Explanatory Memorandum to COM(2012)10 - Protection of individuals with regard to the processing of personal data for criminal justice purposes, and the free movement of such data

Please note

This page contains a limited version of this dossier in the EU Monitor.

1. CONTEXT OF THE PROPOSAL

This explanatory memorandum further details the approach for the new legal framework for the protection of personal data in the EU as presented in Communication COM (2012) 9 final. The legal framework consists of two legislative proposals:

– a proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), and

– a proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.

This explanatory memorandum concerns the latter legislative proposal.

The centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC i, was adopted in 1995 with two objectives in mind: to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States. It was complemented by several instruments providing specific data protection rules in the area of police and judicial co-operation in criminal matters[2] (ex-third pillar), including Framework Decision 2008/977/JHA[3].

The European Council invited the Commission to evaluate the functioning of EU instruments on data protection and to present, where necessary, further legislative and non-legislative initiatives i. In its resolution on the Stockholm Programme, the European Parliament[5] welcomed a comprehensive data protection scheme in the EU and among others called for the revision of the Framework Decision. The Commission stressed in its Action Plan implementing the Stockholm Programme i the need to ensure that the fundamental right to personal data protection is consistently applied in the context of all EU policies. The Action Plan underlined that “in a global society characterised by rapid technological change where information exchange knows no borders, it is particularly important that privacy must be preserved. The Union must ensure that the fundamental right to data protection is consistently applied. We need to strengthen the EU’s stance in protecting the personal data of the individual in the context of all EU policies, including law enforcement and crime prevention as well as in our international relations.”

In its Communication on “A comprehensive approach on personal data protection in the European Union”[7], the Commission concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection.

Framework Decision 2008/977/JHA has a limited scope of application, since it only applies to cross-border data processing and not to processing activities by the police and judiciary authorities at purely national level. This is liable to create difficulties for police and other competent authorities in the areas of judicial co-operation in criminal matters and police co-operation. They are not always able to easily distinguish between purely domestic and cross-border processing or to foresee whether certain personal data may become the object of a cross-border exchange at a later stage(see Section 2 below). Moreover, because of its nature and content, the Framework Decision leaves a large room for manoeuvre to Member States' national laws in implementing its provisions. Additionally, it does not contain any mechanism or advisory group similar to the Article 29 Working Party supporting common interpretation of its provisions, nor foresees any implementing powers for the Commission to ensure a common approach in its implementation.

Article 16 i of the Treaty on the Functioning of the European Union (TFEU) establishes the principle that everyone has the right to the protection of personal data. Moreover, with Article 16 (2) TFEU, the Lisbon Treaty introduces a specific legal basis for the adoption of rules on the protection of personal data that also applies to judicial co-operation in criminal matters and police co-operation. Article 8 of the Charter of Fundamental Rights of the EU enshrines protection of personal data as a fundamental right. Article 16 TFEU requires the legislator to lay down rules relating to the protection of individuals with regard to the processing of personal data also in the areas of judicial co-operation in criminal matters and police co-operation, covering both cross-border and domestic processing of personal data. This will allow protecting the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data, ensuring at the same time the exchange of personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. This will contribute to facilitating the co-operation in the fight against crime in Europe.

Due to the specific nature of the field of police and judicial co-operation in criminal matters it was acknowledged in Declaration 21[8] that specific rules on the protection of personal data and the free movement of such data in the fields of judicial co-operation in criminal matters and police co-operation based on Article 16 TFEU may prove necessary.

1.

RESULTS OF CONSULTATIONS WITH THE INTERESTED PARTIES AND IMPACT ASSESSMENTS



This initiative is the result of extensive consultations with all major stakeholders on a review of the existing legal framework for the protection of personal data, which included two phases of public consultation:

– From 9 July to 31 December 2009, the Consultation on the legal framework for the fundamental right to the protection of personal data. The Commission received 168 responses, 127 from individuals, business organisations and associations and 12 from public authorities. The non-confidential contributions can be consulted on the Commission’s website[9].

– From 4 November 2010 to 15 January 2011, the Consultation on the Commission's comprehensive approach on personal data protection in the European Union. The Commission received 305 responses, of which 54 from citizens, 31 from public authorities and 220 from private organisations, in particular business associations and non-governmental organisations. The non-confidential contributions can be consulted on the Commission’s website[10].

