Explanatory Memorandum to COM(2022)207 - Signing of Agreement with New Zealand on the exchange of personal data between Europol and the designated authorities of New Zealand - Main contents
This page contains a limited version of this dossier in the EU Monitor.
|dossier||COM(2022)207 - Signing of Agreement with New Zealand on the exchange of personal data between Europol and the designated authorities of New ...|
1. THE SUBJECT OF THE PROPOSAL
The present proposal concerns the signature, in the interest of the European Union, of the Agreement with New Zealand on the exchange of personal data between the European Union Agency for Law Enforcement Cooperation (Europol) and the authorities of New Zealand competent for fighting serious crime and terrorism.
The aim of the Agreement is to allow the transfer of personal data between Europol and the competent authorities of New Zealand, in order to support and strengthen the action by the authorities of the Member States of the European Union and those of New Zealand, as well as their mutual cooperation in preventing and fighting criminal offences, including serious crime and terrorism, while ensuring appropriate safeguards with respect to the human rights and fundamental freedoms of individuals, including privacy and data protection. Cross-border information exchange between all relevant law enforcement agencies, within the European Union and with global partners, should be prioritised in order to prevent and combat terrorism, disrupting organised crime, and fight cybercrime. In this sense, the cooperation with New Zealand in the field of law enforcement is paramount to help the European Union to further protect its security interests.
• Reasons for and objectives of the proposal
In a globalised world where serious crime and terrorism are increasingly transnational and polyvalent, law enforcement authorities should be fully equipped to cooperate with external partners to ensure the security of their citizens. Europol should therefore be able to exchange personal data with law enforcement authorities of third countries to the extent necessary for the accomplishment of its tasks within the framework of the requirements set out in the Regulation 2016/794 of 11 May 2016 1 .
Europol can exchange personal data with third countries or international organizations on the basis of:
·Cooperation agreements concluded between Europol and the partner countries before the entry into application of the current Europol Regulation on 1 May 2017.
·A Commission decision finding that the country or international organisation in question ensures an adequate level of data protection (‘adequacy decision’);
·In the absence of an adequacy decision, an international agreement adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. Under the current legal basis, the Commission is now responsible, on behalf of the Union, for negotiating such international agreements.
In so far as necessary for the performance of its tasks, Europol may also establish and maintain cooperating relations with external partners through working and administrative arrangements that cannot be by themselves a legal basis for the exchange of personal data.
In the 11th progress report towards a genuine and effective Security Union 2 , the Commission identified eight priority countries 3 in the Middle East/North Africa (MENA) Regions on the basis of the terrorist threat, migration-related challenges, and Europol’s operational needs to start negotiations. Taking into account the political strategy as outlined in the European Agenda on Security 4 , Council Conclusions 5 , and the Global Strategy 6 , the operational needs of law enforcement authorities across the European Union, and the potential benefits of closed cooperation between Europol and the competent authorities of New Zealand in this area, as also demonstrated by the follow up to the Christchurch attack of March 2019, the Commission considers it necessary that Europol can exchange personal data with the authorities in New Zealand competent for fighting serious crime and terrorism.
Europol and New Zealand Police signed a working arrangement in April 2019 7 . This provided a framework for a structured cooperation, including a secure line allowing direct communication between both parties and the deployment by New Zealand of a liaison officer at Europol. However, that working arrangement does not provide for a legal basis for the exchange of personal data. In light of this, on 30 October 2019, the Commission presented a recommendation, proposing that the Council authorises the opening of negotiations for an agreement between the European Union and New Zealand on the exchange of personal data between Europol and the New Zealand authorities competent for fighting serious crime and terrorism 8 . On 13 May 2020, the Council authorized the Commission to open negotiations with New Zealand and adopted negotiation directives 9 10 .
Negotiations began in April 2021 in a friendly and constructive atmosphere. After the fourth and last round of negotiations, which was held in September 2021, both Parties came to terms vis-à-vis the provisions of the Agreement. The chief negotiators initialled the draft text of the Agreement in November 2021.
• Consistency with existing Union policies
The Agreement was negotiated in line with the comprehensive negotiating directives adopted by the Council on 13 May 2020. The present Agreement is also consistent with existing Union policy in the domain of law enforcement cooperation. In recent years, progress was made to improve the exchange of information cooperation between Member States and to close down the space in which terrorists and serious criminals operate. Existing Commission strategic documents underpin the necessity of improving the efficiency and effectiveness of law enforcement cooperation in the EU, as well as of expanding the cooperation with third countries. These include, among others, the Security Union Strategy 11 , the Counter-terrorism agenda for the EU 12 and the EU Strategy to tackle organised crime 13 .
