Explanatory Memorandum to COM(2017)344 - Centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (ECRIS-TCN system)

Please note

This page contains a limited version of this dossier in the EU Monitor.



1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of

the proposal

The European Criminal Records Information System (ECRIS) established by Framework Decision 2009/315/JHA and Council Decision 2009/316/JHA1, provides for an electronic exchange of criminal record information on a decentralised basis between Member States. The ECRIS system is operational since April 2012 and allows Member State's criminal records authorities to obtain complete information on previous convictions of an EU national from the Member State of that person's nationality.

Although it is possible to exchange information on convictions concerning third country nationals and stateless persons (hereinafter: TCN)2 through ECRIS today, there is no procedure or mechanism in place to do so efficiently. As it transpires from the Commission's Statistical report on the use of ECRIS3, adopted on the same day as this proposal, Member States are reluctant to use the current system for TCN. One of the reasons for such low levels of usage with respect to TCN is the fact that Member States wishing to receive such information have to send blanket requests to all Member States, including (the majority of) the Member States not holding the requested information. The administrative burden caused by having to respond to blanket requests has been identified as the most costly element (estimated at up to € 78 million) of the ECRIS workflow, if Member States were to systematically send such requests. As ECRIS is inefficient with regard to TCN, in practice, Member States often rely only on information stored in their own national criminal record registers. Thus, complete information on the criminal history of convicted TCN is not always available to courts, law enforcement authorities, and other entitled authorities.

The European Council and the Justice and Home Affairs Council have reiterated at several occasions the importance of improving the existing ECRIS. The improvement of the existing ECRIS with regard to third country nationals is part of a set of coordinated measures spelled out in the European Agenda on Security.4

To this end, on 19 January 2016, the Commission proposed a Directive (COM(2016) 07 final) aimed at amending Council Framework Decision 2009/315/JHA as regards the ECRIS system and as regards the exchange of information on third country nationals and stateless people (TCN) and replacing Council Decision 2009/316/JHA.5 However, developments since then

OJ L 93, 7.4.2009, p. 23, and, p. 33.

1.

In line with the Commission's 2016 proposal (COM(2016) 07 final), the current proposal equally


applies to third country nationals also holding the nationality of a Member State, in order to ensure that

the information can be found whether or not the additional nationality is known. See page 12 of the

explanatory memorandum on that proposal.

2.

Report from the Commission concerning the exchange through the European Criminal Records


Information System (ECRIS) of information extracted from criminal records between the Member

States.

3.

'European Agenda on Security' - Communication from the Commission to the European Parliament, the


Council, the European Economic and Social Committee and the Committee of the Regions of 28 April

2015 (COM (2015)185 final).

4.

The proposal was accompanied by an Impact Assessment (SWD(2016) 4. It is still being negotiated in


the Council. The European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE)

adopted its report on the Commission's 2016 proposal for a Directive on 27 June 2016.


3

4

5

have demonstrated that further action is necessary through a supplementary legislative proposal to establish a centralised system for the processing of identity information on TCN. This centralised system will allow the Member State's authorities to identify which other Member States hold criminal records on the TCN concerned, so that they can then use the existing ECRIS sytem to address requests for conviction information only to these Member States. These developments can be summarised as follows.

Firstly, further horrific terrorist attacks in European cities have led to security issues becoming even more prominent. The political stance regarding systematic use of fingerprints for secure identification and generally the attitude towards data sharing and security has changed6, focussing on effectiveness and efficiency and the need to exploit synergies between different European information exchange systems. The creation of a centralised ECRIS-TCN system containing both fingerprints and other identity information can support this approach, since it would make it possible to create a shared biometric matching service and a common identity repository for the interoperability of information systems, if so decided by the legislators in the future. A decentralised solution would not create the same opportunities for future synergies.

Secondly, the Communication 'Stronger and Smarter Information Systems for Borders and Security'7 contains concrete and practical suggestions to further develop existing tools, but also concrete suggestions and ideas on new forms of interoperability. The Commission calls for more efficiency and interoperability of existing European databases and electronic information exchange systems, including an ECRIS-TCN system. The work to follow up on the Communication was led by the High Level Expert Group on Interoperability8, and the ECRIS-TCN system proposed here is one of the systems that is part of this interoperability initiative. Such interoperability would not be possible if a decentralised solution as proposed in January 2016 would have been pursued.