Whereas those consultations focused largely on the review of Directive 95/46/EC, targeted consultations were conducted with law enforcement stakeholders; in particular, a workshop was organised on 29 June 2010 with Member States' authorities on the application of data protection rules to public authorities, including in the area of police co-operation and judicial co-operation in criminal matters. Furthermore, on 2 February 2011, the Commission convened a workshop with Member States' authorities to discuss the implementation of Framework Decision 2008/977/JHA and, more generally, data protection issues in the area of police co-operation and judicial co-operation in criminal matters.

EU citizens were consulted through a Eurobarometer survey held in November-December 2010[11]. A number of studies were also launched.[12] The “Article 29 Working Party”[13] provided several opinions and useful input to the Commission[14]. The European Data Protection Supervisor also issued a comprehensive opinion on the issues raised in the Commission's November 2010 Communication.[15]

The European Parliament approved by its resolution of 6 July 2011 a report that supported the Commission’s approach to reforming the data protection framework.[16] The Council of the European Union adopted conclusions on 24 February 2011 in which it broadly supports the Commission's intention to reform the data protection framework and agrees with many elements of the Commission's approach. The European Economic and Social Committee likewise supported the Commission's general thrust to ensure a more consistent application of EU data protection rules across all Member States and an appropriate revision of the Directive 95/46/EC.[17]

In line with its “Better Regulation” policy, the Commission conducted an impact assessment of policy alternatives[18]. The impact assessment was based on the three policy objectives of improving the internal market dimension of data protection, making the exercise of data protection rights by individuals more effective and creating a comprehensive and coherent framework covering all areas of Union competence, including police co-operation and judicial co-operation in criminal matters. As regards this latter objective in particular, two policy options were assessed: a first one basically extending the scope of data protection rules in this area and addressing the gaps and other issues raised by the Framework Decision, and a second more far-reaching one with very prescriptive and stringent rules, which would also entail the immediate amendment of all other 'former third pillar' instruments. A third 'minimalistic' option based largely on interpretative Communications and policy support measures, such as funding programmes and technical tools, with minimum legislative intervention, was not considered appropriate to address the issues identified in this area in relation to data protection.

According to the Commission's established methodology, each policy option was assessed, with the help of an inter-service steering group, against its effectiveness to achieve the policy objectives, its economic impact on stakeholders (including on the budget of the EU institutions), its social impact and effect on fundamental rights. Environmental impacts were not observed.

The analysis of the overall impact led to the development of the preferred policy option which is incorporated in the present proposal. According to the assessment, its implementation will lead to further strengthening data protection in this policy area in particular by including domestic data processing, thereby also enhancing legal certainty for competent authorities in the areas of judicial co-operation in criminal matters and police co-operation.

The Impact Assessment Board (IAB) delivered an opinion on the draft impact assessment on 9 September 2011. Following the IAB’s opinion, in particular the following changes were made to the impact assessment:

– The objectives of the current legal framework (to what extent they were achieved and to what extent they were not), as well as the objectives of the envisaged reform, were clarified;

– More evidence and additional explanations/clarifications were added to the problems' definition section.

The Commission also prepared an Implementation Report related to Framework Decision 2008/977/JHA, based on its Article 29(2), which is to be adopted as part of the present data protection package[19]. The findings of the report, based on input from Member States, also fed into the preparation of the Impact Assessment.

3.

3. LEGAL ELEMENTS OF THE PROPOSAL 3.1. Legal Basis


The proposal is based on Article 16(2) TFEU, which is a new, specific legal basis introduced by the Lisbon Treaty for the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.

The proposal aims to ensure a consistent and high level of data protection in this field, thereby enhancing mutual trust between police and judicial authorities of different Member States and facilitating the free flow of data and co-operation between police and judicial authorities.

4.

3.2. Subsidiarity and proportionality


According to the principle of subsidiarity (Article 5(3) TEU), action at Union level shall be taken only if and in so far as the objectives envisaged cannot be achieved sufficiently by Member States, but can rather, by reason of the scale or effects of the proposed action, be better achieved by the Union. In the light of the problems outlined above, the analysis of subsidiarity indicates the necessity of EU-level action in the areas of police and criminal justice on the following grounds:

– The right to the protection of personal data, enshrined in Article 8 of the Charter of Fundamental Rights and in Article 16 i TFEU, requires the same level of data protection throughout the Union. It requires the same level of protection for data exchanged and data processed at domestic level.

– There is a growing need for law enforcement authorities in Member States to process and exchange at rapidly increasing rates for the purposes of preventing and combating transnational crime and terrorism. In this context, clear and consistent rules on data protection at EU level will help fostering co-operation between such authorities.

