Explanatory Memorandum to COM(2023)244 - Amendment of Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2023)244 - Amendment of Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data.
source COM(2023)244
date 11-05-2023


1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

Directive (EU) 2016/6801 (the Data Protection Law Enforcement Directive – LED) entered into force on 6 May 2016 and Member States had until 6 May 2018 to transpose it into national law. It repealed and replaced Council Framework Decision 2008/977/JHA2, but is a much more comprehensive personal data protection instrument. Notably, it applies to both domestic and cross-border processing of personal data by competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences and executing criminal penalties, including safeguarding against and preventing threats to public security (Article 1(1)).

Article 62(6) LED requires the Commission to review, by 6 May 2019, other EU legal acts that regulate competent authorities’ personal data processing for law enforcement purposes, in order to assess the need to align them with the LED and, where appropriate, to make proposals for amending them to ensure consistency in the protection of personal data within the scope of the LED.

The Commission set out the results of its review in a Communication on Way forward on aligning the former third pillar acquis with data protection rules (24 June 2020)3, which specifies ten legal acts that should be aligned with the LED. The list includes Council Decision 2009/917/JHA on the use of information technology for customs purposes4.

The proposal aims at aligning the data protection rules in Council Decision 2009/917/JHA with the principles and rules laid down in the LED, in order to provide a strong and coherent personal data protection framework in the Union.

Consistency with existing policy provisions in the policy area

The Customs Information System (CIS) established under the Council Decision 2009/917/JHA is an automated information system for customs purposes, which aims to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and increase the effectiveness of the customs administrations. The proposal aims to align the data protection rules in Council Decision 2009/917/JHA with the principles and rules laid down in the LED, in order to provide a strong and coherent personal data protection framework in the Union.

Consistency with other Union policies

Contents

1.

n/a


2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The protection of natural persons in relation to the processing of their personal data is a fundamental right laid down in Article 8 i of the Charter of Fundamental Rights of the European Union (‘Charter’).

The proposal is based on Article 16(2) of the Treaty on the Functioning of the European Union (TFEU), which is the most appropriate legal basis since both the objective and the substance of the proposed amendment is clearly limited to the protection of personal data.

Article 16(2) TFEU allows for rules to be adopted on the protection of individuals with regard to the processing of personal data by the competent authorities in Member States when carrying out activities to prevent, investigate, detect or prosecute criminal offences or execute criminal penalties that fall within the scope of EU law. It also allows for rules to be adopted on the free movement of personal data, including for personal data exchanges by competent authorities within the EU.

According to Article 2a of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark will not be bound by rules laid down on the basis of Article 16 TFEU which relate to the processing of personal data when carrying out activities falling within the scope of Chapter 4 and 5 of Title IV of Part Three of the TFEU. Therefore, Denmark will not be bound by the Regulation now proposed and will continue to apply the Council Decision as it stands today, that is, without the amendments now proposed.

That implies, inter alia, that the Joint Supervisory Authority referred to in Article 25 of the Council Decision will formally continue to exist, only in respect of Denmark. At the same time, due to the proposed deletion of that article and the proposed amendment to Article 26 introducing the coordinated supervision model laid down in Article 62 of Regulation (EU) 2018/1725, said existence has no effects in respect of the other Member States or the Customs Information System as such. As the present proposal is limited to aligning the Council Decision to the LED, this outcome is an unavoidable consequence of the alignment exercise required under the LED and the constraints resulting from Protocol No 22. When in the future a broader assessment of the Council Decision is warranted, the Commission will review this issue.

According to Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, Ireland is not bound by rules laid down on the basis of Article 16 TFEU, where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16. As Ireland participates in Council Decision 2009/917/JHA, it will thus also take part in the adoption of this proposal.

Subsidiarity (for non-exclusive competence)

The subject matter of this Regulation falls within the domain of exclusive competence of the Union, since only the Union can adopt rules governing the processing of personal data by the competent authorities for law enforcement purposes. Only the Union can align EU acts to the rules laid down in the LED. Therefore, only the Union can adopt a legislative act amending Council Decision 2009/917/JHA.

Proportionality

The proposal is limited to what is necessary to align Council Decision 2009/917/JHA with Union legislation on the protection of personal data (LED) without changing the Council Decision’s scope in any way. The proposal does not go beyond what is necessary to achieve the objectives pursued, in accordance with Article 5 i of the Treaty on European Union.

Choice of the instrument

2.

The proposal aims at amending a Council Decision, which was adopted before the entry into

force of the Treaty of Lisbon in 2009. The relevant provisions of Council Decision 2009/917/JHA which establish the Customs Information System and set out the rules for the operation and use of the system are directly applicable.

