Considerations on COM(2021)784 - Automated data exchange for police cooperation (“Prüm II”)

Please note

This page contains a limited version of this dossier in the EU Monitor.

 
dossier COM(2021)784 - Automated data exchange for police cooperation (“Prüm II”).
document COM(2021)784 EN
date March 13, 2024
 
(1) The Union has set itself the objective of offering its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured. That objective should be achieved by means of, among others, appropriate measures to prevent and combat crime, including organised crime and terrorism.

(2) That objective requires that law enforcement authorities exchange data, in an efficient and timely manner, in order to effectively fight crime.

(3) The objective of this Regulation is therefore to improve, streamline and facilitate the exchange of criminal information between Member States’ law enforcement authorities, but also with the European Union Agency for Law Enforcement Cooperation established by Regulation (EU) No 2016/794 of the European Parliament and of the Council 30 (Europol) as the Union criminal information hub.

(4) Council Decisions 2008/615/JHA 31 and 2008/616/JHA 32  laying down rules for the exchange of information between authorities responsible for the prevention and investigation of criminal offences by providing for the automated transfer of DNA profiles, dactyloscopic data and certain vehicle registration data, have proven important for tackling terrorism and cross-border crime.

(5) This Regulation should lay down the conditions and procedures for the automated transfer of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records. This should be without prejudice to the processing of any of these data in the Schengen Information System (SIS) or the exchange of supplementary information related to them via the SIRENE bureaux or to the rights of individuals whose data is processed therein.

(6) The processing of personal data and the exchange of personal data for the purposes of this Regulation should not result in discrimination against persons on any grounds. It should fully respect human dignity and integrity and other fundamental rights, including the right to respect for one's private life and to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union.

(7) By providing for the automated search or comparison of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records, the purpose of this Regulation is also to allow for the search of missing persons and unidentified human remains. This should be without prejudice to the entry of SIS alerts on missing persons and the exchange of supplementary information on such alerts under Regulation (EU) 2018/1862 of the European Parliament and of the Council. 33

(8) The Directive (EU) …/… [on information exchange between law enforcement authorities of Member States] provides a coherent Union legal framework to ensure that law enforcement authorities have equivalent access to information held by other Member States when they need it to fight crime and terrorism. To enhance information exchange, that Directive formalises and clarifies the procedures for information sharing between Member States, in particular for investigative purposes, including the role of the ‘Single Point of Contact’ for such exchanges, and making full use of Europol’s information exchange channel SIENA. Any exchange of information beyond what is provided for in this Regulation should be regulated by Directive (EU) …/… [on information exchange between law enforcement authorities of Member States].

(9) For the automated searching of vehicle registration data, Member States should use the European Vehicle and Driving Licence Information System (Eucaris) set up by the Treaty concerning a European Vehicle and Driving Licence Information System (EUCARIS) designed for this purpose. Eucaris should connect all participating Member States in a network. There is no central component needed for the communication to be established as each Member State communicates directly to the other connected Member States.

(10) The identification of a criminal is essential for a successful criminal investigation and prosecution. The automated searching of facial images of suspects and convicted criminals should provide for additional information for successfully identifying criminals and fighting crime.

(11) The automated search or comparison of biometric data (DNA profiles, dactyloscopic data and facial images) between authorities responsible for the prevention, detection and investigation of criminal offences under this Regulation should only concern data contained in databases established for the prevention, detection and investigation of criminal offences.

(12) Participation in the exchange of police records should remain voluntary. Where Member States decide to participate, in the spirit of reciprocity, it should not be possible for them to query other Member States’ databases if they do not make their own data available for queries by other Member States.

(13) In recent years, Europol has received a large amount of biometric data of suspected and convicted terrorists and criminals from several third countries. Including third country-sourced data stored at Europol in the Prüm framework and thus making this data available to law enforcement authorities is necessary for better prevention and investigation of criminal offences. It also contributes to building synergies between different law enforcement tools.

