Explanatory Memorandum to COM(2020)791 - Amendment of regulation on the Schengen Information System (SIS) on police cooperation and judicial cooperation in criminal matters as regards the entry of alerts by Europol - Main contents

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier	COM(2020)791 - Amendment of regulation on the Schengen Information System (SIS) on police cooperation and judicial cooperation in criminal ...
source	COM(2020)791
date	09-12-2020

1. CONTEXTOFTHE PROPOSAL

• Reasons for and objectives of the proposal

Crime and terrorism operate across borders, as criminals and terrorists exploit the advantages brought about by globalisation and mobility. Consequently, the information that third countries share with the EU on criminal and terrorist activity is increasingly relevant for EU internal security, at the EU external border as well as within the territory of the Union. However, there are currently limits in the sharing of third-country sourced information on persons who have been suspected or convicted of criminal and terrorist offences within the EU.¹ More specifically, there are limits in the sharing of third-country sourced information with frontline officers in the Member States (police officers and border guards) when and where they need it. The same applies to information shared by international organisations with Europol.

For example, this problem arises in the context of on-going efforts to detect foreign terrorist fighters. Europol’s Terrorism Situation and Trend report² of June 2020 states that while many foreign terrorist fighters are believed to have been either killed or confined in detention or refugee camps in north-eastern Syria, there are a substantial number of foreign terrorist fighters still unaccounted for. According to the report, chaos and lack of information from the conflict zone have resulted in the information available to Member States about foreign terrorist fighters being limited and unverifiable. Likewise, the June 2020 Council Conclusions on EU external action on preventing and countering terrorism and violent extremism recognise that “foreign terrorist fighters will remain a major common security challenge for the years to come”, calling for enhanced and timely cooperation and information sharing among Member States, with Europol and other relevant EU actors.³ However, the information that Europol puts into its information systems, notably the result of its own analysis of third-country sourced data, does not reach end-users in the same way as information that Member States provide to the Schengen Information System (SIS).

Europol estimates that currently information on approximately 1000 non-EU foreign terrorist fighters, provided by trusted third countries to Europol and individual Member States, has not been inserted into SIS. As the most widely used information-sharing database in the EU, SIS provides frontline officers real-time with direct access to alerts on persons and objects, including alerts on suspects and criminals. In the absence of alerts in SIS on the 1000 non-EU foreign terrorist fighters, there is a risk that border guards do not detect them when they seek to enter the EU, or when police officers check them within the territory of the EU. This constitutes a considerable security gap.

In this context, the reference to ‘suspects and criminals’ covers: (a) Persons who are suspected of having committed or having taken part in a criminal offence in respect of which Europol is competent, or who have been convicted of such an offence. (b) Persons regarding whom there are factual indications or reasonable grounds to believe that they will commit criminal offences in respect of which Europol is competent.

www.europol.europa.eu/activities-services">https://www.europol.europa.eu/activities-services.

www.consilium.europa.eu/en/press/press-releases">https://www.consilium.europa.eu/en/press/press-releases.

2

3

In that respect, the June 2018 Council Conclusions on strengthening the cooperation and use of SIS to deal with persons involved in terrorism or terrorism-related activities already recalled the need to “ensure that information on FTFs is consistently and systematically uploaded to European systems and platforms”.⁴ The Council referred to a “three-tier information sharing approach regarding FTFs by making optimal and consistent use of SIS and Europol data that Europol processes for cross-checking and for analysis in the relevant Analysis projects.” However, Member States are not always able to enter information from third countries or international organisations on foreign terrorist fighters in SIS to make it available to the frontline officers in other Member States. First, some third countries share data on suspects and criminals only with Europol and possibly with some Member States. Second, even if a Member State receives the information on suspects and criminals directly from the third country or via Europol, it might not be able to issue an alert on the person concerned due to restrictions in national law (e.g. the need to establish a link to national jurisdiction). Third, the Member State may not have the means to sufficiently analyse and verify the received information. This leads to a gap between the information on suspects and criminals that third countries make available to Europol and Member States, and the availability of such information to frontline officers when and where they need it.

