Back to EUR-Lex homepage

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search
You are here

Document 32023L2123

Directive (EU) 2023/2123 of the European Parliament and of the Council of 4 October 2023 amending Council Decision 2005/671/JHA as regards its alignment with Union rules on the protection of personal data

PE/30/2023/REV/1

OJ L, 2023/2123, 11.10.2023, ELI: http://data.europa.eu/eli/dir/2023/2123/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/dir/2023/2123/oj

European flag

Official Journal
of the European Union

EN

Series L

2023/2123

11.10.2023

DIRECTIVE (EU) 2023/2123 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 4 October 2023

amending Council Decision 2005/671/JHA as regards its alignment with Union rules on the protection of personal data

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

(1)

Directive (EU) 2016/680 of the European Parliament and of the Council (2) provides for harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against, and the prevention of threats to public security. In accordance with that Directive, Member States should process personal data in a manner that ensures the appropriate security of the personal data. That Directive also requires the Commission to review other relevant legal acts adopted by the Union in order to assess the need to align them with that Directive and to make, where appropriate, the necessary proposals to amend those acts to ensure a consistent approach to the protection of personal data within the scope of that Directive.

(2)

Council Decision 2005/671/JHA (3) lays down specific rules on the exchange of information and cooperation concerning terrorist offences. In order to ensure a consistent approach to the protection of personal data in the Union, that Decision should be amended in order to align it with Directive (EU) 2016/680. In particular, that Decision should specify, in a manner that is consistent with Directive (EU) 2016/680, the purpose of the processing of personal data and indicate the categories of personal data that can be exchanged, in accordance with the requirements of Article 8(2) of Directive (EU) 2016/680, taking due account of the operational needs of the authorities concerned.

(3)

In the interest of clarity, the references contained in Decision 2005/671/JHA to the legal instruments governing the operation of the European Union Agency for Law Enforcement Cooperation (Europol) should be updated.

(4)

The application of Decision 2005/671/JHA, which involves the processing, including the exchange and subsequent use, of information concerning terrorist offences, involves the processing of personal data. In the interests of consistency and of the effective protection of such personal data, it is important that the processing of personal data carried out under Decision 2005/671/JHA comply with Union law, including with the rules set out in Directive (EU) 2016/680, and be in accordance with the security requirements, safeguards and data protection guarantees set out in other instruments of Union law that contain provisions on data protection, including Regulations (EU) 2016/794 (4) and (EU) 2018/1725 (5) of the European Parliament and of the Council, as well as national law.

(5)

In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, as annexed to the Treaty on European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU), Ireland is not bound by the rules laid down in this Directive which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16 TFEU.

(6)

In accordance with Articles 2 and 2a of Protocol No 22 on the Position of Denmark, as annexed to the TEU and to the TFEU, Denmark is not bound by, or subject to the application of, the rules laid down in this Directive which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU.

(7)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 25 January 2022,

HAVE ADOPTED THIS DIRECTIVE:

Article 1

Decision 2005/671/JHA is amended as follows:

(1)

Article 1 is amended as follows:

(a)

point (b) is deleted;

(b)

point (d) is replaced by the following:

‘(d)

“group or entity”: terrorist group as defined in Article 2, point (3), of Directive (EU) 2017/541 and the groups and entities listed in the Annex to Council Common Position 2001/931/CFSP (*1).

(*1)  Council Common Position 2001/931/CFSP of 27 December 2001 on the application of specific measures to combat terrorism (OJ L 344, 28.12.2001, p. 93).’;"

(2)

Article 2 is amended as follows:

(a)

the heading is replaced by the following:

‘Provision of information concerning terrorist offences to Europol and the Member States’;

(b)

the following paragraph is added:

‘3a.   Each Member State shall ensure that personal data are processed pursuant to paragraph 3 of this Article only for the purposes of the prevention, investigation, detection or prosecution of terrorist offences and other criminal offences for which Europol is competent, as listed in Annex I of Regulation (EU) 2016/794. Such processing shall be without prejudice to the limitations applicable to the processing of data under Regulation (EU) 2016/794.’

;

(c)

in paragraph 4, the following subparagraph is added:

‘The categories of personal data to be transmitted to Europol for the purposes referred to in paragraph 3a shall remain limited to those referred to in Section B, point 2, of Annex II to Regulation (EU) 2016/794.’;

(d)

in paragraph 6, the following subparagraph is added:

‘The categories of personal data that may be exchanged between Member States for the purposes referred to in the first subparagraph shall remain limited to those referred to in Section B, point 2, of Annex II to Regulation (EU) 2016/794.’.

Article 2

1.   Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 1 November 2025. They shall immediately inform the Commission thereof.

When Member States adopt those measures, they shall contain a reference to this Directive or shall be accompanied by such a reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States.

2.   Member States shall communicate to the Commission the text of the main measures of national law which they adopt in the field covered by this Directive.

Article 3

This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Article 4

This Directive is addressed to the Member States in accordance with the Treaties.

Done at Strasbourg, 4 October 2023.

For the European Parliament

The President

R. METSOLA

For the Council

The President

J. M. ALBARES BUENO

(1)  Position of the European Parliament of 12 July 2023 (not yet published in the Official Journal) and decision of the Council of 18 September 2023.

(2)  Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).

(3)  Council Decision 2005/671/JHA of 20 September 2005 on the exchange of information and cooperation concerning terrorist offences (OJ L 253, 29.9.2005, p. 22).

(4)  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).

(5)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

ELI: http://data.europa.eu/eli/dir/2023/2123/oj

ISSN 1977-0677 (electronic edition)

Top