Legal provisions of COM(2021)782 - Information exchange between law enforcement authorities of Member States - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2021)782 - Information exchange between law enforcement authorities of Member States. |
|---|---|
| document | COM(2021)782  |
| date | May 10, 2023 |
Contents
- CHAPTER I - GENERAL PROVISIONS
- CHAPTER II - EXCHANGE OF INFORMATION THROUGH SINGLE POINTS OF CONTACT
- CHAPTER III - OTHER EXCHANGES OF INFORMATION
- CHAPTER IV - ADDITIONAL RULES ON THE PROVISION OF INFORMATION UNDER CHAPTERS II AND III
- CHAPTER V - SINGLE POINT OF CONTACT FOR THE EXCHANGE OF INFORMATION BETWEEN MEMBER STATES
- CHAPTER VI - FINAL PROVISIONS
CHAPTER I - GENERAL PROVISIONS
Article 1
Subject matter and scope
1. This Directive establishes harmonised rules for the adequate and rapid exchange of information between the competent law enforcement authorities for the purpose of preventing, detecting or investigating criminal offences.
In particular, this Directive establishes rules on:
| (a) | requests for information submitted to the Single Points of Contact established or designated by the Member States, in particular on the content of such requests, the provision of information pursuant to such requests, the working languages of the Single Points of Contact, mandatory time limits for providing requested information and the reasons for the refusal of such requests; |
| (b) | the provision by a Member State, on its own initiative, of relevant information to the Single Points of Contact or to the competent law enforcement authorities of other Member States, in particular the situations and the manner in which such information is to be provided; |
| (c) | the default channel of communication to be used for all exchanges of information under this Directive and the information to be provided to the Single Points of Contact in relation to the exchange of information directly between the competent law enforcement authorities; |
| (d) | the establishment or designation and the organisation, tasks, composition and capabilities of each Member State’s Single Point of Contact, including on the deployment and operation of a single electronic case management system for carrying out their tasks under this Directive. |
2. This Directive shall not apply to exchanges of information between the competent law enforcement authorities for the purpose of preventing, detecting or investigating criminal offences that are specifically regulated by other Union legal acts. Without prejudice to their obligations under this Directive or other Union legal acts, Member States may adopt or maintain provisions further facilitating the exchange of information with the competent law enforcement authorities of other Member States for the purpose of preventing, detecting or investigating criminal offences, including by means of bilateral or multilateral arrangements.
3. This Directive does not impose any obligation on Member States to:
| (a) | obtain information by means of coercive measures; |
| (b) | store information for the sole purpose of providing it to the competent law enforcement authorities of other Member States; |
| (c) | provide information to the competent law enforcement authorities of other Member States to be used as evidence in judicial proceedings. |
4. This Directive does not establish any right to use the information provided in accordance with this Directive as evidence in judicial proceedings. The Member State providing the information may consent to its use as evidence in judicial proceedings.
Article 2
Definitions
For the purpose of this Directive:
| (1) | ‘competent law enforcement authority’ means any police, customs or other authority of the Member States competent under national law to exercise authority and to take coercive measures for the purpose of preventing, detecting or investigating criminal offences or any authority that takes part in joint entities set up between two or more Member States for the purpose of preventing, detecting or investigating criminal offences, but excludes agencies or units dealing especially with national security issues and liaison officers seconded pursuant to Article 47 of the Convention implementing the Schengen Agreement; |
| (2) | ‘designated law enforcement authority’ means a competent law enforcement authority that is authorised to submit requests for information to the Single Points of Contact of other Member States in accordance with Article 4(1); |
| (3) | ‘serious criminal offence’ means any of the following:
|
| (4) | ‘information’ means any content concerning one or more natural or legal persons, facts or circumstances relevant to competent law enforcement authorities for the purpose of carrying out their tasks under national law of preventing, detecting or investigating criminal offences, including criminal intelligence; |
| (5) | ‘information available’ means directly accessible information and indirectly accessible information; |
| (6) | ‘directly accessible information’ means information held in a database that can be directly accessed by the Single Point of Contact or a competent law enforcement authority of the Member State from which information is requested; |
| (7) | ‘indirectly accessible information’ means information that a Single Point of Contact or a competent law enforcement authority of the Member State from which information is requested can obtain from other public authorities or from private parties established in that Member State, where permitted by and in accordance with national law, without coercive measures; |
| (8) | ‘personal data’ means personal data as defined in Article 3, point (1), of Directive (EU) 2016/680. |
Article 3
Principles regarding the exchange of information
Each Member State shall, in connection with all exchanges of information under this Directive, ensure that:
| (a) | information available can be provided to the Single Point of Contact or the competent law enforcement authorities of other Member States (‘principle of availability’); |
| (b) | the conditions for requesting information from and providing information to the Single Points of Contact and the competent law enforcement authorities of other Member States are equivalent to those applicable for requesting and providing similar information within that Member State (‘principle of equivalent access’); |
| (c) | it protects information provided to its Single Point of Contact or competent law enforcement authorities that is marked as confidential in accordance with the requirements set out in its national law offering a similar level of confidentiality as the national law of the Member State that provided the information (‘principle of confidentiality’); |
| (d) | where the requested information was initially obtained from another Member State or a third country, it only provides such information to another Member State or to Europol with the consent of, and in accordance with the conditions imposed on its use by, the Member State or third country that initially provided the information (‘principle of data ownership’); |
| (e) | personal data exchanged under this Directive that are found to be inaccurate, incomplete or no longer up to date are erased or rectified or that their processing is restricted, as appropriate, and that any recipient is notified without delay (‘principle of data reliability’). |
CHAPTER II - EXCHANGE OF INFORMATION THROUGH SINGLE POINTS OF CONTACT
Article 4
Requests for information to Single Points of Contact
1. Member States shall ensure that requests for information submitted by their Single Point of Contact and, where their national law so provides, the designated law enforcement authorities to the Single Point of Contact of another Member State comply with the requirements set out in paragraphs 2 to 6.
Member States shall submit to the Commission a list of their designated law enforcement authorities. Member States shall inform the Commission where there are changes to that list. The Commission shall publish online a compilation of those lists and keep it up to date.
Member States shall ensure that where their designated law enforcement authorities submit a request for information to the Single Point of Contact of another Member State, at the same time, they send a copy of that request to their Single Point of Contact.
2. Member States may permit their designated law enforcement authorities not to send, on a case-by-case basis, a copy of a request for information to their Single Point of Contact at the same time as submitting it to the Single Point of Contact of another Member State in accordance with paragraph 1 where it would jeopardise one or more of the following:
| (a) | an ongoing highly sensitive investigation for which the processing of information requires an appropriate level of confidentiality; |
| (b) | terrorism cases not involving emergency or crisis management situations; |
| (c) | the safety of an individual. |
3. Member States shall ensure that requests for information are submitted to the Single Point of Contact of another Member State only where there are objective reasons to believe that:
| (a) | the requested information is necessary for and proportionate to achieving the purpose referred to in Article 1(1), first subparagraph; and |
| (b) | the requested information is available to that other Member State. |
4. Member States shall ensure that any request for information submitted to the Single Point of Contact of another Member State specifies whether it is urgent and, if so, gives reasons for the urgency. Such requests for information shall be considered urgent where, having regard to all relevant facts and circumstances of the case at hand, there are objective reasons to believe that the requested information is one or more of the following:
| (a) | essential for the prevention of an immediate and serious threat to the public security of a Member State; |
| (b) | necessary in order to prevent an imminent threat to life or the physical integrity of a person; |
| (c) | necessary to adopt a decision that might involve the maintenance of restrictive measures amounting to a deprivation of liberty; |
| (d) | at imminent risk of losing relevance if not provided urgently and is considered important for the prevention, detection or investigation of criminal offences. |
5. Member States shall ensure that requests for information submitted to the Single Point of Contact of another Member State contain all necessary details to allow for their adequate and rapid processing in accordance with this Directive, including at least the following:
| (a) | a specification of the requested information that is as detailed as reasonably possible under the given circumstances; |
| (b) | a description of the purpose for which the information is requested, including a description of the facts and indication of the underlying offence; |
| (c) | the objective reasons for which it is believed that the requested information is available to the requested Member State; |
| (d) | an explanation of the connection between the purpose for which the information is requested and any natural or legal person or entity to which the information relates, where applicable; |
| (e) | the reasons for which the request is considered urgent, where applicable, in accordance with paragraph 4; |
| (f) | restrictions on the use of the information contained in the request for purposes other than those for which it has been submitted. |
6. Member States shall ensure that requests for information are submitted to the Single Point of Contact of another Member State in one of the languages included in the list established by that other Member State in accordance with Article 11.
