Explanatory Memorandum to COM(2021)784 - Automated data exchange for police cooperation (“Prüm II”)




1. CONTEXT OF THE PROPOSAL

Reasons for the proposal

Criminality across Europe undermines EU citizens’ security and well-being. Law enforcement authorities need robust and performant tools to fight crime effectively. Cooperation and information sharing are the most powerful means to combat crime and pursue justice. 1 In 2021, more than 70% of organised crime groups were found to be present in more than three Member States. 2 Even the seemingly most local crime may have links to other places in Europe where the same perpetrator carried out his/her criminal acts. Similarly, links of presumably local crime to organised crime structures and operations are often not obvious. Therefore, to be able to effectively fight crime, law enforcement authorities need to be able to exchange data in a timely manner. The EU has already provided law enforcement with a range of tools to facilitate the exchange of information, which have proven crucial in uncovering criminal activities and networks, 3 but there are still information gaps that need to be addressed. Moreover, with data stored separately in various national IT systems as well as large-scale IT systems at the EU level, there is a need to ensure the systems can communicate with each other.

In an area without internal border controls (the ‘Schengen’ area), there are still borders and obstacles when it comes to data exchange between law enforcement authorities, 4 which leads to blind spots and loopholes for numerous criminals and terrorists that act in more than one Member State. This initiative, together with the proposal, adopted in parallel, for a Directive on information exchange between law enforcement authorities of Member States, 5 aims to reinforce the exchange of information between Member States and therefore provide EU law enforcement authorities with enhanced tools to fight crime and terrorism. 6

For more than ten years, the Prüm framework has enabled law enforcement authorities across the EU to exchange information. The Prüm Decisions, 7 adopted in 2008 with the aim of supporting cross-border police and judicial cooperation related to criminal matters, provide for the automated exchange of specific data (DNA profiles, fingerprints and vehicle registration data) between authorities responsible for the prevention, detection and investigation of criminal offences. The Prüm framework is successfully contributing to fighting crime and terrorism in the EU, but there are still loopholes in the field of information exchange and therefore there is room for further improvement.

The Council Conclusions on the implementation of the Prüm Decisions ten years after their adoption underlined the importance of the automated searching and comparison of DNA profiles, dactyloscopic data and vehicle registration data for tackling terrorism and cross-border crime. The Council also invited the Commission to consider revising the Prüm Decisions with a view to broadening their scope and to updating the necessary technical and legal requirements. 8

Prüm II builds on the existing Prüm framework, reinforcing and modernising the framework and allowing interoperability with other EU information systems. It will ensure that all the relevant data that is available for law enforcement authorities in a Member State can be used by law enforcement authorities in other Member States. It will also ensure that Europol can provide support to Member States in the context of the Prüm framework. This initiative provides for the creation of a new architecture that allows for easier and faster exchange of data between Member States and that ensures a high level of protection of fundamental rights.

Objectives of the proposal

The general objective of this proposal results from the Treaty-based goal of contributing to the internal security of the European Union. Among measures to do so, the collection, storage, processing, analysis and exchange of relevant information is listed. 9 The general objective of this instrument is thus to improve, streamline and facilitate the exchange of information for the purpose of the prevention, detection and investigation of criminal and terrorist offences between Member States’ law enforcement authorities, but also with Europol as the EU criminal information hub.


The specific policy objectives of this proposal are to:


(a) Provide a technical solution for efficient automated exchange of data between law enforcement authorities to make them aware of relevant data that is available in the national database of another Member State;

(b) Ensure that more relevant data (in terms of data categories) from national databases in other Member States is available to all competent law enforcement authorities;

(c) Ensure that relevant data (in terms of sources of data) from Europol’s databases is available to law enforcement authorities;

(d) Provide law enforcement authorities with efficient access to the actual data corresponding to a ‘hit’ that is available in the national database of another Member State.

