Regulation 2024/868 - Amendment of Council Decision 2009/917/JHA as regards its alignment with Union rules on the protection of personal data

1.

Legislative text

 

Official Journal

of the European Union

EN

L series

 

 

2024/868

19.3.2024

REGULATION (EU) 2024/868 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 13 March 2024

amending Council Decision 2009/917/JHA as regards its alignment with Union rules on the protection of personal data

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

 

(1)

Directive (EU) 2016/680 of the European Parliament and of the Council (2) provides for harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against, and the prevention of threats to, public security. That Directive requires the Commission to review other relevant acts adopted by the Union in order to assess the need to align them with that Directive and to make, where appropriate, the necessary proposals to amend those acts to ensure a consistent approach to the protection of personal data within the scope of that Directive.

 

(2)

Council Decision 2009/917/JHA (3) establishes the Customs Information System (CIS), the purpose of which is to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and thereby to increase the effectiveness of the customs administrations of the Member States. The CIS consists of a central database facility which stores personal data, such as names and forenames, addresses, numbers of identity papers, related to commodities, means of transport, businesses or persons and detained, seized or confiscated items and cash. The central database facility is managed by the Commission, which does not have access to the personal data stored in it. The authorities designated by the Member States have the right of access to the central database facility and can enter and consult the information stored in it. The European Union Agency for Law Enforcement Cooperation (Europol) and the European Union Agency for Criminal Justice Cooperation (Eurojust) have, within their respective mandates and for the fulfilment of their tasks, the right to access the data entered in the central database facility by the authorities designated by the Member States and to search those data.

 

(3)

In order to ensure a consistent approach to the protection of personal data in the Union, Decision 2009/917/JHA should be amended in order to align it with Directive (EU) 2016/680. In particular, the personal data protection rules laid down in that Decision should respect the principle of purpose limitation, be limited to specified categories of data subjects and categories of personal data, respect data security requirements, include additional protection for special categories of personal data and respect the conditions for subsequent processing. Moreover, provision should be made for the coordinated supervision of the operation of the CIS by the European Data Protection Supervisor and the national supervisory authorities in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council (4).

 

(4)

In order to ensure a clear and consistent approach to the adequate protection of personal data, the term ‘serious contraventions’ used in Decision 2009/917/JHA should be replaced by ‘criminal offences’ as referred to in Directive (EU) 2016/680, bearing in mind the fact that where particular conduct is prohibited under the criminal law of a Member State, that in itself implies a certain degree of seriousness of the contravention. Moreover, the purpose of the CIS should remain limited to assisting in the prevention, investigation, detection or prosecution of criminal offences under national laws as defined in Decision 2009/917/JHA, that is, national laws in respect of which the customs administrations of the Member States are competent and which are therefore particularly relevant in the context of customs. Therefore, whereas qualification as a criminal offence is a necessary requirement, not all criminal offences under national laws are covered by Decision 2009/917/JHA. For instance, the criminal offences of illicit drug trafficking, illicit weapons trafficking and money laundering are covered by Decision 2009/917/JHA. Furthermore, the replacement of the term ‘serious contraventions’ with the term ‘criminal offences’ should not be understood as affecting the specific requirements set out in Decision 2009/917/JHA regarding the establishment and sending by each Member State of a list of criminal offences under their national laws that meet certain conditions for the purposes of the customs files identification database.

 

(5)

When processing personal data under Decision 2009/917/JHA, without prejudice to specific rules contained in that Decision, Member States are subject to their national provisions adopted pursuant to Directive (EU) 2016/680, the Commission is subject to the rules laid down in Regulation (EU) 2018/1725, Europol is subject to the rules laid down in Regulation (EU) 2016/794 of the European Parliament and of the Council (5) and Eurojust is subject to the rules laid down in Regulation (EU) 2018/1727 of the European Parliament and of the Council (6). Those acts govern, inter alia, the obligations and responsibilities of controllers, joint controllers, processors and the relationship between them with regard to the protection of personal data. National supervisory authorities responsible for monitoring and ensuring the application of Directive (EU) 2016/680 in each Member State should be competent for monitoring and ensuring the application of the provisions relating to the protection of personal data laid down in Decision 2009/917/JHA by the competent authorities of each Member State. The European Data Protection Supervisor should be responsible for monitoring and ensuring the application of the provisions relating to the protection of personal data laid down in Decision 2009/917/JHA by the Commission, Europol, and Eurojust.

