Explanatory Memorandum to COM(2021)767 - Amendment of Council Decision 2005/671/JHA, as regards its alignment with Union rules on the protection of personal data

Please note

This page contains a limited version of this dossier in the EU Monitor.



1. Reasons for and objectives of the proposal

1.1.Reasons for the proposal

Directive (EU) 2016/680 1 (the Data Protection Law Enforcement Directive – LED) entered into force on 6 May 2016 and Member States had until 6 May 2018 to turn it into national law. It repealed and replaced Council Framework Decision 2008/977/JHA 2 . Its scope is very comprehensive, as it is the first instrument that takes a comprehensive approach for data processing in law enforcement. It applies to both domestic and cross-border processing of personal data by competent authorities to prevent, investigate, detect or prosecute criminal offences and execute criminal penalties, including safeguarding against and preventing threats to public security.

Article 62(6) of the LED requires the Commission to review, by 6 May 2019, other EU legal acts that regulate competent authorities’ personal data processing for law enforcement purposes. The purpose of this review is to assess the need to align them with the LED and to submit proposals for amending them to ensure consistency with data protection within the scope of the LED.

The Commission set out the findings of its review in its Communication on the way forward on aligning the former third pillar body of EU law with data protection rules (24 June 2020) 3 , which identifies the legal acts that should be aligned with the LED. The list includes Council Decision 2005/671/JHA so the Commission indicated that it would put forward targeted amendments.

1.

Under Article 6 of the LED, Member States must ensure that competent authorities make a clear distinction between the personal data of different categories of data subjects, including:


·persons where there are serious grounds for believing that they have committed or are about to commit a criminal offence;

·persons convicted of a criminal offence;

·victims of a criminal offence or other parties to a criminal offence.

Under Article 8(1) of the LED, Member States must ensure that processing is lawful. This means that a competent authority can only process personal data to the extent necessary for the performance of a task set out in the LED. Article 8(2) of the LED requires that national law regulating processing data under the scope of the LED must state at least the objectives of processing, the personal data to be processed and the purposes of the processing.

To combat terrorism effectively, efficient exchange of information considered to be relevant by the competent authorities for the prevention, detection, investigation or prosecution of terrorist offences between competent authorities and Union agencies, is crucial. Such information exchange must be carried out in full respect of the right to data protection and in line with the conditions set by the LED.

Council Decision 2005/671/JHA of 20 September 2005 on the exchange of information and cooperation concerning terrorist offences 4 states that to combat terrorism, it is essential to have the most complete and up to date information possible. The persistence and complexity of the terrorist threat gives rise for more information sharing.

Against this background, Council Decision 2005/671/JHA provides that Member States must collect all relevant information concerning and resulting from criminal investigations linked to terrorist offences which affect or may affect two or more Member States and send it to Europol 5 . Member States must also collect all relevant information concerning prosecutions and convictions for terrorist offences, which affect or may affect two or more Member States and send it to Eurojust. Each Member State must also make available all relevant information gathered by its competent authorities in criminal proceedings connected with terrorist offences. This information must be swiftly made available to the competent authorities of another Member State where the information could be used to prevent, detect, investigate or prosecute terrorist offences.

Since 2005, the importance of sharing information between Member States and with Europol and Eurojust has only become more evident. Directive (EU) 2017/541 on combating terrorism 6 amended Council Decision 2005/671/JHA, to ensure that information is shared between Member States in an effective and timely manner, taking into account the serious threat posed by terrorist offences.

Recital 7 of Council Decision 2005/671/JHA acknowledges that the Decision complies with fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union. Article 8 of the Charter of Fundamental Rights of the European Union enshrines the protection of personal data as a fundamental right. Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) also establishes the principle that everyone has the right to the protection of personal data concerning them. Moreover, Article 16(2) TFEU introduced a specific legal basis for adopting rules on the protection of personal data.

Union rules on data protection have developed since the adoption of Council Decision 2005/671/JHA. Notably, as mentioned above, based on Article 16(2) of the TFEU, the European Parliament and the Council adopted the LED, which entered into force on 6 May 2016. The LED is a comprehensive horizontal data protection instrument. Importantly, it applies to all processing operations carried out by competent authorities for law enforcement purposes (both domestic and cross-border processing).