In terms of a possible EU-level solution, it is widely acknowledged that Europol holds valuable information on suspects and criminals that it received from third countries and international organisations. Once Europol analysed information it received from third countries and international organisations on suspects and criminals, including by cross checking it against information it already holds in its databases to confirm the accuracy of the information and complement it with other data, Europol needs to make the result of its analysis available to all Member States. To that end, Europol uses its information systems to make an analysis of third-country sourced information on suspects and criminals available to Member States. Europol will also enter third-country sourced information into the watchlist of the European Travel Information and Authorisation System (ETIAS) for third-country nationals exempt from the requirement to be in possession of a visa when crossing the EU external borders.⁵ The watchlist will support Member States in assessing whether a person applying for a travel authorisation poses a security risk.

However, Europol is not able to provide directly and in real time frontline officers in the Member States with the third-country sourced information it holds on suspects and criminals. Frontline officers do not have immediate access to Europol’s information systems or to the data entered by Europol in the ETIAS watchlist. Europol’s information systems support the work of investigators, criminal intelligence officers and analysts in the Member States. While it is for each Member State to decide which competent national authorities are allowed to cooperate directly with Europol⁶, there is typically no possibility for frontline officers to access Europol’s information systems.

While Europol is able to check persons in SIS, and from March 2021 will be informed about hits on terrorism-related alerts issued by other Member States, Europol is not able to issue alerts in SIS as the most widely used information-sharing database in the EU that is directly accessible for border guards and police officers. Crucial third-country sourced information held by Europol on suspects and criminals might therefore not reach the end-users at national level when and where they need it. This includes Europol’s analysis of data it received from

www.consilium.europa.eu/media/36284">https://www.consilium.europa.eu/media/36284.

Regulation (EU) 2018/1240.

Article 7(5) of Regulation (EU) 2016/794.

4

5

6

third countries and international organisations on foreign terrorist fighters, but also on persons involved in organised crime (e.g. drugs trafficking) or serious crime (e.g. child sexual abuse).

Reflecting the differences in purpose between Europol’s information systems and SIS, there is a major difference in the outreach of these systems.

	Europol Information System	Schengen Information System
Users	8 587 users (end of 2019)	Every frontline officer in the Member States⁷ (border guards and police officers)
Number of checks (in 2019)⁸	5.4 million	6.6 billion

In order to address this security gap, the objective of this proposal is to establish a new alert category specifically for Europol, in order to provide information directly and in realtime to front-line officers. To this end, it is necessary for both Regulation (EU) 2016/794 European Union Agency for Law Enforcement Cooperation (Europol)⁹ and Regulation (EU) 2018/1862 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters to be amended.¹⁰ Due to variable geometry, whereas different Member States participate in these two Regulations, the amendments are presented in two separate, but logically linked proposals.

The present proposal concerns the amendment of Regulation (EU) 2018/1862. The proposal is intended to enable Europol to issue ‘information alerts’ on suspects and criminals as a new alert category in SIS, for exclusive use by Europol in specific and well-defined cases and circumstances. This is an important paradigm change for SIS, as until now, only Member States could enter, update and delete data in SIS and Europol had ‘read-only’ access covering all alert categories. Europol would be able to issue alerts on the basis of its analysis of third-country sourced information or information from international organisations, within the

25 Member States participate in the Schengen Information System (Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden). Ireland and Cyprus are in the process of being connected to the system in 2021. Four Schengen Associated Countries are connected to the system (Iceland, Liechtenstein, Norway and Switzerland). Europol, teams deployed by the EBCGA and the EU Agency for criminal justice cooperation Eurojust have access to specific parts of the system but cannot issue alerts in the system. For the Schengen Information System, the table shows all checks carried out in 2019 by all users who have access to the system. When checking the Schengen Information System, users are checking data against those alerts to which they have access (which does not in all cases include law enforcement alerts).

Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).

Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).

8

9

10

scope of crimes falling under Europol’s mandate and only on third-country nationals who are not beneficiaries of free movement rights.

The purpose of the new alert category is that in case of a ‘hit’, the alert would inform the frontline officer that the person concerned is suspected of being involved in a criminal offence falling within the competence of Europol. As an action to be taken, the fact that the person was located and the place, time and reason for the check would be reported back to Europol (via the national SIRENE Bureau). Beyond this reporting there would be no further obligation on the Member State where the ‘hit’ occurred. Nevertheless, the Member State executing the alert would be able to determine, on a case-by-case basis, including based on the background information received from Europol, whether further measures need to be taken with regard to the person under national law and at the full discretion of that Member State.

As the exchange of information from third-countries or international organisations on suspects and criminals includes the processing of personal data, the assessment of policy options to address the identified problem takes full account of the obligation to respect Fundamental Rights and notably the right to the protection of personal data.

• Consistency with existing policy provisions in the policy area and with other

Union policies

This proposal is closely linked with and complements other Union policies, namely:

internal security, in particular the ‘Counter-Terrorism package’ this proposal forms part of;

data protection, insofar as this proposal ensures the protection of fundamental rights of individuals whose personal data is processed in SIS;

the Union’s external policies, notably the work of EU delegations and counter-terrorism/security policy in third countries.

This proposal is also closely linked with and complements existing Union legislation, namely:

on Europol, insofar as this proposal grants Europol additional rights to process and exchange data, within its mandate, in SIS;

on the management of the external borders: the proposal complements the principle in the Schengen Borders Code¹¹ of conducting systematic checks against relevant databases of all travellers upon entry and exit to the Schengen area, as established in response to the phenomenon of foreign terrorist fighters;

on the European Travel Information and Authorisation System (ETIAS) which provides for a thorough security assessment, including a check in SIS, of third country nationals who intend to travel to the EU;

on the Visa Information System (VIS)¹² including a check in SIS, of third country nationals who apply for a visa.

Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (OJ L 77, 23.3.2016, p.

1).

Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60–81).

11

12

Furthermore, the proposal includes additional amendments to Regulation (EU) 2018/1862 in order to align its provisions concerning data protection, in particular the right of access, rectification of inaccurate data and erasure of unlawfully stored data, remedies and liability with Regulation (EU) 2016/794 and Regulation (EU) 2018/1725 insofar as those alignments are necessary due to the new alert category to be entered by Europol.

Finally, as a consequence of this proposal, Union legislation on both ETIAS and the VIS will need to be assessed to determine whether to include, as part of the advance security assessment, the new SIS alert category within the automated processing carried out by ETIAS and VIS. It is not possible to carry out this assessment at this stage, as the regulations on ETIAS and VIS are currently under negotiation in the European Parliament and Council. The Commission will present consequential amendments for each of these instruments after the negotiations have been concluded.

2. LEGALBASIS, SUBSIDIARITYAND PROPORTIONALITY

• Legal basis

This proposal amends Regulation (EU) 2018/1862 and uses one of its legal bases, namely Article 88(2)(a) of the Treaty on the Functioning of the European Union (TFEU) as the legal basis. Article 88 of the TFEU refers to the mandate of Europol and point (2)(a) of this Article specifically to the collection, storage, processing, analysis and exchange of information, in particular that forwarded by the authorities of the Member States or third countries or bodies.

• Variable geometry

This proposal builds upon the provisions of the Schengen acquis related to police cooperation and judicial cooperation in criminal matters. Therefore, the following consequences in relation to the various protocols and agreements with associated countries have to be considered:

Denmark: In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark annexed to the TEU and to the TFEU, Denmark will not take part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation will build upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.

