This document is an excerpt from the EUR-Lex website

Document 52023PC0244

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data

COM/2023/244 final

Brussels, 11.5.2023

COM(2023) 244 final

2023/0143(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

amending Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data


EXPLANATORY MEMORANDUM

1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

Directive (EU) 2016/680 (1) (the Data Protection Law Enforcement Directive – LED) entered into force on 6 May 2016 and Member States had until 6 May 2018 to transpose it into national law. It repealed and replaced Council Framework Decision 2008/977/JHA (2), but is a much more comprehensive personal data protection instrument. Notably, it applies to both domestic and cross-border processing of personal data by competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences and executing criminal penalties, including safeguarding against and preventing threats to public security (Article 1(1)).

Article 62(6) LED requires the Commission to review, by 6 May 2019, other EU legal acts that regulate competent authorities’ personal data processing for law enforcement purposes, in order to assess the need to align them with the LED and, where appropriate, to make proposals for amending them to ensure consistency in the protection of personal data within the scope of the LED.

The Commission set out the results of its review in a Communication on Way forward on aligning the former third pillar acquis with data protection rules (24 June 2020) (3), which specifies ten legal acts that should be aligned with the LED. The list includes Council Decision 2009/917/JHA on the use of information technology for customs purposes (4).

The proposal aims at aligning the data protection rules in Council Decision 2009/917/JHA with the principles and rules laid down in the LED, in order to provide a strong and coherent personal data protection framework in the Union.

Consistency with existing policy provisions in the policy area

The Customs Information System (CIS) established under Council Decision 2009/917/JHA is an automated information system for customs purposes, which aims to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and increasing the effectiveness of the customs administrations. The proposal aims to align the data protection rules in Council Decision 2009/917/JHA with the principles and rules laid down in the LED, in order to provide a strong and coherent personal data protection framework in the Union.

Consistency with other Union policies

n/a

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The protection of natural persons in relation to the processing of their personal data is a fundamental right laid down in Article 8(1) of the Charter of Fundamental Rights of the European Union (‘Charter’).

The proposal is based on Article 16(2) of the Treaty on the Functioning of the European Union (TFEU), which is the most appropriate legal basis since both the objective and the substance of the proposed amendment are clearly limited to the protection of personal data.

Article 16(2) TFEU allows for rules to be adopted on the protection of individuals with regard to the processing of personal data by the competent authorities in Member States when carrying out activities to prevent, investigate, detect or prosecute criminal offences or execute criminal penalties that fall within the scope of EU law. It also allows for rules to be adopted on the free movement of personal data, including for personal data exchanges by competent authorities within the EU.

According to Article 2a of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark will not be bound by rules laid down on the basis of Article 16 TFEU which relate to the processing of personal data when carrying out activities falling within the scope of Chapters 4 and 5 of Title IV of Part Three of the TFEU. Therefore, Denmark will not be bound by the Regulation now proposed and will continue to apply the Council Decision as it stands today, that is, without the amendments now proposed.

That implies, inter alia, that the Joint Supervisory Authority referred to in Article 25 of the Council Decision will formally continue to exist, only in respect of Denmark. At the same time, due to the proposed deletion of that article and the proposed amendment to Article 26 introducing the coordinated supervision model laid down in Article 62 of Regulation (EU) 2018/1725, said existence has no effects in respect of the other Member States or the Customs Information System as such. As the present proposal is limited to aligning the Council Decision to the LED, this outcome is an unavoidable consequence of the alignment exercise required under the LED and the constraints resulting from Protocol No 22. When in the future a broader assessment of the Council Decision is warranted, the Commission will review this issue.

According to Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, Ireland is not bound by rules laid down on the basis of Article 16 TFEU, where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16. As Ireland participates in Council Decision 2009/917/JHA, it will thus also take part in the adoption of this proposal.

Subsidiarity (for non-exclusive competence)

The subject matter of this Regulation falls within the domain of exclusive competence of the Union, since only the Union can adopt rules governing the processing of personal data by the competent authorities for law enforcement purposes. Only the Union can align EU acts to the rules laid down in the LED. Therefore, only the Union can adopt a legislative act amending Council Decision 2009/917/JHA.