1.2.Objective of the proposal

The proposal aims at aligning Council Decision 2005/671/JHA with the principles and rules laid down in the LED, in order to ensure consistent approach to protection afforded to persons regarding the processing of personal data. According to the Commission’s Communication of 24 June 2020, the alignment of Decision 2005/671/JHA should address the following:

·Specify that the processing of personal data under Council Decision 2005/671/JHA can only take place for the prevention, investigation, detection and prosecution of terrorist offences, in line with the purpose limitation principle;

·The categories of personal data that can be exchanged should be defined more precisely by Union or Member State law, in line with the requirements under Article 8(2) of the LED, taking due account of the operational needs of the authorities concerned.

1.3.Consistency with existing policy provisions in the policy area

The present proposal for a Directive takes into account the amendments of Decision 2005/671/JHA deriving from the proposal for a Regulation on the digital information exchange in terrorism cases, which the Commission tabled together with the present proposal. That proposed Regulation is part of the digitalisation of justice package, prepared by the Commission following the Communication on the Digitalisation of Justice 7 . Once adopted, it removes the provisions on the exchange of information on cross-border terrorism cases relating to Eurojust from Decision 2005/671/JHA and inserts them into the Eurojust Regulation (Regulation (EU) 2018/1727 8 ). As consequential amendment, it also removes the references to Eurojust from Council Decision 2005/671/JHA. Close coordination will be necessary throughout the legislative process to ensure consistency of the amendments contained in that proposed Regulation and in the present proposed Directive.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

2.1.Legal basis

The alignment of Council Decision 2005/671/JHA with the LED is based on Article 16(2) TFEU. Article 16(2) TFEU allows for rules to be adopted on the protection of individuals with regard to the processing of personal data by the competent authorities in Member States when carrying out activities to prevent, investigate, detect or prosecute criminal offences or execute criminal penalties that fall within the scope of EU law. It also allows for rules to be adopted on the free movement of personal data, including for personal data exchanges by competent authorities within the EU.

2.2.Subsidiarity (for non-exclusive competence)

Only the EU can align EU acts to the rules laid down in the LED. Therefore, only the EU can adopt a legislative act amending Council Decision 2005/671/JHA.

2.3.Proportionality

This proposal aims at aligning an existing EU legal act to a subsequent EU legal act, as provided by the latter, without changing its scope. In line with the principle of proportionality, to achieve the basic objectives of ensuring a high level of protection of natural persons regarding the processing of personal data and the free flow of personal data across the EU, it is necessary to set rules on the processing of personal data by Member States’ competent authorities to prevent, investigate, detect or prosecute criminal offences. This includes safeguarding against, and preventing threats to public security. The proposal does not go beyond what is necessary for achieving the objectives pursued under Article 5 i of the TEU.

2.4.Choice of the instrument

This proposal aims at amending a Council Decision, which was adopted before the entry into force of the Treaty of Lisbon in 2009. The legal basis for Council Decision 2005/671/JHA, Article 34(2)(c) of the TEU as applicable in 2005, no longer exists. The relevant provisions of Decision 2005/671/JHA set obligations for the Member States similar to a Directive rather than self-standing rules that would be directly applicable. Therefore, the most appropriate instrument to amend this Council Decision under Article 16(2) of the TFEU is through a Directive of the European Parliament and of the Council.

3. Explanation of the specific provisions of the proposal

2.

This proposal amends Council Decision 2005/671/JHA on the following points:


To define the purposes of the processing of personal data, Article 1(2)(a) of the proposal introduces a new subparagraph in Article 2(3) of the Council Decision, which specifies that personal data are processed to prevent, investigate, detect or prosecute terrorist offences.

To define the categories of data to be processed, Article 1(2)(b) and (c) of the proposal add new subparagraphs to Article 2 of the Council Decision, which specify that the categories of personal data that may be exchanged with Europol, must be those specified in the Europol Regulation, and that the categories of personal data that may be exchanged between Member States for the purposes of prevention, investigation, detection or prosecution of terrorist offences shall be those specified under the respective national laws.

In addition, in order to update the Council Decision in view of subsequent legal developments and in particular to ensure that the above amending provision refers to the correct legal instrument, the proposal deletes point (b) of Article 1 of the Council Decision. That point (b) refers to the Europol Convention. The relevant provisions of the Council Decision, as amended, instead refer to the Europol Regulation.