– In addition, there are practical challenges to enforcing data protection legislation and a need for co-operation between Member States and their authorities, which need to be organised at EU level to ensure unity of application of Union law. In certain situations, the EU is best placed to ensure effectively and consistently the same level of protection for individuals when their personal data are transferred to third countries.

– Member States cannot alone reduce the problems in the current situation, particularly those due to the fragmentation in national legislations. Thus, there is a specific need to establish a harmonised and coherent framework allowing for a smooth transfer of personal data across borders within the EU while ensuring effective protection for all individuals across the EU.

– The proposed EU legislative action is likely to be more effective than similar actions at the level of Member States because of the nature and scale of the problems, which are not confined to the level of one or several Member States.

The principle of proportionality requires that any intervention is targeted and does not go beyond what is necessary to achieve the objectives. This principle has guided the preparation of this proposal, from the identification and evaluation of alternative policy options to the drafting of the legislative proposal.

A Directive is therefore the best instrument to ensure harmonisation at EU level in this area while at the same time leaving the necessary flexibility to Member States when implementing the principles, the rules and their exemptions at national level. Given the complexity of the current national rules for the protection of personal data processed in the area of police co-operation and judicial co-operation in criminal matters, and the objective of comprehensive harmonisation of these rules by way of this Directive, the Commission will need to request Member States to provide explanatory documents explaining the relationship between the components of the Directive and the corresponding parts of national transposition instruments in order to be able to carry out its task of overseeing the transposition of this Directive.

5.

3.3. Summary of fundamental rights issues


The right to protection of personal data is established by Article 8 of the Charter on Fundamental Rights of the EU and Article 16 TFEU as well in Article 8 of the ECHR. As underlined by the Court of Justice of the EU[20], the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society[21]. Data protection is closely linked to respect for private and family life protected by Article 7 of the Charter. This is reflected in Article 1 i of Directive 95/46/EC, which provides that Member States shall protect fundamental rights and freedoms of natural persons and in particular their right to privacy with respect of the processing of personal data.

Other potentially affected fundamental rights enshrined in the Charter are the prohibition of any discrimination amongst others on grounds such as race, ethnic origin, genetic features, religion or belief, political opinion or any other opinion, disability or sexual orientation (Article 21); the rights of the child (Article 24) and the right to an effective remedy before a tribunal and a fair trial (Article 47).

3.4. Detailed explanation of the proposal 3.4.1. CHAPTER I – GENERAL PROVISIONS

Article 1 defines the subject matter of the Directive, i.e. rules relating to processing of personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal offences, and sets out the Directive's two-fold objective, i.e. to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data while guaranteeing a high level of public safety, and to ensure the exchange of personal data between competent authorities within the Union.

Article 2 defines the scope of application of the Directive. The scope of the Directive is not limited to cross-border data processing but applies to all processing activities carried out by competent authorities (as defined in Article 3(14)) for the purposes of the Directive. The Directive applies neither to processing in the course of an activity which falls outside the scope of Union law, nor to processing by Union institutions, bodies, offices and agencies, which is subject to Regulation (EC) No 45/2001 and other specific legislation.

Article 3 contains definitions of terms used in the Directive. While some definitions are taken over from Directive 95/46/EC and Framework Decision 2008/977/JHA, others are modified, complemented with additional or newly introduced elements. New definitions are those of ‘personal data breach’, ‘genetic data’ and ‘biometric data’, ‘competent authorities’ (based on Article 87 TFEU and Article 2(h) of Framework Decision 2008/977/JHA) and, of a 'child’, based on the UN Convention on the Rights of the Child[22].

3.4.2. CHAPTER II – PRINCIPLES

Article 4 sets out the principles relating to processing of personal data reflecting Article 6 of Directive 95/46/EC and Article 3 of Framework Decision 2008/977/JHA, while adjusting them to the particular context of this Directive.

Article 5 requires the distinction, as far as possible; between personal data of different categories of data subjects. This is a new provision, included neither in Directive 95/46/EC nor in Framework Decision 2008/977/JHA, but which had been proposed by the Commission in its original proposal for the Framework Decision[23]. It is inspired by the Council of Europe's Recommendation No R (87)15. Similar rules already exist for Europol[24] and Eurojust[25].

Article 6 on different degrees of accuracy and reliability reflects principle 3.2 of Council of Europe Recommendation No R (87)15. Similar rules, as also included in the Commission's proposal for the Framework Decision, exist for Europol[26].

