Explanatory Memorandum to COM(2005)475 - Protection of personal data processed in the framework of police and judicial co-operation in criminal matters - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2005)475 - Protection of personal data processed in the framework of police and judicial co-operation in criminal matters. |
---|---|
source | COM(2005)475 |
date | 04-10-2005 |
- Grounds for and objectives of the proposal
On 4 November 2004, the European Council adopted The Hague Programme on strengthening freedom, security and justice in the European Union.[1] In this programme the Commission is invited to submit proposals by the end of 2005 at the latest for the implementation of the principle of availability in order to improve the cross-border exchange of law-enforcement information between the Member States. The Hague Programme stresses that key conditions in the area of data protection should be strictly observed in these proposals.
In June 2005, the Council and the Commission adopted the Action Plan implementing the Hague Programme.[2] It was based on the Communication from the Commission to the Council and the European Parliament - The Hague Programme: Ten priorities for the next five years. The Partnership for European renewal in the field of Freedom, Security and Justice.[3] According to the Action Plan the Commission shall submit proposals in 2005 on i the establishment of a principle of availability of law enforcement relevant information and i on adequate safeguards and effective legal remedies for the transfer of personal data for the purpose of police and judicial cooperation in criminal matters. On 13 July 2005, the Council (Justice and Home Affairs) in its Declaration on the EU response to the London bombings[4] called on the Commission to present these proposals by October 2005.
This Framework Decision shall ensure the protection of personal data processed in the framework of police and judicial co-operation in criminal matters between the Member States of the European Union (TEU, Title VI). It aims at improving this cooperation, in particular regarding preventing and combating terrorism, and with the strict observance of key conditions in the area of data protection. It shall ensure that fundamental rights, with special attention to the right to privacy and to the protection of personal data, will be respected throughout the European Union, in particular, in view of the implementation of the principle of availability. It shall also ensure that the exchange of relevant information between the Member States will not be hampered by different levels of data protection in the Member States.
- General context
Further to the initiative of Italy i the protection of personal data in the third pillar was already discussed in 1998. At that time, the Justice and Home Affairs Council adopted the so-called Vienna Action Plan.[6] It stipulated that - with regard to horizontal problems in the context of police and judicial cooperation in criminal matters - the possibilities for harmonised rules on data protection should be examined within two years from the entry into force of the Treaty. However, in 2001 a draft resolution on the personal data protection rules in instruments under the third pillar of the European Union failed to be adopted.[7] In June 2003 the Greek Presidency proposed a set of general principles on the protection of personal data in the third pillar i that were inspired by the Data Protection Directive 95/46/EC and the Charter of Fundamental Rights of the European Union. In 2005, the Data Protection Authorities of the Member States of the European Union and the European Data Protection Supervisor (hereafter: EDPS) expressed strong support for a new legal instrument for the protection of personal data in the third pillar i. The European Parliament recommended harmonising existing rules on the protection of personal data in the instruments of the third pillar, bringing them together in a single instrument that guarantees the same level of data protection as provided for under the first pillar i.
According to The Hague Programme, the introduction of the principle of availability is dependent on key conditions in the area of data protection. Obviously, the European Council acknowledged that data protection provisions presently existing at European level would not be sufficient in view of the implementation of the principle of availability, which might include modalities such as reciprocal access to or interoperability of national databases or direct (on-line) access.
Concerns about a sufficient level of data protection were also reflected in a cooperation agreement signed by seven Member States on 27 May 2005 in Prüm (Germany, Austria, Belgium, the Netherlands, Luxembourg, France, and Spain) and which they recommend as a model for the exchange of information between the Member States of the Union in general. The agreement provides, subject to specific conditions, for direct automated access for the law enforcement authorities of one Contracting Party to personal data held by another Contracting Party. But this form of cooperation shall not apply until the data protection provisions of the agreement have been transposed into the national law of the Parties.
- Existing provisions in the area of the proposal
The Charter of Fundamental Rights of the European Union i explicitly recognises the right to privacy (Article 7) and the right to the protection of personal data (Article 8). Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.
The Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data i contains fundamental rules on the lawfulness of the processing of personal data as well as on the rights of the data subject. It includes provisions concerning judicial remedies, liability and sanctions, the transfer of personal data to third countries, codes of conduct, specific supervisory authorities and a working party and finally community implementing rules. However, the Directive does not apply to activities that fall outside the scope of Community law such as those provided for by Title VI of the Treaty on European Union (TEU). Accordingly Member States are allowed to decide themselves on appropriate standards for data processing and protection. In the context of Title VI TEU the protection of personal data is set out in different specific instruments. In particular, in instruments that establish common information systems at European level, such as: the Convention implementing the Schengen Agreement of 1990 including specific data protection provisions applicable to the Schengen Information System;[13] the Europol Convention of 1995 i and, inter alia, the Rules governing the transmission of personal data by Europol to third States and third bodies;[15] the Decision setting up Eurojust of 2002 i and the Rules of procedure on the processing and protection of personal data at Eurojust;[17] the Convention on the use of information technology for customs purposes of 1995, including personal data protection provisions applicable to the Customs Information System;[18] and the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union of 2000, in particular Article 23.[19] With regard to the Schengen Information System particular attention has to be paid to the establishment, operation and use of the second generation Schengen information system (SIS II), for which the Commission already submitted proposals for a Council Decision i and for two Regulations.[21]
Furthermore, attention has to be paid to Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms and to the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981, to its Additional Protocol of 2001 regarding supervisory authorities and transborder data flows and to the Recommendation No. R (87) 15 of 1987 regulating the use of personal data in the police sector. All Member States are parties to the Convention but not all are parties to the Additional Protocol.
