Annexes to COM(2022)364 - First report on application and functioning of the Data Protection Law Enforcement Directive (EU) 2016/680 (‘LED’) - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2022)364 - First report on application and functioning of the Data Protection Law Enforcement Directive (EU) 2016/680 (‘LED’). |
|---|---|
| document | COM(2022)364  |
| date | July 25, 2022 |
In addition, the EDPB has also contributed to the development of this instrument by clarifying the legal standard through guidance on the elements that must be considered when assessing adequacy in the law enforcement context, with the issuance of its Adequacy Referential under the LED 152 . In particular, the third country must ensure enforceable individual rights, effective judicial redress and independent supervision.
The Commission is actively promoting the possibility of adequacy findings with other key international partners, in particular with those countries with which close and swift cooperation is required in the fight against crime and terrorism and with which significant personal data exchanges are already taking place 153 . While no other adequacy decisions have been adopted so far, this is mainly because this instrument has only recently been introduced. In addition, and unlike for data processing by commercial operators, global convergence of data protection rules in the area of criminal law enforcement is only now starting to develop (driven, for instance, by multilateral arrangements such as the modernised Council of Europe Convention 108 or the Second Additional Protocol to the ‘Budapest’ Convention on Cybercrime). Nevertheless, the experience gained from the adoption of the adequacy decision with the United Kingdom will help to pave the way for similar initiatives in the coming years. The Commission will, as part of its international strategy, consider other possible candidates for future adequacy decisions under the LED and will do so in direct contact with the other relevant EU institutions and bodies 154 . To this end, and in accordance with Recital 68 of the LED, the Commission will pay close attention to the international commitments of the assessed countries relating to the protection of personal data, including accession to the beforementioned multilateral arrangements or to other law enforcement instruments providing appropriate data protection safeguards.
3.5.2Appropriate safeguards
The LED contains other transfer instruments in addition to the comprehensive solution of an adequacy decision. The flexibility of this ‘toolbox’ is reflected in Article 37 LED, which regulates data transfers based on ‘appropriate safeguards’ regarding the protection of personal data. Such appropriate safeguards may be provided either by a legally binding instrument, or when the controller, based on an assessment of all the circumstances surrounding the transfer, concludes that appropriate safeguards exist (the so-called “self-assessment” for transfers).
In the first years of the LED’s application, the Commission in particular worked on binding legal instruments in the form of international agreements providing appropriate safeguards. Such agreements play an important role both in the context of ‘traditional’ (i.e. cooperation between competent authorities) and other forms of law enforcement cooperation (i.e. cooperation involving third parties such as private companies). They can also serve as a basis for data transfers by Europol and Eurojust under their respective legal frameworks whose rules on international transfers are very similar to the ones under the LED.
Concerning traditional forms of law enforcement cooperation, the Commission is reviewing international agreements adopted before the LED entered into force in order to ensure consistency with the EU’s modernised data protection regime 155 .
Firstly, the Commission is assessing the data protection provisions contained in Europol’s existing cooperation agreements 156 with third countries concluded prior to 1 May 2017, as mandated by Regulation (EU) 2016/794 on the European Union Agency for Law Enforcement Cooperation (hereinafter ‘the Europol Regulation) 157 . In line with Article 9 of Protocol No 36 to the Treaty on European Union 158 and the TFEU (on transitional provisions), the legal effects of these agreements have been preserved until those agreements are repealed, annulled or amended 159 . The Commission will inform the European Parliament and the Council of the outcome of this assessment and will, if appropriate, submit to the Council a recommendation for a decision authorising the opening of negotiations to amend the respective agreement(s) in accordance with Article 218 TFEU. This is a complex task which involves the assessment of 18 agreements and was delayed by the disruptions caused by the Covid-19 pandemic. The Commission expects to complete its assessment in the second half of 2022.
Consistency of all law enforcement cooperation mechanisms with the rules of the LED is a guiding principle that the Commission also follows when negotiating new agreements for the transfer of personal data by Europol to third countries or international organisations. Since the current Europol Regulation entered into force in 2017, Article 218 TFEU has been the legal basis for such international agreements ensuring adequate safeguards. In 2018 and 2019, the Council adopted nine mandates for the Commission to start negotiations with third countries on behalf of the Union. The Commission has also been authorised to start negotiations on a cooperation agreement with Interpol to cover the exchange of data with several EU bodies and agencies. In all these cases, the Council has addressed negotiating directives to the Commission with a view to ensuring that the necessary safeguards for the protection of personal data and other fundamental rights and freedoms of individuals are included. On this basis, the Commission has already concluded the negotiations with New Zealand, leading to the signing of a cooperation agreement on 30 June 2022. In addition, progress has been achieved in the negotiations with Israel. As regards Turkey, the negotiations are at an advanced stage, but cannot be concluded until Turkey adopts the necessary reforms in its data protection legislation. Similar authorisations were granted in March 2021 for the negotiation of cooperation agreements to allow the exchange of data by Eurojust with 13 third countries.