Article 5
Provision of information pursuant to requests to Single Points of Contact
1. Member States shall ensure that their Single Point of Contact provides the information requested in accordance with Article 4 as soon as possible and in any event within the following time limits, as applicable:
| (a) | eight hours in the case of urgent requests relating to directly accessible information; |
| (b) | three calendar days in the case of urgent requests relating to indirectly accessible information; |
| (c) | seven calendar days in the case of all other requests. |
The time limits set out in the first subparagraph shall commence as soon as the request for information is received.
2. Where, under its national law in accordance with Article 9, a Member State can provide the requested information only after having obtained a judicial authorisation, that Member State may deviate from the time limits set out in paragraph 1 of this Article in so far as necessary for the purpose of obtaining such an authorisation. In such cases, Member States shall ensure that their Single Point of Contact does both of the following:
| (a) | immediately inform the Single Point of Contact or, where applicable, the designated law enforcement authority of the requesting Member State of the expected delay, specifying the length of the expected delay and the reasons therefor; |
| (b) | subsequently keep the Single Point of Contact, or where applicable, the designated law enforcement authority of the requesting Member State updated and provide the requested information as soon as possible after obtaining the judicial authorisation. |
3. Member States shall ensure that their Single Point of Contact provides the information requested in accordance with Article 4 to the Single Point of Contact or, where applicable, the designated law enforcement authority of the requesting Member State in the language in which that request for information was submitted in accordance with Article 4(6).
Member States shall ensure that their Single Point of Contact sends a copy of the requested information to the Single Point of Contact of the requesting Member State at the same time as providing the requested information to the designated law enforcement authority of that Member State.
Member States may permit their Single Point of Contact not to send, at the same time as providing information to the designated law enforcement authorities of another Member State in accordance with this Article, a copy of that information to the Single Point of Contact of that other Member State where it would jeopardise one or more of the following:
| (a) | an ongoing highly sensitive investigation for which the processing of information requires an appropriate level of confidentiality; |
| (b) | terrorism cases not involving emergency or crisis management situations; |
| (c) | the safety of an individual. |
Article 6
Refusals of requests for information
1. Member States shall ensure that their Single Point of Contact only refuses to provide the information requested in accordance with Article 4 in so far as any of the following reasons applies:
| (a) | the requested information is not available to the Single Point of Contact and the competent law enforcement authorities of the requested Member State; |
| (b) | the request for information does not meet the requirements set out in Article 4; |
| (c) | the judicial authorisation required under the national law of the requested Member State in accordance with Article 9 was refused; |
| (d) | the requested information constitutes personal data other than those falling within the categories of personal data referred to in Article 10, point (b); |
| (e) | the requested information has been found to be inaccurate, incomplete or no longer up to date and cannot be provided in accordance with Article 7(2) of Directive (EU) 2016/680; |
| (f) | there are objective reasons to believe that the provision of the requested information would:
|
| (g) | the request pertains to:
|
| (h) | the requested information was initially obtained from another Member State or a third country and that Member State or third country has not consented to the provision of the information. |
Member States shall exercise due diligence in assessing whether the request for information submitted to their Single Point of Contact is in accordance with the requirements set out in Article 4, in particular as to whether there is a manifest breach of fundamental rights.
Any refusal of a request for information shall affect only the part of the requested information to which the reasons set out in the first subparagraph relate and shall, where applicable, not affect the obligation to provide the other parts of the information in accordance with this Directive.
2. Member States shall ensure that their Single Point of Contact informs the Single Point of Contact or, where applicable, the designated law enforcement authority of the requesting Member State of the refusal of the request for information, specifying the reasons therefor, within the time limits set out in Article 5(1).
3. Where relevant, Member States shall ensure that their Single Point of Contact immediately requests, from the Single Point of Contact or, where applicable, the designated law enforcement authority of the requesting Member State, clarification or specifications needed to process a request for information that otherwise would have to be refused.
The time limits set out in Article 5(1) shall be suspended from the moment that the Single Point of Contact or, where applicable, the designated law enforcement authority of the requesting Member State receives the request for clarification or specifications until the moment the requested clarification or specifications are provided.