Thirdly, over the course of 2016 it has become clear that the decentralised system proposed in January 2016 poses technical problems, notably with respect to decentralised exchanges of pseudonymised fingerprints. Such technical problems do not exist for a centralised system, considering that the fingerprints would only be collected in one database, under the management of eu-LISA, and supervised by the European Data Protection Supervisor.

Adoption of a new ECRIS-TCN Regulation to better protect the security of our citizens is one of the legislative priorities included in the Joint Declaration of the Commission, the Council and the European Parliament on the EU's legislative priorities for 2017, which mentions ECRIS specifically.

5.

In the impact assessment accompanying the Commission's 2016 proposal, the option of creating a fully


centralised database containing the identity information of the convicted persons, as well as the

complete conviction information, was briefly discussed, but quickly discarded. The reason for that was

that through consultation with the Member States, in particular at the September 2014 ECRIS Expert

Meeting, it became clear that this was not a politically feasible option, since it was only supported by

very few Member States.

COM(2016) 205 final, 6.4.2016.

The final report of the High Level Expert Group was published on 11 May. It is available at:

ec.europa.eu/transparency/regexpert

1

6

Consistency with existing policy provisions in the policy area

The proposal supplements the Commission's 2016 proposal for a Directive to amend the ECRIS Framework Decision and to repeal the ECRIS Council Decision. The supplementary proposal focuses on establishing and regulating a central ECRIS- TCN system, whilst the 2016 proposal regulates the decentralised exchanges of conviction information on TCN that should take place after it is established which Member State has conviction information via the ECRIS- TCN system. Once both proposals have been adopted by the legislators, there will be two separate legal instruments regulating both ECRIS and the ECRIS- TCN system: the ECRIS Framework Decision 2009/315/JHA and Council Decision 2009/316/JHA, as amended by the Directive, and the ECRIS-TCN Regulation establishing the centralised ECRIS-TCN system.

This proposal also corresponds to the Commissions proposal on eu- LISA that repeals the current eu-LISA Regulation, proposed on the same date as this proposal, as the management of the ECRIS- TCN system will be entrusted to eu-LISA. Both proposals contain corresponding provisions concerning the tasks of eu-LISA with respect to the ECRIS- TCN system. Dependent on the speed with which both proposals will be adopted by the co-legislators consistency needs to be ensured between both texts when it comes to eu - LISA s tasks.

This proposal aims at supplementing the Commission proposal for a Directive of January 2016 by creating a centralised system to efficiently identify which Member State(s) hold conviction information on TCN. The proposed hit/no hit search system, based on alphanumeric data and fingerprints of TCN convicted in the Member States, will allow Member States to quickly identify other Member State(s) having convicted a particular TCN. The requesting Member State should then request those identified Member States to provide the actual conviction information through the existing ECRIS system as improved by January 2016 proposal.

The necessary amendments to Framework Decision 2009/315 allowing for these exchanges on TCN via ECRIS are already included in the Commission's proposal of January 2016. This means that both proposals complement and supplement each other: whereas the focus of this proposal is to establish a new centralised system, the 2016 proposal for amendments to the 2009 Framework Decision is focused on ensuring that the exchange of full criminal records information can be carried out for TCN and EU nationals alike. At the technical level, the interface software for using the central ECRIS- TCN system will be fully integrated with the existing ECRIS Reference Implementation, so that users of the system will only need to make use of one software programme to interface both with the Central ECRIS- TCN Syste m and with criminal records authorities in other Member States. The ECRIS reference implementation software was developed by the Commission in the implementation of Council Decision 2009/316.9 It is currently used by 24 Member States to exchange criminal records information in accordance with Framework Decision 2009/315.

Other EU tools or databases for combating and preventing crime would not solve or alleviate the problem of the inefficient criminal record information exchange regarding convicted TCN. There is no alternative to improve the way of information exchange regarding criminal convictions on TCN through ECRIS by means of any other instrument of information exchange mentioned in the European Agenda on Security (such as SIS II, Prüm and Eurodac), as these are designed to serve different purposes.

See Article 3 of Council Decision 2009/316.

9

Consistency with other Union policies

Improving ECRIS with regard to TCN is part of the European Agenda on Security.