Proportionality

The proposal is limited to what is necessary to align Council Decision 2009/917/JHA with Union legislation on the protection of personal data (LED) without changing the Council Decision’s scope in any way. The proposal does not go beyond what is necessary to achieve the objectives pursued, in accordance with Article 5(4) of the Treaty on European Union.

Choice of the instrument

The proposal aims at amending a Council Decision, which was adopted before the entry into force of the Treaty of Lisbon in 2009. The relevant provisions of Council Decision 2009/917/JHA which establish the Customs Information System and set out the rules for the operation and use of the system are directly applicable.

Therefore, the most appropriate instrument to amend this Council Decision under Article 16(2) of the TFEU is through a Regulation of the European Parliament and of the Council.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

The proposal follows the results of the Commission’s review under Article 62(6) of the LED, as presented in the 2020 Communication on Way forward on aligning the former third pillar acquis with data protection rules. This Communication lists six specific points on which alignment of Council Decision 2009/917/JHA with the LED is required, namely:

In relation to the ‘serious contraventions’ to which the Council Decision applies;

Clarify the conditions for collecting and recording the personal data and require that the personal data may be entered into the CIS only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit a criminal offence;

Provide for additional requirements related to security of processing aligning the list of required security measures with Article 29 of the LED, i.e. by adding requirements on system recovery, reliability and integrity;

Restrict the subsequent processing of personal data recorded in CIS for purposes other than for which the personal data were collected, so that it can occur only under the conditions provided for in the LED;

Make the processing of personal data under Council Decision 2009/917/JHA subject to the coordinated supervision model laid down in Article 62 of Regulation (EU) 2018/1725 (5). The Council Decision is the only remaining legal act whereby the supervision of processing of personal data is carried out by the Joint Supervisory Authority which has now become obsolete;

Update the general reference to Council Framework Decision 2008/977/JHA with the reference to the applicability of the LED. Any provision that overlaps with the LED (such as definitions or the provisions on the rights of the data subjects or availability of judicial remedy and liability) should be removed as outdated and obsolete. References to specific provisions of Council Framework Decision 2008/977/JHA should be updated with specific corresponding references to the LED.

The proposal is limited to what is necessary to address the above points.

Stakeholder consultations

n/a

Collection and use of expertise

In its review under Article 62(6) of the LED, the Commission took account of a study carried out as part of the pilot project on a ‘fundamental rights review of EU data collection instruments and programmes’ (6). The study mapped Union acts covered by Article 62(6) of the LED and identified provisions potentially requiring alignment on data protection issues.

Impact assessment

The impact of this proposal is limited to competent authorities’ processing of personal data in the specific instances regulated by Council Decision 2009/917/JHA. The impact of the new obligations arising from the LED was assessed in the context of the preparatory work for the LED. This renders a specific impact assessment for this proposal unnecessary.

Regulatory fitness and simplification

The proposal is not part of the regulatory fitness programme (REFIT).

Fundamental rights

The right to the protection of personal data is laid down in Article 8 of the Charter and Article 16 of the TFEU. As underlined by the Court of Justice of the European Union (7), the right to the protection of personal data is not absolute, but must be considered in relation to its function in society (8). Personal data protection is also closely linked to respect for private and family life, as protected by Article 7 of the Charter.

This proposal ensures that any processing of personal data under Council Decision 2009/917/JHA is subject to the ‘horizontal’ principles and rules of EU personal data protection legislation, thus further implementing Article 8 of the Charter. That legislation aims to ensure a high level of protection of personal data. Clarifying that the rules of the LED apply, as well as specifying how they apply, to personal data processing under the Council Decision will have a positive impact as regards the fundamental rights to privacy and personal data protection.

