Regulation 2024/868 - Amendment of Council Decision 2009/917/JHA as regards its alignment with Union rules on the protection of personal data - Main contents
Official Journal of the European Union |
EN L series |
2024/868 |
19.3.2024 |
REGULATION (EU) 2024/868 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 13 March 2024
amending Council Decision 2009/917/JHA as regards its alignment with Union rules on the protection of personal data
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Acting in accordance with the ordinary legislative procedure (1),
Whereas:
(1) |
Directive (EU) 2016/680 of the European Parliament and of the Council (2) provides for harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against, and the prevention of threats to, public security. That Directive requires the Commission to review other relevant acts adopted by the Union in order to assess the need to align them with that Directive and to make, where appropriate, the necessary proposals to amend those acts to ensure a consistent approach to the protection of personal data within the scope of that Directive. |
(2) |
Council Decision 2009/917/JHA (3) establishes the Customs Information System (CIS), the purpose of which is to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and thereby to increase the effectiveness of the customs administrations of the Member States. The CIS consists of a central database facility which stores personal data, such as names and forenames, addresses, numbers of identity papers, related to commodities, means of transport, businesses or persons and detained, seized or confiscated items and cash. The central database facility is managed by the Commission, which does not have access to the personal data stored in it. The authorities designated by the Member States have the right of access to the central database facility and can enter and consult the information stored in it. The European Union Agency for Law Enforcement Cooperation (Europol) and the European Union Agency for Criminal Justice Cooperation (Eurojust) have, within their respective mandates and for the fulfilment of their tasks, the right to access the data entered in the central database facility by the authorities designated by the Member States and to search those data. |
(3) |
In order to ensure a consistent approach to the protection of personal data in the Union, Decision 2009/917/JHA should be amended in order to align it with Directive (EU) 2016/680. In particular, the personal data protection rules laid down in that Decision should respect the principle of purpose limitation, be limited to specified categories of data subjects and categories of personal data, respect data security requirements, include additional protection for special categories of personal data and respect the conditions for subsequent processing. Moreover, provision should be made for the coordinated supervision of the operation of the CIS by the European Data Protection Supervisor and the national supervisory authorities in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council (4). |
(4) |
In order to ensure a clear and consistent approach to the adequate protection of personal data, the term ‘serious contraventions’ used in Decision 2009/917/JHA should be replaced by ‘criminal offences’ as referred to in Directive (EU) 2016/680, bearing in mind the fact that where particular conduct is prohibited under the criminal law of a Member State, that in itself implies a certain degree of seriousness of the contravention. Moreover, the purpose of the CIS should remain limited to assisting in the prevention, investigation, detection or prosecution of criminal offences under national laws as defined in Decision 2009/917/JHA, that is, national laws in respect of which the customs administrations of the Member States are competent and which are therefore particularly relevant in the context of customs. Therefore, whereas qualification as a criminal offence is a necessary requirement, not all criminal offences under national laws are covered by Decision 2009/917/JHA. For instance, the criminal offences of illicit drug trafficking, illicit weapons trafficking and money laundering are covered by Decision 2009/917/JHA. Furthermore, the replacement of the term ‘serious contraventions’ with the term ‘criminal offences’ should not be understood as affecting the specific requirements set out in Decision 2009/917/JHA regarding the establishment and sending by each Member State of a list of criminal offences under their national laws that meet certain conditions for the purposes of the customs files identification database. |
(5) |
When processing personal data under Decision 2009/917/JHA, without prejudice to specific rules contained in that Decision, Member States are subject to their national provisions adopted pursuant to Directive (EU) 2016/680, the Commission is subject to the rules laid down in Regulation (EU) 2018/1725, Europol is subject to the rules laid down in Regulation (EU) 2016/794 of the European Parliament and of the Council (5) and Eurojust is subject to the rules laid down in Regulation (EU) 2018/1727 of the European Parliament and of the Council (6). Those acts govern, inter alia, the obligations and responsibilities of controllers, joint controllers, processors and the relationship between them with regard to the protection of personal data. National supervisory authorities responsible for monitoring and ensuring the application of Directive (EU) 2016/680 in each Member State should be competent for monitoring and ensuring the application of the provisions relating to the protection of personal data laid down in Decision 2009/917/JHA by the competent authorities of each Member State. The European Data Protection Supervisor should be responsible for monitoring and ensuring the application of the provisions relating to the protection of personal data laid down in Decision 2009/917/JHA by the Commission, Europol, and Eurojust. |
(6) |
In order to ensure the optimal preservation of the data in the CIS, while reducing the administrative burden for the competent authorities, and in line with Council Regulation (EC) No 515/97 (7), the procedure governing the retention of personal data in the CIS should be simplified by removing the obligation to review annually the need for the retention of personal data and by setting a maximum retention period of five years which can be increased by an additional period of two years provided that such an increase is justified. That retention period is necessary and proportionate in view of the typical length of criminal proceedings and the necessity of the data for the conduct of joint customs operations and of investigations. |