Secondly, the Commission is conducting the first joint review of the Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences (the Umbrella Agreement). The Umbrella Agreement, which entered into force in February 2017, contains a comprehensive and harmonised set of data protection rules that apply to all transatlantic exchanges between competent authorities. It complements existing EU-US and EU Member State-US agreements between law enforcement authorities, sets a standard of high level of protection for future agreements in this field, and strengthens law enforcement cooperation by facilitating the exchange of information. The joint review seeks to assess the effective implementation of the Umbrella Agreement, in particular as regards the provisions on onward transfer, individual rights and judicial redress. The timeline for the joint review was affected by the disruptions linked to the Covid-19 pandemic, as well as the parallel negotiations on the Second Additional Protocol to the Council of Europe ‘Budapest’ Convention on Cybercrime 160 . The Commission expects that it will be completed in the second half of 2022.
As the first bilateral international agreement with a comprehensive catalogue of data protection rights and obligations, the Umbrella Agreement a reference point for negotiating similar framework agreements with important criminal law enforcement partners 161 . In doing so, the Commission will also take into account relevant developments, including EDPB guidance, case law from the CJEU and the outcome of international negotiations on data protection safeguards in this area (such as, for instance, the Second Additional Protocol to the Budapest Convention on Cybercrime or the Europol agreement with New Zealand 162 ).
Thirdly, the Commission has identified the Agreement between the European Union and Japan on mutual legal assistance in criminal matters (the EU-Japan MLAT) 163 as an EU act regulating data processing (transfers) for criminal law enforcement purposes that needs to be amended to ensure appropriate data protection safeguards in line with the LED. Following the Council’s adoption of a decision 164 authorising the opening of negotiations to amend the EU-Japan MLAT, the Commission continues to engage with the Japanese authorities with a view to starting negotiations as soon as possible.
Moreover, other forms of cooperation adapted to the specific challenges and needs of criminal investigations in today’s digital economy are now also increasingly relied upon. These mainly concern enhanced cooperation in the field of cybercrime and for the collection of evidence in electronic form concerning criminal offences. This cooperation, including direct cooperation with private parties for access to electronic evidence.
The Commission has also engaged with international partners with a view to ensure that these other (important) forms of cooperation can take place based on appropriate data protection safeguards.
Firstly, the Commission represented the EU during the negotiations 165 within the framework of the Council of Europe on a Second Additional Protocol to the ‘Budapest’ Convention on Cybercrime 166 .The Protocol, which was approved by the Council of Europe’s Committee of Ministers on 17 November 2021, contains strong safeguards for the protection of fundamental rights, including an article 167 containing detailed provisions on the protection of personal data transferred under the Protocol. These provisions cover all the essential data protection principles, rights and obligations recognised in EU law. These guarantees are complemented by a monitoring provision and by the possibility to suspend transfers in the event of a systematic or material breach of the safeguards contained in the Protocol, for instance, the absence of effective judicial remedies. Through these provisions, it provides appropriate safeguards in line with the requirements of Article 37(1)(a) LED 168 . This is a significant achievement, given the diverse membership of the Budapest Convention, which currently has 66 state parties representing different legal backgrounds and traditions. It will allow Member States’ competent authorities to benefit from effective cross-border cooperation in the fight against cybercrime, while ensuring respect for EU values as reflected in the EU Charter of Fundamental Rights, the EU Treaties and EU secondary law. Given the large number of parties to the Budapest Convention, which currently includes countries from around the world, the Protocol will also help to promote high data protection standards for data processing in the area of criminal law enforcement at a global level. The Protocol was opened for signature on 12 May 2022, with a total of 22 Parties to the Budapest Convention (including 13 EU Member States) already signing it.
Secondly, the Commission has initiated negotiations on a bilateral agreement with the United States on cross-border access to electronic evidence for judicial cooperation in criminal matters. 169 This agreement seeks to cover electronic evidence in the form of both non-personal and personal data, including traffic and content data. Importantly, the negotiations also aim at the inclusion of additional data protection safeguards that would complement those in the Umbrella Agreement, taking into account, in particular, the sensitivity of the categories of data concerned as well as the requirements of the transfer of electronic evidence directly by service providers. Progress on these negotiations will largely depend on the progress of the ongoing legislative process on the EU’s e-evidence package 170 .
These various initiatives by the Commission to develop international instruments facilitating law enforcement cooperation with international partners while also ensuring appropriate data protection safeguards have been supported by the work of the EDPB and the EDPS. This work includes the EDPB’s statement on the draft Second Additional Protocol to the Budapest Convention 171 and the EDPS’s opinions on the draft negotiating mandates for international agreements under Article 218 TFEU that would allow Europol and Eurojust to exchange personal data with third countries or international organisations 172 . The EDPB also issued a statement inviting Member States to assess and, where necessary, review international agreements involving international transfers of personal data 173 . This statement concerns agreements that were concluded prior to before 6 May 2016, including in the area of criminal law enforcement), and invites Member States to determine whether further alignment with EU data protection legislation and case law is required.
Article 37 of the LED also permits international data transfers based on self-assessment by a competent authority as to whether a third country (or an international organisation) has appropriate data protection safeguards. In these cases, the authority has to document the transfer (including its date and time, information on the receiving authority, justification of the transfer and the personal data transferred) and the documentation must be made available to the supervisory authority on request (Article 37(3) LED). Feedback provided by Member States 174 indicates that this tool has rarely been used.