Consistency with existing policy provisions in the policy area

The recent Schengen Strategy 10 announced several measures to step up police cooperation and information exchange between law enforcement authorities to enhance security in an inherently interdependent area without internal borders. Together with the proposal for a Directive on information exchange between law enforcement authorities of Member States, this proposal contributes to the objectives of this strategy by ensuring that law enforcement authorities in one Member State have access to the same information that is available to their colleagues in another Member State.

The proposal comes within the wider landscape of the large-scale EU information systems that has developed substantially since the adoption of the Prüm framework. This includes the three EU central information systems that are in operation: the Schengen Information System (SIS), the Visa Information System (VIS) and the Eurodac system. 11 In addition, three new systems are currently in development phase: the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS) and the centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN system). 12 All these current and future systems are linked through the interoperability framework for the EU information systems 13 for security, border and migration management, adopted in 2019, and which is currently being put in place. The revisions included in this proposal seek to align the Prüm framework with the interoperability framework, notably when it comes to the exchange of data and the overall architecture provided by the interoperability of EU information systems. This would provide for fast and controlled access to the information that law enforcement officers need to perform their tasks and for which they have access rights.

The SIS already contains alerts on missing persons and allows searches based on fingerprints. The SIS is a hit/no hit, actionable centralised information system directly accessible to a large number of frontline end-users containing alerts and providing immediate response on the spot, with actions to be taken related to the subject of the alert. The SIS is mostly used at police, border and customs checks, and by visa and immigration authorities in their routine procedures and checks.

In contrast, the Prüm framework does not have any central component/database at EU level and it is used only in criminal investigations. It allows other Member States to access the de-personalised sub-sets of national criminal DNA and fingerprint databases of all connected Member States. This access is granted to national contact points only. While the hit/no hit response is provided within seconds or minutes, it may take weeks or even months to receive the corresponding personal data related to the hit.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The legal basis of this proposal consists of the following provisions of the Treaty on the Functioning of the European Union (TFEU): Article 16, Article 87(2)(a) and Article 88.

Under Article 16, the Union has the power to adopt measures relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies and by Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Under point (a) of Article 87, the Union has the power to adopt measures on the collection, storage, processing, analysis and exchange of relevant information to ensure police cooperation among Member States’ competent authorities, including police, customs and other specialised enforcement services in relation to the prevention, detection and investigation of criminal offences. Under Article 88, the European Parliament and the Council can determine Europol’s structure, operation, field of action and tasks.

Subsidiarity

The improvement of information exchange among police and law enforcement authorities within the EU cannot be sufficiently achieved by Member States in isolation, owing to the cross-border nature of crime fighting and security issues. Member States must rely on one another in these matters.

Through several implementation projects at EU level, 14 Member States have tried to take action to address the shortcomings of the current Prüm framework. 15 Despite all these actions, many of the shortcomings remained the same as the ones described in the 2012 report on the implementation of the Prüm Decision. 16 This shows the need for EU action as measures implemented by Member States alone have not proved sufficient to address the limitations of the current Prüm framework.

Moreover, common EU level rules, standards and requirements facilitate information exchanges while providing compatibility between different national systems. This in turn allows for a certain level of automation in information exchange workflows that release law enforcement officers from labour-intensive manual activities.

Proportionality

As explained in full detail in the impact assessment accompanying this proposed Regulation, the policy choices made in this proposal are considered proportionate. This is because they do not go beyond what is necessary to achieve the identified objectives.

The proposal envisages the creation of central routers (the Prüm II router and EPRIS) that would each act as a connecting point between Member States. This is a hybrid approach between a decentralised and centralised solution without any data storage at central level. It will imply that national databases in each Member State will all connect to the central router instead of connecting to one another. These routers would serve as message brokers forwarding search transactions and replies to national systems, without creating new data processes, enlarging access rights or replacing national databases. This approach would ensure that law enforcement authorities have fast and controlled access to the information that they need to perform their tasks, in line with their access rights. The router would facilitate the implementation by Member States of existing and future data exchanges in the context of the Prüm framework.

