Explanatory Memorandum to COM(2021)756 - Collaboration platform to support the functioning of Joint Investigation Teams



1. CONTEXT OF THE PROPOSAL

·Reasons for and objectives of the proposal

1. Introduction


Joint Investigation Teams (JITs) are teams set up for specific criminal investigations and for a limited period of time. They are set up by the competent authorities of two or more Member States and possibly non-EU countries (third countries), to carry out together criminal investigations that cross borders. A JIT can be set up, in particular, when a Member State's investigations into criminal offences require difficult and demanding investigations having links with other Member States or third countries. It can also be set up when a number of Member States are conducting investigations into criminal offences in which the circumstances of the case necessitate coordinated, concerted action in the Member States involved.

The legal bases for setting up a JIT are Article 13 of the European Union (EU) Convention on Mutual Assistance in Criminal Matters [1] and Council Framework Decision 2002/465/JHA of 13 June 2002 on joint investigation teams [2]. Third countries can be parties to JITs if the legal basis allows for this, for example Article 20 of the Second Additional Protocol of the 1959 Council of Europe Convention [3] and Article 5 of the Agreement on Mutual Legal Assistance between the European Union and the United States of America [4].

JITs are one of the most successful tools for cross-border investigations and prosecutions in the EU. They enable direct cooperation and communication between judicial and law enforcement authorities of several States to organise their actions and investigations to efficiently investigate cross-border cases.

2. Problems the proposal tackles


However, practice shows that JITs have been facing several technical difficulties preventing them from being efficient in their daily work and from fostering their operations. The main difficulties concern secure electronic exchange of information and evidence (including large files), secure electronic communication with other JIT members and the competent Union bodies, offices and agencies such as Eurojust, Europol and the European Anti-Fraud Office (OLAF), as well as a joint daily management of a JIT.

The second evaluation report on JITs [5], prepared in 2018 by the Network of National Experts on Joint Investigation Teams (the JITs Network), a body established to support Member States and share best practices and experience in the area of JITs, already indicated that the JITs’ work could be improved and sped up if supported by a dedicated IT platform. The IT platform would enable its members to securely communicate among themselves, and share information and evidence. The Digital Criminal Justice study [6] confirmed the findings of that report and recommended creating an IT platform for JITs to ensure that JITs function more efficiently and more securely.

Following these findings, the Commission announced plans [7] to propose legislation establishing a dedicated ‘collaboration platform to support the functioning of Joint Investigation Teams’ (the platform).

3. Objectives of the proposal


The general objective of the proposal is to provide technological support to those involved in JITs to increase the efficiency and effectiveness of their cross-border investigations and prosecutions.

The specific objectives of the proposal are to:

·Ensure that the members and participants of JITs can more easily share information and evidence collected in the course of the JIT activities.

·Ensure that the members and participants of JITs can more easily and more safely communicate with each other in the context of the JIT activities.

·Facilitate the joint daily management of a JIT, including planning and coordination of parallel activities, enhanced traceability of shared evidence and coordination with third countries, especially where physical meetings are too expensive or time consuming.

4. The proposed solution


To meet those objectives and to tackle the underlying problems, a dedicated IT platform consisting of both centralised and decentralised components – the JITs collaboration platform – is proposed. The platform would be accessible to all actors involved in JIT proceedings, i.e. Member States’ representatives fulfilling the role of members of a given JIT, representatives of third countries invited to cooperate in the context of a given JIT, and the competent Union bodies, offices and agencies such as Eurojust, Europol, the European Public Prosecutor’s Office and OLAF.

The key functions, described in detail below, will ease electronic communication, allow information and evidence to be shared, including large amounts of data, ensure traceability of evidence as well as planning and coordination of JIT operations.

The design, development, technical management and maintenance of the platform would be entrusted to the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), which is the Union agency in charge of large-scale IT systems in the Area of Freedom, Security and Justice.