4. Refusals of requests for information, reasons for such refusals and requests for clarification or specifications and clarification or specifications as referred to in paragraph 3 of this Article, as well as any other communications relating to the requests for information submitted to the Single Point of Contact of another Member State, shall be transmitted in the language in which that request was submitted in accordance with Article 4(6).
CHAPTER III - OTHER EXCHANGES OF INFORMATION
Article 7
Own-initiative provision of information
1. Member States may provide, on their own initiative, through their Single Point of Contact or through their competent law enforcement authorities, information available to it or them to the Single Points of Contact or to the competent law enforcement authorities of other Member States where there are objective reasons to believe that such information could be relevant to those other Member States for the purpose of preventing, detecting or investigating criminal offences.
2. Member States shall ensure that their Single Point of Contact or their competent law enforcement authorities provide, on its or their own initiative, information available to it or them to the Single Points of Contact or to the competent law enforcement authorities of other Member States where there are objective reasons to believe that such information could be relevant to those other Member States for the purpose of preventing, detecting or investigating serious criminal offences. However, no such obligation shall exist in so far as the reasons referred to in Article 6(1), point (c) or (f), apply in respect of such information.
3. Member States shall ensure that, where their Single Point of Contact or their competent law enforcement authorities provide information on its or their own initiative to the Single Point of Contact of another Member State in accordance with paragraph 1 or 2, they do so in one of the languages included in the list established by that other Member State in accordance with Article 11.
Member States shall ensure that, where their Single Point of Contact provides information on its own initiative to the competent law enforcement authority of another Member State, it sends, at the same time, a copy of that information to the Single Point of Contact of that other Member State.
Member States shall ensure that, where their competent law enforcement authorities provide information on their own initiative to another Member State, they send, at the same time, a copy of that information to the Single Point of Contact of their Member State and, where appropriate, to the Single Point of Contact of that other Member State.
4. Member States may permit their competent law enforcement authorities not to send, at the same time as providing information to the Single Point of Contact or the competent law enforcement authorities of another Member State in accordance with this Article, a copy of that information to the Single Point of Contact of their Member State or to the Single Point of Contact of that other Member State where it would jeopardise one or more of the following:
| (a) | an ongoing highly sensitive investigation for which the processing of information requires an appropriate level of confidentiality; |
| (b) | terrorism cases not involving emergency or crisis management situations; |
| (c) | the safety of an individual. |
Article 8
The exchange of information upon requests submitted directly to competent law enforcement authorities
1. Member States shall ensure that, where their Single Point of Contact submits a request for information directly to a competent law enforcement authority of another Member State, at the same time, it sends a copy of that request to the Single Point of Contact of that other Member State. Member States shall ensure that, where one of their competent law enforcement authorities provides information pursuant to such a request, it sends, at the same time, a copy of that information to the Single Point of Contact of its Member State.
2. Member States shall ensure that, where one of their competent law enforcement authorities submits a request for information or provides information pursuant to such a request directly to a competent law enforcement authority of another Member State, at the same time, it sends a copy of that request or that information to the Single Point of Contact of its Member State and to the Single Point of Contact of that other Member State.
3. Member States may permit their Single Point of Contact or competent law enforcement authorities not to send copies of requests or information as referred to in paragraph 1 or 2 where it would jeopardise one or more of the following:
| (a) | an ongoing highly sensitive investigation for which the processing of information requires an appropriate level of confidentiality; |
| (b) | terrorism cases not involving emergency or crisis management situations; |
| (c) | the safety of an individual. |
CHAPTER IV - ADDITIONAL RULES ON THE PROVISION OF INFORMATION UNDER CHAPTERS II AND III
Article 9
Judicial authorisation
1. A Member State shall not require a judicial authorisation in order to provide information to the Single Point of Contact or to the competent law enforcement authorities of other Member States under Chapter II or III where its national law does not require such a judicial authorisation for providing similar information within that Member State.
2. Member States shall ensure that, where a judicial authorisation is required under their national law in order to provide information to the Single Point of Contact or to the competent law enforcement authorities of other Member States under Chapter II or III, their Single Point of Contact or their competent law enforcement authorities immediately take all the necessary steps, in accordance with their national law, to obtain such a judicial authorisation as soon as possible.