Ireland: Ireland is taking part in this Regulation in accordance with Article 5(1) of Protocol No 19 annexed to the TEU and to the TFEU and Article 6(2) of Council Decision 2002/192/EC¹³ and Council Implementing Decision (EU) 2020/1745¹⁴.

Iceland and Norway: this Regulation will constitute a development of provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters' association with the implementation, application and development of the Schengen

Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).

Council Implementing Decision (EU) 2020/1745 of 18 November 2020 on the putting into effect of the provisions of the Schengen acquis on data protection and on the provisional putting into effect of certain provisions of the Schengen acquis in Ireland (OJ L 393, 23.11.2020, p.

3).

3

4

acquis¹⁵, which fall within the area referred to in Article 1, point (G) of Council Decision 1999/437/EC¹⁶.

Switzerland: this Regulation will constitute a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis¹⁷, which fall within the area referred to in Article 1, point (G), of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/149/JHA¹⁸.

Liechtenstein: this Regulation will constitute a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis¹⁹, which fall within the area referred to in Article 1, point (G), of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/349/EU²⁰.

Bulgaria and Romania: this Regulation will constitute an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2005 Act of Accession and should be read in conjunction with Council Decisions 2010/365/EU²¹ and (EU) 2018/934²².

Croatia: this Regulation will constitute an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2011 Act of Accession and should be read in conjunction with Council Decision (EU) 2017/733²³.

2. 15 16

3. 17 18

4. 19 20

OJ L 176, 10.7.1999, p. 36.

5. Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the

Agreement concluded by the Council of the European Union and the Republic of Iceland and the

Kingdom of Norway concerning the association of those two States with the implementation,

application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).

OJ L 53, 27.2.2008, p. 52.

6. Council Decision 2008/149/JHA of 28 January 2008 on the conclusion on behalf of the European Union

of the Agreement between the European Union, the European Community and the Swiss Confederation

on the Swiss Confederation's association with the implementation, application and development of the

Schengen acquis (OJ L 53, 27.2.2008, p. 50).

OJ L 160, 18.6.2011, p. 21.

7. Council Decision 2011/349/EU of 7 March 2011 on the conclusion on behalf of the European Union of

the Protocol between the European Union, the European Community, the Swiss Confederation and the

Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement

between the European Union, the European Community and the Swiss Confederation on the Swiss

Confederation's association with the implementation, application and development of the Schengen

acquis, relating in particular to judicial cooperation in criminal matters and police cooperation (OJ L

160, 18.6.2011, p.

1).

8. Council Decision 2010/365/EU of 29 June 2010 on the application of the provisions of the Schengen

acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania (OJ L

166, 1.7.2010, p. 17).

9. Council Decision (EU) 2018/934 of 25 June 2018 on the putting into effect of the remaining provisions

of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and

Romania (OJ L 165, 2.7.2018, p. 37).

10. Council Decision (EU) 2017/733 of 25 April 2017 on the application of the provisions of the Schengen

acquis relating to the Schengen Information System in the Republic of Croatia (OJ L 108, 26.4.2017, p.

31).

21

22

23

• Subsidiarity (for non-exclusive competence)

According to the principle of subsidiarity laid down in Article 5(3) TEU, action at EU level should be taken only when the aims envisaged cannot be achieved sufficiently by Member States alone and can therefore, by reason of the scale or effects of the proposed action, be better achieved by the EU.

This proposal will develop and build upon the existing SIS, which has been operational since 1995. The original intergovernmental framework was replaced by Union instruments on 9 April 2013 [Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA]. On 28 November 2018, three new Regulations were adopted on SIS: Regulation (EU) 2018/1860²⁴ on the use of SIS in the field of return, Regulation (EU) 2018/1861²⁵ on the use of SIS in the field of borders and Regulation (EU) 2018/1862 on the use of SIS in the field of police cooperation and judicial cooperation in criminal matters. These Regulations will repeal and replace the previous legal framework governing SIS at the end of 2021.

