Legal provisions of COM(2021)756 - Collaboration platform to support the functioning of Joint Investigation Teams

Please note

This page contains a limited version of this dossier in the EU Monitor.



Contents

CHAPTER I - General provisions

Article 1 - Subject matter

This Regulation:

(a)establishes an IT platform (the ‘JITs collaboration platform’), to be used on a voluntary basis, to facilitate the cooperation of competent authorities participating in Joint Investigation Teams (‘JITs’) set up on the basis of Article 13 of the Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union or on Framework Decision 2002/465/JHA;

(b)lays down rules on the division of responsibilities between the JITs collaboration platform users and the agency responsible for the development and maintenance of the JITs collaboration platform;

(c)sets out conditions, under which the JITs collaboration platform users may be granted access to the JITs collaboration platform;

(d)lays down specific data protection provisions needed to supplement the existing data protection arrangements and to provide for an adequate overall level of data protection, data security and protection of the fundamental rights of the persons concerned.

Article 2 - Scope

1. This Regulation applies to the processing of information, including personal data, within the context of a JIT. That includes the exchange and storage of operational information and evidence as well as non-operational information. This Regulation applies to the operational and post-operational phases of a JIT, starting from the moment the relevant JIT agreement is signed by its members.

2. This Regulation does not amend or otherwise affect the existing legal provisions on the establishment, conduct or evaluation of JITs.

Article 3 - Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘centralised information system’ means a central IT system where storing and processing of JITs related data takes place;

(2) ‘communication software’ means software that facilitates remote access to systems and the exchange of files and messages in text, audio or video formats between JITs collaboration platform users;

(3) ‘competent authorities’ means the authorities competent to set up a JIT as referred to in Article 1 of Framework Decision 2002/465/JHA and Article 13 of the Convention established by the Council in accordance with Article 34 of the Treaty on European Union on Mutual Assistance in Criminal Matters between the Member States of the European Union, the European Public Prosecutor’s Office when acting pursuant to its competences as provided for by Articles 22, 23 and 25 of Council Regulation (EU) 2017/1939, as well as the competent authorities of a third country where they are party of a JIT agreement on the basis of an additional legal basis;

(4) ‘JIT members’ means representatives of the competent authorities referred to in point 3 of this Article;

(5) ‘JITs collaboration platform users’ means JIT members, Eurojust, Europol, OLAF and other competent Union bodies, offices and agencies;

(6) ‘JIT collaboration space’ means an individual isolated space for each JIT hosted on the JITs collaboration platform;

(7) ‘JIT space administrator” means a representative of the competent authorities of the Member State in charge of the JIT collaboration space;

(8) ‘operational data’ means information and evidence processed by the JITs collaboration platform during the operational phase of a JIT to support cross-border investigations and prosecutions;

(9) ‘non-operational data’ means administrative data processed by the JITs collaboration platform, notably to facilitate the management of the JIT and daily cooperation between JITs collaboration platform users.

Article 4 - Technical architecture of the JITs collaboration platform

The JITs collaboration platform shall be composed of the following:

(a)a centralised information system, which allows for temporary central data storage;

(b)a communication software, which allows for local storage of communication data;

(c)a connection between the centralised information system and relevant IT tools, supporting the functioning of JITs and managed by the JIT Secretariat.

Article 5 - Purpose of the JITs collaboration platform

1. The purpose of the JITs collaboration platform shall be to facilitate:

(a)the daily coordination and management of a JIT, through a set of functionalities supporting the administrative and financial processes within the JIT;

(b)the exchange and temporary storage of operational information and evidence, including large files, through an upload and download functionality;

(c)secure communications through a functionality covering instant messaging, chats, audio and video-conferencing;

(d)evidence traceability through a business logging mechanism allowing to keep track of all evidence exchanged through the JITs collaboration platform;

(e)the evaluation of a JIT through a dedicated collaborative evaluation process.

2. The centralised information system shall be hosted by eu-LISA at its technical sites.

CHAPTER II - Development and operational management

Article 6 - Adoption of implementing acts by the Commission

The Commission shall adopt the implementing acts necessary for the technical development of the JITs collaboration platform as soon as possible, and in particular acts concerning:

(a)the list of functionalities required for the daily coordination and management of a JIT;

(b)the list of functionalities required for secure communications;

(c)business specifications of the connection referred to in Article 4, point (c); 

(d)security in accordance with Article 15;

(e)technical logs in accordance with Article 21;

(f)technical statistics in accordance with Article 22;

(g)performance and availability requirements of the JITs collaboration platform.

