Explanatory Memorandum to COM(2021)21 - Amendment of Directive 2014/41/EU, as regards its alignment with EU rules on the protection of personal data



1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

Directive (EU) 2016/680[1] (the Data Protection Law Enforcement Directive – LED) entered into force on 6 May 2016 and Member States had until 6 May 2018 to transpose it into national law. It repealed and replaced Council Framework Decision 2008/977/JHA[2], but is a much more comprehensive and general data protection instrument. Importantly, it applies to both the domestic and the cross‑border processing of personal data by competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences and executing criminal penalties, including safeguarding against and preventing threats to public security (Article 1(1)).

Article 62(6) LED requires the Commission to review, by 6 May 2019, other EU legal acts that regulate competent authorities’ personal data processing for law enforcement purposes, in order to assess the need to align them with the LED and, where appropriate, to make proposals for amending them to ensure consistency in the protection of personal data within the scope of the LED.

The Commission set out the results of its review in a Communication on Way forward on aligning the former third pillar acquis with data protection rules (24 June 2020)[3], which specifies ten legal acts that should be aligned with the LED and a timetable for doing so. The list includes Directive 2014/41/EU of the European Parliament and of the Council regarding the European Investigation Order in criminal matters[4]. The Commission indicated that it would put forward targeted amendments of that Directive in the last quarter of 2020; that is the purpose of this proposal.

This initiative is not part of the regulatory fitness programme (REFIT).

Consistency with existing policy provisions in the policy area

The proposal aims to align the data protection rules in Directive 2014/41/EU with the principles and rules laid down in the LED, in order to provide a strong and coherent data protection framework in the Union.

Consistency with other Union policies

n/a


2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

This proposal is based on Article 16(2) of the Treaty on the Functioning of the European Union (TFEU).

The original act was based on ex-Article 34(2)(b) of the former Treaty on European Union, which rather corresponds to Article 82 TFEU. However, both the objective and the substance of the proposed amendment are clearly limited to the protection of personal data.

In that regard, Article 16(2) TFEU is the most appropriate legal basis. It allows for the adoption of rules on the protection of individuals with regard to the processing of personal data by Member States when carrying out activities under Union law and the rules on the free movement of personal data.

According to Article 2a of Protocol No 22, Denmark will not be bound by rules laid down on the basis of Article 16 TFEU which relate to the processing of personal data when carrying out activities falling within the scope of Chapters 4 and 5 of Title IV of Part Three of the TFEU. The same is true for Ireland according to Article 6a of Protocol No 21.

Subsidiarity (for non-exclusive competence)

Only the Union can adopt a legislative act amending Directive 2014/41/EU.

Proportionality

This proposal is limited to what is necessary to align Directive 2014/41/EU with Union legislation on the protection of personal data (in particular the LED) without changing the Directive’s scope in any way. This Directive does not go beyond what is necessary to achieve the objectives pursued, in accordance with Article 5 of the Treaty on European Union.

Choice of instrument

To amend Directive 2014/41/EU, the most appropriate instrument is a directive.

3. RESULTS OF EX POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex post evaluations/fitness checks of existing legislation

This proposal follows the results of the Commission’s review under Article 62(6) LED, as presented in the Communication on Way forward on aligning the former third pillar acquis with data protection rules. That Communication lists points on which alignment is necessary. In particular, it identifies the need to clarify that any processing of personal data under Directive 2014/41/EU is subject to either the LED or Regulation (EU) 2016/679[5] (General Data Protection Regulation – GDPR), depending on whether it takes place in the context of criminal or non-criminal proceedings. The alignment should clarify that data obtained under Directive 2014/41/EU may be processed for purposes other than those for which they are collected only under the conditions laid down in the LED (Articles 4(2) or 9(1)) or the GDPR (Article 6).

By proposing the deletion of Article 20 of Directive 2014/41/EU, this proposal is limited to what is necessary to address the above points.

Stakeholder consultations

n/a


Collection and use of expertise

In its review, the Commission took account of a study carried out as part of the pilot project on a ‘fundamental rights review of EU data collection instruments and programmes’[6]. The study mapped Union acts covered by Article 62(6) LED and identified provisions potentially requiring alignment on data protection issues.

Impact assessment

The impact of this proposal is limited to competent authorities’ processing of personal data in the specific instances regulated by Directive 2014/41/EU. The impact of the new obligations arising from the LED was assessed in the context of the preparatory work for the LED. This renders a specific impact assessment for this proposal unnecessary.

Regulatory fitness and simplification

n/a


Fundamental rights

The right to the protection of personal data is laid down in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 TFEU. As underlined by the Court of Justice of the European Union[7], the right to the protection of personal data is not absolute, but must be considered in relation to its function in society[8]. Data protection is also closely linked to respect for private and family life, as protected by Article 7 of the Charter.

This proposal ensures that any processing of personal data under Directive 2014/41/EU is subject to the ‘horizontal’ principles and rules of EU data protection legislation, thus further implementing Article 8 of the Charter. That legislation aims to ensure a high level of protection of personal data. Clarifying that the principles and rules of Directive 2016/680 apply to data processing under the Directive will have a positive impact as regards the fundamental rights to privacy and data protection.

4. BUDGETARY IMPLICATIONS

n/a


5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

n/a


Explanatory documents (for directives)

This proposal does not require explanatory documents on transposition, as it involves deleting one article of Directive 2014/41/EU.

Detailed explanation of the specific provisions of the proposal

Article 1 deletes Article 20 of Directive 2014/41/EU. In doing so, this proposal is limited to what is necessary to address the above points. Article 20 requires that any processing of personal data under the Directive comply with Council Framework Decision 2008/977/JHA and the principles of the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (28 January 1981) and its Additional Protocol.

The LED repealed the Framework Decision with effect from 6 May 2018. Under Article 59 LED, references to the Framework Decision are to be construed as references to the LED.

Under its Article 2, the LED applies to the processing of personal data by competent authorities for the purposes set out in its Article 1, i.e. preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, including safeguarding against and preventing threats to public security. However, Directive 2014/41/EU also applies to certain types of non-criminal proceedings – these are regulated by the GDPR.

The fact that Article 20 of Directive 2014/41/EU refers to the Framework Decision could result in confusion as to whether the LED also applies to the processing of personal data relating to European investigation orders in the context of non-criminal proceedings (which do not lie within the scope of the LED). Deleting Article 20 is sufficient to remedy this situation. The LED continues to apply to the processing of personal data under Directive 2014/41/EU within its scope.

As the LED and the GDPR (each within its scope) apply to the processing of personal data under Directive 2014/41/EU, the processing of such data for purposes other than that for which they are collected will be carried out in accordance with the LED (Articles 4(2) and 9(1)) or the GDPR (Article 6(4)). No new provision is needed to that effect.

Article 20 of Directive 2014/41/EU also requires that access to personal data be restricted, without prejudice to the rights of the data subject, and that only authorised persons have access to such data. The LED and the GDPR establish a comprehensive framework on data subjects’ rights and the data controller’s obligations, including as regards data protection by design and by default, and security of processing. The second paragraph of Article 20 is therefore redundant.

Since Directive 2014/41/EU does not contain specific data protection rules, no further data protection related amendments are required.

Article 2 sets the deadline for transposing the proposed new Directive.

Article 3 sets the date of entry into force of this Directive.

Article 4 provides that this Directive is addressed to Member States.