The platform would be of a voluntary nature, so the authorities involved in JITs would have full discretion in deciding whether they want to use the platform for a specific JIT. In addition, the JIT members and participants would be free to use other tools while making use of the platform, for instance if they decide to pass on evidence in person at a working meeting or through the Secure Information Exchange Network Application (SIENA), managed by Europol.

The platform’s architecture would enable the creation of (non-interoperable) sessions in silo, the ‘JIT collaboration spaces,’ specific to each JIT and open only for the duration of the JIT. There would be no cross-cutting functions or any interactions between different JITs hosted by the platform.

The platform would support the functioning of JITs throughout their operational and post-operational phases. In practical terms, an individual JIT collaboration space could be created on the platform as soon as all establishing parties sign the JIT agreement. The space would be closed following the end of the evaluation process.

Access to the platform would be granted through regular computers (desktops, laptops, etc.) as well as through mobile devices. Its interface would be made available in all EU languages.

From a technical perspective, the platform would be composed of two distinctive elements, (i) a centralised information system, which would allow for a temporary central storage of data, and (ii) a communication software, a mobile application, which would enable communication and local communication data storage.

From a security perspective, while the platform will operate over the internet to offer flexible means of accessing it, the focus will be to guarantee confidentiality by design. This will be achieved by using robust end-to-end encryption algorithms to encrypt data in transit or at rest (i.e. stored on a physical storage). This feature is crucial for gaining the trust of JITs practitioners who deal with sensitive data and must be reassured regarding any risk of uncontrolled disclosure. In addition, appropriate multi-step identification and authentication mechanisms will be put in place to ensure that only authorised JIT members and participants have access to the platform.

When designing the JITs collaboration platform, eu-LISA should ensure technical interoperability with SIENA.

5. Key functions


The platform will offer the following key functions:

·secure, untraceable communication stored locally at the devices of the users, including a communication tool offering an instant messaging system, a chat feature, audio/video-conferencing and a function replacing standard emails;

·exchange of information and evidence, including large files, through an upload/download system designed to store the data centrally only for the limited time needed to technically transfer the data. As soon as the data are downloaded by all addressees, they would be automatically deleted from the platform;

·evidence traceability – an advanced logging mechanism logging a trail of who did what and when regarding all evidence shared through the platform, and supporting the need to ensure admissibility of evidence before a court.

6. Other functions


Apart from these key functions, the platform will also offer the following:

·functions related to daily management of the JIT during its operational and post-operational (evaluation) phase;

·support for the administrative and financial processes;

·various technical capabilities supporting operational and administrative processes, including the integration with the JITs-related electronic services already hosted at Eurojust and managed by the JIT Secretariat, i.e. JITs Funding, JITs Evaluation and JITs Restricted Area, allowing relevant information and documents to be obtained without needing to connect separately to the platform and the services offered by the JIT Secretariat.

7. Access rights


Particular attention will be given to the platform’s access rights. The platform’s starting principle will be that the management of access rights rests with the JIT space administrator(s) from the JITs participating Member States. They will be in charge of granting access, during the operational and post-operational phases of the JIT, to:

·representatives of the other Member States participating in the JIT;

·representatives of third countries which are also members of a given JIT;

·representatives of Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices and agencies; and

·representatives of the JIT Secretariat.

In addition, the JIT space administrator(s) will have the option to limit access to parts of information and evidence only to those who are concerned by it, including case-by-case granular access permissions. This restriction would concern all users of the JITs collaboration platform, be it the Member States, third countries, the competent Union bodies, offices and agencies or the JIT Secretariat.

It must be underlined that eu-LISA, as the hosting provider, will not have access to the data stored or exchanged through the platform. It will also not be involved in the access rights management, except for the initial process of granting access rights to JIT space administrator(s) based on the signed JIT agreement. The platform’s architecture must offer sufficient guarantees for this to happen.

The access rights of the competent Union bodies, offices and agencies should be defined in view of the operational support they provide to JITs, covering all steps of the proceedings, from the moment of the signed JIT agreement until the end of the evaluation phase. On the latter, the platform must provide for access rights for the JIT Secretariat, which plays an important role in that process. The JIT Secretariat could also be in charge of the platform’s administrative support, including access rights management, as long as the JIT space administrator(s) of each individual JIT envisage such a role.