The initiative is also a part of the the new approach set out by the Commission to the management of data for borders and security whereby all centralised EU information systems for security, border and migration management are interoperable in full respect of fundamental rights so that:

the systems can be searched simultaneously using a European search portal, in full compliance with purpose limitations and access rights, to make better use of existing information systems, possibly with more streamlined rules for law enforcement access;

the systems use one shared biometric matching service to enable searches across different information systems holding biometric data, possibly with hit/no-hit flags indicating the connection with related biometric data found in another system;

the systems share a common identity repository with alphanumeric identity data, to detect if a person is registered under multiple identities in different databases.

Further discussions and work has been launched on the implementation of this approach, including on which of these elements would be implemented with respect to the ECRIS- TCN system .

In addition, the exchange of criminal records information supports the application of Council Framework Decision 2008/675/JHA11 , which stipulates that Member States judicial authorities should, during criminal proceedings, take into account previous convictions handed down against the same person for different facts in other Member States, irrespective of the nationality of the person concerned.

As indicated in the Communication on a more effective return policy in the European Union (C(2017) 200 final), Member States' competent authorities should also take into account previous convictions in relation to decisions of ending legal stay, return and refusal of entry concerning third country nationals posing a threat to public policy or public security or national security. Where applicable, alerts based on such decisions should be entered in the SIS in accordance with Article 24 of Regulation 1987/2006 [Commission proposal COM(2016) 882 final] [and Article 3 of Commission proposal COM(2016) 881 final].

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal

basis

The proposed legal instrument is a Regulation based on Article 82(1)(d) of the Treaty on the Functioning of the European Union. Article 82(1)(d) is the legal basis for the Union’s right to act in the field of judicial cooperation in criminal matters to facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal

10

11

COM(2017) 261 final, 16.5.2017.

Council Framework Decision 2008/675/JHA of 24 July 2008 on taking account of convictions in the Member States of the European Union in the course of new criminal proceedings, OJ L 220, 15.8.2008, p. 32.


matters and the enforcement of decisions. The proposed action falls squarely within this area and supplements existing relevant EU legislation.

Subsidiarity (for non - e xcl usive competence)

Establishing a centralised system to exchange criminal record information on convicted TCN cannot be done at Member State level. A common system aiming at a standardised, rapid, coordinated and efficient information exchange between Member States requires concerted act ion. This can neither be achieved unilaterally at Member State level nor bilaterally between Member States. It is by its nature a task to be underta ken at EU level.

Proportionality

Efficient exchange of criminal record information is instrumental in combating cross-border crime and contributes considerably to putting into practice the principle of mutual recognition of judgments and judicial decisions in a common area of justice and security where people move freely. Action at EU level is therefore proportionate to the objectives of the initiative. The proposed changes do not go beyond what is necessary to achieve the objective of cross-border jud icial cooperation, and build on what is already applied in the existing ECRIS for EU nationals.

In the proposed option, the identity information of convicted TCN is centralised in an EU-wide system established for the purpose of dealing with ECRIS TCN which will be developed and managed by eu-LISA. A Member State wishing to identify the Member State(s) holding

criminal record information on a particular TCN can do so by performing a “hit/no hit” search

in the central TCN system.

Compared to the Commission's proposal of 2016 for a decentralised system, the proportionality of the proposed solution is only different with respect to the central processing of personal data. With regard to non - discri m inati on between EU-nationals and TCN, the proposed solution centralises at EU-level identity data of TCN, whereas data of EU-nationals are kept and processed at Member State level. This is justified and proportionate, because the difference in treatment does not lead to any substantial disadvantages for TCN and the objectives of the initiative could not be achieved equally well in a decentralised manner.

Following the identification of unexpected technical issues with the exchange of pseudonym ised fingerprints after the adoption of the Commissions 2016 proposal, further analysis has revealed that alternative decentralised options are far costlier to implement, and more complex as well, increasing the risk of technical problems during the implementation phase. Although there are some differences between the centralised and decentralised options, these differences are not so im portant that they would justify spending significantly more on the creation of a decentralised solution.

Choice of the instrument

The Commission puts forward a proposal for a Regulation, as the proposed legal instrument establishes a central system at EU level, managed by the European agency eu-LISA, as well as amends Regulation (EU) No 1077/201112. The Regulation is directly applicable in all Member States and binding in its entirety and therefore guarantees a uniform application of the rules across the Union and their entry into force at the same ti me. It ensures legal certainty by avoiding divergent interpretations in the Member States, thus preventing legal frag m entation.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER

CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

The Report on the implementation of Council Framework Decision 2009/315/JHA of 201613 notes that significant progress has been made in the exchange of criminal record information between the Member States, and that the most vital provisions have been implemented satisfactorily, while some other provisions are unevenly transposed. The Report points out the shortcomings of Article 7 i of the Framework Decision and the need for establishing an efficient mechanism for information exchanges on TCN.