 

(6)

In order to ensure the optimal preservation of the data in the CIS, while reducing the administrative burden for the competent authorities, and in line with Council Regulation (EC) No 515/97 (7), the procedure governing the retention of personal data in the CIS should be simplified by removing the obligation to review annually the need for the retention of personal data and by setting a maximum retention period of five years which can be increased by an additional period of two years provided that such an increase is justified. That retention period is necessary and proportionate in view of the typical length of criminal proceedings and the necessity of the data for the conduct of joint customs operations and of investigations.

 

(7)

The processing of personal data under Decision 2009/917/JHA involves the processing, exchange and subsequent use of relevant information for the purposes set out in Article 87 of the Treaty on the Functioning of the European Union (TFEU). In the interests of consistency and the effective protection of personal data, the processing of personal data under Decision 2009/917/JHA should comply with Union and national law on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against, and the prevention of, threats to public security.

 

(8)

In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union (TEU) and to the TFEU, Ireland is bound by Decision 2009/917/JHA and is therefore taking part in the adoption of this Regulation.

 

(9)

In accordance with Articles 1, 2 and 2a of Protocol No 22 on the position of Denmark annexed to the TEU and the TFEU, Denmark is bound by Decision 2009/917/JHA and is therefore taking part in the adoption of this Regulation.

 

(10)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 4 July 2023.

 

(11)

Decision 2009/917/JHA should therefore be amended accordingly,

HAVE ADOPTED THIS REGULATION:

Article 1

Decision 2009/917/JHA is amended as follows:

 

(1)

in Article 1, paragraph 2 is replaced by the following:

‘2.   The purpose of the Customs Information System, in accordance with this Decision, shall be to assist the competent authorities of the Member States with the prevention, investigation, detection or prosecution of criminal offences under national laws, by making information available more rapidly, thereby increasing the effectiveness of the cooperation and control procedures of the customs administrations of the Member States.’

;

 

(2)

Article 2 is amended as follows:

 

(a)

point (2) is replaced by the following:

 

‘2.

“personal data” means personal data as defined in Article 3, point (1), of Directive (EU) 2016/680 of the European Parliament and of the Council (*1);

(*1)  Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).’;"

 

(b)

the following point is added:

 

‘6.

“national supervisory authority” means a supervisory authority as defined in Article 3, point (15), of Directive (EU) 2016/680.’;

 

(3)

in Article 3(1), the introductory wording is replaced by the following:

‘The Customs Information System shall consist of a central database facility, accessible through terminals in each Member State. It shall comprise exclusively data necessary to achieve its purpose as stated in Article 1(2), including personal data, in the following categories:’;

 

(4)

Article 4 is amended as follows:

 

(a)

paragraph 1 is replaced by the following:

‘1.   Member States shall determine the items to be entered into the Customs Information System relating to each of the categories referred to in Article 3(1), to the extent that this is necessary to achieve the purpose of that system. No items of personal data shall be entered in any event within the category set out in Article 3(1), point (e).’

;

 

(b)

paragraph 5 is replaced by the following:

‘5.   In no case shall the special categories of personal data referred to in Article 10 of Directive (EU) 2016/680 be entered into the Customs Information System.’

;

 

(5)

in Article 5, paragraph 2 is replaced by the following:

‘2.   For the purpose of the actions referred to in paragraph 1, personal data in any of the categories referred to in Article 3(1) may be entered into the Customs Information System only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit a criminal offence under national laws.’