Keeping in mind the increasing role of third countries in the successful prosecution of serious organised crime and terrorism, the platform will also be available to them, if they are part of a JIT agreement. However, specific access rights will depend on their role in a given JIT and should be set out by the JIT space administrator(s) for each respective JIT. To guarantee the respect for fundamental rights, including data protection, and in line with the currently applicable procedures, before granting access to a specific third country, the JIT space administrator(s) will need to thoroughly assess the data protection aspects against the applicable rules, notably Directive 2016/680 [8].

·Consistency with existing policy provisions in the policy area

Strengthening cross-border criminal investigations and prosecutions carried out by JITs is a crucial part of creating an area of freedom, security and justice.

This proposal has been announced in the Commission’s Communication on the digitalisation of justice in the EU [9], as part of a broader initiative to enable the secure electronic communication and exchange of information and documents between courts, national authorities, and justice and home affairs agencies. It also constitutes part of the digitalisation of justice package contained in the Commission’s work programme for 2021 under the heading ‘A New Push for European Democracy’ [10].

·Consistency with other Union policies

The proposal is in line with the EU Security Union strategy [11], the counter-terrorism agenda for the EU [12] and the EU strategy to tackle organised crime [13].

Given the highly sensitive nature of the information exchanged, it is essential that the implementation of the toolbox approach on the digitalisation of justice, including through this proposal, takes place in a way that guarantees strong cybersecurity standards. This is consistent with the approach outlined in the EU's Cybersecurity Strategy and the Commission’s proposal for a Directive on measures for a high common level of cybersecurity across the Union (NIS2), aiming to improve further the cybersecurity capacities of public and private entities, competent authorities and the Union as a whole in the field of cybersecurity and critical infrastructure protection. While the judiciary in Member States is not in the scope of the NIS2 proposal, it is essential that Member States put in place national measures that ensure a comparable level of cybersecurity.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

·Legal basis

The legal basis for the proposal is Article 82(1)(d) of the Treaty on the Functioning of the European Union (TFEU). In line with that Article, the EU has the power to adopt measures to ease cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters.

In line with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty of the European Union (TEU) and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

In line with Articles 1 to 3 of Protocol No 21 on the position of Ireland, annexed to the TEU and to the TFEU, Ireland may notify the President of the Council in writing that it wishes to take part in the adoption and application of any such proposed measure, where it will be entitled to do so. The notice must be within three months after a proposal or initiative has been presented to the Council under Title V of Part Three of the Treaty on the Functioning of the European Union.

·Subsidiarity (for non-exclusive competence)

According to the principle of subsidiarity laid down in Article 5(3) of the TEU, action at EU level should be taken only when the aims envisaged cannot be achieved sufficiently by Member States alone and can therefore, by reason of the scale or effects of the proposed action, be better achieved by the EU. Furthermore, there is a need to match the nature and intensity of a given measure to the identified problem.

The creation of a common Union-wide IT platform to support JITs, allowing the Member States to make use of a technology solution that does not depend on the national IT infrastructure, can neither be achieved unilaterally at Member State level nor bilaterally between the Member States. It is by its nature a task to be undertaken at EU level. Therefore, it is also for the Union to establish a legally binding instrument to create such a system and to lay down the conditions under which that system will function.

·Proportionality

According to the principle of proportionality laid down in Article 5(4) of the TEU, there is a need to match the nature and intensity of a given measure to the identified problem.

All problems described in this document require EU-level support to tackle them effectively. Addressing the problems individually, for instance by creating separate tools tackling the communication issue, the lack of a data exchange mechanism, etc., would be much more costly and would create an administrative burden for the JITs. The Union-wide IT platform is the only way to provide JITs with a common modern technical solution that will allow them to carry out their cross-border investigations more efficiently.

Therefore, it can be concluded that the action at EU level to establish the platform to support functioning of JITs is proportionate to the identified problems that JITs encounter in their daily work.