The implementing acts referred to in the first subparagraph of this Article shall be adopted in accordance with the examination procedure referred to in Article 25.

Article 7 - Responsibilities of eu-LISA

1. The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (‘eu-LISA’) shall establish the design of the physical architecture of the JITs collaboration platform including its technical specifications and evolution. That design shall be approved by its Management Board, subject to a favourable opinion of the Commission.

2. eu-LISA shall be responsible for the development of the JITs collaboration platform in accordance with the principle of data protection by design and by default. The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.

3. eu-LISA shall make the communication software available to the JITs collaboration platform users.

4. eu-LISA shall develop and implement the JITs collaboration platform as soon as possible after the entry into force of this Regulation and following the adoption by the Commission of the implementing acts pursuant to Article 6.

5. eu-LISA shall ensure that the JITs collaboration platform is operated in accordance with this Regulation, with the implementing act referred to in Article 6, as well as in accordance with Regulation (EU) 2018/1725.

6. eu-LISA shall be responsible for the operational management of the JITs collaboration platform. The operational management of the JITs collaboration platform shall consist of all the tasks necessary to keep the JITs collaboration platform operational in accordance with this Regulation, and in particular the maintenance work and technical developments necessary to ensure that the JITs collaboration platform functions at a satisfactory level in accordance with the technical specifications.

7. eu-LISA shall ensure  the provision of training on the practical use of the JITs collaboration platform.

8. eu-LISA shall not have access to the JIT collaboration spaces.

9. Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 28 , eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its entire staff required to work with data registered in the centralised information system. That obligation shall also apply after such staff leave office or employment or after the termination of their activities.

Article 8 - Responsibilities of the Member States

Each Member State shall make the technical arrangements necessary for access of its competent authorities to the JITs collaboration platform in accordance with this Regulation.

Article 9 - Responsibilities of competent Union bodies, offices and agencies

1. Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices and agencies shall make the necessary technical arrangements to enable them to access the JITs collaboration platform.

2. Eurojust shall be responsible for the necessary technical adaptation of its systems, required to establish the connection referred to in Article 4, point (c).

Article 10 - Programme Management Board

1. Prior to the design and development phase of the JITs collaboration platform, the Management Board of eu-LISA shall establish a Programme Management Board.

2. The Programme Management Board shall be composed of ten members as follows:

(a)eight members appointed by the Management Board; 

(b)the Chair of the Advisory Group referred to in Article 11; 

(c)one member appointed by the Commission.

3. The Management Board of eu-LISA shall ensure that the members it appoints to the Programme Management Board have the necessary experience and expertise in the development and management of IT systems supporting judicial authorities.

4. eu-LISA shall participate in the work of the Programme Management Board. To that end, representatives of eu-LISA shall attend the meetings of the Programme Management Board in order to report on work regarding the design and development of the JITs collaboration platform and on any other related work and activities.

5. The Programme Management Board shall meet at least once every three months, and more often as necessary. It shall ensure the adequate management of the design and development phase of the JITs collaboration platform. The Programme Management Board shall submit written reports regularly to the Management Board of eu-LISA, and where possible every month, on the progress of the project. The Programme Management Board shall have no decision-making power nor any mandate to represent the members of the eu-LISA Management Board.

6. The Programme Management Board shall establish its rules of procedure which shall include in particular rules on chairmanship, meeting venues, preparation of meetings, admission of experts to the meetings, communication plans ensuring that non-participating Members of the eu-LISA Management Board are kept fully informed.

7. The chairmanship of the Programme Management Board shall be held by a Member State.

8. The Programme Management Board's secretariat shall be ensured by eu-LISA.

Article 11 - Advisory Group

1. eu-LISA shall establish an Advisory Group in order to obtain expertise related to the JITs collaboration platform, in particular in the context of preparation of its annual work programme and its annual activity report.

2. During the design and development phase of the JITs collaboration platform, the Advisory Group shall be composed of the representatives of the Member States, the Commission and the JIT Secretariat. It shall be chaired by eu-LISA. It shall: 

(a)meet regularly, where possible at least once a month, until the start of operations of the JITs collaboration platform; 

(b)report after each meeting to the Programme Management Board; 

(c)provide the technical expertise to support the tasks of the Programme Management Board.