Stakeholder

consultations

An extensive consultation strategy was developed to ensure a wide participation throughout the policy cycle of the Commission's 2016 proposal. Consultations included bilateral contacts, stakeholder and experts meetings, and written contributions, providing the Commission with knowledgeable and representative opinions. The Commission has sought a wide and balanced range of views on this issue by giving the opportunity to all relevant parties (Member States, national authorities, lawyers and academics, fundamental rights stakeholders, data protection stakeholders) to express their opinions, in particular the European Union Agency for Fundamental Rights (FRA), the European Data Protection Supervisor (EDPS) and the Article 29 Working Party, composed of Member States' data protection supervisory authorities. Further consultation with the EDPS and the Member States has also taken place in the preparation of the current proposal. In addition, the issue was discussed in the Commission's Criminal Law Expert Group, consisting of academics and practitioners in the field of criminal law, on 23 March 2017.

The views of fundamental rights stakeholders, which were consulted prior to the Commission's proposal of January 2016, continue to remain valid. They acknowledged in general the positive effects of a future ECRIS-TCN mechanism from an overall justice perspective through its contribution to appropriate sentencing and protecting children from abuse, as well as the positive effects as regards legal certainty for persons with a clean criminal record. They advocated in principle for a decentralised system that would, in their opinion, entail less interference with the right to the protection of personal data in comparison with a central system at EU level.

12 OJ L 286, 1.11.2011, p.1.

13 COM(2016) 6 final, 19.1.2016.


These stakeholders have also pointed out that introducing a TCN-specific system that would treat TCN differently from EU nationals is possible from the point of view of the principle of equality, to the extent that it respects the essence of this principle and is objectively justified as necessary and proportional. TCN-specific factors need to be taken into account here, as creating a centralised system entails some risk of adverse impacts on the fundamental rights of T CN, which should be mitigated. The stakeholders drew attention to the safeguards needed to address the specific situation of TCN in the context of migration, the use of fingerprints, the rights of the child, as well as the rights of data subjects and effective rem edies.

In its Opinion 3/2016 on the Commission’s proposal of 19 January 2016, the EDPS

appreciated pseudonym i sation as an appropriate safeguard to limit the interferences to the right to private life and the right to personal data protection on the individuals concerned. He also appreciated the decentralised approach chosen by the Commission in its proposal of 19 January 2016, without excluding a centralised option. In the Expert meeting of 10-11 January 2017, the Member States supported a central system containing identity data of convicted TCN, but rejected further centralisation of data, such as identity data of EU nationals, and the inclusion of conviction data in the centralised database.

During the same Expert meeting the Commission also consulted the Member States on the possible repercussions of the work of the High Level Expert Group on Information Systems and Interoperability on the legislation underway. According to the Member States the emphasis should lie on quickly creating the ECRIS- TCN system. Whilst the other concepts were interesting, and the system should be designed to take possible future interconnections into consideration, the Member States confirmed that the one element which they could immediately support would be the use of a shared biometric matching service. In addition, Member States indicated that the possibility to store facial images should be created from the start, so that at a later stage facial recognition software could be deployed for even more effective identification.

Collection and use of expertise

In addition to the studies and data used in the preparation of the 2016 proposal, a study on the feasibility/cost assessment of using fingerprints14 was commissioned in March 2016. Also, a complementing study on the costs impacts of a centralised option including fingerprints allowed for solid assessment of the chosen scenario, as well as reflections on the possible use of the shared biometric matching system and the future proofing of the centralised system for interoperability.15

Im pact assessment

The Commission conducted an Impact Assessment16 to accompany the Commission's proposal for a Directive of 19 January 2016 (COM (2016) 7 final). The c urrent s uppl em entary proposal is accompanied by an Analytical Note, which builds on that Impact assessment.

In the Analytical Note, the Commission further analyses the preferred solution for creating an ECRIS- TCN system which meets the functional requirements, while avoiding the technical difficulties regarding pseudonym ise d fingerprints. The impact of this solution on the set-up costs, administrative costs, fundamental rights and data protection was analysed, taking

14 ec.europa.eu/newsroom/just

15 ec.europa.eu/newsroom/just

16 SWD(2016) 4 final

account of the results of the targeted stakeholder consultation conducted prior to the adoption of the proposal for a Directive in January 2016, and the results of the two studies conducted in 2016 and 2017, mentioned above. The results of the High Level Working Group on Information Systems and Interoperability were also considered, as well as the results of the ECRIS expert meeting of 10-11 January 2017. Further in-depth assessment of costs, especially with regard to the preferred solution, has taken place and is reflected in the note.