3. Requests for judicial authorisation as referred to in paragraph 2 shall be assessed and decided upon in accordance with the national law of the Member State of the competent judicial authority.
Article 10
Additional rules for information constituting personal data
Member States shall ensure that, where their Single Point of Contact or their competent law enforcement authorities provide information under Chapter II or III that constitutes personal data:
| (a) | the personal data are accurate, complete and up to date, in accordance with Article 7(2) of Directive (EU) 2016/680; |
| (b) | the categories of personal data provided per category of data subject remain limited to those listed in Section B of Annex II to Regulation (EU) 2016/794 and are necessary for and proportionate to achieving the purpose of the request; |
| (c) | their Single Point of Contact or their competent law enforcement authorities also provide, at the same time and in so far as possible, the necessary elements enabling the Single Point of Contact or the competent law enforcement authority of the other Member State to assess the degree of accuracy, completeness and reliability of the personal data and the extent to which the personal data are up to date. |
Article 11
List of languages
1. Member States shall establish and keep up to date a list indicating one or more of the languages in which their Single Point of Contact is able to exchange information. That list shall include English.
2. Member States shall provide the list referred to in paragraph 1 and any updates thereto to the Commission. The Commission shall publish online a compilation of those lists and keep it up to date.
Article 12
Provision of information to Europol
1. Member States shall ensure that, where their Single Point of Contact or their competent law enforcement authorities send requests for information, provide information pursuant to such requests or provide information on its or their own initiative under Chapter II or III of this Directive, the staff of their Single Point of Contact or competent law enforcement authorities also assess, on a case-by-case basis and subject to Article 7(7) of Regulation (EU) 2016/794, whether it is necessary to send a copy of the request for information or of the information provided to Europol, in so far as the information to which the communication relates concerns criminal offences falling within the scope of the objectives of Europol set out in Article 3 of Regulation (EU) 2016/794.
2. Member States shall ensure that, where a copy of a request for information or a copy of information is sent to Europol pursuant to paragraph 1 of this Article, the purposes of the processing of the information and any possible restrictions to that processing pursuant to Article 19 of Regulation (EU) 2016/794 are duly communicated to Europol. Member States shall ensure that information initially obtained from another Member State or a third country is sent to Europol pursuant to paragraph 1 of this Article only where that other Member State or that third country has given its consent.
Article 13
Secure communication channel
1. Member States shall ensure that their Single Point of Contact or their competent law enforcement authorities use Europol’s Secure Information Exchange Network Application (SIENA) to send requests for information, to provide information pursuant to such requests or to provide information on its or their own initiative under Chapter II or III or under Article 12.
2. Member States may permit their Single Point of Contact or their competent law enforcement authorities not to use SIENA to send requests for information, to provide information pursuant to such requests or to provide information on its or their own initiative under Chapter II or III or under Article 12 in one or more of the following cases:
| (a) | the exchange of information requires the involvement of third countries or international organisations or there are objective reasons to believe that such involvement will be required at a later stage, including through the Interpol communication channel; |
| (b) | the urgency of the request for information requires the temporary use of another communication channel; |
| (c) | an unexpected technical or operational incident prevents their Single Point of Contact or their competent law enforcement authorities from using SIENA to exchange the information. |
3. Member States shall ensure that their Single Point of Contact, and all their competent law enforcement authorities that might be involved in the exchange of information under this Directive, are directly connected to SIENA, including, where appropriate, through mobile devices.
CHAPTER V - SINGLE POINT OF CONTACT FOR THE EXCHANGE OF INFORMATION BETWEEN MEMBER STATES
Article 14
Establishment or designation and tasks and capabilities of Single Points of Contact
1. Each Member State shall establish or designate a Single Point of Contact. The Single Point of Contact shall be the central entity responsible for coordinating and facilitating the exchange of information under this Directive.
