JHA, as regards the digital information exchange in terrorism cases - Main contents

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier	COM(2021)757 - Amendment of Regulation 2018/1727 Council Decision 2005/671/JHA, as regards the digital information exchange in terrorism ...
document	COM(2021)757
date	October 4, 2023

Article 1

Amendments to Regulation (EU) 2018/1727

Regulation (EU) 2018/1727 is amended as follows:

(1)

in Article 3, paragraph 5 is replaced by the following:

‘5. Eurojust may also assist with investigations and prosecutions that only affect a Member State and a third country or a Member State and an international organisation, provided that a cooperation agreement or arrangement establishing cooperation pursuant to Article 52 has been concluded with that third country or that international organisation, or provided that in a specific case there is an essential interest in providing such assistance.

The decision as to whether and how Member States provide judicial assistance to a third country or to an international organisation shall remain solely with the competent authority of the Member State concerned, subject to applicable national, Union or international law.’

;

(2)

Article 20 is amended as follows:

(a)

the following paragraph is inserted:

‘2a. Each Member State shall designate a competent national authority as Eurojust national correspondent for terrorism matters. That national correspondent for terrorism matters shall be a judicial or other competent authority. Where the national legal system so requires, it shall be possible for a Member State to designate more than one competent national authority as Eurojust national correspondent for terrorism matters. The national correspondent for terrorism matters shall have access to all relevant information in accordance with Article 21a(1). It shall be competent to collect such information and to send it to Eurojust, in compliance with national and Union law, in particular national criminal procedural law and applicable data protection rules.’

;

(b)

paragraph 8 is replaced by the following:

‘8. In order to meet the objectives referred to in paragraph 7 of this Article, the persons referred to in paragraph 3, points (a), (b) and (c), of this Article shall be connected to the case management system in accordance with this Article and with Articles 23, 24, 25 and 34. The cost of connection to the case management system shall be borne by the general budget of the Union.’

;

(3)

Article 21 is amended as follows:

(a)	paragraph 9 is replaced by the following: ‘9. This Article shall not affect other obligations regarding the transmission of information to Eurojust.’ ;

(b)	paragraph 10 is replaced by the following: ‘10. The competent national authorities shall not be obliged to provide information as referred to in this Article where such information has already been transmitted to Eurojust in accordance with other provisions of this Regulation.’ ;

(4)

the following Article is inserted:

‘Article 21a

Exchange of information on terrorism cases

1. As regards terrorist offences, the competent national authorities shall inform their national members of any ongoing or concluded criminal investigations supervised by judicial authorities as soon as the case is referred to the judicial authorities in accordance with national law, in particular national criminal procedural law, of any ongoing or concluded prosecutions and court proceedings, and of any court decisions on terrorist offences. That obligation shall apply to all criminal investigations related to terrorist offences regardless of whether there is a known link to another Member State or a third country unless the criminal investigation, due to its specific circumstances, clearly affects only one Member State.

2. Paragraph 1 shall not apply where:

(a)	the sharing of information would jeopardise an ongoing investigation or the safety of an individual; or

(b)	the sharing of information would be contrary to essential security interests of the Member State concerned.

3. Terrorist offences for the purpose of this Article are offences referred to in Directive (EU) 2017/541 of the European Parliament and of the Council (*1).

4. The information transmitted in accordance with paragraph 1 shall include the operational personal data and non-personal data set out in Annex III. Such information may include personal data in accordance with Annex III, point (d), but only if such personal data are held by or can be communicated to the competent national authorities in accordance with national law and if the transmission of those data is necessary to identify reliably a data subject under Article 27(5).

5. Subject to paragraph 2, the competent national authorities shall inform their national members about any changes to the information transmitted under paragraph 1 without undue delay and, where possible, no later than 10 working days after such changes.

6. The competent national authority shall not be obliged to provide such information where it has already been transmitted to Eurojust.

7. The national competent authority may at any stage request the support of Eurojust in the follow-up action as regards links identified on the basis of information provided under this Article.

(*1) Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).’;"

(5)

the following Articles are inserted:

‘Article 22a

Secure digital communication and data exchange between competent national authorities and Eurojust

1. Communication between the competent national authorities and Eurojust under this Regulation shall be carried out through the decentralised IT system. The case management system referred to in Article 23 shall be connected with a network of IT systems and interoperable e-CODEX access points, which operate under the individual responsibility and management of each Member State and Eurojust, enabling the secure and reliable cross-border exchange of information (“the decentralised IT system”).