·Choice of the instrument

The Commission is putting forward a proposal for a Regulation as the proposed legal instrument establishes a central system at EU level managed by the European agency eu-LISA. The proposal also amends Regulation (EU) No 2018/1726. A Regulation is directly applicable in all Member States and binding in its entirety. It therefore guarantees a common application of the rules across the Union and their entry into force at the same time. It ensures legal certainty by avoiding different interpretations in the Member States, thus preventing legal fragmentation.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

·Stakeholder consultations

Whereas no public consultations were conducted due to a specific character of the proposal, the Commission has carried out an extensive targeted consultation campaign to ensure that all stakeholders concerned have an opportunity to express their views. The campaign has involved:

·prosecutors, judges and law enforcement representatives from the Member States;

·Member States’ national authorities;

·experts from the JITs network;

·academics and practitioners in EU criminal law;

·data protection experts;

·representatives of Eurojust, Europol and OLAF.

Stakeholders have had an opportunity to voice their opinion through bilateral contacts, expert meetings, online surveys and written contributions.

The targeted consultations organised between March and July 2021 gathered views on the platform-related elements of the Digital Criminal Justice study, functions that are to be covered by the future platform, as well as the applicable data protection regime(s).

First and foremost, all stakeholders welcomed the initiative and provided a positive opinion on the establishment of a platform as a much-needed step towards the digitalisation of JITs cooperation.

As far as cross-cutting issues are concerned, most stakeholders focused on:

·the simplicity of the platform so that it can be used by all practitioners concerned – a too cumbersome tool with complex workflows could create problems for the users and would be a main reason for not using it;

·the prevention of an impact on the substantial or legal requirements of investigators’ work, so the proper functioning of a JIT is not jeopardised by the platform;

·the security of the platform – the level of protection is of crucial importance so practitioners can be confident that outcomes of their national investigations that are shared through the platform would not be disclosed in an uncontrolled way.

Some discussions have also taken place on the entity in charge of the platform’s future development and management. The following scenarios were considered:

·creation of the platform by the Commission and making it available to the Member States to implement when needed within their own infrastructure;

·creation of the platform and its establishment at the Commission;

·creation of the platform and its establishment at one of the JHA agencies directly involved in supporting the Member State’s authorities in combating crime (e.g. Eurojust);

·creation of the platform and its establishment at eu-LISA.

All stakeholders consulted, including Eurojust and Europol, supported the option to entrust the platform’s development and maintenance to eu-LISA. They all recognised eu-LISA’s expertise in the area as well as its experience with large-scale IT systems meeting state-of-the-art security standards. Also, this option takes into account that JITs can be conducted without the financial support or operational involvement of either Eurojust or Europol.

Undoubtedly, the two key functions of the platform debated the most during the targeted consultations were a possible coverage by the platform of a JIT set-up process and the central storage.

8. Administrative process to set up a JIT


The starting point for this discussion was the final report of the Digital Criminal Justice study, which recommends that the JITs collaboration platform also cover the pre-operational phase of JITs, i.e. the administrative process to set up a JIT. There are many advantages of such a solution, including:

·the possibility to securely and efficiently exchange documents cross-border, leading to the signature of a JIT agreement;

·a machine translation function;

·an inventory of the procedures to be followed during the JIT set-up process;

·support for various electronic signatures.

However, it has been established during the stakeholder consultations that in most Member States, actors participating in the JIT set-up process are completely different from those who are members of JITs once they are established. Moreover, the decision to join a JIT is very often taken by someone who will not necessarily be a member of the JIT itself, e.g. the Prosecutor General or even the Minister of Justice. Therefore, the inclusion of the administrative JIT set-up process in the platform would require a complete departure from the above-described model of isolated JIT spaces, as well as a separate access rights management workflow. Such a scenario would heavily complicate the envisaged easy-to-use concept of the platform and would require implementation of rather incomprehensible and time-consuming administrative workflows.

Therefore, following the targeted consultations, the recommended scenario would be to cover the JIT set-up process within the e-Evidence Digital Exchange System (eEDES) that is currently being implemented by the Commission. This solution would, on the one hand, cover the administrative needs of the stakeholders and, on the other, not complicate the daily functioning of the future platform.