The centralised system including both alphanumeric data and fingerprints is the preferred solution. This option proved to be the most cost efficient, and technically less complex and easier to maintain compared to the others. With regard to n on - discri m inati on between EU-nationals and TCN, although this option centralises identity data of TCN at EU-level, whereas data of EU-nationals are kept and processed at Member State level, this is justified and proportionate, because the difference in treatment does not lead to any substantial disadvantages for TCN. In addition, creating a centralised system offers the additional advantages of making the ECRIS-TCN system suitable for participating in a future shared biometric matching service and a common identity repository, facilitating direct access for Eurojust, Europol, [and the European Public Prosecutor's Office] and creating a central contact point at Eurojust for third States requiring information on convicted TCN. It also makes it possible to create a system which can be futu re-pr oofed for further interoperability with other EU level systems, if so decided by the legislators.

There would be the following impact on the EU and national budgets: one-off costs for the EU Of approximately €13,002,000, for the Member States approx. €13.344.000 (a total of

approx. €26.346.000); on-going costs for the EU of approximately €2.133.000; for the

6.

Member States, the on-going costs are expected to gradually increase over the years, starting


at €6.087.000 and increasing up to a maximum €15.387.000. This means that the total ongoing costs are expected to increase gradually over the years, starting at €8.220.000 and increasing up to maximum €17.520.000.

Member States currently use ECRIS to search for TCN only in 5% of the cases, for the reasons explained above. The benefits of the proposed solution are expected to increase the use of ECRIS considerably. If Member States were to systematically send blanket requests, the administrative burden in responding to them has been identified as the most costly

element (estimated up to €78 million) of the ECRIS-workflow; the proposed solution saves

such costs.

Fundamental rights

Article 6(1) of the Treaty on European Union states that the Union recognises the rights, freedoms and principles set out in the Charter of Fundamental Rights.

The proposed measures include legal provisions to ensure that information related to convicted th ir d - country nationals is exchanged more efficiently. These provisions are in line with relevant provisions of the Charter, including the protect ion of personal data, the principle of equality before the law, and the general prohibition of discrimination.

The proposed measures are without prejudice to the right to private and family life, the right to an effective remedy and to a fair trial and the presumption of innocence. The proposed measures are also without prejudice to the principle of non - refoulem ent, protection in the event of removal, expulsion or extradition and other relevant standards and guarantees enshrined in EU law on asylum, return and borders.

The provisions do not affect fundamental rights, including the right to protection of personal data, any more than what is strictly necessary to achieve the objective of judicial cooperation in criminal matters, in line with the requirements of Article 52(1) of the Charter.

Creating a centralised system containing personal data at the level of the Union requires supplementing the Commission's 2016 proposal for a Directive with a legislative act to regulate its establishment, the division of responsibilities between the Member State and the organisation responsible for its development and operational management, as well any specific data protection provisions needed to supplement the already existing data protection arrangements and provide for an adequate overall level of data protection and data security. The fundamental rights of the persons concerned must be protected as well.

The chosen option is characterised by the processing of personal data at both national and EU level. Therefore, the existing data protection rules for the current ECRIS decentralised system at Member State level have to be complemented with specific rules for the processing of personal data at EU level. An additional data protection regime – similar to the one used for other already existing centralised information exchange systems at EU level – must therefore be put in place, which must be compliant with Regulation (EC) No 45/2001[, or its successor Regulation]. The processing of personal data by eu-LISA is currently already covered by Regulation (EC) No 45/2001.

Regarding data protection and security, there are no significant differences between the different possible solutions, even if the chosen central option necessitates clear rules and a delineation of tasks between the Member States and the EU-level. An EU level data protection regime can offer the same protection as national regimes for national databases. Proven technology for security measures exists and is already in place for a number of large scale EU databases such as the SIS, the VIS and Eurodac.