The automated exchange of additional data categories, such as facial images and police records, is crucial for effective criminal investigations and for identifying criminals. The introduction of these additional data categories would not lead to storing new categories of data as Member States already collect them under national law and store them in national databases. The exchange of these new data categories would constitute a new processing of data. However, it would be limited to the extent necessary to achieve its purpose and it would only allow for comparison of data in case-by-case situations. A set of several safeguards (e.g. sharing full data only if there is a “hit” following a query) are also foreseen in the proposal.

With this proposal, Europol will form an integral part of the Prüm framework, firstly by enabling Member States to automatically check third country-sourced biometric data held at Europol. Secondly, Europol could also check third country-sourced data against Member States’ national databases. These two aspects of Europol’s involvement in the new Prüm framework, in accordance with Europol’s tasks as set out in Regulation (EU) 2016/794, would guarantee that no gaps occur in relation to data related to serious crime and terrorism received from third countries. In an open society in a globalised world, data provided by third countries on criminals and terrorists is crucial. It would allow for the potential identification of criminals known by countries outside the EU, while at the same time benefitting from strong safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals established in the Europol cooperation agreements with third countries.

The revised hit-follow-up exchange process would contribute to the internal security of the European Union by simplifying and streamlining the exchange of law enforcement information. Compared to the current situation where the exchange of information following a hit is governed by national law and is thereby subject to different rules and procedures, common rules harmonising this second step of the Prüm process would give predictability to all users, as they would all know what data they would get in this step. The exchange of data would be facilitated through partial automation, which means that human intervention would still be needed before any comprehensive follow-up data exchange can take place. Member States would retain ownership/control over their data.

Choice of the instrument

A Regulation of the European Parliament and the Council is proposed. The proposed legislation builds on an existing framework of Council Decisions contributing to cross-border cooperation between EU Member States in the fields of justice and home affairs. 17

In view of the need for the proposed measures to be directly applicable and uniformly applied across Member States, as well as to enhance the exchange of information, a Regulation is therefore the appropriate choice of legal instrument.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations of existing legislation

Overall, the evaluation of the Prüm framework 18 showed that searching and comparing DNA, fingerprint and vehicle registration data in other Member States’ databases for the prevention and investigation of criminal offences, are of paramount importance for safeguarding the internal security of the EU and the safety of its citizens. The evaluation further demonstrated that the Prüm Decisions have helped to establish common EU level rules, standards and requirements, to facilitate information exchange and provide compatibility between different national systems.

However, since the expiration of the deadline for the implementation of the Prüm framework ten years ago, the EU has adopted several other measures on the facilitation of the exchange of information between law enforcement authorities, 19 including the interoperability framework. 20 Additionally, provisions on the technical specifications of queries, security measures and communication have not been updated since the adoption of the Prüm Decisions in 2008. 21 Some of these rules are outdated as forensic science and technology have significantly developed in the past decade.

The evaluation also found that the implementation of the Prüm Decisions in the past ten years has been slow and that not all Member States have taken the necessary steps to implement the Decisions. 22 As a consequence, a number of bilateral connections have not been established, and queries cannot be launched to some Member States’ databases. Findings of the evaluation also showed that the follow-up to hits occurs based on national law and therefore falls outside the scope of the Prüm Decisions. Differences in national rules and procedures can cause, in several instances, significant time-lags for competent authorities to receive information following a hit. This state of play affects the functioning of the Prüm system as well as the effective exchange of information between Member States by decreasing the possibility that criminals are identified, and cross-border links between crimes are detected.

The findings of the evaluation supported the preparation of the impact assessment and of this proposal.