9. Central storage


One of the most crucial functions of the platform will be to exchange information and evidence among the JIT members and other participants. That function could be implemented in three different ways:

(1) A plain upload/download function – data would be uploaded on the platform by one member/participant of the JIT and would be stored centrally only until the other JIT member(s)/participant(s) download(s) it.

(2) A temporary flexible storage – in addition to the plain upload/download, data could be optionally stored at the platform for some period of time, e.g. one week, one month, etc. The member/participant uploading the data would define duration and access rights.

(3) A permanent storage – all exchanged data would be stored throughout the JIT’s lifespan – precise access rights to the data would be defined by the member/participant uploading the data. This option would constitute a ‘common JIT case-file.’

Though JITs allow for direct communication, cooperation and coordinated action, the underlying national investigations remain separate and independent. The possibility to create a common case-file to supplement national investigations is not envisaged by the current legal framework. Therefore, almost all stakeholders rejected the permanent storage option (option 3). Indeed, the creation of such a common case-file would raise serious questions related to criminal procedures in certain Member States since not all JIT information is necessarily shared among all members of the JIT. Investigators from one country often do not need access to all relevant information from the investigation of the other country participating in the same JIT.

Whereas the other two options had more or less the same degree of support among the practitioners, the preferred option is to equip the platform with the plain upload/download function (option 1). This function would prevent the platform’s users from viewing the data before downloading it. It would also prevent any central storage of exchanged data, i.e. the data would be stored centrally until it is downloaded by the other party, but for not more than four weeks. The main reason for that has been a concern that any storage of operational data, going beyond a technical requirement to send it from one party to another, would lead to at least a temporary common file and to possible follow-up questions, for example access requests to that file. However, this instrument should not change the separate investigations and separate national files, to which the respective national rules still apply.

Although the lack of central storage would prevent including in the platform various additional technical functions, e.g. an interface with a crime analysis tool, a search tool, a text to speech converter, a speech to text converter, Optical Character Recognition, etc., stakeholders took the view that such functions would duplicate the tools already provided by other agencies (primarily by Europol). It also must be underlined that even in the absence of a central storage of information and evidence, some basic information would be stored centrally to allow the JIT members to trace the exchanged data.

·Collection and use of expertise

The proposal is based on the findings of the Digital Criminal Justice study [14]. The study reviewed the needs and options to create a ‘Cross-Border digital criminal justice project,’ a fast, reliable and secure IT ecosystem to enable national prosecution authorities in Member States to interact with their national counterparts, Justice and Home Affairs (JHA) agencies and EU bodies in the JHA area.

·Impact assessment

No impact assessment was conducted, as the proposal only aims at establishing a technical solution supporting the functioning of JITs, without changing the main principles that underpin the legal frameworks for setting up a JIT.

The proposal is accompanied by a Commission staff working document [15], which contains a detailed problem description and sets out the objectives of the proposal. It also analyses the proposed solution in the light of its efficacy, indicates the benefits of the initiative and also its potential impact on fundamental rights.

The staff working document explains that the establishment of the platform is expected to render cooperation within JITs more efficient and effective. All future functionalities of the platform, starting with the communication tools, through the data exchange mechanism, to collaborative management of JITs, are intended to save time and costs for those involved in JITs. Although voluntary in nature, it is anticipated that practitioners will quickly realise the platform’s added value and systematically use it in cross-border cases. The platform would allow speeding up the flow of information among its users, increase security of the exchanged data as well as enhance transparency. In addition, impacts on simplification and administrative burdens are anticipated. Consequently, more efficient functioning of JITs would improve overall collaboration between Member States in investigating and prosecuting cross-border crime.

·Fundamental rights

No major impact on fundamental rights is expected, as the legal basis for the exchanges of information and evidence within a JIT would not be changed. However, as explained in more detail below, the proposed solution will comply with fundamental rights and freedoms enshrined, in particular, in the Charter of Fundamental Rights of the European Union [16], including the right to protection of personal data. In this regard, it will also comply with the European Convention for the Protection of Human Rights and Fundamental Freedoms, the International Covenant on Civil and Political Rights, and other human rights obligations under international law.