To allow Member States to make full use of the LED’s transfer toolbox, it is important that the EDPB intensifies its ongoing work on the various transfer mechanisms. Among other things it should provide guidance on the mechanisms included in Article 37(1) LED, notably on the transfers based on self-assessments by competent authorities. The Council has also stressed this need 175 .
3.5.3Use of derogations
Finally, the so-called ‘derogations’ provide an important ground for transfers under certain conditions, laid down in Article 38 of the LED. These conditions strike a balance between privacy considerations and the operational needs of competent authorities. In particular, Article 38(1) allows for transfers, and even categories of transfers, of personal data where this is necessary for the prevention of an immediate and serious threat to public security 176 or, in individual cases, for the prevention, investigation, detection or prosecution of criminal offences 177 . In contrast to derogations under Article 49 of the GDPR, no guidance currently exists for derogations under Article 38 of the LED.
3.5.4Effective police and judicial cooperation across borders
The LED has become an international reference point for data protection in the law enforcement context and has acted as a catalyst for countries around the world to consider introducing modern privacy rules in this area. This is a very positive development that brings new opportunities to better protect individuals in the EU when their data is transferred abroad for law enforcement purposes while, at the same time, facilitating data flows that can help fighting against crime.
More generally, it is important to ensure that when companies active in the European market receive direct cooperation requests to share data for law enforcement purposes, they can do so without facing conflicts of law and in full respect of EU fundamental rights 178 . To improve such transfers, the Commission is committed to developing appropriate legal frameworks with its international partners to avoid conflicts of law and support effective forms of cooperation, notably by providing for the necessary data protection safeguards and thereby contributing to a more effective fight against crime.
Against this backdrop, the Commission has engaged in bilateral, regional and multilateral settings to actively promote international convergence in data protection standards for criminal law enforcement cooperation. During its dialogues with several foreign partner countries on ongoing reforms of data protection laws, the Commission’s services have engaged in different ways (e.g. submissions in response to public consultations, participation in parliamentary hearings, and dedicated meetings with government representatives and policy-makers) on the development of rules on the processing of personal data by competent authorities.
In a regional and multilateral setting, the Commission, for example, supports capacity-building projects in the context of the implementation of the Council of Europe’s Budapest Convention on Cybercrime 179 These projects include the GLACY+ programme to strengthen states’ capacity to apply legislation on cybercrime and to enhance their ability for effective international cooperation in line with the Budapest Convention and its additional protocols. This also involves developing data protection legislation for data processing in this area. The programme currently supports 17 priority and hub countries in Africa, the Asia-Pacific, Latin America and the Caribbean region.
The Commission has also engaged with Ameripol, a police cooperation organisation bringing together 18 countries of Latin America, in the context of the development a data protection framework for the exchange of information between Ameripol and its member states. This engagement is taking place through EL PAcCTO: Support to Ameripol, a project whose purpose is to improve the level of international cooperation between the police, judicial and prosecutor bodies of the partner countries in the fight against organised crime.
The Commission also promotes the modernised Convention 108 (known as Convention 108+) 180 , which is also applicable to data processing activities for criminal law enforcement purposes. This Convention, which is also open to non-members of the Council of Europe, is important not only because it is the only multilateral binding agreement on data protection, but also because through its Convention Committee it provides a forum for the exchange of best practices and the setting of global standards 181 . As part of its international strategy on data flows, the Commission encourages accession by third countries to Convention 108+.
Lastly, the Commission encourages greater convergence at international level by sharing our experience with partners on the data protection aspects of criminal law enforcement cooperation. The Commission’s “Data Protection Academy”, a part of the project “International Digital Cooperation - Enhanced Data Protection and Data Flows”, financed by the Foreign Policy Instrument, is a key tool in this endeavour. The Academy was established to foster exchanges between European and third country regulators and to improve cooperation on the ground. The academy’s activities cover all aspects of data protection supervision, including in the field of law enforcement.
4The way forward
In order to ensure an efficient EU security policy that fully respects the fundamental right to the protection of personal data, the Commission will continue to check that the Member States have correctly transposed the LED and to monitor the application of its provisions.
The LED has significantly contributed to a more harmonised and higher level of protection of individuals’ rights and a more coherent legal framework for competent authorities.
The LED has generally been transposed in a satisfactory manner, but a number of issues have been identified. The Commission has already launched infringement procedures regarding both the non-transposition and the non-conformity of national laws with the LED. It will continue to work to ensure full and correct transposition.
The LED has resulted in a higher level of awareness and attention on data protection by national competent authorities, also as regards the security of processing.
Active supervision by data protection supervisory authorities is pivotal to ensure that the objectives of the LED are met in practice. The authorities therefore need to be given all the types of powers required by the LED, together with adequate resources.
At this stage, the focus should be on realising the full potential of the LED. In this context, and given the limited experience with these new rules, the Commission believes that it is too early to consider revising the LED.
The Commission will continue to actively work with all relevant parties in the perspective of the next evaluation due by 2026. It will in the meantime continue to work on ensuring consistency with other EU legislation that is relevant to the processing of personal data for criminal law enforcement purposes.
Legal framework
The Commission will:
-continue to assess the Member States’ transposition of the LED and take appropriate action when necessary (including launching infringement procedures);
-pursue bilateral exchanges with Member States;
-ensure that future legislative proposals are consistent with the LED.