Article 7 sets out the grounds for lawful processing, when necessary for the performance of a task carried out by a competent authority based on national law, to comply with a legal obligation to which the data controller is subject, in order to protect the vital interests of the data subject or another person or to prevent an immediate and serious threat to public security. The other grounds for lawful processing in Article 7 of Directive 95/46/EC are not appropriate for the processing in the area of police and criminal justice.

Article 8 sets out a general prohibition of processing special categories of personal data and the exceptions from this general rule, building on Article 8 of Directive 95/46/EC and adding genetic data, following ECtHR case law[27].

Article 9 establishes a prohibition of measures based solely on automated processing of personal data if not authorised by law providing appropriate safeguards, in line with Article 7 of Framework Decision 2008/977/JHA.

6.

3.4.3. CHAPTER III - RIGHTS OF THE DATA SUBJECT


Article 10 introduces the obligation for Member States to ensure easily accessible and understandable information, inspired in particular by principle 10 of the Madrid Resolution on international standards on the protection of personal data and privacy[28], and to oblige controllers to provide procedures and mechanisms for facilitating the exercise of the data subject's rights. This includes the requirement that the exercise of the rights shall be in principle free of charge.

Article 11 specifies the obligation for Member States to ensure the information towards the data subject. These obligations are building on Articles 10 and 11 of Directive 95/46/EC, without separate articles differentiating whether the information is collected from the data subject or not, and enlarging the information to be provided. It lays down exemptions from the obligation to inform, when such exemptions are proportionate and necessary in a democratic society for the exercise of the tasks of competent authorities (inspired by Article 13 of Directive 95/46/EC and Article 17 Framework Decision 2008/977/JHA).

Article 12 provides the obligation for Member States to ensure the data subject's right of access to their personal data. It follows Article 12(a) of Directive 95/46/EC, adding new elements for the information of the data subjects (on the storage period, their rights to rectification, erasure, or restriction and to lodge a complaint).

Article 13 provides that Member States may adopt legislative measures restricting the right of access if required by the specific nature of data processing in the areas of police and criminal justice, and on the information of the data subject on a restriction of access, following Article 17(2) and (3) of Framework Decision 2008/977/JHA.

Article 14 introduces the rule that in cases where direct access is restricted, the data subject must be informed on the possibility of indirect access via the supervisory authority, which should exercise the right on their behalf and must inform the data subject on the outcome of its verifications.

Article 15 on the right to rectification follows Article 12(b) of Directive 95/46/EC, and, as regards the obligations in case of a refusal, Article 18 i of Framework Decision 2008/977/JHA.

Article 16 on the right to erasure follows Article 12(b) of Directive 95/46, and, as regards the obligations in case of a refusal, Article 18 i of Framework Decision 2008/977/JHA. It integrates also the right to have the processing marked in certain cases, replacing the ambiguous terminology 'blocking', used by Article 12(b) of Directive 95/46/EC and Article 18 i of Framework Decision 2008/977/JHA.

Article 17 on the rectification, erasure and restriction of processing in judicial proceedings provides clarification based on Article 4 i of Framework Decision 2008/977/JHA.

7.

3.4.4. CHAPTER IV - CONTROLLER AND PROCESSOR 3.4.4.1. SECTION 1 GENERAL OBLIGATIONS


Article 18 describes the responsibility of the controller to comply with this Directive and to ensure compliance, including the adoption of policies and mechanisms for ensuring compliance.

Article 19 sets out that the Member States must ensure the compliance of the controller with the obligations arising from the principles of data protection by design and by default.

Article 20 on joint controllers clarifies the status of joint controllers as regards their internal relationship.

Article 21 clarifies the position and obligation of processors, following partly Article 17(2) of Directive 95/46/EC, and adding new elements, including that a processor that processes data beyond the controller's instructions is to be considered a co-controller.

Article 22 on processing under the authority of the controller and processor follows Article 16 of Directive 95/46/EC.

Article 23 introduces the obligation for controllers and processors to maintain documentation of all processing systems and procedures under their responsibility.

Article 24 concerns the keeping of records, in line with Article 10 i of Framework Decision 2008/977, whilst providing further clarifications.

Article 25 clarifies the obligations of the controller and the processor regarding co-operation with the supervisory authority.

Article 26 concerns the cases where consultation with the supervisory authority is mandatory prior to the processing, based on Article 23 of Framework Decision 2008/977/JHA.

8.