(7) |
The processing of personal data under Decision 2009/917/JHA involves the processing, exchange and subsequent use of relevant information for the purposes set out in Article 87 of the Treaty on the Functioning of the European Union (TFEU). In the interests of consistency and the effective protection of personal data, the processing of personal data under Decision 2009/917/JHA should comply with Union and national law on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against, and the prevention of, threats to public security. |
(8) |
In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union (TEU) and to the TFEU, Ireland is bound by Decision 2009/917/JHA and is therefore taking part in the adoption of this Regulation. |
(9) |
In accordance with Articles 1, 2 and 2a of Protocol No 22 on the position of Denmark annexed to the TEU and the TFEU, Denmark is bound by Decision 2009/917/JHA and is therefore taking part in the adoption of this Regulation. |
(10) |
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 4 July 2023. |
(11) |
Decision 2009/917/JHA should therefore be amended accordingly, |
HAVE ADOPTED THIS REGULATION:
Article 1
Decision 2009/917/JHA is amended as follows:
(1) |
in Article 1, paragraph 2 is replaced by the following: ‘2. The purpose of the Customs Information System, in accordance with this Decision, shall be to assist the competent authorities of the Member States with the prevention, investigation, detection or prosecution of criminal offences under national laws, by making information available more rapidly, thereby increasing the effectiveness of the cooperation and control procedures of the customs administrations of the Member States.’ ; |
(2) |
Article 2 is amended as follows:
|
(3) |
in Article 3(1), the introductory wording is replaced by the following: ‘The Customs Information System shall consist of a central database facility, accessible through terminals in each Member State. It shall comprise exclusively data necessary to achieve its purpose as stated in Article 1(2), including personal data, in the following categories:’; |
(4) |
Article 4 is amended as follows:
|
(5) |
in Article 5, paragraph 2 is replaced by the following: ‘2. For the purpose of the actions referred to in paragraph 1, personal data in any of the categories referred to in Article 3(1) may be entered into the Customs Information System only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit a criminal offence under national laws.’ ; |
(6) |
Article 7 is amended as follows:
|
(7) |
Article 8 is amended as follows:
|
(8) |
in Article 13, paragraph 5 is replaced by the following: ‘5. Subject to this Decision, where in any Member State a court, or other competent authority within that Member State, makes a final decision as to the amendment, supplementation, rectification or erasure of data in the Customs Information System, the Member States undertake mutually to enforce such a decision. In the event of conflict between such decisions of courts or of other competent authorities in different Member States, including of the national supervisory authorities, concerning rectification or erasure, the Member State which entered the data in question shall erase them from that system.’ ; |
(9) |
Article 14 is replaced by the following: ‘Article 14 Personal data entered into the Customs Information System shall be kept only for the time necessary to achieve the purpose stated in Article 1(2) and may not be retained for more than five years. However, exceptionally, those data may be retained for an additional period of up to two years, where and insofar as a strict need to do so in order to achieve that purpose is established in an individual case.’ ; |
(10) |
Article 15 is amended as follows:
|
(11) |
Article 20 is replaced by the following: ‘Article 20 Unless otherwise provided for in this Decision:
(*2) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39)." (*3) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53)." (*4) Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138).’;" |
(12) |
Articles 22, 23, 24 and 25 are deleted; |
(13) |
Article 26 is replaced by the following: ‘Article 26
; |
(14) |
in Article 27, paragraph 2, point (a) is replaced by the following:
|
(15) |
Article 28 is amended as follows:
|
(16) |
Article 29 is replaced by the following: ‘Article 29 The competent customs administration referred to in Article 10(1) shall be responsible for the security measures set out in Article 28, in relation to the terminals located in the territory of the Member State concerned, the review functions set out in Articles 14 and 19, and otherwise for the proper implementation of this Decision so far as is necessary under the laws, regulations and procedures of that Member State.’ ; |
(17) |
in Article 30, paragraph 1 is deleted. |
Article 2
By 9 October 2025, without prejudice to the application of this Regulation, the personal data entered into the Customs Information System before 8 April 2024 shall be reviewed by the Member States which entered those data and, where necessary, updated or deleted in order to ensure that their processing complies with Decision 2009/917/JHA as amended by this Regulation.
Article 3
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.
Done at Strasbourg, 13 March 2024.
For the European Parliament
The President
-
R.METSOLA
For the Council
The President
-
H.LAHBIB
-
Position of the European Parliament of 6 February 2024 (not yet published in the Official Journal) and decision of the Council of 26 February 2024.
-
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
-
Council Decision 2009/917/JHA of 30 November 2009 on the use of information technology for customs purposes (OJ L 323, 10.12.2009, p. 20).
-
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
-
Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).
-
Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138).
-
Council Regulation (EC) No 515/97 of 13 March 1997 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters (OJ L 82, 22.3.1997, p. 1).
ELI: http://data.europa.eu/eli/reg/2024/868/oj
ISSN 1977-0677 (electronic edition)
This summary has been adopted from EUR-Lex.