Member States should:
-ensure the full and correct transposition of the LED at national level including by specifying the necessary LED requirements when the national data protection acts transposing the LED does not do so.
Supervision by data protection supervisory authorities
Member States should:
-provide data protection supervisory authorities sufficient resources to perform their LED-enforcement tasks;
-ensure that data protection supervisory authorities can exercise all the types of powers set out in the LED;
-systematically consult their data protection supervisory authorities on draft legislation and administrative measures of general application that relate to the protection of personal data, and take due account of their opinions (particularly in the case of new technologies).
Data protection supervisory authorities are invited to:
-make full use of their investigative powers, including by conducting own-initiative inspections;
-collect specific statistics relating to their supervisory activities under the LED;
-make use of the mutual assistance tools and develop practical measures to facilitate requests for assistance, including through the planned EDPB guidelines.
The EDPB is invited to:
-expand the Support Pool of Experts 182 for LED-related tasks.
Supporting competent authorities
The Commission will:
-facilitate discussions and the sharing of experience between Member States and the Commission in the LED Member States Expert Group;
-facilitate the exchange of views between data protection officers through the Network of Data Protection Officers.
Member States are invited to:
-continue efforts to provide training on data protection requirements to competent authorities, including in relation to new technologies.
The EDPB and the data protection supervisory authorities are invited to:
-strengthen their efforts to adopt relevant guidelines (e.g. on the role of consent in the context of processing personal data for criminal law enforcement purposes, and on data subjects’ rights including their possible limitations), either by adopting new self-standing guidelines or by supplementing the guidelines already adopted for the GDPR.
Cross-border data transfers
The Commission intends to:
-actively promote possible new adequacy decisions with key international partners;
-negotiate new cooperation agreements between Europol and Eurojust, on the one hand, and third countries, on the other hand. Where necessary, it will seek to renegotiate existing Europol cooperation agreements to ensure that they include appropriate data protection safeguards;
-engage in negotiations with Japan with a view to amend the existing EU-Japan Mutual Legal Assistance Agreement to ensure appropriate data protection safeguards;
-pursue and conclude the negotiation of a bilateral agreement with the United States on cross-border access to electronic evidence for judicial cooperation in criminal matters, including by complementing the data protection safeguards guaranteed by the EU-US Umbrella Agreement to reflect the specific context of direct cooperation between law enforcement authorities and service providers;
-explore the possibility of concluding data protection framework agreements for data processing in the area of criminal law enforcement with important criminal law enforcement partners, building on the example of the EU-US Umbrella Agreement.
The EDPB is invited to:
-adopt guidelines in order to further clarify the notion and content of ‘appropriate safeguards’ (Article 37 of the LED) as well as the use of derogations (Article 38 of the LED).
Promoting convergence and developing international cooperation
The Commission will:
-expand its engagement with international partners with a view to strengthen convergence of data protection rules in the area of criminal law enforcement, including by promoting accession to Convention 108+ as the only binding global agreement on data protection;
-promote bilateral, regional and multilateral cooperation and support capacity-building projects in the field of data protection and police cooperation. This will include training and the exchange of knowledge and best practices through the Data Protection Academy.
The Member States are invited to:
-swiftly ratify the Second Additional Protocol to the Council of Europe’s ‘Budapest’ Convention on Cybercrime, as soon as they are authorised by a Council Decision to do so.
(1)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(2)
Article 1(1) LED.
(3)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4.5.2016, p. 1).
(4)
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(5)
The Charter of Fundamental Rights of the European Union (OJ C 202, 7.6.2016, p. 389).
(6)
A consolidated version of the Treaty on the Functioning of the European Union (OJ C 202, 7.6.2016, p. 47).
(7)
Article 63(1) LED.
(8)
Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350, 30.12.2008, p. 60).
(9)
For example, legal acts regulating the Schengen Information System and other Schengen acquis instruments contained specific provisions regulating matters such as data subject rights.
(10)
These include lawfulness and fairness; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability (Article 4 LED).
(11)
Articles 6, 7, 25 and 29 LED respectively.
(12)
Declaration No 21 on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, annexed to the final act of the intergovernmental conference which adopted the Treaty of Lisbon. (OJ C 115, 9.5.2008, p. 345–345).
(13)
Explanatory memorandum to the proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, COM(2012) 10 final, 25 January 2012.
(14)
Communication from the Commission to the European Parliament and the Council ‘Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation, COM(2020) 264 final, 24 June 2020’.
(15)
Article 62(6) LED required the Commission to review, by 6 May 2019, other EU legal acts that regulate the processing of personal data for law enforcement purposes, in order to assess the need for alignment with the LED and, where appropriate, propose amendments to those other EU legal acts in order to ensure a consistent approach to the protection of personal data within the scope of the LED.
(16)
Communication from the Commission to the European Parliament and the Council ‘Way forward on aligning the former third pillar acquis with data protection rules’, COM(2020) 262 final, 24 June 2020.
(17)
Chapters 4 and 5 of Title V of Part Three of the TFEU.
(18)
This has already been addressed by the 2020 Commission proposal on amending the Europol Regulation.
(19)
Communication from the Commission to the European Parliament and to the Council - First Progress Report on the EU Security Union Strategy, COM(2020) 797 final, 9 December 2020.
(20)
Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy, COM (2020) 605 final, 24 July 2020.