Member States are obliged to ensure that the provisions are implemented in full respect of fundamental rights and principles as enshrined in the Charter, including as regards their responsibilities in collecting and using the data. Member States must also ensure that data subjects have the right to access data in order to have it rectified, and that effective remedies are in place to allow data subjects to challenge inaccurate criminal records, in full compliance with the standards stemming from the right to an effective remedy, including as regards the availability of legal aid, interpretation and translation services.

When reporting on the application of the provisions, the Commission will also assess the impact of the proposed measures and of their implementation on fundamental rights. Its assessment will include an evaluation of the impact on the fundamental rights of third-country nationals in comparison with the effect on the fundamental rights of EU nationals. The Commission's review will pay particular attention to the necessity and proportionality of the use of fingerprints, other biometric data and identification data in light of the experience gained and the tools and techniques used to avoid the risk of false matches. Any proposals for the future revision of the system must take the outcome of this assessment into account.

This proposal is without prejudice to the Member States' responsibilities under their national laws, including rules on entering convictions against minors and children into the national criminal record register. Similarly, it does not prevent the application of Member States' constitutional law or international agreements to which they are bound, in particular those deriving from the European Convention on Human Rights and Fundamental Freedoms, to which all Member States are party.

4. BUDGETARYIMPLICATIONS

The financial envelope foreseen for the implementation of the Regulation for the EU is €13.002.000 as far as the one-off costs are concerned. The proposed envelope is compatible with the current Multi-annual Financial Framework and costs will be met through the Justice

programme for the period 2018-2020. From 2021 onwards, the cost will be reduced and stabilise to cover maintenance activities. Further details are provided in the legislative financial statement accompanying this proposal. The Commission envisages entrusting the implementation and the mainte nance of the ECRIS TCN system to eu-LISA. The execution of the activities will require additional human resources for eu-LISA. Five contract agents will be recruited as from 201 8 for the development phase

5. OTHERELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

Three years after the start of operations of the ECRIS- TCN system and every four years thereafter, the Commission will conduct an evaluation of its functioning, including its effectiveness in increasing the exchange of information on convicted TCN, and any technical issues related to its efficiency. At that stage the Commission will also re-evaluate whether the system should be expanded to include further data. On the basis of this evaluation, the Commission will decide any appropriate follow-up

The implementation of the new system will be constantly monitored both through the Management Board of eu-LISA and through the existing ECRIS expert group. This group will also continue to provide a forum for establishing best practices on the exchange of information on criminal records at EU level, in particular also related to convicted TCN.

The Commission will define monitoring indicators such as the level of exchanges of TCN criminal records as compared to the number of convictions involving TCN as well as others relevant ones. Regular statistics will be provided by both the Member States and eu-LISA which will allow for continuous monitoring of the developments of the syste m .

Detailed explanation of the specific provisions of the proposal

Article 1 sets out the subject matter of the Regulation.

The ECRIS- TCN central system should ensure that the competent authorities can find out quickly and efficiently in which other Member State (s) criminal record information on a third country national is stored.

Article 2 defines the scope of the Regulation. The Regulation applies to processing the identity information of third country nationals, not to the conviction information that is regulated by the Framework Decision 2009/315/JHA, as amended by the Directive proposed by the Commission in 2016. The ECRIS-TCN system should process only the identity information of third country nationals who were subject to final decisions of criminal courts within the European Union in order to obtain information on such previous convictions through the European Criminal Records Information System established by Council Framework Decision 2009/315/JHA.

Article 3 contains a list of definitions for terms used in the Regulation. While some definitions already exist in the relevant acquis, other concepts are defined here for the first time.

A definition of third country national is added to clarify that for the purposes of this Regulation this group of persons includes also stateless persons and persons whose nationality is not known to the convicting Member State. This definition should be the same as the one used in the Framework Decision, as amended by the Directive proposed by the Commission in 2016.

In the context of the application of this Regulation, the ‘competent authorities’ means the central authorities of the Member States, as well as Eurojust, Europol, [and the European Public Prosecutor 's Office.]17

Article 4 describes the technical architecture of the ECRIS-TCN system. The Communication Infrastructure used should be the secure Trans European Services for Telematics between Administrations (sTESTA) or any further development thereof. The Article also clarifies that the interface software for the new system will be integrated into the existing ECRIS Reference Implementation, in order to create a seamless and convenient user experience.

Article 5 sets an obligation for the convicting Member State to create a data record in the Central ECRIS-TCN System for each convicted TCN as soon as possible after the conviction was entered into the national criminal records register.