2. Where exchange of information in accordance with paragraph 1 is not possible due to the unavailability of the decentralised IT system or due to exceptional circumstances, it shall be carried out by the swiftest, most appropriate alternative means. Member States and Eurojust shall ensure that the alternative means of communication are reliable and provide an equivalent level of security and data protection.

3. The competent national authorities shall transmit the information referred to in Articles 21 and 21a of this Regulation to Eurojust in a semi-automated and structured manner from national registers. The arrangements for such transmission shall be determined by the Commission, in consultation with Eurojust, in an implementing act, in accordance with Article 22b of this Regulation. In particular, that implementing act shall determine the format of the data transmitted pursuant to Annex III, point (d), to this Regulation and the necessary technical standards with regard to the transmission of such data, and shall set out the digital procedural standards as defined in Article 3, point 9, of Regulation (EU) 2022/850 of the European Parliament and of the Council (*2).

4. The Commission shall be responsible for the creation, maintenance and development of reference implementation software which Member States and Eurojust may choose to apply as their back-end system. That reference implementation software shall be based on a modular setup, meaning that the software is packaged and delivered separately from the e-CODEX components needed to connect it to the decentralised IT system. That setup shall enable Member States to reuse or enhance their existing national judicial communication infrastructures for the purpose of cross-border use and Eurojust to connect its case management system to the decentralised IT system.

5. The Commission shall provide, maintain and support the reference implementation software free of charge. The creation, maintenance and development of the reference implementation software shall be financed from the general budget of the Union.

6. Member States and Eurojust shall bear their respective costs for establishing and operating an authorised e-CODEX access point as defined in Article 3, point 3, of Regulation (EU) 2022/850, and for establishing and adjusting their relevant IT systems to make them interoperable with the access points.

Article 22b

Adoption of implementing acts by the Commission

1. The Commission shall adopt the implementing acts necessary for the establishment and use of the decentralised IT system for communication under this Regulation, setting out the following:

(a)	the technical specifications defining the methods of communication by electronic means for the purposes of the decentralised IT system;

(b)	the technical specifications for communication protocols;

(c)	the information security objectives and relevant technical measures ensuring minimum information security standards and a high level of cybersecurity standards for the processing and communication of information within the decentralised IT system;

(d)	the minimum availability objectives and possible related technical requirements for the services provided by the decentralised IT system;

(e)	the establishment of a steering committee comprising representatives of the Member States to ensure the operation and maintenance of the decentralised IT system in order to meet the objectives of this Regulation.

2. The implementing acts referred to in paragraph 1 of this Article shall be adopted by 1 November 2025 in accordance with the examination procedure referred to in Article 22c(2).

Article 22c

Committee Procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (*3).

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), third subparagraph, of Regulation (EU) No 182/2011 shall apply.

(*2) Regulation (EU) 2022/850 of the European Parliament and of the Council of 30 May 2022 on a computerised system for the cross-border electronic exchange of data in the area of judicial cooperation in civil and criminal matters (e-CODEX system), and amending Regulation (EU) 2018/1726 (OJ L 150, 1.6.2022, p. 1)."

(*3) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).’;"

(6)

Articles 23, 24 and 25 are replaced by the following:

‘Article 23

Case management system

1. Eurojust shall establish a case management system for the processing of operational personal data listed in Annex II, data listed in Annex III and non-personal data.

2. The purposes of the case management system shall be to:

(a)	support the management and coordination of investigations and prosecutions for which Eurojust is providing assistance;

(b)	ensure secure access to and exchange of information on ongoing investigations and prosecutions;

(c)	allow for the cross-checking of information and identifying links;

(d)	allow for the extraction of data for operational and statistical purposes;

(e)	facilitate monitoring to ensure that the processing of operational personal data is lawful and complies with this Regulation and the applicable data protection rules.

3. The case management system may be linked to the secure telecommunications connection referred to in Article 9 of Council Decision 2008/976/JHA (*4) and other secure communication channels in accordance with applicable Union law.

4. Where Eurojust has been granted access to data in or from other Union information systems established under other Union legal acts, it may use the case management system to access data in or to connect to such information systems for the purpose of retrieving and processing information, including personal data, provided that it is necessary for the performance of its tasks and is in line with the Union legal acts establishing such information systems.

5. Paragraphs 3 and 4 do not extend the access rights granted to Eurojust to other Union information systems under the Union legal acts establishing those systems.