- Consistency with the other policies and objectives of the Union
The specificities of data processing and data protection in the framework of Title VI of the Treaty on European Union have to be recognised. On the one hand, they should not hamper consistency with the general policy of the Union in the area of privacy and data protection on the basis of the EU Charter for Fundamental Rights and of Directive 95/46/EC. The fundamental principles of data protection apply to data processing in the first and in the third pillar. Moreover, consistency must be ensured with other instruments providing for specific obligations related to information that is likely to be relevant for the purpose of preventing and combating crime. Attention has to be paid to the development regarding the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism. Particular reference has to be made to the close relation between the proposed Framework Decision and the Commission’s Proposal for a Directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC.[22]
- Consultation of interested parties
Consultation methods, main sectors targeted and general profile of respondents
On 22 November 2004 and on 21 June 2005, the Commission invited and consulted experts of the Governments of the Member States, Iceland, Norway and Switzerland, and on 11 January 2005 experts of the Data Protection Authorities of these States. The EDPS, Europol, Eurojust, and the Secretariat of the Joint Supervisory Bodies were also represented. The main purpose of the consultations was to find out the need for a legal instrument on the processing and protection of personal data in the third pillar and, if so, what the main content of such an instrument should be. The Commission asked the consulted parties, inter alia, on the basis of a questionnaire and a discussion paper, about their position concerning the general approach of a new legal instrument and its relation to existing instruments, the legal basis, the possible scope, the principles relating to data quality, the criteria for making data processing by police or judicial authorities legitimate, personal data of non-suspects, the requirements for the transmission of personal data to competent authorities in other Member States and in third countries, the rights of the data subject, supervisory authorities and a possible advisory body for data protection in the third pillar.
The Working Party set up according to Article 29 of Directive 95/46/EC was regularly informed about the ongoing developments. On 12 April and 21 June 2005, the Commission attended meetings of the Police Working Party of the Conference of the European Data Protection Authorities. On 31 January 2005, the Commission participated in a "Public Seminar: Data protection and citizens' security: what principles for the European Union?” held by the Committee on Civil Liberties, Justice and Home Affairs. The Commission took into account the results of the Spring Conference of the European Data Protection Authorities, Krakow, 25-26 April 2005, and the position of the European Parliament as set out, inter alia, in the European Parliament recommendation to the European Council and the Council on the exchange of information and cooperation concerning terrorist offences (2005/2046(INI)), adopted on 7 June 2005.2
Both the European Parliament and the Data Protection Authorities in the European Union strongly support a legal instrument on the protection of personal data in the third pillar. Representatives of the Governments of the Member States and of Iceland, Norway and Switzerland, and of Europol and Eurojust did not express a common position in that regard. However, the Commission could conclude that there was no principal opposition to the idea of such an instrument. There seemed to be agreement that the implementation of the principle of availability has to be accompanied by appropriate counterbalancing rules in the area of data protection. Some Member States stated that the way information is exchanged in the future should be defined first and that rules for the protection of personal data should be laid down subsequently. Some preferred a set of specific provisions to be included in the act on the principle of availability.
Having weighed up the different positions the Commission takes the position that the implementation of the principle of availability will further develop and fundamentally change the quality and intensity of the exchange of information between the Member States. Such development will greatly affect personal data and the right to data protection. It needs to be appropriately counterbalanced. Recent initiatives aiming at direct automated access, at least, on a hit/no hit basis are likely to increase the risk of exchanging illegitimate, inaccurate or non up-dated data and have to be taken into account. These initiatives imply that the data controller will no longer be able to verify in each individual case the legitimacy of a transmission and the accuracy of the data concerned. Consequently, this has to be accompanied by strict obligations to constantly ensure and verify the quality of data to which direct automated access is granted.
With special attention being paid to the impact of the implementation of the principle of availability, provisions just addressing individual aspects of data protection are not sufficient. A legal instrument on the protection of personal data in the third pillar can, in principle, contribute to fostering police and judicial cooperation in criminal matters with regard to its efficiency as well as its legitimacy and compliance with fundamental rights, in particular the right to protection of personal data.