The ECRIS-TCN system should contain only the identity information of third country nationals convicted by a criminal court within the European Union. Such identity information should include alphanumeric data, fingerprint data in accordance with Framework Decision 2009/315/JHA as amended by the Directive proposed by the Commission in 2016, and facial images in as far as they are recorded in the national criminal records databases of the Member States.

In order to ensure the maximum effectiveness of the system, this Article also obliges the Member States to create records in the ECRIS-TCN system of historical convictions of third country nationals, i.e. convictions handed down prior to the entry into force of the Regulation. Under Article 25, Member States should complete this process within 24 months after the entry into force of this Regulation. However, Member States should not be obliged to collect information for this purpose which was not already entered into their criminal records prior to the entry into force of the Regulation.

Article 6 addresses the use of facial images. For the moment, facial images included in the ECRIS-TCN system may only be used for the purpose of verification of identification. In the future, it is not excluded that, following the development of the facial recognition software, the facial images might be used for automated biometric matching, provided that the technical requirements to do so have been met.

Article 7 provides for the rules of using of the ECRIS-TCN system in order to identify the Member State(s) holding criminal records information in order to obtain information on such previous convictions through the European Criminal Records Information System established by Council Framework Decision 2009/315/JHA. The purpose limitations included in the Framework Decision as amended by the Directive proposed in 2016 will be applicable to any ensuing exchanges of criminal records information.

It sets up an obligation for the Member States to make use of the ECRIS-TCN system in all cases where they receive a request for information on previous convictions of third country nationals in accordance with national law, and to follow up on any hits with the Member States identified through the ECRIS system. This obligation should concern both requests for information for the purpose of criminal proceedings, as well as for other relevant purposes.

A Member State wishing to identify Member State(s) holding criminal record information on a particular TCN can do so by performing a “hit/no hit” search in the central TCN system using either the alphanumeric data or the fingerprints of that TCN, depending on the

As long as the Regulation establishing the European Public Prosecutor's Office is not adopted, references to it have been placed between sqaure brackets.

17

availability of such data. In case of a 'hit', the name of the Member State(s) which provided the data shall be communicated, together with the reference data, and any associated identity data. This will allow the Member States to make use of the existing ECRIS to verify the identification of the persons concerned before exchanging criminal record information.

A hit indicated by the ECRIS-TCN system should not automatically mean that the third country national concerned was convicted in the indicated Member State(s), nor that the indicated Member State(s) hold criminal record information on that third county national. The existence of previous convictions should only be confirmed based on information received from the criminal records of the Member States concerned.

Article 8 relates to the retention period for data storage.

National provisions on retention of data in criminal records and fingerprint systems vary considerably between the Member States, and this proposal does not aim at harmonising them. The well-established principle of following the retention periods of the convicting Member State is also applicable here in relation to the data transmitted to the Central System. After all, as long as the conviction data are kept in the criminal records of the Member States, they should also be available to be taken into consideration by the authorities of other Member States. This also entails that all data concerning the convicted person should be kept during that period, even if fingerprints which originated from another database than the criminal record would already have been deleted from a national fingerprint database. Conversely, even if fingerprints would continue to be kept at national level, these must be deleted from the Central System if all conviction information is deleted from the national criminal records. The approach is the same here for convictions of TCN as for convictions of EU nationals notified to the Member States of nationality under the Framework Decision.

Article 9 includes obligations for the Member States to verify the accuracy of the data sent to the Central System and to correct them, as well as to amend the data sent to the Central System in case of any subsequent amendment in national criminal records. Again, this follows the logic of the Framework Decision for EU-nationals.

Article 10 confers implementing powers on the Commission in order to ensure uniform conditions for the functioning of the ECRIS-TCN system. Those powers should be exercised in accordance with Regulation (EU) No 182/201118. The comitology procedure chosen is the examination procedure. Article 34 supplements Article 10 as to the establishment of this procedure.

Article 11 entrusts eu-LISA with the task of developing and operationally managing the ECRIS-TCN system, given its experience with managing other large scale centralised systems in the justice and home affairs area. eu-LISA is also entrusted with the task of further developing and maintaining the ECRIS reference implementation in order to ensure the seamless functioning of the ECRIS-TCN system and the ECRIS system as such. The reference implementation provides for the interconnection software currently referred to in Article 3(1)(a) of the ECRIS Council Decision.

Article 12 lists the responsibilities of the Member States in relation to the ECRIS-TCN system. The Member States remain solely responsible for their national criminal records databases.

