Considerations on COM(2023)244 - Amendment of Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2023)244 - Amendment of Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data. |
|---|---|
| document | COM(2023)244  |
| date | March 13, 2024 |
| (2) | Council Decision 2009/917/JHA (3) establishes the Customs Information System (CIS), the purpose of which is to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and thereby to increase the effectiveness of the customs administrations of the Member States. The CIS consists of a central database facility which stores personal data, such as names and forenames, addresses, numbers of identity papers, related to commodities, means of transport, businesses or persons and detained, seized or confiscated items and cash. The central database facility is managed by the Commission, which does not have access to the personal data stored in it. The authorities designated by the Member States have the right of access to the central database facility and can enter and consult the information stored in it. The European Union Agency for Law Enforcement Cooperation (Europol) and the European Union Agency for Criminal Justice Cooperation (Eurojust) have, within their respective mandates and for the fulfilment of their tasks, the right to access the data entered in the central database facility by the authorities designated by the Member States and to search those data. |
| (3) | In order to ensure a consistent approach to the protection of personal data in the Union, Decision 2009/917/JHA should be amended in order to align it with Directive (EU) 2016/680. In particular, the personal data protection rules laid down in that Decision should respect the principle of purpose limitation, be limited to specified categories of data subjects and categories of personal data, respect data security requirements, include additional protection for special categories of personal data and respect the conditions for subsequent processing. Moreover, provision should be made for the coordinated supervision of the operation of the CIS by the European Data Protection Supervisor and the national supervisory authorities in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council (4). |
| (4) | In order to ensure a clear and consistent approach to the adequate protection of personal data, the term ‘serious contraventions’ used in Decision 2009/917/JHA should be replaced by ‘criminal offences’ as referred to in Directive (EU) 2016/680, bearing in mind the fact that where particular conduct is prohibited under the criminal law of a Member State, that in itself implies a certain degree of seriousness of the contravention. Moreover, the purpose of the CIS should remain limited to assisting in the prevention, investigation, detection or prosecution of criminal offences under national laws as defined in Decision 2009/917/JHA, that is, national laws in respect of which the customs administrations of the Member States are competent and which are therefore particularly relevant in the context of customs. Therefore, whereas qualification as a criminal offence is a necessary requirement, not all criminal offences under national laws are covered by Decision 2009/917/JHA. For instance, the criminal offences of illicit drug trafficking, illicit weapons trafficking and money laundering are covered by Decision 2009/917/JHA. Furthermore, the replacement of the term ‘serious contraventions’ with the term ‘criminal offences’ should not be understood as affecting the specific requirements set out in Decision 2009/917/JHA regarding the establishment and sending by each Member State of a list of criminal offences under their national laws that meet certain conditions for the purposes of the customs files identification database. |
| (5) | When processing personal data under Decision 2009/917/JHA, without prejudice to specific rules contained in that Decision, Member States are subject to their national provisions adopted pursuant to Directive (EU) 2016/680, the Commission is subject to the rules laid down in Regulation (EU) 2018/1725, Europol is subject to the rules laid down in Regulation (EU) 2016/794 of the European Parliament and of the Council (5) and Eurojust is subject to the rules laid down in Regulation (EU) 2018/1727 of the European Parliament and of the Council (6). Those acts govern, inter alia, the obligations and responsibilities of controllers, joint controllers, processors and the relationship between them with regard to the protection of personal data. National supervisory authorities responsible for monitoring and ensuring the application of Directive (EU) 2016/680 in each Member State should be competent for monitoring and ensuring the application of the provisions relating to the protection of personal data laid down in Decision 2009/917/JHA by the competent authorities of each Member State. The European Data Protection Supervisor should be responsible for monitoring and ensuring the application of the provisions relating to the protection of personal data laid down in Decision 2009/917/JHA by the Commission, Europol, and Eurojust. |
| (6) | In order to ensure the optimal preservation of the data in the CIS, while reducing the administrative burden for the competent authorities, and in line with Council Regulation (EC) No 515/97 (7), the procedure governing the retention of personal data in the CIS should be simplified by removing the obligation to review annually the need for the retention of personal data and by setting a maximum retention period of five years which can be increased by an additional period of two years provided that such an increase is justified. That retention period is necessary and proportionate in view of the typical length of criminal proceedings and the necessity of the data for the conduct of joint customs operations and of investigations. |
| (7) | The processing of personal data under Decision 2009/917/JHA involves the processing, exchange and subsequent use of relevant information for the purposes set out in Article 87 of the Treaty on the Functioning of the European Union (TFEU). In the interests of consistency and the effective protection of personal data, the processing of personal data under Decision 2009/917/JHA should comply with Union and national law on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against, and the prevention of, threats to public security. |
| (8) | In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union (TEU) and to the TFEU, Ireland is bound by Decision 2009/917/JHA and is therefore taking part in the adoption of this Regulation. |
| (9) | In accordance with Articles 1, 2 and 2a of Protocol No 22 on the position of Denmark annexed to the TEU and the TFEU, Denmark is bound by Decision 2009/917/JHA and is therefore taking part in the adoption of this Regulation. |
| (10) | The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 4 July 2023. |
| (11) | Decision 2009/917/JHA should therefore be amended accordingly, |