as mentioned above, based on Article 16(2) of the TFEU, the European Parliament and the Council adopted the LED, which entered into force on 6 May 2016. The LED is a comprehensive horizontal data protection instrument. Importantly, it applies to all processing operations carried out by competent authorities for law enforcement purposes (both domestic and cross-border processing).
1.2.Objective of the proposal
The proposal aims at aligning Council Decision 2005/671/JHA with the principles and rules laid down in the LED, in order to ensure consistent approach to protection afforded to persons regarding the processing of personal data. According to the Commission’s Communication of 24 June 2020, the alignment of Decision 2005/671/JHA should address the following:
·Specify that the processing of personal data under Council Decision 2005/671/JHA can only take place for the prevention, investigation, detection and prosecution of terrorist offences, in line with the purpose limitation principle;
·The categories of personal data that can be exchanged should be defined more precisely by Union or Member State law, in line with the requirements under Article 8(2) of the LED, taking due account of the operational needs of the authorities concerned.
1.3.Consistency with existing policy provisions in the policy area
The present proposal for a Directive takes into account the amendments of Decision 2005/671/JHA deriving from the proposal for a Regulation on the digital information exchange in terrorism cases, which the Commission tabled together with the present proposal. That proposed Regulation is part of the digitalisation of justice package, prepared by the Commission following the Communication on the Digitalisation of Justice 7 . Once adopted, it removes the provisions on the exchange of information on cross-border terrorism cases relating to Eurojust from Decision 2005/671/JHA and inserts them into the Eurojust Regulation (Regulation (EU) 2018/1727 8 ). As consequential amendment, it also removes the references to Eurojust from Council Decision 2005/671/JHA. Close coordination will be necessary throughout the legislative process to ensure consistency of the amendments contained in that proposed Regulation and in the present proposed Directive.
2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
2.1.Legal basis
The alignment of Council Decision 2005/671/JHA with the LED is based on Article 16(2) TFEU. Article 16(2) TFEU allows for rules to be adopted on the protection of individuals with regard to the processing of personal data by the competent authorities in Member States when carrying out activities to prevent, investigate, detect or prosecute criminal offences or execute criminal penalties that fall within the scope of EU law. It also allows for rules to be adopted on the free movement of personal data, including for personal data exchanges by competent authorities within the EU.
2.2.Subsidiarity (for non-exclusive competence)
Only the EU can align EU acts to the rules laid down in the LED. Therefore, only the EU can adopt a legislative act amending Council Decision 2005/671/JHA.
2.3.Proportionality
This proposal aims at aligning an existing EU legal act to a subsequent EU legal act, as provided by the latter, without changing its scope. In line with the principle of proportionality, to achieve the basic objectives of ensuring a high level of protection of natural persons regarding the processing of personal data and the free flow of personal data across the EU, it is necessary to set rules on the processing of personal data by Member States’ competent authorities to prevent, investigate, detect or prosecute criminal offences. This includes safeguarding against, and preventing threats to public security. The proposal does not go beyond what is necessary for achieving the objectives pursued under Article 5(4) of the TEU.
2.4.Choice of the instrument
This proposal aims at amending a Council Decision, which was adopted before the entry into force of the Treaty of Lisbon in 2009. The legal basis for Council Decision 2005/671/JHA, Article 34(2)(c) of the TEU as applicable in 2005, no longer exists. The relevant provisions of Decision 2005/671/JHA set obligations for the Member States similar to a Directive rather than self-standing rules that would be directly applicable. Therefore, the most appropriate instrument to amend this Council Decision under Article 16(2) of the TFEU is through a Directive of the European Parliament and of the Council.
3.Explanation of the specific provisions of the proposal
This proposal amends Council Decision 2005/671/JHA on the following points:
To define the purposes of the processing of personal data, Article 1(2)(a) of the proposal introduces a new subparagraph in Article 2(3) of the Council Decision, which specifies that personal data are processed to prevent, investigate, detect or prosecute terrorist offences.
To define the categories of data to be processed, Article 1(2)(b) and (c) of the proposal add new subparagraphs to Article 2 of the Council Decision, which specify that the categories of personal data that may be exchanged with Europol, must be those specified in the Europol Regulation, and that the categories of personal data that may be exchanged between Member States for the purposes of prevention, investigation, detection or prosecution of terrorist offences shall be those specified under the respective national laws.
In addition, in order to update the Council Decision in view of subsequent legal developments and in particular to ensure that the above amending provision refers to the correct legal instrument, the proposal deletes point (b) of Article 1 of the Council Decision. That point (b) refers to the Europol Convention. The relevant provisions of the Council Decision, as amended, instead refer to the Europol Regulation.
2021/0399 (COD)
Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
amending Council Decision 2005/671/JHA, as regards its alignment with Union rules on the protection of personal data
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Acting in accordance with the ordinary legislative procedure,
Whereas:
(1)Directive (EU) 2016/680 of the European Parliament and of the Council 9 provides for harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against, and the prevention of threats to public security. The Directive requires the Commission to review relevant other acts of Union law in order to assess the need to align them with that Directive and to make, where necessary, the proposals to amend those acts to ensure a consistent approach to the protection of personal data falling within the scope of that Directive.
(2)Council Decision 2005/671/JHA 10 lays down specific rules on the exchange of information and cooperation concerning terrorist offences. In order to ensure a consistent approach to the protection of personal data in the Union, that Decision should be amended to align it with Directive (EU) 2016/680. In particular, that Decision should specify, in a manner that is consistent with Directive (EU) 2016/680, the purpose of the processing of personal data and indicate the categories of personal data that can be exchanged, in accordance with the requirements of Article 8(2) of Directive (EU) 2016/680, taking due account of the operational needs of the authorities concerned.
(3)In the interest of clarity, the references contained in Decision 2005/671/JHA to the legal instruments governing the operation of the European Union Agency for Law Enforcement Cooperation (Europol) should be updated.
(4)In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Ireland is bound by Decision 2005/671/JHA and is therefore taking part in the adoption of this Directive.
(5)In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Directive and is not bound by it or subject to its application.
(6)The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 of the European Parliament and of the Council 11 and delivered an opinion on XX/XX 20XX,
HAVE ADOPTED THIS DIRECTIVE:
Article 1
Decision 2005/671/JHA is amended as follows:
(1)in Article 1, point (b) is deleted;
(2)Article 2 is amended as follows:
(a)in paragraph 3, the following subparagraph is added:
“Each Member State shall ensure that personal data is processed pursuant to the first subparagraph only for the purpose of the prevention, investigation, detection or prosecution of terrorist offences.”
(b)in paragraph 4, the following subparagraph is added:
“The categories of personal data to be transmitted to Europol for the purposes referred to in paragraph 3 shall remain limited to those referred to in Section B, point 2, of Annex II to Regulation (EU) 2016/794.”;
(c)in paragraph 6, the following subparagraph is added:
“The categories of personal data that may be exchanged between Member States for the purposes referred to in the first subparagraph shall remain limited to those specified in Section B, point 2, of Annex II to Regulation (EU) 2016/794.”
Article 2
1.Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by [one year after adoption] at the latest. They shall forthwith communicate to the Commission the text of those provisions.
When Member States adopt those provisions, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.
2.Member States shall communicate to the Commission the text of the main provisions of national law which they adopt in the field covered by this Directive.
Article 3
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Article 4
This Directive is addressed to the Member States in accordance with the Treaties.
Done at Brussels,
For the European Parliament For the Council
The President The President