Therefore, the most appropriate instrument to amend this Council Decision under Article 16(2) of the TFEU is through a Regulation of the European Parliament and of the Council.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

The proposal follows the results of the Commission’s review under Article 62(6) of the LED, as presented in the 2020 Communication on Way forward on aligning the former third pillar acquis with data protection rules. This Communication lists six specific points on which alignment of Council Decision 2009/917/JHA with the LED is required, namely:

- In relation to the ‘serious contraventions’ to which the Council Decision applies;

- Clarify the conditions for collecting and recording the personal data and require that the personal data may be entered into the CIS only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit a criminal offence;

- Provide for additional requirements related to security of processing aligning the list of required security measures with Article 29 of the LED, i.e. by adding requirements on system recovery, reliability and integrity;

- Restrict the subsequent processing of personal data recorded in CIS for purposes other than for which the personal data were collected, so that it can occur only under the conditions provided for in the LED;

- Make the processing of personal data under Council Decision 2009/917/JHA subject to the coordinated supervision model laid down in Article 62 of Regulation (EU) 2018/17255. The Council Decision is the only remaining legal act whereby the supervision of processing of personal data is carried out by the Joint Supervisory Authority which has now become obsolete;

- Update the general reference to Council Framework Decision 2008/977/JHA with the reference to the applicability of the LED. Any provision that overlaps with the LED (such as definitions or the provisions on the rights of the data subjects or availability of judicial remedy and liability) should be removed as outdated and obsolete. References to specific provisions of Council Framework Decision 2008/977/JHA should be updated with specific corresponding references to the LED.

The proposal is limited to what is necessary to address the above points.

Stakeholder consultations

3.

n/a


Collection and use of expertise

In its review under Article 62(6) of the LED, the Commission took account of a study carried out as part of the pilot project on a ‘fundamental rights review of EU data collection instruments and programmes’6. The study mapped Union acts covered by Article 62(6) of the LED and identified provisions potentially requiring alignment on data protection issues.

Impact assessment

The impact of this proposal is limited to competent authorities’ processing of personal data in the specific instances regulated by Council Decision 2009/917/JHA. The impact of the new obligations arising from the LED was assessed in the context of the preparatory work for the LED. This renders a specific impact assessment for this proposal unnecessary.

Regulatory fitness and simplification

The proposal is not part of the regulatory fitness programme (REFIT).

Fundamental rights

The right to the protection of personal data is laid down in Article 8 of the Charter and Article 16 of the TFEU. As underlined by the Court of Justice of the European Union7, the right to the protection of personal data is not absolute, but must be considered in relation to its function in society8. Personal data protection is also closely linked to respect for private and family life, as protected by Article 7 of the Charter.

This proposal ensures that any processing of personal data under Council Decision 2009/917/JHA is subject to the ‘horizontal’ principles and rules of EU personal data protection legislation, thus further implementing Article 8 of the Charter. That legislation aims to ensure a high level of protection of personal data. Clarifying that the rules of the LED apply, as well as specifying how they apply, to personal data processing under the Council Decision will have a positive impact as regards the fundamental rights to privacy and personal data protection.

4. BUDGETARY IMPLICATIONS

4.

n/a


5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

5.

n/a


Detailed explanation of the specific provisions of the proposal

Article 1 identifies the relevant provisions of Council Decision 2009/917/JHA that need to be amended based on the review made by the Commission under Article 62(6) of the LED and presented in its 2020 Communication. These provisions are the following:

- Article 1 – Paragraph 2 is amended to replace the concept of ‘serious contraventions of national laws’ by the reference to ‘criminal offences under national laws’, so as to increase clarity whilst aligning with the LED.

- Article 2 – Point 2 on the definition of ‘personal data’ is deleted since the definition of personal data as defined in point i of Article 3 of the LED applies.

- Article 3 – Paragraph 2 is amended to clarify the respective roles of the Commission and of the Member States with regard to the personal data. A recital is also introduced for this purpose.

- Article 4 – Paragraph 5 is updated to replace the reference to the list of certain categories of personal data that cannot be entered into the system under Framework Decision 2008/977/JHA by a reference to the corresponding list under the LED.

- Article 5 – Paragraph 2 is updated to clarify the conditions for collecting and recording the personal data and require that the personal data may be entered into the CIS only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit one of the criminal offences under national laws covered.

- Article 7 – Paragraph 3 is updated to clarify the conditions in which access to the CIS by international or regional organisations may be permitted under the LED.

- Article 8 – Paragraph 1 is updated to restrict the subsequent processing of personal data recorded in the CIS, in line with the principle of purpose limitation as regulated under the LED. It further clarifies the conditions in which non-personal data can be processed for other purposes. Paragraph 4 is redrafted to clarify the conditions in which the transmissions and international transfers of personal data and non-personal data can take place.

- Article 14 on the retention of personal data is updated in order to introduce a maximum retention period in accordance with Article 4(1)(e) of the LED and simplify the previous procedure. A recital is also introduced to further explain the rationale of this update.

- Article 15 – Paragraph 3 is replaced to align the concept of ‘serious contraventions of national laws’ with the reference to ‘criminal offences under national laws’, as introduced in the new Paragraph 2 of Article 1.

- Article 20 – This article is replaced to update the general reference to Framework Decision 2008/977/JHA with the reference to the LED.

- Article 22 on the rights of access, to rectification, erasure or blocking is deleted as outdated and obsolete.

- Article 23 on the rights of the data subjects at national level is deleted as outdated and obsolete.

- Article 24 on the designation of a national supervisory authority or authorities is deleted as outdated and obsolete.

- Article 25 on the set up of a Joint Supervisory Authority is deleted as outdated and obsolete.

- Article 26 – This article is updated to make the processing of personal data subject to the coordinated supervision model laid down in Article 62 of Regulation (EU) 2018/1725.

- Article 28 – Paragraph 2 is amended to provide for additional requirements related to security of processing aligning the list of required security measures with Article 29 of the LED, i.e. by adding requirements on system recovery, reliability and integrity.

- Article 30 – Paragraph 1 is deleted as outdated and obsolete.

Article 2 sets the date of entry into force of this Regulation.