3.4.4.2. SECTION 2 DATA SECURITY


Article 27 on the security of processing is based on the current Article 17 i of Directive 95/46 on the security of processing, and Article 22 of Framework Decision 2008/977/JHA, extending the related obligations to processors, irrespective of their contract with the controller.

Articles 28 and 29 introduce an obligation to notify personal data breaches, inspired by the personal data breach notification in Article 4(3) of the e-Privacy Directive 2002/58/EC, clarifying and separating the obligations to notify the supervisory authority (Article 28) and to communicate, in qualified circumstances, to the data subject (Article 29). Article 29 also provides for exemptions by referring to Article 11 i.

9.

3.4.4.3. SECTION 3 DATA PROTECTION OFFICER


Article 30 introduces an obligation for the controller to appoint a mandatory data protection officer who should fulfil the tasks listed in Article 32. Where several competent authorities are acting under the supervision of a central authority, functioning as controller, at least this central authority should designate such a data protection officer. Article 18(2) of Directive 95/46/EC provided the possibility for Member States to introduce such requirement as a surrogate to the general notification requirement of that Directive.

Article 31 sets out the standing of the data protection officer.

Article 32 provides the tasks of the data protection officer.

10.

3.4.5. CHAPTER V - TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS


Article 33 sets out the general principles for data transfers to third countries or international organisations in the area of police co-operation and judicial co-operation in criminal matters, including onward transfers. It clarifies that transfers to third countries may take place only if the transfer is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties..

Article 34 lays down that transfers to a third country may take place in relation to which the Commission has adopted an adequacy decision under Regulation …./../201X or specifically in the area of police co-operation and judicial co-operation in criminal matters, or, in the absence of such decisions, where appropriate safeguards are in place. As long as adequacy decisions do not exist, the Directive ensures that transfers can continue to take place on the basis of appropriate safeguards and derogations. It furthermore sets out the criteria for the Commission’s assessment of an adequate or not adequate level of protection, and expressly includes the rule of law, judicial redress and independent supervision. The article also provides for the possibility for the Commission to assess the level of protection afforded by a territory or a processing sector within a third country. It introduces that a general adequacy decision adopted, following the procedures under Article 38 of the General Data Protection Regulation, shall be applicable within the scope of this Directive. Alternatively an adequacy decision can be adopted by the Commission exclusively for the purposes of this Directive.

Article 35 defines the appropriate safeguards needed prior to international transfers, in the absence of a Commission adequacy decision. These safeguards may be adduced by a legally binding instrument such as an international agreement. Alternatively, the data controller may on the basis of an assessment of the circumstances surrounding the transfer conclude that they exist.

Article 36 spells out the derogations for data transfer based on Article 26 of Directive 95/46/EC and Article 13 of Framework Decision 2008/977/JHA.

Article 37 obliges Member States to provide that the controller informs the recipient of any processing restrictions and takes all reasonable steps to ensure that these restrictions are met by recipients of the personal data in the third country or international organisation.

Article 38 explicitly provides for international co-operation mechanisms for the protection of personal data between the Commission and the supervisory authorities of third countries, in particular those considered offering an adequate level of protection, taking into account the OECD’s Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy of 12 June 2007.

11.

CHAPTER VI - NATIONAL SUPERVISORY AUTHORITIES


12.

3.4.5.1. SECTION 1 INDEPENDENT STATUS


Article 39 obliges Member States to establish supervisory authorities, following Article 28 i of Directive 95/46/EC and Article 25 Framework Decision 2008/977/JHA, enlarging the mission of these authorities to contribute to the consistent application of the Directive throughout the Union, which may be the supervisory authority established under the General Data Protection Regulation.

Article 40 clarifies the conditions for the independence of supervisory authorities, implementing case law of the Court of Justice of the EU[29], inspired also by Article 44 of Regulation (EC) No 45/2001[30].

Article 41 provides general conditions for the members of the supervisory authority, implementing the relevant case law[31], inspired also by Article 42(2)-(6) of Regulation (EC) 45/2001.

Article 42 sets out rules on the establishment of the supervisory authority, including on conditions for its members, to be provided by the Member States by law.

Article 43 on professional secrecy of the members and staff of the supervisory authority follows Article 28(7) of Directive 95/46/EC and Article 25 i Framework Decision 2008/977/JHA.

13.

3.4.5.2. SECTION 2 DUTIES AND POWERS


Article 44 sets out the competence of the supervisory authorities, based on Article 28 i of Directive 95/46/EC and Article 25 i Framework Decision 2008/977/JHA. Courts, when acting in their judicial authority, are exempted from the monitoring by the supervisory authority, but not from the application of the substantive rules on data protection.