Stakeholder consultations

The preparation of this proposal involved targeted consultations of concerned stakeholders, including end-users of the system, namely Member States’ authorities using the Prüm automated data exchange ranging from law enforcement and judicial authorities, national vehicle registration authorities, to national database custodians and forensic laboratories. Europol and eu-LISA were also consulted in view of their respective expertise and their potential role in the new Prüm framework.

The FRA, as well as non-governmental organisations such as EDRi (European Digital Rights) and intergovernmental organisations (Eucaris – European car and driving licence information systems) also provided input in light of their expertise.

Consultation activities in the context of the preparation of the impact assessment underpinning this proposal gathered feedback from stakeholders in various fora. These activities included notably an inception impact assessment, a public consultation and a series of technical workshops. A feasibility study was conducted based on desk research, interviews with subject matter experts, questionnaires and three expert workshops, and examined the feasibility of improving information exchange under the Prüm Decisions.

Regular discussions on law enforcement information exchange and specifically on the Prüm Decisions in the Council Working Party DAPIX/IXIM 23 also contributed to preparing this proposal.

An inception impact assessment was published for feedback from August to October 2020, with a total of six contributions received. 24

A public consultation advertised on the European Commission’s website targeted the general public. Replies confirmed that the existing Prüm framework is relevant for the prevention and investigation of criminal offences, and has improved the exchange of data between Member States’ law enforcement authorities. By preventing the need to query each Member State bilaterally, the automated data exchange under the Prüm framework has also brought efficiency gains. Replies further confirmed the coherence of the framework with EU and international actions in this field, and that it has added-value compared to what Member States could achieve in the field of law enforcement information exchange in the absence of the Prüm framework. In terms of strengthening the current framework, most respondents agreed that the fact that some data categories are not covered by the framework and are therefore exchanged by sending manual queries is a shortcoming.

The Commission’s services also organised a series of targeted informal technical workshops with experts from Member States and Schengen Associated Countries. The workshops aimed at bringing together end-users for an exchange of views on the options, which were being envisaged and assessed to strengthen the Prüm framework, from a technical perspective.

The accompanying impact assessment sets out a more detailed description of the stakeholder consultation (Annex 2).

Impact assessment

The proposal is supported by an impact assessment as presented in the accompanying Staff Working Document [Prüm impact assessment reference]. The Regulatory Scrutiny Board reviewed the draft impact assessment at its meeting of 14 July 2021 and delivered its positive opinion on 16 July 2021.


The impact assessment concluded that:


To meet the objective of providing a technical solution for efficient automated exchange of data, a hybrid solution between a decentralised and a centralised approach without data storage at central level should be applied.

To meet the objective of ensuring that more relevant data (in terms of data categories) is available to law enforcement authorities, the exchange of facial images and police records should be introduced.

To meet the objective of ensuring that relevant data from Europol’s databases is available to law enforcement authorities, Member States should be able to check automatically third country-sourced biometric data at Europol as part of the Prüm framework. Europol should also be able to check third country-sourced data against Member States’ national databases.

To meet the objective of providing efficient access to the actual data corresponding to a ‘hit’ that is available in the national database of another Member State or at Europol, the follow-up process should be regulated at EU level with a semi-automated exchange of the actual data corresponding to a ‘hit’.

The major positive impact of this proposal will be to respond effectively to the identified problems and reinforce the current Prüm framework with targeted and strong additional capabilities to step up its support to Member States in reinforcing information exchange with the final objective of preventing and investigating criminal and terrorist offences, in full compliance with fundamental rights.

The ultimate beneficiaries of all preferred options are the citizens, who will directly and indirectly benefit from better crime fighting and lower crime rates. In terms of efficiency, the main beneficiaries are national law enforcement authorities.

The immediate financial and economic impacts of the proposal will require investments at both EU and Member States’ level. It is expected that the projected investment costs will be outweighed by benefits and savings, notably at the Member States’ level. Despite the initial investments, the creation of the central Prüm router will save costs for Member States as the router would not require each Member State to create (and maintain) as many connections as there are Member States and data categories.