One particular set of safeguards, notably those reflected in Chapter II of the Agreement, concerns the protection of personal data, which is a fundamental right enshrined in the EU Treaties and in the Charter of Fundamental Rights of the European Union. In accordance with Article 25(1) point (b) of the Europol Regulation, Europol may transfer personal data to an authority of a third country or to an international organisation on the basis of an international agreement concluded between the Union and that third country or international organisation pursuant to Article 218 TFEU adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. Chapter II of the Agreement provides for such safeguards, including in particular provisions ensuring a number of data protection principles and obligations that must be respected by the Parties (Articles 3,4,5,7,8,11,12,13,14 and 15), as well as provisions ensuring enforceable individual rights (Articles 6, 10 and 11), independent supervision (Article 16) and effective administrative and judicial redress for violations of the rights and safeguards recognised in the Agreement resulting from the processing of personal data (Article 17).
It is necessary to strike a balance between enhancing security and safeguarding human rights, including data and privacy. The Commission ensured that the Agreement adduces adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals, as well as a legal ground for the exchange of personal data for fighting serious crime and terrorism.
Moreover, the European Union and New Zealand are close partners. The EU-New Zealand Partnership Agreement on Relations and Cooperation, signed on 5 October 2016, reflects a strengthened partnership between the Parties, which deepens and enhances cooperation on issues of mutual interest, reflecting shared values and common principles. The Agreement not only covers provisions to facilitate trade, but also contains a number of provisions where the Parties commit to cooperate in areas such as law enforcement, the prevention and combating of organised crime and corruption, drugs, cybercrime, money laundering, terrorism and terrorist financing, migration, and asylum. The European Union and New Zealand are also partners within the Global Counter Terrorism Forum (GCTF), which is an international forum of 29 countries and the Union with an overarching mission of reducing the worldwide vulnerability of people to terrorism by preventing, combating, and prosecuting terrorist acts and countering incitement and recruitment to terrorism. Furthermore, the European Union and New Zealand closely cooperate on foreign and security issues and engage in regular political and security dialogues. These dialogues includes frequent consultations at ministerial and senior officials’ level. New Zealand also took part in some EU crisis management operations, for instance in Operation Atalanta (piracy at the Horn of Africa) in 2014.
3. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
• Legal basis
This proposal is based on Article 16(2) and Article 88, in conjunction with Article 218(5) of the Treaty on the Functioning of the European Union.
Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA 14 , (hereafter “Europol Regulation”), lays down specific rules regarding transfers of personal data by Europol outside of the EU. Article 25(1) thereof lists a number of legal grounds, based on which Europol can lawfully transfer personal data to authorities of third countries. One possibility is an adequacy decision of the Commission in accordance with Article 36 of Directive (EU) 2016/680 finding that the third country to which Europol transfers personal data ensures an adequate level of protection. Since neither an adequacy decision nor an agreement on operational cooperation is currently in place with New Zealand, the other alternative for structural transfers of personal data by Europol to New Zealand is the conclusion of a binding international agreement between the EU and New Zealand, adducing adequate safeguards with respect to the protection of privacy and other fundamental rights and freedoms of individuals.
The Agreement thus falls within the exclusive external competence of the Union. The signature of the Agreement, on behalf of the Union, may thus take place on the basis of Article 218(5) of the Treaty on the Functioning of the European Union (TFEU).
• Subsidiarity (for non-exclusive competence)
The Union’s objectives with regard to this proposal as set out above can only be achieved by entering into a binding international agreement providing for the necessary cooperation measures, while ensuring appropriate protection of fundamental rights. The provisions of the agreement are limited to what is necessary to achieve its main objectives. Unilateral action does not represent an alternative, as it would not provide a sufficient basis for the police cooperation with non-EU countries and could not ensure the necessary protection of fundamental rights.
• Choice of the instrument
4. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
• Ex-post evaluations/fitness checks of existing legislation
• Stakeholder consultations
• Collection and use of expertise
In the process of the negotiation, the Commission did not use external expertise.
• Impact assessment
• Regulatory fitness and simplification
• Fundamental rights
The exchange of personal data is likely to have an impact on data protection; however, as provided for in the Agreement, it will be subject to the same robust rules and procedures already in place to process such data, in line with EU law.
Chapter II provides for the protection of personal data. On that basis, Article 3 and Articles 4 to 17 set out fundamental data protection principles, including purpose limitation, data quality and rules applicable to the processing of special categories of data, obligations applicable to controllers, including on retention, keeping of records, security and as regards onward transfers, enforceable individual rights, including on access, rectification and automated decision-making, independent and effective supervision as well as administrative and judicial redress. The safeguards cover all forms of processing of personal data in the context of the cooperation between Europol and New Zealand. The exercise of certain individual rights can be delayed, limited or refused where necessary, reasonable and proportionate, taking into account the fundamental rights and interests of the data subject, in particular to prevent risk to an ongoing criminal investigation or prosecution, which is also in line with Union law.
Also, both the European Union and New Zealand will ensure that an independent public authority responsible for data protection (supervisory authority) oversees matters affecting the privacy of individuals in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data.
Article 29 strengthens the effectiveness of the safeguards in the Agreement by providing for joint reviews of its implementation at regular intervals. The evaluations teams shall include relevant experts on data protection and law enforcement.