(21)
Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts, COM(2021) 206 final, 21 April 2021.
(22)
Electronic information and evidence is needed in about 85% of investigations into serious crimes, and 65% of the total number of requests are made to providers based in another jurisdiction. See the Commission Staff Working Document (‘Impact Assessment Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters and Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings’), SWD(2018) 118 final.
(23)
See also recital 25 LED.
(24)
Contribution by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs to the European Commission’s upcoming report on the evaluation and review of the LED, 7 February 2022.
(25)
Council position and findings on the application of the LED (Council document 13943/21 of 18 November 2021 https://www.consilium.europa.eu/media/54304/st_13943_2021_init_en.pdf ).
(26)
Contribution of the EDPB to the European Commission’s evaluation of the LED under Article 62 LED, adopted on 14 December 2021 (‘EDPB contribution to the evaluation of the LED’).
https://edpb.europa.eu/system/files/2021-12/edpb_contribution_led_review_en.pdf .
(27)
Out of the 804 civil society organisations approached by the European Union Agency for Fundamental Rights (FRA), 88 replied. However, only 17 of the contributions could be considered on account of the fact that 61 contributions were not related to the LED, or indicated that the organisation concerned do not work on fundamental rights protection in the area of criminal law enforcement or is not at all familiar with the LED.
(28)
Call for Evidence, data protection in law enforcement – report on the Law Enforcement Directive, 24 January 2022. https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13288-Data-protection-in-law-enforcement-report-on-the-Law-Enforcement-Directive_en .
(29)
Commission expert group on Regulation (EU) 2016/679 and Directive (EU) 2016/680 (E03461); https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?do=groupDetail.groupDetail&groupID=3461
(30)
Report by the Presidency of the Council of the European Union on the exchange of police data with third countries - experiences in the application of Article 37 of the Law Enforcement Directive, December 2020.
(31)
See recitals 101-103 LED.
(32)
EDPB contribution to the evaluation of the LED, paragraph 4.
(33)
Council position and findings on the application of the LED, paragraph 7.
(34)
For example, the authorities in Denmark, Lithuania, Norway, Austria and several authorities in Germany do not keep separate statistics on LED data breaches. Six authorities have also reported that they received no breach notifications under the LED.
(35)
For example, the authorities in Denmark and Austria and several of the authorities in Germany do not keep separate statistics for LED complaints.
(36)
EDPB contribution to the evaluation of the LED, paragraph 43.
(37)
See footnote 29.
(38)
Judgment of 25 February 2021, European Commission v Kingdom of Spain, C-658/19, EU:C:2017:548.
(39)
In April 2022 the Commission launched infringement procedures against Greece, Finland and Sweden on the grounds that their national transposing laws are not in conformity with the LED. The case against Greece relates to a number of points, including, inter alia, the non-application of the national law transposing the LED to the processing of personal data by judicial-prosecutorial authorities and by authorities acting under their supervision for the majority of criminal offences; the transposition of provisions on data storage and review (Article 5); the legal basis for data processing (Article 8); and safeguards in the context of automated decision-making (Article 11). The infringement procedures against Finland and Sweden were launched because their laws do not provide data subjects with access to an effective remedy before a court or a tribunal. The Commission opened an infringement procedure against Germany in May 2022 because several national laws transposing the LED fail to provide effective corrective powers at federal and Länder level.
(40)
Judgment of 12 May 2021, WS v Bundesrepublik Deutschland, C-505/19, EU:C:2021:376. The case concerned, among other issues, the lawfulness of processing personal data (Article 4(1)(a) and Article 8 LED) in the specific context of a red notice issued by Interpol. The Court did not preclude the processing of personal data appearing in a red notice issued by Interpol as being lawful until it has been established in a final judicial decision that the ne bis in idem principle applies in respect of the acts on which that notice is based.
(41)
Judgment of 22 June 2021, B v Latvijas Republikas Saeima, C‑439/19, EU:C:2021:504. The CJEU interpreted the definition of the competent authority under Article 3(7) and the concept of crime. See also the section below.
(42)
See Minutes of the meeting of the Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680 5 May 2021 https://ec.europa.eu/transparency/expert-groups-register/screen/meetings/consult?lang=en&meetingId=25283&fromExpertGroups=true
(43)
EDPB contribution to the evaluation of the LED, paragraph 7.
(44)
The data protection supervision authorities of Ireland, France and Hungary raised this as a concern.
(45)
Article 2(1) LED and recitals 12-14 LED.
(46)
Article 1 LED.
(47)
Article 3(7) LED.
(48)
Article 41 of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, which regulates the operation by the Financial Intelligence Units, explicitly states that the processing of personal data under this Directive is subject to Regulation (EU) 2016/679.
(49)
Judgment of 22 June 2021, B v Latvijas Republikas Saeima, C‑439/19, EU:C:2021:504, paragraph 87.
(50)
Request for a preliminary ruling in C.G. v Bezirkshauptmannschaft Landeck, C-548/21.
(51)
Section 1 of Chapter VI LED.
(52)
Recitals 7 and 82 LED.
(53)
See also paragraph 23 of the EDPB’s contribution to the evaluation of the LED: 24 Member States provided for the power to obtain access to any premises of the controller and the processor, and to any data processing equipment and means; 21 Member States provided for an audit process and 9 Member States provided for other powers (e.g. seizure of objects, request for a hearing before the data protection supervisory authority and request for executive assistance from the police).