A full subsidiarity analysis has been carried out on previous occasions; this initiative is focused on introducing a new alert category to be entered in SIS by Europol, by amending Regulation (EU) 2018/1862.

The considerable level of information exchange between Member States and Europol through SIS cannot be achieved via decentralised solutions. By reason of the scale, effects and impacts of the action, this proposal can be better achieved at Union level. The objectives of this proposal encompasses, inter alia, the procedural and legal requirements for Europol to enter alerts in SIS as well as technical requirements for Europol to establish a technical interface through which it can enter, update and delete alerts.

If existing limitations to SIS are not addressed, there is a risk that numerous opportunities for maximised efficiency and EU added value are missed and that there are blind spots concerning security threats impeding the work of competent authorities.

• Proportionality

According to the principle of proportionality laid down in Article 5 i TEU, there is a need to match the nature and intensity of a given measure to the identified problem. All problems addressed in this initiative call, in one way or another, for EU-level support for Member States to tackle these problems effectively:

The proposed initiative constitutes an amendment of SIS in relation to police cooperation and judicial cooperation in criminal matters. In terms of the right to protection of personal data, this proposal complies with the proportionality principle as it provides for specific procedures and safeguards when entering alerts by Europol as well as specific alert deletion rules and does not require the collection and storage of data for longer than is absolutely necessary to allow the system to function and meet its objectives. SIS alerts entered by Europol will contain only the data which is required to identify a person. All other additional details are provided via the SIRENE Bureaux enabling the exchange of supplementary information. In addition, the proposal provides for the implementation of all necessary safeguards and mechanisms required for the effective protection of the fundamental rights of the data subjects, particularly the protection of their private life and personal data.

11. The envisaged measure is proportionate in that it does not go beyond what is necessary in terms of action at EU level to meet the defined objectives. The alert entered by Europol will

²⁴ OJ L 312, 7.12.2018, p. 1.

²⁵ OJ L 312, 7.12.2018, p. 14.

be a ‘last resort’ solution in cases when Member States are not able to or do not intend to enter alerts on the person concerned, to which recourse is possible only in cases when entering the alert is necessary and proportionate. The action to be taken will be limited to providing information on the place and time of the check in which the hit on the Europol alert occurred.

Choice

of the instrument

The proposed revision will take the form of a Regulation and will amend Regulation (EU) 2018/1862 in order to introduce a new alert category to be entered in SIS by Europol. The legal base of this proposal is point (a) of Article 88(2) the TFEU which is also the legal basis of Regulation (EU) 2018/1862 that it will amend.

The form of a Regulation of the European Parliament and of the Council has to be chosen because the provisions are to be binding and directly applicable in all Member States as well as by Europol. The proposal will build on an existing centralised system through which Member States cooperate, something which requires a common architecture and binding operating rules.

The legal basis requires the use of the ordinary legislative procedure.

Furthermore, the proposal provides for directly applicable rules enabling data subjects' access to their own data and remedies without requiring further implementing measures in this respect. As a consequence, only a Regulation can be chosen as a legal instrument.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER

Contents

CONSULTATIONS

15 16

17 18

19 20

Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the

Council Decision 2008/149/JHA of 28 January 2008 on the conclusion on behalf of the European Union

Council Decision 2011/349/EU of 7 March 2011 on the conclusion on behalf of the European Union of

Council Decision 2010/365/EU of 29 June 2010 on the application of the provisions of the Schengen

Council Decision (EU) 2018/934 of 25 June 2018 on the putting into effect of the remaining provisions

Council Decision (EU) 2017/733 of 25 April 2017 on the application of the provisions of the Schengen

The envisaged measure is proportionate in that it does not go beyond what is necessary in terms of action at EU level to meet the defined objectives. The alert entered by Europol will

T o ensure that the general public interest is properly considered in the Commission s approach

Clear data review timeframes have been set out in this proposal for the new alert category. The review period is set at maximum one year, which is the shortest review period applied in

frontline officer that Europol holds information on the person. More specifically, the alert would inform that Europol holds information giving grounds to consider that the person is

1.