In particular with a view to the implementation of the principle of availability such an instrument is particularly necessary and must be developed hand in hand with the implementation of this principle. The Framework Decision should follow the spirit and structure of Directive 95/46/EC as far as possible while taking into account the specific needs of police and judicial cooperation in criminal matters and in the light of the principle of proportionality. The Recommendation Nr R(87)15 regulating the use of personal data in the police sector of the Council of Europe of 1987 has been taken into account in order to transpose its main principles into legally binding provisions at EU level. Clear rules should be established for the protection of personal data that shall be or have been made available to competent authorities of other Member States. This implies a system ensuring the quality of processing of the data concerned. Such a system must include provisions laying down appropriate rights of the data subject and powers of the supervisory authorities as exercising those rights and powers is likely to contribute to the quality of the data concerned.
- Impact assessment
The following options were considered: applicability of Directive 95/46/EC; no or later proposal for provisions on the protection of personal data in the third pillar; limited set of specific provisions in a legal act concerning the exchange of information under the principle of availability; Framework Decision on the protection of personal data in the third pillar. With regard to the latter it has been examined if such an instrument should also apply to the exchange of information through information systems and by bodies established at EU level.
The fundamental and comprehensive provisions of Directive 95/46/EC are not applicable in the third pillar as set out in its Article 3 i. Even the deletion of this article could not automatically result in the applicability of the Directive on police and judicial cooperation in criminal matters. Firstly, the specificities of this cooperation are not fully taken into account in the Directive and would require some more precision. Secondly, the requirements for legislation, falling within the ambit of Title VI of the Treaty of the European Union, which aims at fostering police and judicial cooperation in criminal matters, have to be respected The option of no or a later proposal for provisions on the processing and protection of personal data in the third pillar has to be excluded. This option is likely to imply that new forms of exchange of information are introduced with the implementation of the principle of availability without ensuring strict observance of key conditions in the area of data protection. A limited set of specific provisions in a legal act concerning the exchange of information under the principle of availability is not sufficient given the probable impact of the latter. A Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters is the only fully satisfying option. This option is unlikely to generate considerable, if any, administrative costs for the Member States.
The Commission carried out an impact assessment; which is listed in the Work Programme and the impact assessment report is available on europa.eu.int/comm/dgs/justice_home/evaluation
3)
Contents
- Summary of the proposed action
The proposed Framework Decision includes general rules on the lawfulness of processing of personal data, provisions concerning specific forms of processing (transmission and making available of personal data to the competent authorities of other Member States, further processing, in particular further transmission, of data received from or made available by the competent authorities of other Member States), rights of the data subject, confidentiality and security of processing, judicial remedies, liability, sanctions, supervisory authorities and a working party on the protection of individuals with regard to the processing of personal data for the purpose of the prevention, investigation, detection and prosecution of criminal offences. Particular attention must be paid to the principle that personal data are only transferred to those third countries and international bodies that ensure an adequate level of protection. The Framework Decision provides for a mechanism aiming at EU wide compliance with this principle.
- Legal basis
This Framework Decision shall be based on Articles 30, 31 and 34 i (b) of the Treaty on European Union. In particular in the light of the implementation of the principle of availability, appropriate provisions regarding the processing and protection of personal data, including common standards for the transmission of personal data to third countries and international bodies, are essential to improve police and judicial cooperation in criminal matters, in particular for the fight against terrorism and serious crimes. Moreover, Member States will only fully trust each other if there are clear and common rules for the possible further transmission of exchanged data to other parties, in particular to third countries. The proposed provisions will ensure that the exchange of information between the competent authorities is not prejudiced by different levels of data protection in the Member States.
- Subsidiarity and proportionality principle
This Framework Decision addresses situations that are particularly relevant for police and judicial cooperation in criminal matters between the Member States, in particular for the exchange of information in order to ensure and promote efficient and lawful measures to prevent and combat crime, in particular serious crime and terrorism, in all Member States. National, bilateral or multilateral solutions might be helpful for individual Member States but would disregard the necessity of ensuring internal security for the whole Union. The information need of law enforcement authorities is largely determined by the level of integration between countries. The exchange of information for law-enforcement purposes between Member States is estimated to increase and therefore needs to be complemented by consistent rules on data processing and data protection. This Framework Decision respects the principle of subsidiarity provided for by Article 2 of the Treaty on European Union and Article 5 of the Treaty establishing the European Community insofar as it aims to approximate the laws and regulations of the Member States, which cannot be done adequately by the Member States acting unilaterally and requires concerted action within the European Union. In accordance with the principle of proportionality, as set out in the latter Article, this Decision does not go beyond what is necessary in order to achieve that objective. In particular, this decision only refers to the processing of personal data as far as relevant for police and judicial co-operation in criminal matters.
- Choice of instruments
Proposed instrument: framework decision. This legal instrument aims at the approximation of the laws and regulations of the Member States regarding the protection of personal data processed for the purpose of preventing and combating crime.
4)
The implementation of the proposed Framework Decision would entail only low additional administrative expenditure, to be charged to the budget of the European Communities, for meetings of and the secretarial services for the committee and the advisory body to be established according to Articles 16 and 31.