6. In the performance of their duties, national members may process personal data on the individual cases on which they are working, in accordance with this Regulation or other applicable instruments. They shall allow the Data Protection Officer to have access to the personal data processed in the case management system.

7. For the processing of operational personal data, Eurojust shall not establish any automated data file other than the case management system.

The national members may temporarily store and analyse personal data for the purpose of determining whether such data are relevant to Eurojust’s tasks and can be included in the case management system. Those data may be held for up to three months.

Article 24

Management of the information in the case management system

1. The national member shall store the information transmitted to that national member in accordance with this Regulation or other applicable instruments in the case management system.

The national member shall be responsible for the management of the data processed by that national member.

2. The national member shall decide, on a case-by-case basis, whether to keep access to the information restricted or to give access to it or to parts of it to other national members, to liaison prosecutors seconded to Eurojust, to authorised Eurojust staff or to any other person working on behalf of Eurojust who has received the necessary authorisation from the Administrative Director.

3. The national member shall indicate, in consultation with the competent national authorities, in general or specific terms, any restrictions on the further handling, access and transfer of the information if a link as referred to in Article 23(2), point (c), has been identified.

Article 25

Access to the case management system at national level

1. Persons referred to in Article 20(3), points (a), (b) and (c), shall have access to no more than the following data:

(a)	data controlled by the national member of their Member State;

(b)	data controlled by national members of other Member States and to which the national member of their Member State has received access, unless the national member who controls the data has denied such access.

2. The national member shall, within the limitations provided for in paragraph 1 of this Article, decide on the extent to which access is granted to the persons referred to in Article 20(3), points (a), (b) and (c), in their Member State.

3. Data provided in accordance with Article 21a may be accessed at national level only by national correspondents for Eurojust in terrorism matters as referred to in Article 20(3), point (c).

4. Each Member State may decide, after consultation with its national member, that persons referred to in Article 20(3), points (a), (b) and (c), may, within the limitations provided for in paragraphs 1, 2 and 3 of this Article, enter information in the case management system concerning their Member State. Such contribution shall be subject to validation by the respective national member. The College shall lay down the details of the practical implementation of this paragraph. Member States shall notify Eurojust and the Commission of their decision regarding the implementation of this paragraph. The Commission shall inform the other Member States thereof.

(*4) Council Decision 2008/976/JHA of 16 December 2008 on the European Judicial Network (OJ L 348, 24.12.2008, p. 130).’;"

(7)

Article 27 is amended as follows:

(a)

paragraph 4 is replaced by the following:

‘4. Eurojust may process special categories of operational personal data in accordance with Article 76 of Regulation (EU) 2018/1725. Where such other data refer to witnesses or victims within the meaning of paragraph 2 of this Article, the decision to process them shall be taken by the national members concerned.’

;

(b)

the following paragraph is added:

‘5. Where operational personal data are transmitted in accordance with Article 21a, Eurojust may process the operational personal data listed in Annex III of the following persons:

(a)	persons for whom, in accordance with the national law of the Member State concerned, there are serious grounds for believing that they have committed or are about to commit a criminal offence in respect of which Eurojust is competent;

(b)

persons who have been convicted of such offence.

Unless the competent national authority decides otherwise on a case-by-case basis, Eurojust may continue to process the operational personal data referred to in point (a) of the first subparagraph also after the proceedings have been concluded under the national law of the Member State concerned, even in the event of an acquittal or of a final decision not to prosecute. Where the proceedings did not result in a conviction, processing of operational personal data shall take place only in order to identify links between ongoing, future or concluded investigations and prosecutions as referred to in Article 23(2), point (c).’

;

(8)

Article 29 is amended as follows:

(a)

the following paragraph is inserted:

‘1a. Eurojust shall not store operational personal data transmitted in accordance with Article 21a beyond the first of the following dates:

(a)	the date on which prosecution is barred under the statute of limitations of all the Member States concerned by the investigation or prosecution;

(b)	five years after the date on which the judicial decision of the last of the Member States concerned by the investigation or prosecution became final, or two years in the case of an acquittal or final decision not to prosecute;

(c)	the date on which Eurojust is informed of the decision of the competent national authority pursuant to Article 27(5).’

;

(b)

paragraphs 2 and 3 are replaced by the following:

‘2. Observance of the storage deadlines referred to in paragraphs 1 and 1a shall be reviewed constantly by appropriate automated processing conducted by Eurojust, in particular from the moment Eurojust ceases to provide support.