CONSULTATIONS

ANDIMPACTASSESSMENTS

Stakeholder

consultations

12. T o ensure that the general public interest is properly considered in the Commission s approach

to strengthening Europol’s mandate, including the task to enter alerts in SIS, the Commission

services identified relevant stakeholders and consul ted them throughout the preparation of this initiative. The Commission services sought views from a wide range of subject m atter ex perts, national authorities, civil society organisations, and from members of the public on their expectations and c on cern s re latin g to enha ncing Europol’s capabilities in supporting Member States to effectively prevent and investigate crime.

During the consultation process, the Commission services applied a variety of methods and forms of consultation.²⁶ They included:

• the consultation on the Inception I mpa ct Assessm e nt, which sought views from all interested parties;

• targeted stakeholder consultation by way of a questionnaire;

• expert interviews; and

• targeted thematic stakeholder workshops that focused on subject matter experts, including practitioners at national level. Taking into account the technicalities and

It should be noted that consultation activities used served to collect information and arguments. They are not surveys, as they refer to non-representative samples of the stakeholders or the general population and thus do not allow for conclusions.

26

specificities of the subject, the Commission services focused on targeted consultations, addressing a broad range of stakeholders at national and EU level.

The diversity of perspectives proved valuable in supporting the Commission to ensure that its initiative addresses the needs, and took account of the concerns, of a wide range of stakeholders. Moreover, it allowed the Commission to gather necessary and indispensable data, facts and views on the relevance, effectiveness, efficiency, coherence and EU added value of this initiative.

Taking into consideration the Covid-19 pandemic and the related restrictions and inability to interact with relevant stakeholders in physical settings, the consultation activities focused on applicable alternatives such as online surveys, semi-structured phone interviews, as well as meetings via video conference.

Stakeholders are generally supportive of strengthening Europol’s legal mandate to support

Member States in preventing and combatting serious crime and terrorism.

The results of the consul tation activities were incorporated throughout the impact assessment and the preparation of the initiative.

• Im pact assessment

In line with Better Regulation requirements, an Impact Assessment has been prepared accompanying the proposal for a Regulation on the European Union Agency for Law Enforcement Cooperation (Europol) amending Regulation (EU) No 2016/794. This report has assessed the issue of introducing a new alert category in SIS exclusively for Europol,

reflecting Europol’s role and competences, as well as the necessary safeguards.

Several legislative policy options have been considered. The following policy options have been assessed in full detail:

• Policy option 1: enabling Europol to issue ‘discreet check’ alerts in SIS;

• Policy option 2: introducing a new alert category in SIS to be used exclusively by Europol.

Following a detailed assessment of the impact of these policy options, it was concluded that the preferred policy option is option 2. This preferred policy option is reflected in this initiati ve.

The preferred policy option 2 responds effectively to the identified problems and would

enhance Europol’s capability to provide frontline officers with its analysis of third-country

sourced information on suspects and criminals.

Fundamental rights

This proposal adds a new alert category – to be entered by Europol – to an existing system, and hence builds upon important and effective safeguards that have already been put in place. Nevertheless, as the syste m will process data for a new purpose, there are potential im pacts on an individuals fundamental rights. These have been thoroughly considered, and additional safeguards have been put in place to limit the processing of data by Europol to what is strictly necessary and operationally required.

13. Clear data review timeframes have been set out in this proposal for the new alert category. The review period is set at maximum one year, which is the shortest review period applied in

SIS. There is explicit recognition of and provision for individuals' rights to access and rectify data relating to them, and to request deletion in line with their fundamental rights.

The development and continued effectiveness of SIS will contribute to the security of persons within society.

The proposal guarantees the data subject's right to effective remedies available to challenge any decisions, which shall in any case include an effective remedy before a court or tribunal in line with Article 47 of the Charter of Fundamental Rights.