2. Member States shall ensure that their Single Point of Contact is equipped and empowered to carry out at least all of the following tasks:
| (a) | receiving and evaluating requests for information submitted in accordance with Article 4 in the languages notified pursuant to Article 11(2); |
| (b) | channelling requests for information to the relevant competent law enforcement authorities and, where necessary, coordinating among them the processing of such requests and the provision of information pursuant to such requests; |
| (c) | coordinating the analysis and structuring of information with a view to providing it to the Single Points of Contact and, where applicable, to the competent law enforcement authorities of other Member States; |
| (d) | providing, on request or on its own initiative, information to other Member States in accordance with Articles 5 and 7; |
| (e) | refusing to provide information in accordance with Article 6 and, where necessary, requesting clarification or specifications in accordance with Article 6(3); |
| (f) | sending requests for information to the Single Points of Contact of other Member States in accordance with Article 4 and, where necessary, providing clarification or specifications in accordance with Article 6(3). |
3. Member States shall ensure that:
| (a) | their Single Point of Contact:
|
| (b) | the judicial authorities competent to grant the judicial authorisations required under national law in accordance with Article 9 are available on call to the Single Point of Contact 24 hours a day, 7 days a week. |
4. Member States shall notify the Commission within one month of the establishment or designation of their Single Point of Contact. They shall inform the Commission where there are changes as regards their Single Point of Contact.
The Commission shall publish those notifications, and any updates thereto, in the Official Journal of the European Union.
Article 15
Organisation, composition and training
1. Member States shall determine the organisation and the composition of their Single Point of Contact in such a manner that it can carry out its tasks under this Directive in an efficient and effective manner.
2. Member States shall ensure that their Single Point of Contact is composed of staff from their competent law enforcement authorities whose involvement is necessary for the adequate and rapid exchange of information under this Directive, including at least the following in so far as the Member State concerned is bound by the relevant law or international agreement to establish or designate such units or bureaux:
| (a) | the Europol national unit established by Article 7 of Regulation (EU) 2016/794; |
| (b) | the SIRENE Bureau established by Article 7(2) of Regulation (EU) 2018/1862; |
| (c) | the Interpol National Central Bureau established by Article 32 of the Constitution of the International Criminal Police Organisation – Interpol. |
3. Member States shall ensure that the staff of their Single Point of Contact are adequately qualified in order to carry out their functions under this Directive. To that end, Member States shall provide the staff of their Single Point of Contact with access to adequate and regular training, in particular as regards the following:
| (a) | the use of data processing tools used within the Single Point of Contact, in particular SIENA and the case management system; |
| (b) | the application of Union and national law relevant for the activities of the Single Point of Contact under this Directive, in particular on the protection of personal data, including Directive (EU) 2016/680, on cross-border cooperation between law enforcement authorities, including this Directive and Regulation (EU) 2016/794, and on the handling of confidential information; |
| (c) | the use of the languages included in the list established by the Member State concerned pursuant to Article 11. |
Article 16
Case management system
1. Member States shall ensure that their Single Point of Contact deploys and operates a single electronic case management system as the repository that allows the Single Point of Contact to carry out its tasks under this Directive. The case management system shall have at least all of the following functions and capabilities:
| (a) | recording incoming and outgoing requests for information as referred to in Articles 5 and 8 and any other communications relating to such requests with Single Points of Contact and, where applicable, the competent law enforcement authorities of other Member States, including information about refusals of requests for information and requests for and the provision of clarification or specifications as referred to in Article 6(2) and (3) respectively; |
| (b) | recording communications between the Single Point of Contact and the competent law enforcement authorities, pursuant to Article 14(2), point (b); |
| (c) | recording provisions of information to the Single Point of Contact and, where applicable, to the competent law enforcement authorities of other Member States in accordance with Articles 5, 7 and 8; |
| (d) | cross-checking incoming requests for information as referred to in Articles 5 and 8 against information available to the Single Point of Contact, including information provided in accordance with Article 5(3), second subparagraph, and Article 7(3), second subparagraph, and other relevant information recorded in the case management system; |
| (e) | ensuring adequate and rapid follow-up to incoming requests for information as referred to in Article 4, in particular with a view to respecting the time limits for the provision of the requested information set out in Article 5; |
| (f) | be interoperable with SIENA, ensuring, in particular, that incoming communications through SIENA can be directly recorded in, and that outgoing communications through SIENA can be directly sent from, the case management system; |
| (g) | generating statistics in respect of exchanges of information under this Directive for evaluation and monitoring purposes, in particular for the purposes of Article 18; |
| (h) | logging access and other processing operations in relation to the information contained in the case management system, for accountability and cybersecurity purposes, in accordance with Article 25 of Directive (EU) 2016/680. |
2. Member States shall ensure that all cybersecurity risks relating to the case management system, in particular as regards its architecture, governance and control, are managed and addressed in a prudent and effective manner and that adequate safeguards against unauthorised access and abuse are provided for.