4. BUDGETARY IMPLICATIONS

n/a

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

n/a

Detailed explanation of the specific provisions of the proposal

Article 1 identifies the relevant provisions of Council Decision 2009/917/JHA that need to be amended based on the review made by the Commission under Article 62(6) of the LED and presented in its 2020 Communication. These provisions are the following:

· Article 1 – Paragraph 2 is amended to replace the concept of ‘serious contraventions of national laws’ by the reference to criminal offences under national laws, so as to increase clarity whilst aligning with the LED.

· Article 2 – Point 2 on the definition of ‘personal data’ is deleted since the definition of personal data as defined in point (1) of Article 3 of the LED applies.

· Article 3 – Paragraph 2 is amended to clarify the respective roles of the Commission and of the Member States with regard to the personal data. A recital is also introduced for this purpose.

· Article 4 – Paragraph 5 is updated to replace the reference to the list of certain categories of personal data that cannot be entered into the system under Framework Decision 2008/977/JHA by a reference to the corresponding list under the LED.

· Article 5 – Paragraph 2 is updated to clarify the conditions for collecting and recording the personal data and require that the personal data may be entered into the CIS only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit one of the criminal offences under national laws covered.

· Article 7 – Paragraph 3 is updated to clarify the conditions in which access to the CIS by international or regional organisations may be permitted under the LED.

· Article 8 – Paragraph 1 is updated to restrict the subsequent processing of personal data recorded in the CIS, in line with the principle of purpose limitation as regulated under the LED. It further clarifies the conditions in which non-personal data can be processed for other purposes. Paragraph 4 is redrafted to clarify the conditions in which the transmissions and international transfers of personal data and non-personal data can take place.

· Article 14 on the retention of personal data is updated in order to introduce a maximum retention period in accordance with Article 4(1)(e) of the LED and simplify the previous procedure. A recital is also introduced to further explain the rationale of this update.

· Article 15 – Paragraph 3 is replaced to align the concept of ‘serious contraventions of national laws’ with the reference to ‘criminal offences under national laws’, as introduced in the new Paragraph 2 of Article 1.

· Article 20 – This article is replaced to update the general reference to Framework Decision 2008/977/JHA with the reference to the LED.

· Article 22 on the rights of access, to rectification, erasure or blocking is deleted as outdated and obsolete.

· Article 23 on the rights of the data subjects at national level is deleted as outdated and obsolete.

· Article 24 on the designation of a national supervisory authority or authorities is deleted as outdated and obsolete.

· Article 25 on the set up of a Joint Supervisory Authority is deleted as outdated and obsolete.

· Article 26 – This article is updated to make the processing of personal data subject to the coordinated supervision model laid down in Article 62 of Regulation (EU) 2018/1725.

· Article 28 – Paragraph 2 is amended to provide for additional requirements related to security of processing aligning the list of required security measures with Article 29 of the LED, i.e. by adding requirements on system recovery, reliability and integrity.

· Article 30 – Paragraph 1 is deleted as outdated and obsolete.

Article 2 sets the date of entry into force of this Regulation.

2023/0143 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

amending Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1) Directive (EU) 2016/680 of the European Parliament and of the Council (9) provides for harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against, and the prevention of threats to, public security. That Directive requires the Commission to review relevant other acts of Union law in order to assess the need to align them with that Directive and to make, where necessary, the proposals to amend those acts to ensure a consistent approach to the protection of personal data falling within the scope of that Directive.

(2) Council Decision 2009/917/JHA (10) on the use of information technology for customs purposes establishes the Customs Information System (CIS) to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and increasing the effectiveness of the customs administrations. In order to ensure a consistent approach to the protection of personal data in the Union, that Decision should be amended to align it with Directive (EU) 2016/680. In particular, the personal data protection rules should respect the principle of purpose specification, be limited to specified categories of data subjects and categories of personal data, respect data security requirements, include additional protection for special categories of personal data and respect the conditions for subsequent processing. Moreover, provision should be made for the coordinated supervision model as introduced by Article 62 of Regulation (EU) 2018/1725 (11).