(54)
Points (a) to (c) of Article 47(2) LED.
(55)
18 Member States provided that possibility: Bulgaria, Czechia, Estonia, Greece, Croatia, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta, Netherlands, Austria, Portugal, Romania, Slovakia and Sweden. The data protection supervisory authorities in three Member States (Estonia, Latvia and Austria) may impose fines on natural persons (e.g. employees) or on private entities (i.e. private entities that are data processors).
(56)
Article 52 LED.
(57)
Article 53 LED.
(58)
Finland and Sweden.
(59)
Article 53(2) LED.
(60)
Article 54 LED.
(61)
Article 55 LED.
(62)
Article 5 LED.
(63)
Request for a preliminary ruling in NG v Direktor na Glavna direktsia ‘Natsionalna politsia’ pri MVR - Sofia, C-118/22.
(64)
Article 8(2) LED.
(65)
Article 10 LED.
(66)
Article 11(1) LED.
(67)
Article 11(2) LED.
(68)
Article 11(3) LED.
(69)
Article 15(1) LED.
(70)
Articles 13(3) and 16(4).
(71)
Article 17 LED.
(72)
Article 18 LED.
(73)
Request for a preliminary ruling in TX v Bundesrepublik Deutschland, C-481/21.
(74)
Article 6 LED.
(75)
Request for a preliminary ruling in Ministerstvo na vatreshnite raboti v B.C., C-205/21.
(76)
Article 7 LED.
(77)
Germany has made use of the option for certain laws transposing the LED at federal and Länder level.
(78)
Article 63(2) LED.
(79)
Article 25 LED.
(80)
Council position and findings on the application of the LED, paragraph 15.
(81)
Article 15 LED.
(82)
Article 16 LED.
(83)
Article 13 LED.
(84)
Article 17 LED.
(85)
Four data protection supervisory authorities do not collect statistics on requests received under Article 17 LED.
(86)
These concern requests made since the transposition of the LED until December 2021. EDPB contribution to the evaluation of the LED (individual DPA answers).
(87)
EDPB contribution to the evaluation of the LED, paragraph 50.
(88)
EDPB contribution to the evaluation of the LED, paragraph 33.
(89)
Three organisations (in the context of the replies to the questionnaires sent to them by the Fundamental Rights Agency) reported that they had received one request and one organisation reported that it had received more than one request.
(90)
EDPB contribution to the evaluation of the LED, paragraph 31.
(91)
Article 15 LED.
(92)
Article 16 LED.
(93)
Article 13 LED.
(94)
Council position and findings on the application of the LED, paragraph 21.
(95)
EDPB contribution to the evaluation of the LED (individual DPA answers).
(96)
EDPB contribution to the evaluation of the LED, paragraph 40 and Council position and findings on the application of the LED, p. 9.
(97)
EDPB contribution to the evaluation of the LED paragraph 70.
(98)
EDPB contribution to the evaluation of the LED paragraph 70.
(99)
Article 46(1)(d) LED.
(100)
EDPB contribution to the evaluation of the LED, (individual DPA answers).
(101)
EDPB contribution to the evaluation of the LED, paragraphs 41-42.
(102)
Articles 32-34 LED.
(103)
Council position and findings on the application of the LED, paragraph 22.
(104)
Council position and findings on the application of the LED, paragraph 25.
(105)
EDPB contribution to the evaluation of the LED, paragraphs 70 and 71, and individual DPA responses (Germany, Finland, France, Hungary, Malta).
(106)
Council position and findings on the application of the LED, paragraph 26.
(107)
Articles 30 and 31 of the LED.
(108)
The figures include all the data breaches reported between the transposition of the LED and December 2021. The data was gathered from the data protection supervisory authorities in December 2021.
(109)
Spain, Croatia, Lithuania, Portugal, Slovakia and Slovenia.
(110)
Commission Staff Working Document, Communication from the Commission to the European
Parliament and the Council, Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation, COM(2020) 264 final.
(111)
EDPB Guideline 01/2021 on examples regarding personal data breach notification, adopted on 14 December 2021. https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012021_pdbnotification_adopted_en.pdf
(112)
Article 42(4) LED.
(113)
Communication from the Commission to the European Parliament and the Council, ‘Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation’, COM(2020) 264 final.
(114)
Council position and findings on the application of the LED, paragraph 12.
(115)
Contribution of the EDPB to the evaluation of the GDPR under Article 97, 18 February 2020, pp. 26-29.
https://edpb.europa.eu/sites/default/files/files/file1/edpb_contributiongdprevaluation_20200218.pdf ;
EDPB overview on resources made available by Member States to the data protection authorities and on enforcement actions by the data protection authorities (‘EDPB overview on resources’), 5 August 2021, pp. 4-5.
https://edpb.europa.eu/our-work-tools/our-documents/other-guidance/overview-resources-made-available-member-states-data_en .
(116)
EDPB contribution to the evaluation of the LED, paragraph 65 and figure on Q41, p. 20.
(117)
Germany indicated a significant increase from 33 to 53 FTEs between 2017 and 2021.