Fundamental rights

In accordance with the EU Charter of Fundamental Rights, to which EU institutions and Member States are bound when they implement EU law (Article 51 of the Charter), and with the principle of non-discrimination, the opportunities offered by the options presented need to be balanced with the obligation to ensure that interferences with fundamental rights that may derive from them are limited to what is strictly necessary to genuinely meet the objectives of general interest pursued, subject to the principle of proportionality (Article 52 of the Charter).

The proposed solutions offer the opportunity to adopt targeted preventive measures to enhance security. As such, they can contribute to pursuing the legitimate objective of facilitating the fight against crime, which also implies a positive obligation on authorities to take preventive operational measures to protect an individual whose life is at risk, if they know or ought to have known of the existence of an immediate risk. 25

Protection of personal data

Exchange of information has an impact on the right to the protection of personal data. This right is established by Article 8 of the Charter and Article 16 of the Treaty on the Functioning of the European Union, and in Article 8 of the European Convention on Human Rights. As underlined by the Court of Justice of the EU, 26 the right to the protection of personal data is not an absolute right but must be considered in relation to its function in society. Data protection is closely linked to respect for private and family life protected by Article 7 of the Charter.

As regards Prüm, the applicable data protection legislation is Directive (EU) 2016/680. Indeed, the Prüm framework provides for processing of personal data carried out in the context of the exchange of information between law enforcement authorities responsible for the prevention and investigation of criminal offences.

The free movement of data within the EU is not to be restricted for reasons of data protection. However, a series of principles must be met. Indeed, to be lawful, any limitation on the exercise of the fundamental rights protected by the Charter must comply with the following criteria, laid down in its Article 52:

it must be provided for by law;

it must respect the essence of the rights;

it must genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others;

it must be necessary; and

it must be proportional.

This proposal embeds all these data protection rules, as set out in full detail in the impact assessment accompanying this proposed Regulation. The proposal is based on the principles of data protection by design and by default. It includes all appropriate provisions limiting data processing to what is necessary for the specific purpose and granting data access only to those entities that ‘need to know’. Access to data is reserved exclusively for duly authorised staff of Member States’ authorities or EU bodies that are competent for the specific purposes of the revised Prüm framework and limited to the extent that the data are required for the performance of tasks in accordance with these purposes.

The Commission will, at the time of publishing the report assessing the effect given to [Council Recommendation on operational police cooperation] by the Member States referred to under point 9(d) of that Recommendation, decide whether there is a need for EU legislation on cross-border operational police cooperation. Should there be a need for such legislation, the Commission will make a legislative proposal on cross-border operational police cooperation, which will also ensure the alignment of the provisions of Decision 2008/615/JHA and Decision 2008/616/JHA which were not covered under this proposal with Directive 2016/680, in line with the results of the assessment under Article 62(6) of Directive 2016/680. Should there not be a need for EU legislation on cross-border operational police cooperation, the Commission will make a legislative proposal to ensure this same alignment, in line with the results of the assessment under Article 62(6) of Directive 2016/680.

4. BUDGETARY IMPLICATIONS

This legislative initiative would have an impact on the budget and staff needs of eu-LISA and Europol.

For eu-LISA, it is estimated that an additional budget of around EUR 16 million and around 10 additional posts would be needed for the overall MFF period to ensure that eu-LISA has the necessary resources to enforce the tasks attributed to the Agency in this proposed Regulation. The budget allocated to eu-LISA will be offset against the BMVI.