Since establishing the platform at EU level would imply the processing of personal data, appropriate data protection safeguards must be put in place. The platform would fully comply with Union data protection rules on the legality of exchanging information and evidence. Directive (EU) 2016/680 of the European Parliament and of the Council would apply to the processing of personal data by competent national authorities to prevent, investigate, detect or prosecute criminal offences or execute criminal penalties, including safeguarding against and preventing threats to public security. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies would also apply. These legal safeguards would need to dovetail with the alignment of the data protection approach for JITs with the current data protection rules, as proposed by the Commission on 20 January 2021 [17].

On the centralised component of the platform, i.e. the upload/download mechanism allowing temporary storage of the operational data until the moment it is downloaded, the impact on data protection is considered to be limited because:

·the personal data would be exchanged by a very limited group of individuals who are part of an isolated JIT collaboration space;

·the personal data would be stored centrally only for technical reasons and would be deleted as soon as it is downloaded by all addressees;

·the retention period would be set at a maximum of four weeks and would be enforced automatically;

·exchange of personal data would be limited to serve the purpose for which it was obtained;

·eu-LISA would not have access to the data and would fulfil the role of data processor;

·a separate data controller for each entity uploading the personal data, apart from third countries, would be warranted;

·exchanges of personal data that qualify as international transfers to third countries that are part of a given JIT would always require a legal basis in Union or Member State law applicable to such transfers;

·personal data uploaded to JIT collaboration space by third countries would be under the responsibility of a JIT space administrator who would need to check such data before it can be downloaded by other users.

4. BUDGETARY IMPLICATIONS

The proposal for a Regulation establishing the platform is envisaged to incur the following costs:

·development of the platform – the one-off cost incurred for eu-LISA;

·technical maintenance and operation of the platform – the recurring cost incurred for eu-LISA;

·development of the necessary technical adaptations of the relevant IT systems hosted at Eurojust, i.e. JITs funding, JITs evaluation and JITs restricted area to partially integrate them with the platform – the one-off cost incurred for Eurojust;

·technical maintenance and operations on the adaptations of the IT systems hosted at Eurojust – the recurring cost incurred for Eurojust;

·administrative support to the platform’s users on behalf of the JIT space administrator(s) – the recurring cost incurred for Eurojust (the JIT Secretariat).

As far as Member States’ access to the platform is concerned, no technical costs are envisaged because of the web-based nature of the centralised component of the platform. It would not require any adaptations of the national technical infrastructure. The same applies to the communication software, which would simply need to be downloaded on each device of the JIT platform’s users. Access to the platform for the competent Union bodies, offices and agencies would be driven by the same principles and would not incur any costs for them.

The costs for eu-LISA and Eurojust are explained in detail in the accompanying legal financial statement. In total, eu-LISA would require the following financial and human resources to develop, maintain and operate the JITs collaboration platform:

·one-off build cost – EUR 8.4 million;

·annual maintenance and operation cost – EUR 1.7 million;

·staff – 4 TA FTE as of 2024, 4 TA FTE as of 2025 and 2 CA FTE as of 2026 (10 in total).

The costs for eu-LISA apply to hosting the platform in its operational site in Strasbourg/France and the back-up site in Sankt Johann/Austria.

In total, Eurojust (including the JIT Secretariat) would require the following financial and human resources:

·for development, maintenance and operations of the required technical adaptations of Eurojust IT systems, i.e. JITs funding, JITs evaluation and JITs restricted area, in order to partially integrate them with the platform: EUR 0.250 million in 2025 (one-off) and 1 FTE – a technical profile – as of 2025 onwards;

·for administrative support of the JIT Secretariat to the platform’s users on behalf of JIT space administrator(s): 2 FTEs as of 2026 onwards.

These costs would be borne by the Union general budget and would need to be reflected in the budget of both agencies.