4. BUDGETARYIMPLICATIONS

The present proposal widens the scope of application of the current SIS by introducing a new alert category for Europol.

The financial statement attached to this proposal reflects the changes required for establishing this new alert category in Central SIS by eu-LISA, the EU Agency responsible for the management and development of Central SIS. On the basis of an assessment of the various aspects of the work required in relation to the Central SIS by eu-LISA the proposed Regulation will require a global amount of EUR 1,820,000 for the period 2021-2022.

The proposal will also have an impact on the Member States requiring them to update their national systems, connected to Central SIS, to be able to display the Europol alert to their end-users. The expenses related to the development of the national systems connected to Central SIS are to be covered by the resources available to the Member States under the new Multiannual Financial Framework 2021-2027 for the development and maintenance of SIS.

The proposal will also require Europol to set up a technical interface for entering, updating and deleting data in Central SIS. The financial statement attached to the proposal to amend the Europol regulation covers the expenses related to the set-up of this interface by Europol.

5. OTHERELEMENTS

• Implementation plans and monitoring, evaluation and reporting arrangements

On the basis of Regulation (EU) 2018/1862, the Commission, Member States and eu-LISA will regularly review and monitor the use of SIS, to ensure that it continues to function effectively and efficiently.

The Commission will be assisted by the SIS-SIRENE Committee (Police formation) to implement technical and operational measures as described in the proposal by amending the relevant Commission Implementing Decisions.

Article 51 of Regulation (EU) 2018/1862 foresees the evaluation of the use of SIS by Europol, Eurojust and the European Border and Coast Guard Agency carried out by the Commission at least every five years. This evaluation will cover the procedures of Europol to enter data in SIS. Europol will have to ensure adequate follow-up to the findings and recommendations stemming from the evaluation. A report on the results of the evaluation and follow-up to it will be sent to the European Parliament and to the Council.

In addition, Regulation (EU) 2018/1862 includes provisions in Article 74 i for a formal, regular review and evaluation process that will be also applicable to the new alert category introduced by this amendment.

Every four years, the Commission is required to conduct, and share with the Parliament and the Council, an overall evaluation of SIS and the exchange of information between Member States. This will:

• examine results achieved against objectives;

• assess whether the underlying rationale for the syste m remains vali d;

• examine how the Regulation is being applied to the central system;

• evaluate the security of the central system;

• explore implications for the future functioning of the system.

Every two years, eu-LISA is required to report to the European Parliament and the Council on the technical functioning – including security – of SIS, the communication infrastructure supporting it, and the bilateral and multilateral exchange of supplementary information between Member States as well as the Automated Fingerprint Identification System.

eu-LISA is also charged with providing daily, monthly and annual statistics on the use of SIS, ensuring continuous monitoring of the system and its functioning against objectives.

• Detailed explanation of the specific provisions of the proposal

The proposal enables Europol to issue ‘information alerts’ on suspects and criminals as a new

alert category in SIS, for exclusive use by Europol in specific and well-defined cases and circumstances. Europol would be able to issue such alerts on the basis of its analysis of third-country sourced information or information from international organisations, and within the

scope of crimes falling under Europol’s competence and only on third-country nationals.²⁷

This specific objective limits in the sharing of thi rd - c ountry sourced information to suspects and criminals.

The purpose of the new alert category is that in case of a ‘hit’, the alert would inform the

14. frontline officer that Europol holds information on the person. More specifically, the alert would inform that Europol holds information giving grounds to consider that the person is

intending to commit or is committing one of the offences falling under Europol’s competence,

or that an overall assessment of the information available to Europol gives reason to believe that the person may commit such offence in future.

The proposal sets out detailed provisions on the procedural requirements that Europol is required to fulfil prior to entering an alert in SIS. These procedural steps ensure the legality of entering the alert as well as the priority of alerts entered by Member States and that any objection by Member States s taken into account.