(14) Europol should be able to search Member States’ databases under the Prüm framework with data received from third countries in order to establish cross-border links between criminal cases. Being able to use Prüm data, next to other databases available to Europol, should allow establishing more complete and informed analysis on the criminal investigations and should allow Europol to provide better support to Member States’ law enforcement authorities. In case of a match between data used for the search and data held in Member States’ databases, Member States may supply Europol with the information necessary for it to fulfil its tasks.

(15) Decisions 2008/615/JHA and 2008/616/JHA provide for a network of bilateral connections between the national databases of Member States. As a consequence of this technical architecture, each Member State should establish at least 26 connections, that means a connection with each Member State, per data category. The router and the European Police Records Index System (EPRIS) established by this Regulation should simplify the technical architecture of the Prüm framework and serve as connecting points between all Member States. The router should require a single connection per Member State in relation to biometric data and EPRIS should require a single connection per Member State in relation to police records. 

(16) The router should be connected to the European Search Portal established by Article 6 of Regulation (EU) 2019/817 of the European Parliament and of the Council 34 and Article 6 of Regulation (EU) 2019/818 of the European Parliament and of the Council 35  to allow Member States’ authorities and Europol to launch queries to national databases under this Regulation simultaneously to queries to the Common Identity Repository established by Article 17 of Regulation (EU) 2019/817 and Article 17 of Regulation (EU) 2019/818 for law enforcement purposes.

(17) In case of a match between the data used for the search or comparison and data held in the national database of the requested Member State(s), and upon confirmation of this match by the requesting Member State, the requested Member State should return a limited set of core data via the router within 24 hours. The deadline would ensure fast communication exchange between Member States’ authorities. Member States should retain control over the release of this limited set of core data. A certain degree of human intervention should be maintained at key points in the process, including for the decision to release personal data to the requesting Member State in order to ensure that there would be no automated exchange of core data.

(18) Any exchange between Member States’ authorities or with Europol at any stage of one of the processes described under this Regulation, which is not explicitly described in this Regulation, should take place via SIENA to ensure that a common, secure and reliable channel of communication is used by all Member States.

(19) The universal message format (UMF) standard should be used in the development of the router and EPRIS. Any automated exchange of data in accordance with this Regulation should use the UMF standard. Member States’ authorities and Europol are encouraged to use the UMF standard also in relation to any further exchange of data between them in the context of the Prüm II framework. The UMF standard should serve as a standard for structured, cross-border information exchange between information systems, authorities or organisations in the field of Justice and Home Affairs. 

(20) Only non-classified information should be exchanged via the Prüm II framework.

(21) Certain aspects of the Prüm II framework cannot be covered exhaustively by this Regulation given their technical, highly detailed and frequently changing nature. Those aspects include, for example, technical arrangements and specifications for automated searching procedures, the standards for data exchange and the data elements to be exchanged. In order to ensure uniform conditions for the implementation of this Regulation implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council. 36  

(22) As this Regulation provides for the establishment of the new Prüm framework, relevant provisions of Decisions 2008/615/JHA and 2008/616/JHA should be deleted. Those Decisions should therefore be amended accordingly.

(23) As the router should be developed and managed by the European Union Agency for the Operational Management of Large-Scale Information Systems in the Area of Freedom, Security and Justice established by Regulation (EU) 2018/1726 of the European Parliament and of the Council 37 (eu-LISA), it is therefore necessary to amend Regulation (EU) 2018/1726 by adding that to the tasks of eu-LISA. In order to allow for the router to be connected to the European Search Portal to carry out simultaneous searches of the router and the Common Identity Repository it is therefore necessary to amend Regulation (EU) 2019/817. In order to allow for the router to be connected to the European Search Portal to carry out simultaneous searches of the router and the Common Identity Repository and in order to store reports and statistics of the router on the Common Repository for Reporting and Statistics it is therefore necessary to amend Regulation (EU) 2019/818. Those Regulations should therefore be amended accordingly.

(24) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(25) [In accordance with Article 3 of the Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Ireland has notified its wish to take part in the adoption and application of this Regulation.] OR [In accordance with Articles 1 and 2 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.]

(26) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council 38 and delivered an opinion on [XX] 39 .