CHAPTER III - Access to the JITs collaboration platform

Article 12 - Access to the JIT collaboration spaces by Member States’ competent authorities

1. Following the signature of a JIT agreement, a JIT collaboration space shall be created within the JITs collaboration platform for each JIT.

2. The JIT collaboration space shall be opened by the JIT space administrator or administrators, with the technical support of eu-LISA.

3. The JIT space administrator or administrators shall establish the access rights of the JITs collaboration platform users to the JIT collaboration space, on the basis of the JIT agreement.

Article 13 - Access to the JIT collaboration spaces by competent Union bodies, offices and agencies

1. The JIT space administrator or administrators may decide to grant Eurojust, including the JIT Secretariat, access to a JIT collaboration space for the purpose of fulfilling its tasks set out in Regulation (EU) 2018/1727 of the European Parliament and of the Council 29 . In particular, the JIT space administrator or administrators may decide to grant the JIT Secretariat access to a JIT collaboration space for the purpose of technical and administrative support, including access rights management.

2. The JIT space administrator or administrators may decide to grant Europol access to a JIT collaboration space for the purpose of fulfilling its tasks set out in Regulation (EU) 2016/794 of the European Parliament and of the Council 30 .

3. The JIT space administrator or administrators may decide to grant OLAF access to a JIT collaboration space for the purpose of fulfilling its tasks set out in Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council 31 .

4. The JIT space administrator or administrators may decide to grant the European Public Prosecutor’s Office access to a JIT collaboration space for the purpose of fulfilling its tasks set out in Council Regulation (EU) 2017/1939.

5. The JIT space administrator or administrators may decide to grant other competent Union bodies, offices and agencies access to a JIT collaboration space for the purpose of fulfilling tasks set out in their basic acts.

Article 14 - Access to the JIT collaboration spaces by third countries’ competent authorities

1. For the purposes listed in Article 5, the JIT space administrator or administrators may decide to grant access to a JIT collaboration space to the competent authorities of third countries which have signed a particular JITs agreement. 

2. The JIT space administrator or administrators shall ensure that the exchanges of operational data with the competent authorities of third countries that have been granted access to a JIT collaboration space are limited to what is required for the purposes of the JIT agreement and subject to the conditions laid therein.

3. Member States shall ensure that their transfers of personal data to third countries that have been granted access to a JIT collaboration space only take place where the conditions laid down in Chapter V of Directive 2016/680 are met.

CHAPTER IV - Security and liability

Article 15 - Security

1. eu-LISA shall take the necessary technical and organisational measures to ensure a high level of cyber security of the JITs collaboration platform and the information security of data within the JITs collaboration platform, in particular in order to ensure the confidentiality and integrity of operational and non-operational data stored in the centralised information system.

2. eu-LISA shall prevent unauthorised access to the JITs collaboration platform and shall ensure that persons authorised to access the JITs collaboration platform have access only to the data covered by their access authorisation.

3. For the purposes of paragraphs 1 and 2, eu-LISA shall adopt a security plan, a business continuity and disaster recovery plan, to ensure that the centralised information system may, in case of interruption, be restored.

4. eu-LISA shall monitor the effectiveness of the security measures referred to in this Article and shall take the necessary organisational measures related to self-monitoring and supervision to ensure compliance with this Regulation.

Article 16 - Liability

1. Where a Member State, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF or any other competent Union body, office or agency, as a consequence of a failure on their part to comply with their obligations under this Regulation, cause damage to the JITs collaboration platform, that Member State, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF or other competent Union body, office or agency respectively, shall be held liable for such damage, insofar as eu-LISA fails to take reasonable measures to prevent the damage from occurring or to minimise its impact.

2. Claims for compensation against a Member State for the damage referred to in paragraph 1 shall be governed by the law of the defendant Member State. Claims for compensation against Eurojust, Europol, the European Public Prosecutor’s Office, OLAF or any other competent Union body, office or agency for the damage referred to in paragraph 1 shall be governed by their respective founding acts.

CHAPTER V - Data protection

Article 17 - Retention period for storage of operational data

1. Operational data pertaining to each JIT collaboration space shall be stored in the centralised information system for as long as needed for all concerned JITs collaboration platform users to complete the process of its downloading. The retention period shall not exceed four weeks.