First, Europol is to analyse the information received by third countries or international organisations, e.g. by way of checking it against other available information, to verify its accuracy and to complement the information picture. If necessary, Europol has to carry out further information exchange with the third country or international organisation. Europol also has to assess whether entering the alert is necessary for achieving its objectives as laid down in Regulation (EU) 2016/794.

In line with Article 36 of Regulation (EU) 2018/1862, this would cover persons where there is a clear indication that they intend to commit or are committing any of the crimes for which Europol is competent, or persons where an overall assessment (in particular on the basis of past criminal offences) gives reasons to believe that they may commit in future one of the crimes for which Europol is competent.

2

Second, Europol has to check that there is no existing alert in SIS on the same person.

Third, Europol has to share the information collected on the person concerned with all Member States and carry out a prior consultation in order to confirm that no Member State intends to enter the alert themselves based on the information collected by Europol and that Member States do not object to the alert being entered by Europol. These provisions ensure that if a Member State considers that they have sufficient information and grounds to fulfil the requirements of Regulation (EU) 2018/1862 as well as their national provisions for entering the alert themselves, then they have the possibility to do so and this alert takes precedence. In this case, Member States have the possibility to determine the relevant alert category available to them, based on Regulation (EU) 2018/1862 and issue an alert. Member States also have the possibility to object to the alert being entered by Europol, in justified cases, in particular, if their national security so requires or when it is likely that the alert would represent a risk for official or legal inquiries, investigations or procedures or if they obtain new information about the person who is the subject of the alert which changes the assessment of the case.

In order to ensure data protection monitoring by the European Data protection Supervisor, Europol shall keep detailed records relating to the entry of the alert in SIS and the grounds for such entry that permit verification of compliance with the substantive and procedural requirements.

Finally, Europol has to inform all Member States of the entry of the alert in SIS through the exchange of supplementary information.

In addition, the proposals aligns the obligations and requirements of Europol when entering alerts in SIS with alert issuing Member States. These requirements concern: categories of data, proportionality, minimum data content for an alert to be entered, entering biometric data, general data processing rules, quality of the data in SIS as well as rules on distinguishing between persons with similar characteristics, misused identity and links.

As an action to be taken, the frontline officer would be required to report immediately the occurrence of the ‘hit’ to the national SIRENE Bureau, which would in turn contact Europol. The frontline officer would only report that the person who is subject of an alert was located and would indicate the place, time and reason for the check carried out. Beyond this reporting obligation as a non-coercive measure, there would be no further obligation on the Member State where the ‘hit’ occurred. The ‘information alert’ would not impose an obligation on Member States’ frontline officers to discreetly check the person under alert and collect a set of detailed information if they encounter him/her at the external border or within the territory of the EU. Rather, the Member State executing the alert would be free to determine, on a case-by-case basis, including based on the background information received from Europol, whether further measures need to be taken with regard to the person concerned. Such further measures would take place under national law and subject to the full discretion of the Member State.

Similarly to other alert categories, the proposal defines the review period for alerts entered by Europol as well as the alert deletion rules which are specific to this type of alert. As a general rule, an alert should be kept only for the time that is necessary to achieve the purpose for which it was entered. An alert entered by Europol in SIS should be deleted, in particular, if the person who is the subject of the alert no longer falls under the scope of this alert category, a Member State objects the insertion of such alert, another alert is entered in SIS by a Member State or if Europol becomes aware that the information received from the third country or international organisation was incorrect or was communicated to Europol for unlawful purposes, for example if sharing the information on the person was motivated by political

reasons.

The proposal includes amendments to Regulation (EU) 2018/1862 in order to align its provisions concerning data protection, in particular the right of access, rectification of inaccurate data and erasure of unlawfully stored data, remedies and liability with Regulation (EU) 2016/794 and Regulation (EU) 2018/1725 insofar as those alignments are necessary due to the new alert category to be entered by Europol.