As a further safeguard, pursuant to Article 19, paragraph 15, in the event of a material breach or of non-fulfilment of the obligations stemming from the provisions of the Agreement, the Agreement can be suspended. Any personal data transferred prior to suspension shall continue to be treated in accordance with the Agreement. In addition, in case of termination of the Agreement, personal data transferred prior to its termination shall continue to be processed in accordance with the provisions of the Agreement.
Furthermore, the Agreement guarantees that the exchange of personal data between Europol and New Zealand is consistent with both the principle of non-discrimination and Article 52(1) of the Charter, which ensure that interferences with fundamental rights that may derive from them are limited to what is strictly necessary to genuinely meet the objectives of general interest pursued, subject to the principle of proportionality.
5. BUDGETARY IMPLICATIONS
There are no budgetary implications for the Union budget.
6. OTHER ELEMENTS
• Implementation plans and monitoring, evaluation and reporting arrangements
There is no need for an implementation plan, as the Agreement will enter into force on the date of the receipt of the last written notification by which the European Union and New Zealand have notified each other through diplomatic channels that their own procedures have been completed.
With regards to monitoring, the European Union and New Zealand shall jointly review the implementation of the Agreement one year after its entry into force, and at regular intervals thereafter, and additionally if requested by either party and jointly decided.
• Detailed explanation of the specific provisions of the proposal
Article 1 includes the objective of the Agreement.
Article 2 includes the definitions of the Agreement.
Article 3 includes the purposes for processing personal data.
Article 4 provides the general data protection principles that the European Union and New Zealand must respect.
Article 5 provides for special categories of personal data and different categories of data subject, such as personal data in respect of victims of a criminal offence, witnesses or other persons who can provide information concerning criminal offences, or in respect of persons under the age of 18.
Article 6 provides for the automated processing of personal data.
Article 7 provides a basis for onward transfer of the personal data received.
Article 8 provides for the assessment of reliability of the source and accuracy of the information.
Article 9 provides for the right of access, ensuring that the data subject has the right, at reasonable intervals, to obtain information on whether personal data relating to him or her are processed under the Agreement.
Article 10 provides for the right to rectification/correction, erasure/deletion, and restriction, which ensures the data subject has the right to request the competent authorities to correct/rectify inaccurate personal data concerning the data subject transferred under the Agreement.
Article 11 provides for the notification of a personal data breach affecting personal data transferred under the Agreement, ensuring that the respective competent authorities notify each other as well as their respective supervisory authority of that breach without delay, and to take measures to mitigate its possible adverse effects.
Article 12 provides for the communication of a personal data breach to the data subject, ensuring that the competent authorities of both Parties of the Agreement communicate the data subject without undue delay in the event of a personal data breach likely to have serious adverse effect upon his or hers rights and freedoms.
Article 13 provides for storage, review, correction, and deletion of personal data.
Article 14 provides for the keeping of logs of the collection, alteration, access, disclosure including onward transfers, combination and erasure of personal data.
Article 15 provides for data security, ensuring the implementation of technical and organizational measures to protect personal data exchanged under this Agreement.
Article 16 provides for the supervisory authority, ensuring that there is an independent public authority responsible for data protection (supervisory authority) to oversee matters affecting the privacy of individuals, including the domestic rules relevant under the Agreement to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data.
Article 17 provides for administrative and judicial redress, ensuring that data subjects have the right to effective administrative and judicial redress for violations of the rights and safeguards recognized in the Agreement resulting from the processing of their personal data.
Article 18 provides for the settlement of disputes, ensuring that all disputes that may emerge in connection with the interpretation, application, or implementation of the Agreement and any matters related thereto will give rise to consultations and negotiations between representatives of the EU and New Zealand with a view to reaching a mutually agreeable solution.
Article 19 provides for a suspension clause.
Article 20 provides for the termination of the Agreement.
Article 21 provides for the relation with other international instruments, ensuring that the Agreement will not prejudice or affect the legal provisions with regard to the exchange of information foreseen in any treaty, agreement, or arrangement between New Zealand and any Member State of the European Union.
Article 22 provides for the implementing administrative arrangements.
Article 23 provides for the administrative arrangements on confidentiality, which ensures that an Administrative Arrangement on Confidentiality, concluded between Europol and the competent authorities of New Zealand, will regulate the exchange of EU classified information, if necessary under the Agreement.
Article 24 provides for the national contact points and liaison officers.
Article 25 provides for the expenses of the Agreement.
Article 26 provides for the notification of implementation of the Agreement.
Article 27 provides for entry into force and application of the Agreement.
Article 28 provides for amendments and supplements of the Agreement.
Article 29 provides for the review and evaluation of the Agreement.
Article 30 provides for the territorial applicability of the Agreement, ensuring it applies to the territory in which and in so far as the Treaty on European Union and the Treaty on the Functioning of the European Union are applicable and to the territory of New Zealand.