(118)
EDPB contribution to the evaluation of the LED, figure on Q41, p. 20. EDPB overview on resources, p. 5.
(119)
EDPB contribution to the evaluation of the LED, figure on Q41, p. 19.
(120)
Belgium, Denmark, Ireland, Greece, Latvia, Luxembourg, Hungary, Malta, Austria and Finland.
(121)
Germany and France.
(122)
France and Sweden.
(123)
The Netherlands.
(124)
Ireland received 135 LED-related complaints since 2018, Hungary has received 141 since 2018, and Denmark has received 223 since 2017. By contrast, there have been thousands of GDPR-related complaints (see EDPB overview on resources, p. 10.)
(125)
EDPB contribution to the evaluation of the LED, paragraph 69.
(126)
The data protection supervisory authorities of Ireland, Malta and the Netherlands reported that they conducted investigations on their own initiative. The data protection supervisory authorities of Greece, Spain, Lithuania and Hungary conducted investigations on the basis of complaints. The data protection supervisory authorities of Belgium, Bulgaria, Denmark, Germany, France, Italy, Luxembourg, Austria, Poland, Slovenia and Sweden conducted investigations both on their own initiative and on the basis of complaints.
(127)
The German and Hungarian data protection supervisory authorities stated that they had not received all the necessary information and/or that the controller denied them access to necessary information. The German authorities mentioned that a similar power to Article 58(1)(a) GDPR is not provided.
(128)
EDPB contribution to the evaluation of the LED, paragraph 30, and also the individual replies of the authorities of Austria and Luxembourg.
(129)
The Danish and Lithuanian data protection supervisory authorities reported that they had been consulted only once. The Belgian data protection supervisory authority received 59 prior consultations.
(130)
EDPB contribution to the evaluation of the LED, paragraph 39.
(131)
The data protection supervisory authorities of Czechia, Greece, Croatia Latvia and Sweden reported that they did not issue opinions. The data protection supervisory authorities of Greece, Croatia, Latvia, Poland, Romania, Slovenia and Slovakia were consulted only occasionally.
(132)
This observation is based on the replies received from the data protection supervisory authorities of Belgium, Bulgaria, Germany, Estonia, Ireland, Italy, Hungary, the Netherlands, Austria, Poland, Finland and Sweden.
(133)
Recital 7, LED.
(134)
EDPB Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive, adopted 2 February 2021.
https://edpb.europa.eu/sites/default/files/files/file1/recommendations012021onart.36led.pdf_en.pdf .
(135)
EDPB Guideline 05/2022 on the use of facial recognition technology in the area of law enforcement, adopted on 12 May 2022, version for public consultation, available at https://edpb.europa.eu/system/files/2022-05/edpb-guidelines_202205_frtlawenforcement_en_1.pdf .
(136)
Article 29 Working Party Opinion on some key issues of the Law Enforcement Directive (EU 2016/680), WP 258, adopted on 29 November 2017, available at https://ec.europa.eu/newsroom/article29/items/610178/en .
(137)
EDPB Guideline 07/2020 on the concepts of data controller and processor in the GDPR, adopted on 7 July 2021, available at https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf .
(138)
EDPB Guideline 01/2022 on data subject rights - right of access, adopted on 18 January 2022, version for public consultation, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf .
(139)
Article 29 Working Party Guidelines on personal data breach notification under Regulation 2016/679, WP 250rev.01, last revised on 6 February 2018, and endorsed by the EDPB on 25 May 2018, available at https://ec.europa.eu/newsroom/article29/items/612052/en ; EDPB Guidelines 01/2021 on examples regarding personal data breach notification, adopted on 14 December 2021, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012021_pdbnotification_adopted_en.pdf .
(140)
Article 29 Working Party Guidelines on data protection impact assessment (DPIA) and determining whether
processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679, WP 248rev.01, last revised on 4 October 2017, and endorsed by the EDPB on 25 May 2018, available at https://ec.europa.eu/newsroom/article29/items/611236 .
(141)
EDPB Guideline 4/2019 on Article 25 data protection by design and by default, adopted on 20 October 2020, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf .
(142)
Article 29 Working Party Guideline on automated individual decision-making and profiling for the purposes of Regulation 2016/679, WP 251rev01, last revised on 6 February 2018, and endorsed by the EDPB on 25 May 2018; available at https://ec.europa.eu/newsroom/article29/items/612053/en .
(143)
Council position and findings on the application of the LED, paragraph 14.
(144)
EDPB contribution to the evaluation of the LED, paragraph 39.
(145)
Article 50 LED.
(146)
EDPB Work Programme 2021 / 2022, edpb_workprogramme_2021-2022_en.pdf (europa.eu) .
(147)
See Article 35(3) and Recital 64 LED. As regards onward transfers, see Article 35(1)(e) and Recital 65 LED.
(148)
Commission Implementing Decision of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, available at https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_law_enforcement_directive_en.pdf .
(149)
See Article 35(1)(c), Article 35(2) and Recital 66 LED.
(150)
See Article 525, paragraph 1, of the TCA.
(151)
See paragraphs 172 to 174 of the Decision on the adequate protection of personal data by the United Kingdom: Law Enforcement Directive, 28 June 2021, available at https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-law-enforcement-directive_en
(152)
EDPB, Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive, adopted on 2 February 2021. See also Article 36(2) and recital 67 LED.