5. OTHER ELEMENTS

·Implementation plans and monitoring, evaluation and reporting arrangements

Monitoring and evaluating the development and technical functioning of the JITs collaboration platform is vital and will follow the principles outlined in the common approach on decentralised agencies 18.

Once the development of the JITs collaboration platform is finalised, eu-LISA will submit a report to the European Parliament and to the Council explaining how the objectives, in particular relating to planning and costs, were achieved.

Two years after the start of operations of the JITs collaboration platform and every year after that, eu-LISA will submit to the Commission a report on the technical functioning of the JITs collaboration platform, including its security.

Four years after the start of operations of the JITs collaboration platform and every four years after that, the Commission will conduct an overall evaluation of the JITs collaboration platform. The Commission will send the evaluation report to the European Parliament and the Council.

·Detailed explanation of the specific provisions of the proposal

10.

Chapter I: General provisions


Article 1 sets out the subject matter of the Regulation. The ‘JITs collaboration platform’ is a centralised IT platform at EU level for those involved in JITs to collaborate, securely communicate among themselves, and share information and evidence. The Regulation also lays down rules on the division of responsibilities between the JITs collaboration platform users and eu-LISA, the organisation responsible for developing and maintaining the JITs collaboration platform. It sets out conditions, under which the JITs collaboration platform users may be granted access to a JIT collaboration space. It also lays down specific data protection provisions needed to supplement the existing data protection arrangements and to provide for an overall adequate level of data protection, data security and protection of the fundamental rights of the persons concerned.

Article 2 defines the scope of the Regulation. The Regulation applies to the processing of information, including personal data, within the context of a JIT. This includes the exchange and storage of operational information and evidence as well as non-operational information. This Regulation covers the operational and post-operational phases of a JIT, starting from the moment the relevant JIT agreement has been signed by its members.

Article 3 defines the terms used in the Regulation.

Article 4 describes the technical architecture of the JITs collaboration platform. The JITs collaboration platform must be composed of a centralised information system, which allows for temporary central data storage; communication software, which allows for local storage of communication data; and a connection between the centralised information system and relevant IT tools, supporting the functioning of JITs, hosted at Eurojust and managed by the JIT Secretariat.

Article 5 sets out the purpose of the JITs collaboration platform, which is to ease the daily coordination and management of a JIT; the exchange of operational information and evidence; secure communications; evidence traceability; and the evaluation of a JIT. The centralised information system is to be hosted by eu-LISA at its technical sites.

11.

Chapter II: Development and operational management


Article 6 confers implementing powers on the Commission to establish conditions for the technical development and implementation of the JITs collaboration platform. Those powers should be exercised in line with Regulation (EU) No 182/2011. The comitology procedure chosen is the examination procedure. Article 25 supplements Article 6 on the establishment of this procedure.

Article 7 grants eu-LISA the task of designing, developing and operating the JITs collaboration platform, given its experience with managing large-scale systems in the area of justice and home affairs. Its mandate should be amended to reflect those new tasks. eu-LISA should be equipped with the appropriate funding and staffing to meet its responsibilities under this Regulation.

Article 8 requires Member States to put in place technical arrangements so that their competent authorities can access the JITs collaboration platform in line with this Regulation.

Article 9 states that the competent Union bodies, offices and agencies must put in place technical arrangements so that they can access the JITs collaboration platform in line with this Regulation. In addition, Eurojust is responsible for the technical adaptation of its systems to establish a connection between the centralised information system and relevant IT tools, supporting the functioning of JITs and managed by the JIT Secretariat, in line with Article 4(c).

Article 10 defines the mandate, composition and organisational aspects of a Programme Management Board to be set up by the eu-LISA Management Board. This Programme Management Board must adequately manage the design and development phase of the JITs collaboration platform.

Article 11 defines the mandate, composition and organisational aspects of an Advisory Group to be established by eu-LISA. The Advisory Group will provide expertise related to the JITs collaboration platform, in particular in the context of preparation of its annual work programme and its annual activity report.

12.