Article 45 provides the obligation of Member States to provide for the duties of the supervisory authority, including hearing and investigating complaints and promoting the awareness of the public on risk, rules, safeguards and rights. A particular duty of the supervisory authorities in the context of this Directive is, where direct access is refused or restricted, to exercise the right of access on behalf of data subjects and to check the lawfulness of the data processing.

Article 46 provides the powers of the supervisory authority, based on Article 28(3) of Directive 95/46/EC, Article 25(2) and (3) of Framework Decision 2008/977/JHA.Article 47 obliges the supervisory authorities to draw up annual activity reports, based on Article 28(5) of Directive 95/46/EC.

3.4.6. CHAPTER VII – CO-OPERATION

Article 48 introduces rules on mandatory mutual assistance whereas Article 28 (6)2 of Directive 95/46/EC provided simply a general obligation to co-operate, without specifying further.

Article 49 provides that the European Data Protection Advisory Board, established by the General Data Protection Regulation, exercises its tasks also in relation to processing activities within the scope of this Directive. In order to provide complementary support, the Commission will seek the advice of representatives of authorities competent for the prevention, investigation, detection and prosecution of criminal penalties of the Member States, as well as representatives of Europol and Eurojust, by means of an expert group on the law-enforcement related aspects of data protection.

14.

3.4.7. CHAPTER VIII - REMEDIES, LIABILITY AND SANCTIONS


Article 50 provides the right of any data subject to lodge a complaint with a supervisory authority, based on Article 28 i of Directive 95/46/EC, and relates to any infringement of the Directive in relation to the complainant. It also specifies the bodies, organisations or associations which may lodge a complaint on behalf of the data subject and also in case of a personal data breach independently of a data subject's complaint.

Article 51 concerns the right to a judicial remedy against a supervisory authority. It builds on the general provision of Article 28(3) of Directive 95/46/EC and provides specifically that the data subject may launch a court action for obliging the supervisory authority to act on a complaint.

Article 52 concerns the right to a judicial remedy against a controller or processor, based on Article 22 of Directive 95/46/EC and Article 20 of Framework Decision 2008/977/JHA.

Article 53 introduces common rules for court proceedings, including the rights of bodies, organisations or associations to represent data subjects before the courts, and the right of supervisory authorities to engage in legal proceedings. The obligation of Member States to ensure rapid court actions is inspired by Article 18 i of the e-Commerce Directive 2000/31/EC[32].

Article 54 obliges Member States to provide for the right to compensation. It builds on Article 23 of Directive 95/46/EC and Article 19 i of Framework Decision 2008/977/JHA, extends this right on damages caused by processors and clarifies the liability of co-controllers and co-processors.

Article 55 obliges Member States to lay down rules on penalties, to sanction infringements of the Directive, and to ensure their implementation.

3.4.8. CHAPTER IX – DELEGATED ACTS AND IMPLEMENTING ACTS

Article 56 contains standard provisions for the exercise of delegations in line with Article 290 TFEU. This allows the legislator to delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of a legislative act (quasi-legislative acts).

Article 57 contains the provision for the Committee procedure needed for conferring implementing powers on the Commission in cases where, in accordance with Article 291 TFEU, uniform conditions for implementing legally binding acts of the Union are needed. The examination procedure applies.

3.4.9. CHAPTER X – FINAL PROVISIONS

Article 58 repeals Framework Decision 2008/977/JHA.

Article 59 sets out that specific provisions with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in Union acts, regulating the processing of personal data or the access to information systems within the scope of the Directive, and adopted prior to the adoption of this Directive, remain unaffected.

Article 60 clarifies the relationship of this Directive with previously concluded international agreements by Member States in the field of judicial co-operation in criminal matters and police co-operation.

Article 61 provides for the obligation of the Commission to evaluate and report on the implementation of the Directive, in order to assess the need to align the previously adopted specific provisions referred to in Article 59 with this Directive.

Article 62 sets out the obligation of the Member States to transpose the Directive in their national law and notify to the Commission the provisions adopted pursuant to the Directive.

Article 63 determines the date of the entry into force of the Directive.

Article 64 lays down the addressees of this Directive.

2.

BUDGETARY IMPLICATIONS



The legislative financial statement accompanying the proposal for the General Data Protection Regulation covers the budgetary impacts for the Regulation and this Directive.