2. Upon expiry of the retention period referred to in paragraph 1, the data record shall be automatically erased from the centralised system.

Article 18 - Retention period for storage of non-operational data

1. Where an evaluation of the JIT is envisaged, non-operational data pertaining to each JIT collaboration space shall be stored in the centralised information system until the JIT evaluation has been completed. The retention period shall not exceed five years.

2. Upon expiry of the retention period referred to in paragraph 1, the data record shall be automatically erased from the centralised system.

Article 19 - Data controller and data processor

1. Each competent national authority of a Member State, and where appropriate, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF or any other competent Union body, office or agency shall be considered to be data controllers in accordance with applicable Union data protection rules for the processing of personal data under this Regulation.

2. With regard to data uploaded to the JITs collaboration platform by the competent authorities of third countries, one of the JIT space administrators is to be considered data controller as regards the personal data exchanged through, and stored in the JITs collaboration platform.

3. eu-LISA shall be considered to be data processor in accordance with Regulation (EU) 2018/1725 as regards the personal data exchanged through, and stored in the JITs collaboration platform.

4. The JITs collaboration platform users shall be jointly responsible for managing non-operational data in the JITs collaboration platform.

Article 20 - Purpose of the processing of personal data

1. The data entered into the JITs collaboration platform shall only be processed for the purposes of:

(a)the exchange of operational information and evidence between the JITs collaboration platform users;

(b)the exchange of non-operational data between the JITs collaboration platform users, for the purposes of managing the JIT.

2. Access to the JITs collaboration platform shall be limited to duly authorised staff of the competent Member States’ and third country authorities, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices or agencies, to the extent needed for the performance of their tasks in accordance with the purposes referred to in paragraph 1, and to what is necessary and proportionate to the objectives pursued.

Article 21 - Technical logs 

1. eu-LISA shall ensure that a log is kept of all access to the centralised information system and all data processing operations in the centralised information system, in accordance with paragraph 2.

2. The logs shall show: 

(a)the date, time zone and exact time of accessing the centralised information system; 

(b)the identifying mark of JIT’s collaboration platform user who accessed the centralised information system;

(c)the date, time zone and access time of the operation carried out by the JIT’s collaboration platform user;

(d)the operation carried out by the JIT’s collaboration platform user.

3. The logs shall be protected by appropriate technical measures against unauthorised access and shall be kept for three years or for such longer period as required for the termination of ongoing monitoring procedures.

4. On request, eu-LISA shall make the logs available to the competent authorities of the Member States without undue delay.

5. Within the limits of their competences and for the purpose of fulfilling their duties, the national supervisory authorities responsible for monitoring the lawfulness of data processing shall have access to logs upon request.

6. Within the limits of its competences and for the purpose of fulfilling its supervisory duties in accordance with Regulation (EU) 2018/1725, the European Data Protection Supervisor shall have access to logs upon request.

CHAPTER VI - Final provisions

Article 22 - Monitoring and evaluation

1. eu-LISA shall establish procedures to monitor the development of the JITs collaboration platform as regards the objectives relating to planning and costs and to monitor the functioning of the JITs collaboration platform as regards the objectives relating to the technical output, cost-effectiveness, security and quality of service.

2. The procedures referred to in paragraph 1 shall provide for the possibility to produce regular technical statistics for monitoring purposes.

3. In the event of substantial delays in the development process, eu-LISA shall inform the European Parliament and the Council as soon as possible of the reasons for the delays and of their impact in terms of timeframes and finances.

4. Once the development of the JITs collaboration platform is finalised, eu-LISA shall submit a report to the European Parliament and to the Council explaining how the objectives, in particular relating to planning and costs, were achieved and justifying any divergences.

5. In the event of a technical upgrade of the JITs collaboration platform, which could result in substantial costs, eu-LISA shall inform the European Parliament and the Council before making the upgrade.

6. Two years after the start of operations of the JITs collaboration platform and every year thereafter, eu-LISA shall submit to the Commission a report on the technical functioning of the JITs cooperation platform, including its security.

7. Four years after the start of operations of the JITs collaboration platform and every four years thereafter, the Commission shall conduct an overall evaluation of the JITs collaboration platform. The Commission shall transmit the overall evaluation report to the European Parliament and the Council.