Chapter III: Access to the JITs collaboration platform


Article 12 governs access to the JIT collaboration spaces by Member States’ competent authorities. Following the signature of the JIT agreement, a JIT collaboration space must be created within the JITs collaboration platform for each JIT. The JIT collaboration space must be opened by the JIT space administrator(s), with the technical support of eu-LISA. Based on the JIT agreement, the JIT space administrator(s) must define the access rights to the JIT collaboration space.

Article 13 states that the JIT space administrator(s) may decide to grant access to the JIT collaboration spaces to the competent Union bodies, offices and agencies for them to fulfil their statutory tasks.

Article 14 states that, for the purpose of Article 5, the JIT space administrator(s) may decide to grant access to the JIT collaboration spaces to third countries which have signed a particular JIT agreement. The JIT space administrator(s) must ensure that exchanges of operational information with third countries that have been granted access to a JIT collaboration space are limited to the purpose and subject to the conditions of the JIT agreement. Member States must ensure that transfers of personal data to third countries that have been granted access to a JIT collaboration space only take place when the conditions laid down in Chapter V of Directive 2016/680 are met.

13.

Chapter IV: Security and liability


Article 15 requires eu-LISA to take the necessary technical and organisational measures to ensure the security of the JITs collaboration platform and security of the data within the JITs collaboration platform.

Article 16 refers to liability of the Member States or the competent Union bodies, offices or agencies and claims for compensation against them.

14.

Chapter V: Data protection


Article 17 governs the retention period for storing operational data, as defined in Article 3. Such operational data must be stored in the centralised information system for as long as needed so that all users complete the downloading process. The retention period must not exceed four weeks. Upon expiry of this retention period, the data record must be automatically erased from the centralised system.

Article 18 governs the retention period for the storage of non-operational data, as defined in Article 3. Non-operational data must be stored in the centralised information system until the evaluation has been completed. The retention period must not exceed five years. Upon expiry of this retention period, the data record must be automatically erased from the centralised system.

Article 19 governs the data controllers and the data processor. It clarifies that each Member State competent authority and, where appropriate, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF or any other competent Union body, office or agency, are data controllers in line with applicable Union data protection rules for the processing of the personal data under this Regulation. eu-LISA must be considered as data processor in line with Regulation (EU) 2018/1725 for the personal data exchanged through, and stored in, the JITs collaboration platform. Wherever a third country uploads operational information or evidence to the JITs collaboration platform, that information or evidence must be scrutinised by a JIT space administrator before it can be downloaded by other platform users.

Article 20 limits the purposes of the processing of personal data entered into the JITs collaboration platform. Those data must only be processed for exchanging operational information and evidence between the platform users and exchanging non-operational data between collaboration platform users for managing the JIT. Access to the JITs collaboration platform must be limited to authorised staff of the Member States’ competent authorities and third country authorities, Eurojust, Europol, the European Public Prosecutor’s Office, OLAF and other competent Union bodies, offices or agencies. The access must also be limited to the extent needed to perform the tasks in line with the purpose referred to in paragraph 1 of Article 20, and to what is necessary and proportionate to the objectives being pursued.

Article 21 governs keeping logs. It states that eu-LISA must ensure that accessing the centralised information system and all data processing operations in the centralised information system are logged to check the admissibility of requests, to monitor data integrity and security and the lawfulness of the data processing and to self-monitor.

15.

Chapter VI: Final provisions


Article 22 sets out eu-LISA's and the Commission's reporting and reviewing obligations. Four years after the start of the JITs collaboration platform’s operations and every four years after that, the Commission will conduct an overall evaluation of the JITs collaboration platform.

Article 23 states that the costs incurred to establish and operate the JITs collaboration platform must be borne by the general budget of the Union.

Article 24 sets out the conditions that need to be met before the Commission determines the date of the start of operations of the JITs collaboration platform.

Article 25 governs the comitology procedure to be used, based on a standard provision.

Article 26 governs the amendments to Regulation (EU) 2018/1726 for the new responsibilities and tasks of eu-LISA.

Article 27 provides that the Regulation will enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.