3. Member States shall ensure that the case management system contains personal data only for as long as it is necessary and proportionate for the Single Point of Contact to carry out the tasks assigned to it under this Directive and that the personal data contained therein are subsequently irrevocably deleted.
4. Member States shall ensure that their Single Point of Contact reviews, for the first time at the latest six months after an exchange of information has concluded and subsequently on a regular basis, compliance with paragraph 3.
Article 17
Cooperation between Single Points of Contact
1. Member States shall encourage practical cooperation between their Single Points of Contact and competent law enforcement authorities for the purposes of this Directive.
2. Member States shall ensure that the Heads of the Single Points of Contact meet at least once a year to assess the quality of the cooperation between their services, to discuss necessary technical or organisational measures in the event of any difficulties and to clarify procedures where required.
CHAPTER VI - FINAL PROVISIONS
Article 18
Statistics
1. By 1 March of each year, each Member State shall provide the Commission with statistics on the exchanges of information with other Member States under this Directive which took place during the previous calendar year.
2. Each Member State shall ensure that the statistics referred to in paragraph 1 cover, as a minimum:
| (a) | the number of requests for information submitted by their Single Point of Contact and, where relevant, by their competent law enforcement authorities; |
| (b) | the number of requests for information that their Single Point of Contact and their competent law enforcement authorities received and the number of requests for information to which they replied, broken down by urgent and non-urgent requests and by requesting Member State; |
| (c) | the number of requests for information refused pursuant to Article 6, broken down by requesting Member State and by ground for refusal; |
| (d) | the number of cases in which there was a deviation from the time limits set out in Article 5(1) because it was necessary to obtain a judicial authorisation in accordance with Article 5(2), broken down by the Member States that submitted the requests for information concerned. |
3. The Commission shall compile the minimum statistics provided by Member States under paragraph 2 and make them available to the European Parliament and to the Council.
Article 19
Reporting
1. The Commission shall, by 12 June 2026 and every five years after 12 June 2027, submit a report to the European Parliament and to the Council assessing the implementation of this Directive and containing detailed information on how each Member State has implemented this Directive. In compiling that report, the Commission shall pay particular attention to how efficiently competent law enforcement authorities exchanged information, the grounds for which requests for information were refused, in particular where requests fall outside the scope of the objectives of this Directive, and the compliance with provisions on data protection and the provision of information to Europol.
2. The Commission shall, by 12 June 2027 and every five years thereafter, submit a report to the European Parliament and to the Council assessing the effectiveness of this Directive, in particular its impact on law enforcement cooperation, the obligations laid down in Article 14(3), point (a)(iii), and the protection of personal data. The Commission shall take into account the information provided by Member States and any other relevant information related to the transposition and implementation of this Directive, including, where applicable, practical obstacles that hamper its effective implementation. On the basis of that assessment, the Commission shall decide on appropriate follow-up actions, including, where appropriate, a legislative proposal.
Article 20
Amendments to the Convention implementing the Schengen Agreement
From 12 December 2024, the parts of Articles 39 and 46 of the Convention implementing the Schengen Agreement that have not been replaced by Framework Decision 2006/960/JHA are replaced by this Directive in so far as those Articles relate to the exchange of information falling within the scope of this Directive.
Article 21
Repeal
Framework Decision 2006/960/JHA is repealed from 12 December 2024.
References to the repealed Framework Decision shall be construed as references to this Directive and shall be read in accordance with the correlation table in the Annex.
Article 22
Transposition
1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 12 December 2024. They shall immediately inform the Commission thereof.
By way of derogation from the first subparagraph, Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with Article 13 by 12 June 2027. They shall immediately inform the Commission thereof.
When Member States adopt the measures referred to in the first and second subparagraphs, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. The methods of making such reference shall be laid down by the Member States.
2. Member States shall communicate to the Commission the text of the main measures of national law which they adopt in the field covered by this Directive.
Article 23
Entry into force
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Article 24
Addressees
This Directive is addressed to the Member States in accordance with the Treaties.