8. The Member States’ competent authorities, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices and agencies shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 4 and 7. That information shall not jeopardise working methods or include information that reveals sources, names of staff members or investigations.

9. eu-LISA shall provide the Commission with the information necessary to produce the overall evaluation referred to in paragraph 7.

Article 23 - Costs

The costs incurred in connection with the establishment and operation of the JITs collaboration platform shall be borne by the general budget of the Union.

Article 24 - Start of operations

1. The Commission shall determine the date of the start of operations of the JITs collaboration platform, once it is satisfied that the following conditions are met: 

(a)the relevant implementing acts referred to in Article 6 have been adopted;

(b)eu-LISA has carried out a comprehensive test of the JITs collaboration platform, in cooperation with the Member States, using anonymous test data.

2. Where the Commission has determined the date of start of operations in accordance with paragraph 1, it shall communicate that date to the Member States, Eurojust, Europol, the European Public Prosecutor’s Office and OLAF. 

3. The decision of the Commission determining the date of the start of operations of the JITs collaboration platform, as referred to in paragraph 1, shall be published in the Official Journal of the European Union.

4. The JITs collaboration platform users shall start using the JITs collaboration platform from the date determined by the Commission in accordance with paragraph 1.

Article 25 - Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this Article, Article 5 of Regulation (EU) No 182/2011 shall apply.

3. Where the committee delivers no opinion, the Commission shall not adopt the draft-implementing act and the third subparagraph of Article 5(4) of Regulation (EU) No 182/2011 shall apply.

Article 26 - Amendments to Regulation (EU) 2018/1726

Regulation (EU) 2018/1726 is amended as follows:

(1) in Article 1, the following paragraph 4a is inserted:

“4a. The Agency shall be responsible for the development and operational management, including technical evolutions, of the Joint Investigation Teams (‘JITs’) collaboration platform”;

(2) the following Article 8b is inserted:

“Article 8b

Tasks related to the JITs collaboration platform

In relation to the JITs collaboration platform, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) No XXX/20XX of the European Parliament and of the Council*;

(b) tasks relating to training on the technical use of the JITs collaboration platform, including provision of online training materials.

__________

* Regulation (EU) No XXX/20XX of the European Parliament and of the Council establishing a centralised collaboration platform to support the functioning of Joint Investigation Teams and amending Regulation (EU) 2018/1726 (OJ L …).”;

(3) in Article 14, paragraph 1 is replaced by the following:

“1.The Agency shall monitor developments in research relevant for the operational management of SIS II, VIS, Eurodac, the EES, ETIAS, DubliNet, ECRIS-TCN, e-CODEX, the JITs collaboration platform and other large-scale IT systems as referred to in Article 1(5).”;

(4) in Article 19(1), point (ff) is replaced by the following:

“(ff) adopt reports on the technical functioning of the following:

(i) SIS pursuant to Article 60(7) of Regulation (EU) 2018/1861 of the European Parliament and of the Council* and Article 74(8) of Regulation (EU) 2018/1862 of the European Parliament and of the Council**;

(ii) VIS pursuant to Article 50(3) of Regulation (EC) No 767/2008 and Article 17(3) of Decision 2008/633/JHA;

(iii) EES pursuant to Article 72(4) of Regulation (EU) 2017/2226;

(iv) ETIAS pursuant to Article 92(4) of Regulation (EU) 2018/1240;

(v) ECRIS-TCN and of the ECRIS reference implementation pursuant to Article 36(8) of Regulation (EU) 2019/816 of the European Parliament and of the Council***;

(vi) the interoperability components pursuant to Article 78(3) of Regulation (EU) 2019/817 and Article 74(3) of Regulation (EU) 2019/818;

(vii) the e‑CODEX system pursuant to Article 14(1) of Regulation (EU) XXX****;

(viii) the JITs collaboration platform pursuant to Article xx of Regulation (EU) XXX***** [this Regulation];

__________

* Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14).

** Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).

*** Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1).

**** Regulation (EU) XXX of … (OJ L …).

***** Regulation (EU) XXX of … (OJ L …).”;

(5) in Article 27(1), the following point (dc) is inserted:

“(dc) the JITs collaboration platform Advisory Group;”.

Article 27 - Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.


This Regulation shall be binding in its entirety and directly applicable in all Member States in accordance with the Treaties.