(3) In particular, in order to ensure a clear and consistent approach ensuring adequate protection of personal data, the term ‘serious contraventions’ should be replaced by ‘criminal offences’, bearing in mind that the fact that a given conduct is prohibited under the criminal law of a Member State in itself implies a certain degree of seriousness of the contravention. Moreover, the objective of the CIS should remain limited to assisting in connection to the prevention, investigation, detection or prosecution of the criminal offences under national laws as defined in Council Decision 2009/917/JHA, that is, national laws in respect of which national customs administrations are competent and that are therefore particularly relevant in the context of customs. Therefore, whereas qualification as a criminal offence is a necessary requirement, not all criminal offences should be considered to be covered. By way of example, the covered criminal offences include illicit drugs trafficking, illicit weapons trafficking and money laundering. Furthermore, other than the introduction of the term ‘criminal offences’, this amendment should not be understood as affecting the specific requirements set out in that Council Decision regarding the establishment and sending of a list of criminal offences under national laws that meet certain conditions, those requirements relating only to the particular purpose of the customs files identification database.

(4) It is necessary to clarify the respective roles of the Commission and of the Member States with regard to the personal data. The Commission is considered the processor acting on behalf of the national authorities designated by each Member State, which are considered the controllers of the personal data.

(5) To ensure the optimal preservation of the data while reducing the administrative burden for the competent authorities, the procedure governing the retention of personal data in the CIS should be simplified by removing the obligation to review data annually and by setting a maximum retention period of five years which can be increased, subject to justification, by an additional period of two years. That retention period is necessary and proportionate in view of the typical length of criminal proceedings and the need for the data for the conduct of joint customs operations and of investigations.

(6) In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union (TEU) and to the TFEU, Ireland is bound by Council Decision 2009/917/JHA and is therefore taking part in the adoption of this Regulation.

(7) In accordance with Articles 1, 2 and 2a of Protocol No 22 on the Position of Denmark annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(8) The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered an opinion on XX/XX/202X.

(9) Council Decision 2009/917/JHA should therefore be amended accordingly,

HAVE ADOPTED THIS REGULATION:

Article 1

Council Decision 2009/917/JHA is amended as follows:

(1) Paragraph 2 of Article 1 is replaced by the following:

‘2. The objective of the Customs Information System is to assist the competent authorities in the Member States with the prevention, investigation, detection or prosecution of criminal offences under national laws, by making information available more rapidly, thereby increasing the effectiveness of the cooperation and control procedures of the customs administrations of the Member States.’

(2) Point 2 of Article 2 is hereby deleted.

(3) After the first sentence of paragraph 2 of Article 3, a new sentence is added as follows:

‘In relation to the processing of personal data in the Customs Information System, the Commission shall be considered the processor, within the meaning of point (12) of Article 3 of Regulation (EU) 2018/1725, acting on behalf of the national authorities designated by each Member State, which shall be considered the controllers of the personal data.’

(4) Paragraph 5 of Article 4 is replaced by the following:

‘5. In no case shall personal data referred to in Article 10 of Directive (EU) 2016/680 be entered into the Customs Information System.’

(5) Paragraph 2 of Article 5 is replaced by the following:

‘2. For the purpose of the actions referred to in paragraph 1, personal data in any of the categories referred to in Article 3(1) may be entered into the Customs Information System only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit criminal offences under national laws.’

(6) Paragraph 3 of Article 7 is replaced by the following:

‘3. Notwithstanding paragraphs 1 and 2, the Council may exceptionally, by a unanimous decision and after consultation of the European Data Protection Board, permit access to the Customs Information System by international or regional organisations, provided that both of the following conditions are met:

(a) the access complies with the general principles for transfers of personal data set out in Article 35 or, where applicable, Article 39 of Directive (EU) 2016/680;

(b) the access is based either on an adequacy decision adopted under Article 36 of that Directive or is subject to appropriate safeguards under Article 37 thereof.’

(7) Paragraph 1 of Article 8 is replaced by the following:

‘1. Member States, Europol and Eurojust may process personal data obtained from the Customs Information System only in order to achieve the aim stated in Article 1(2), in accordance with the applicable rules of Union law on the processing of personal data.

