Considerations on COM(2023)244 - Amendment of Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data

Please note

This page contains a limited version of this dossier in the EU Monitor.

 
dossier COM(2023)244 - Amendment of Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data.
document COM(2023)244
date March 13, 2024
 
(1) Directive (EU) 2016/680 of the European Parliament and of the Council9 provides for harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against, and the prevention of threats to, public security. That Directive requires the Commission to review relevant other acts of Union law in order to assess the need to align them with that Directive and to make, where necessary, the proposals to amend those acts to ensure a consistent approach to the protection of personal data falling within the scope of that Directive.

(2) Council Decision 2009/917/JHA10 on the use of information technology for customs purposes establishes the Customs Information System (CIS) to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and increase the effectiveness of the customs administrations. In order to ensure a consistent approach to the protection of personal data in the Union, that Decision should be amended to align it with Directive (EU) 2016/680. In particular, the personal data protection rules should respect the principle of purpose specification, be limited to specified categories of data subjects and categories of personal data, respect data security requirements, include additional protection for special categories of personal data and respect the conditions for subsequent processing. Moreover, provision should be made for the coordinated supervision model as introduced by Article 62 of Regulation (EU) 2018/172511.

(3) In particular, in order to ensure a clear and consistent approach ensuring adequate protection of personal data, the term ‘serious contraventions’ should be replaced by ‘criminal offences’, bearing in mind that the fact that a given conduct is prohibited under the criminal law of a Member State in itself implies a certain degree of seriousness of the contravention. Moreover, the objective of the CIS should remain limited to assisting in connection to the prevention, investigation, detection or prosecution of the criminal offences under national laws as defined in Council Decision 2009/917/JHA, that is, national laws in respect of which national customs administrations are competent and that are therefore particularly relevant in the context of customs. Therefore, whereas qualification as a criminal offence is a necessary requirement, not all criminal offences should be considered to be covered. By way of example, the covered criminal offences include illicit drugs trafficking, illicit weapons trafficking and money laundering. Furthermore, other than the introduction of the term ‘criminal offences’, this amendment should not be understood as affecting the specific requirements set out in that Council Decision regarding the establishment and sending of a list of criminal offences under national laws that meet certain conditions, those requirements relating only to the particular purpose of the customs files identification database.

(4) It is necessary to clarify the respective roles of the Commission and of the Member States with regard to the personal data. The Commission is considered the processor acting on behalf of the national authorities designated by each Member State, which are considered the controllers of the personal data.

(5) To ensure the optimal preservation of the data while reducing the administrative burden for the competent authorities, the procedure governing the retention of personal data in the CIS should be simplified by removing the obligation to review data annually and by setting a maximum retention period of five years which can be increased, subject to justification, by an additional period of two years. That retention period is necessary and proportionate in view of the typical length of criminal proceedings and the need for the data for the conduct of joint customs operations and of investigations.

(6) In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union (TEU) and to the TFEU, Ireland is bound by Council Decision 2009/917/JHA and is therefore taking part in the adoption of this Regulation.

(7) In accordance with Articles 1, 2 and 2a of Protocol No 22 on the Position of Denmark annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(8) The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered an opinion on XX/XX/202X.

(9) Council Decision 2009/917/JHA should therefore be amended accordingly.