A review of the need to store the data shall also be carried out every three years after they were entered.

If operational personal data referred to in Article 27(4) are stored for a period exceeding five years, the EDPS shall be informed thereof.

3. Before one of the storage deadlines referred to in paragraphs 1 and 1a expires, Eurojust shall review the need for the continued storage of the operational personal data where and as long as this is necessary to perform its tasks.

It may decide by way of derogation to store those data until the following review. The reasons for the continued storage shall be justified and recorded. If no decision is taken on the continued storage of operational personal data at the time of the review, those data shall be deleted automatically.’

;

(9)

the following Article is inserted:

‘Article 54a

Third-country liaison prosecutors

1. A liaison prosecutor from a third country may be seconded to Eurojust based on a cooperation agreement concluded before 12 December 2019 between Eurojust and that third country or an international agreement concluded between the Union and the third country pursuant to Article 218 TFEU allowing for the secondment of a liaison prosecutor.

2. The rights and obligations of the liaison prosecutor shall be set out in the cooperation agreement or international agreement referred to in paragraph 1 or in a working arrangement concluded in accordance with Article 47(3).

3. Liaison prosecutors seconded to Eurojust shall be granted access to the case management system for the secure exchange of data. In accordance with Articles 45 and 46, Eurojust shall remain liable for the processing of personal data by liaison prosecutors in the case management system.

Transfers of operational personal data to third-country liaison prosecutors through the case management system may only take place under the rules and conditions set out in this Regulation, in the agreement with the respective country or in other applicable legal instruments.

Article 24(1), second subparagraph, and Article 24(2) shall apply mutatis mutandis to liaison prosecutors.

The College shall lay down the detailed conditions of access.’

;

(10)

in Article 80, the following paragraphs are added:

‘9. Eurojust may continue to use the case management system composed of temporary work files and of an index until 1 December 2025, if the new case management system is not yet in place.

10. The competent national authorities and Eurojust may continue to use other channels of communication than those referred to in Article 22a(1) until the first day of the month following the period of two years after the date of entry into force of the implementing act referred to in Article 22b of this Regulation, if the channels of communication referred to in Article 22a(1) are not yet available for direct exchange between them.

11. The competent national authorities may continue to provide information in other ways than semi-automatically in accordance with Article 22a(3) until the first day of the month following the period of two years after the date of entry into force of the implementing act referred to in Article 22b of this Regulation, if the technical requirements are not yet in place.’

;

(11)

the following Annex is added:

‘ANNEX III

(a)

information to identify the suspected, accused, convicted or acquitted person:

For a natural person:

—	surname (family name);

—	first names (given names);

—	any aliases;

—	date of birth;

—	place of birth (town and country);

—	nationality or nationalities;

—	identification document (type and document number);

—

gender;

—	place of residence;

For a legal person:

—	business name;

—	legal form;

—	place of head office;

For both natural and legal persons:

—	telephone numbers;

—	email addresses;

—	details of accounts held with banks or other financial institutions;

(b)

information on the terrorist offence:

—	information concerning legal persons involved in the preparation or commission of a terrorist offence;

—	legal qualification of the offence under national law;

—	applicable form of serious crime from the list referred to in Annex I;

—	any affiliation with a terrorist group;

—	type of terrorism, such as jihadist, separatist, left-wing or right-wing;

—	brief summary of the case;

(c)

information on the national proceedings:

—	status of such proceedings;

—	responsible public prosecutor’s office;

—	case number;

—	date of opening of formal judicial proceedings;

—	links with other relevant cases;

(d)

additional information to identify the suspect:

—	fingerprint data that have been collected in accordance with national law during criminal proceedings;

—	photographs.

Article 2

Amendments to Decision 2005/671/JHA

Decision 2005/671/JHA is amended as follows:

(1)	in Article 1, point (c) is deleted;

(2)

Article 2 is amended as follows:

(a)	paragraph 2 is deleted;

(b)

paragraph 3 is replaced by the following:

‘3. Each Member State shall take the necessary measures to ensure that at least the information referred to in paragraph 4 concerning criminal investigations for terrorist offences which affect or may affect two or more Member States, gathered by the relevant authority, is transmitted to Europol, in accordance with national law and with Regulation (EU) 2016/794 of the European Parliament and of the Council (*5).

(*5) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).’;"

(c)	paragraph 5 is deleted.

Article 3

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.