Member States, Europol and Eurojust may process non-personal data obtained from the Customs Information System in order to achieve the aim stated in Article 1(2) or for other purposes, including administrative ones, in compliance with any conditions imposed by the Member State which entered the non-personal data in that system.’

(8) Paragraph 4 of Article 8 is replaced by the following:

‘4. Personal data obtained from the Customs Information System may, with the prior authorisation of, and subject to compliance with any conditions imposed by, the Member State which entered that data into that system, be:

(a) transmitted to, and further processed by, national authorities other than those designated under paragraph 2, in accordance with the applicable rules of Union law on the processing of personal data; or

(b) transferred to, and further processed by, the competent authorities of third countries and international or regional organisations, in accordance with Chapter V of Directive (EU) 2016/680 and, where relevant, with Chapter V of Regulation (EU) 2018/1725.

Non-personal data obtained from the Customs Information System may be transferred to, and further processed by national authorities other than those designated under paragraph 2, third countries, and international or regional organisations, in compliance with any conditions imposed by the Member State which entered the non-personal data in that system.’

(9) Article 14 is replaced by the following:

‘Personal data entered into the Customs Information System shall be kept only for the time necessary to achieve the aim stated in Article 1(2) and may not be retained for more than five years. However, exceptionally, that data may be kept for an additional period of at most two years, where and insofar as a strict need to do so in order to achieve that aim is established in an individual case.’

(10) Paragraph 3 of Article 15 is replaced by the following:

‘3. For the purposes of the customs files identification database, each Member State shall send the other Member States, Europol, Eurojust and the Committee referred to in Article 27 a list of criminal offences under its national laws.

This list shall comprise only criminal offences that are punishable:

(a) by deprivation of liberty or a detention order for a maximum period of not less than 12 months; or

(b) by a fine of at least EUR 15 000.’

(11) Article 20 is replaced by the following:

‘Directive (EU) 2016/680 shall apply to the processing of personal data under this Decision.’

(12) Articles 22, 23, 24 and 25 are hereby deleted.

(13) Article 26 is replaced by the following:

‘Coordinated supervision among national supervisory authorities and the European Data Protection Supervisor shall be ensured in accordance with Article 62 of Regulation (EU) 2018/1725.’

(14) In paragraph 2 of Article 28, the following points are added:

‘(i) to ensure that installed systems may, in the case of interruption, be restored;

(j) to ensure that the functions of the system perform, that the appearance of faults in the functions is reported and that stored personal data cannot be corrupted by means of a malfunctioning of the system.’

(15) Paragraph 1 of Article 30 is hereby deleted.

Article 2

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Brussels,

For the European Parliament    For the Council

The President    The President

(1)    Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(2)    Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350, 30.12.2008, p. 60).
(3)    COM(2020) 262 final.
(4)    OJ L 323, 10.12.2009, p. 20.
(5)    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance) (OJ L 295, 21.11.2018, p. 39-98).
(6)    The pilot project was requested by the European Parliament, managed by the Commission and carried out by a contractor (group of independent experts). The Commission selected the contractor on the basis of criteria determined by the Parliament. The project deliverables reflect the views and opinions only of the contractor and the Commission cannot be held responsible for any use that may be made of the information contained therein. The results are published at http://www.fondazionebrodolini.it/en/projects/pilot-project-fundamental-rights-review-eu-data-collectioninstruments-and-programmes
(7)    CJEU, 9 November 2010, Volker und Markus Schecke and Eifert, Joined Cases C-92/09 and C-93/09 (ECLI:EU:C:2009:284, par. 48).
(8)    In line with Article 52(1) of the Charter, the exercise of the right to data protection may be made subject to limitations that are provided for by law, respect the essence of the right and freedoms, and (subject to the principle of proportionality) are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
(9)    Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(10)    Council Decision 2009/917/JHA on the use of information technology for customs purposes (OJ L 323, 10.12.2009, p. 20).
(11)    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).