Article 13

addresses responsibility for the use of data.

18 OJ L 55, 28.2.2011, p.13.

Article 14 nominates Eurojust as the contact point for third countries and international organisations which wish to request conviction information on a TCN. The purpose is to avoid third countries and international organisations having to send requests to multiple Member States. Eurojust should not give any information to the requesting third State or international organisation, including any information on the Member State(s) holding the conviction data – it should only inform the Member State(s) concerned in case of a hit. It would be up to the Member States concerned to decide whether or not to contact the third State or international organisation in order to indicate that information on previous convictions of TCN could be provided in accordance with national legislation.

Article 15 grants direct access to the ECRIS-TCN system to Eurojust, Europol, [and the European Public Prosecutor's Office] for the purpose of fulfilling their statutory tasks. However, these competent authorities should not have access to the ECRIS as such in order to request the conviction information itself, but should make use of their established channels with the national authorities to obtain such information. This approach respects the rules established in the statutory instruments for those organisations concerning their contacts with Member States' authorities.

Article 16 lists the responsibilities of the Eurojust, Europol, [and the European Public Prosecutor's Office] in relation to the ECRIS-TCN system.

Article 17

governs the question of data security.

Article 18 concerns the liability of the Member States towards individuals or other Member States for any unlawful processing operation or any act incompatible with this Regulation. Rules on the liability of the Member States in respect to damage arising from such a breach of this Regulation should be laid down at national level.

Article 19 obliges the Member States to monitor the compliance with this Regulation at national level by their designated central authorities.

Article 20 makes any use of data entered in the ECRIS-TCN system in contravention to this Regulation punishable under national law.

Article 21 indicates the data controllers and data processor.

Article 22 limits the purposes of the processing of personal data in the Central Sytem to the identification of the Member State(s) holding the criminal records information of TCN.

Article 23 gives third country nationals whose data were entered to the ECRIS-TCN system the right of accessing them, correcting and having them deleted when justified by law.

Article 24 regulates the cooperation between central authorities and supervisory authorities to ensure the rights on data protection.

Article 25 addresses the legal remedies available to affected third country nationals.

Articles 26 and 27 set the rules for supervision by the supervisory authorities and by the European Data Protection Supervisor. Article 28 regulates the cooperation between them.

Article 29 governs the question of keeping of logs by eu-LISA and the competent authorities.

Article 30 addresses the use of data for reporting and statistics and makes eu-LISA responsible for preparing statistics in relation to the ECRIS-TCN system and the ECRIS reference implementation. It also lays down an obligation on the Member States to provide eu-LISA with the statistics necessary for the preparation of its statistical compilations and analysis, and to provide the Commission with statistics on the number of convicted TCN, as well as the number of TCN convictions on their territory.

Article 31 regulates the costs. Notwithstanding the possibility of using the Union’s financial programmes in accordance with the applicable rules, each Member State should bear its own costs arising from the implementation, administration, use and maintenance of its criminal records database, and from the implementation, administration, use and maintenance of the technical alterations needed to be able to use the ECRIS-TCN system.

Article 32 stipulates the obligation for Member States to notify their central authorities to eu-LISA and for eu-LISA to publish these.

Article 33 stipulates that it is the Commission which will determine the date from which the ECRIS-TCN system is to start operations and enumerates the pre-conditions to be met before the system can go live.

Article 34 concerns eu-LISA's and the Commission's reporting and reviewing obligations. Three years after the start of operations of the ECRIS-TCN system and every four years thereafter, the Commission will conduct an evaluation of its functioning, including its effectiveness in increasing the exchange of information on convicted TCN, and any technical issues related to its efficiency. At that stage the Commission will also re-evaluate whether the system should be expanded to include further data. On the basis of this evaluation, the Commission will decide any appropriate follow-up.

Article 35 concerns the comitology procedure to be used, based on a standard provision.

Article 36 provides that an Advisory Group will be set up by eu-LISA, which will assist in the development and operations of the ECRIS-TCN system and the ECRIS reference implementation.

Article 37 governs the amendments to Regulation (EU) 1077/2011 as regards the new responsibilities and tasks of eu-LISA.

Article 38 sets out the 24 months deadline after entry into force of the Regulation for the Member States to implement it at national level. The specifications for the development and technical implementation of the ECRIS-TCN system will be set out in the implementing acts.

Article 39 provides that the Regulation will enter into force on the day following that of its publication in the Official Journal of the European Union.