(153)
See Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal Data in a Globalised World, COM(2017), 7 final, pp. 13-14.
(154)
Council position and findings on the application of the LED, paragraph 18.
(155)
In its Communication on a way forward on aligning the former third pillar acquis with data protection rules the Commission has concluded that several existing agreements do not require further alignment with the LED (e.g. the Agreement between the European Union and the Republic of Iceland and the Kingdom of Norway on the application of certain provisions of the Convention of 29 May 2000 on Mutual Assistance in Criminal Matters between the Member States of the European Union and the 2001 Protocol thereto).
(156)
For more information on the existing Europol agreements see Europol’s website at: https://www.europol.europa.eu/partners-collaboration/agreements .
(157)
See Article 25(4) of the Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA OJ L 135, 24.5.2016, p.53-114.
(158)
Consolidated version of the Teary on European Union, OJ C 202, 7.6.2016, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016M%2FTXT-20200301 .
(159)
Recital 35 of the Europol Regulation.
(160)
The Commission, on behalf of the European Union, and the United States were heavily engaged in these negotiations, including in the dedicated data protection subgroup (data protection being one of the most intensely discussed topics).
(161)
See the Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal Data in a Globalised World, COM(2017), 7 final, p. 14.
(162)
Agreement between the European Union, of the one part, and New Zealand, of the other part, on the exchange of personal data between the European Union Agency for Law Enforcement Cooperation (Europol) and the authorities of New Zealand competent for fighting serious crime and terrorism.
(163)
Agreement between the European Union and Japan on mutual legal assistance in criminal matters (OJ L 39, 12.2.2010, p. 20). https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A22010A0212%2801%29 .
(164)
Council Decision authorising the opening of negotiations with Japan for the amendment of the Agreement between the European Union and Japan on mutual legal assistance matters (document LT 223/21).
(165)
Following the approval of a mandate by the Council of the European Union on 6 June 2019. The mandate is available at https://www.consilium.europa.eu/en/press/press-releases/2019/06/06/council-gives-mandate-to-commission-to-negotiate-international-agreements-on-e-evidence-in-criminal-matters/
(166)
The Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence was approved by the Council of Europe’s Committee of Ministers on 17 November 2021. It was prepared by the Cybercrime Convention Committee (T-CY) between September 2017 and May 2021. The text of the Protocol (certified copy) is available at https://rm.coe.int/1680a4b2e1 . The explanatory report to the Protocol is also available at https://rm.coe.int/1680a49c9d
(167)
See Article 14 of the Additional Protocol, together with paragraphs 220-287 of the explanatory report.
(168)
In its Opinion 1/2022 of 20 January 2022 on the draft Council decisions authorising signature and ratification of the Additional Protocol, the EDPS ‘notes positively the many safeguards that have been included in the Protocol.’
(169)
Council Decision authorising the opening of negotiations with a view to concluding an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters. The mandate is available at the following link: https://data.consilium.europa.eu/doc/document/ST-9114-2019-INIT/en/pdf .
(170)
Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters, COM(2018)225 final, and Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, COM(2018)226 final.
(171)
EDPB, Statement 02/2021 on new draft provisions of the second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), adopted on 2 February 2021, available at https://edpb.europa.eu/our-work-tools/our-documents/statements/statement-022021-new-draft-provisions-second-additional_en
(172)
EDPS, Opinion 04/2021 on the review of Europol’s mandate, adopted on 8 March 2021, available at https://edps.europa.eu/data-protection/our-work/publications/opinions/edps-opinion-proposal-amendment-europol-regulation_en .
(173)
EDPB, Statement 04/2021 on international agreements including transfers, adopted on 13 April 2021. It is available at https://edpb.europa.eu/system/files/2021-04/edpb_statement042021_international_agreements_including_transfers_en.pdf
(174)
See the Council Presidency Report on the Exchange of police data with third countries - Experiences in the application of Article 37 of Law Enforcement Directive, The EDPB has announced that it will include the conclusions from the Presidency report along with further information and comments from the Member States in its efforts to develop guidance on Article 37 of the Directive. See the letter from the Chair of the EDPB to the Permanent Representation of the Federal Republic of Germany to the European Union of 26 February 2021 (document 13555/1/20).
(175)
See the Council position and findings on the application of the LED, paragraph 20.
(176)
Article 38(1)(c) LED.
(177)
Article 38(1)(d) LED.
(178)
As an example, the Second Additional Protocol to the Budapest Convention could be considered as an international agreement for the purposes of Article 48 GDPR.
(179)
See: https://www.coe.int/en/web/cybercrime/glacyplus .
(180)
Amending protocol to the Convention for the Protection of Individuals with Regard to the Processing of Personal Data, adopted by the Committee of Ministers at its 128th Session in Elsinore on 18 May 2018 (Convention 108+), available at https://rm.coe.int/convention-108-convention-for-the-protection-of-individuals-with-regar/16808b36f1.
(181)
See, for example, the Practical guide on the use of personal data in the police sector, available at https://rm.coe.int/t-pd-201-01-practical-guide-on-the-use-of-personal-data-in-the-police-/16807927d5 .
(182)
EDPB Document on Terms of Reference of the EDPB Support Pool of Experts, adopted on 15 December 2020.