For Europol, it is estimated that an additional budget of around EUR 7 million and around 5 additional posts would be needed for the overall MFF period to ensure that Europol has the necessary resources to enforce the tasks attributed to the Agency in this proposed Regulation. The budget allocated to Europol will be offset against the ISF.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The Commission will ensure that the necessary arrangements are in place to monitor the functioning of the measures proposed and evaluate them against the main policy objectives. Two years after the new functionalities are put in place and operating, and every two years thereafter, Union Agencies should submit to the European Parliament, the Council and the Commission a report on the technical functioning of the new proposed measures. In addition, three years after the new functionalities are put in place and operating, and every four years thereafter, the Commission should produce an overall evaluation of the measures, including on any direct or indirect impact on fundamental rights. It should examine results achieved against objectives and assess the continuing validity of the underlying rationale and any implications for future options. The Commission should submit the evaluation reports to the European Parliament and the Council.

Detailed explanation of the specific provisions of the proposal

Chapter 1 sets out the general provisions for this Regulation with its subject matter, purpose and scope. It provides a list of definitions and recalls that the processing of personal data for the purposes of this Regulation shall respect the principle of non-discrimination and other fundamental rights.

Chapter 2 sets out the provisions for the exchange of the categories of data under this Regulation, namely the exchange of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records. The principles for the exchange, the automated search of data, the rules for requests and answers are detailed in a separate section for each category of data respectively. Chapter 2 also contains common provisions for the exchange of data, the setting up of national contact points and implementing measures.

Chapter 3 sets out the details for the new (technical) architecture for the exchange of data. The first section of this chapter includes provisions describing the central router, the use of the router and the launching of queries. Implementing acts will be needed to specify the technical procedures for these queries. This section also includes provisions on the interoperability between the router and the Common Identity Repository for the purposes of law enforcement access, the keeping of logs of all data processing operations in the router, the quality check and the notification procedures in case of technical impossibility to use the router. A second section provides details on the use of the European Police Records Index System (EPRIS) for the exchange of police records. This section also includes provisions on the keeping of logs of all data processing operations in EPRIS, and the notification procedures in case of technical impossibility to use EPRIS.

Chapter 4 sets out the processes for exchange of data following a match. It includes a provision on the automated exchange of core data, with data limited to what is necessary to enable the identification of the individual concerned, and a provision on the exchange of data at any stage of the process under this Regulation which is not explicitly described under this Regulation.

Chapter 5 contains provisions on the access by Member States to third country-sourced biometric data stored by Europol and on the access by Europol to data stored in Member States’ databases.

Chapter 6 on data protection contains provisions ensuring that data under this Regulation are processed lawfully and appropriately, in line with the provisions of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. 27 It explains who the data processor will be for the processing of data pursuant to this Regulation. It sets out measures required from eu-LISA and Member States’ authorities to ensure the security of data processing, the appropriate handling of security incidents and the monitoring of compliance with the measures in this Regulation. The chapter also sets out the provisions relating to supervision and audit in relation to data protection. It underlines the principle that data processed under this Regulation shall not be transferred or made available to any third country or international organisation in an automated manner.

Chapter 7 details the responsibilities of Member States, Europol, and eu-LISA respectively in the implementation of the measures in this Regulation.

Chapter 8 concerns amendments to other existing instruments, namely Decisions 2008/615/JHA and 2008/616/JHA, Regulation (EU) 2018/1726, Regulation (EU) 2019/817 and Regulation (EU) 2019/818.

Chapter 9 on final provisions sets out the details relating to reporting and statistics, costs, notifications, transitional provisions and derogations. It also sets out the requirements for the start of operations of the measures proposed under this Regulation. The chapter also provides for the setting up of a committee and the adoption of a practical handbook to support implementation and management of this Regulation. It also includes a provision on monitoring and evaluation and a provision on the entry into force and applicability of this Regulation. Notably, this Regulation replaces Articles 2 to 6 and Sections 2 and 3 of Chapter 2 of Council Decision 2008/615/JHA and Chapters 2 to 5 and Articles 18, 20 and 21 of Council Decision 2008/616/JHA which will consequently be deleted from those Council Decisions from the date of application of this Regulation. The effect of those amendments will be that the replaced and deleted provisions no longer apply to any Member State.