;

 

(6)

Article 7 is amended as follows:

 

(a)

paragraph 1 is replaced by the following:

‘1.   Direct access to data entered into the Customs Information System shall be reserved to the national authorities designated by each Member State. Those national authorities shall be customs administrations, but may also include other authorities competent, according to the laws, regulations and procedures of the Member State in question, to act in order to achieve the purpose stated in Article 1(2).’

;

 

(b)

paragraph 3 is deleted;

 

(7)

Article 8 is amended as follows:

 

(a)

paragraphs 1 and 2 are replaced by the following:

‘1.   The national authorities designated by each Member State in accordance with Article 7, Europol and Eurojust may process personal data obtained from the Customs Information System in order to achieve the purpose stated in Article 1(2), in accordance with Union or national law applicable to the protection of personal data with the prior authorisation of, and subject to compliance with any conditions imposed by, the designated national authorities of the Member State which entered the personal data into that system.

The national authorities designated by each Member State, Europol and Eurojust may process non-personal data obtained from the Customs Information System in order to achieve the purpose stated in Article 1(2) or for other purposes, including administrative ones, in compliance with any conditions imposed by the designated national authorities of the Member State which entered the non-personal data in that system.

  • 2. 
    Without prejudice to paragraphs 1 and 4 of this Article and Articles 11 and 12, data obtained from the Customs Information System shall only be used by national authorities in each Member State designated by the Member State in question, which are competent, in accordance with the laws, regulations and procedures of that Member State, to act in order to achieve the purpose stated in Article 1(2).’

;

 

(b)

paragraph 4 is replaced by the following:

‘4.   Personal data obtained from the Customs Information System may, with the prior authorisation of, and subject to compliance with any conditions imposed by, the designated national authorities of the Member State which entered that data into that system, be:

 

(a)

transmitted to, and further processed by, national authorities other than those designated under paragraph 2, in accordance with Union or national law applicable to the protection of personal data; or

 

(b)

transferred to, and further processed by, the competent authorities of third countries and international or regional organisations, in accordance with Union or national law applicable to the protection of personal data.

Non-personal data obtained from the Customs Information System may be transferred to, and further processed by national authorities other than those designated under paragraph 2, third countries, and international or regional organisations, in compliance with any conditions imposed by the designated national authorities of the Member State which entered the non-personal data in that system.’

;

 

(8)

in Article 13, paragraph 5 is replaced by the following:

‘5.   Subject to this Decision, where in any Member State a court, or other competent authority within that Member State, makes a final decision as to the amendment, supplementation, rectification or erasure of data in the Customs Information System, the Member States undertake mutually to enforce such a decision. In the event of conflict between such decisions of courts or of other competent authorities in different Member States, including of the national supervisory authorities, concerning rectification or erasure, the Member State which entered the data in question shall erase them from that system.’

;

 

(9)

Article 14 is replaced by the following:

‘Article 14

Personal data entered into the Customs Information System shall be kept only for the time necessary to achieve the purpose stated in Article 1(2) and may not be retained for more than five years. However, exceptionally, those data may be retained for an additional period of up to two years, where and insofar as a strict need to do so in order to achieve that purpose is established in an individual case.’

;

 

(10)

Article 15 is amended as follows:

 

(a)

paragraph 2 is replaced by the following:

‘2.   The purpose of the customs files identification database shall be to enable the national authorities responsible for carrying out customs investigations designated in accordance with Article 7, when opening a file on or investigating one or more persons or businesses, and for Europol and Eurojust, to identify the competent authorities of other Member States which are investigating or have investigated those persons or businesses, in order, through information on the existence of investigation files, to achieve the purpose referred to in Article 1(2).’

;

 

(b)

paragraph 3 is replaced by the following:

‘3.   For the purposes of the customs files identification database, each Member State shall send the other Member States, Europol, Eurojust and the Committee referred to in Article 27 a list of criminal offences under its national laws.

This list shall comprise only criminal offences that are punishable:

 

(a)

by deprivation of liberty or a detention order for a maximum period of not less than 12 months; or

 

(b)

by a fine of at least EUR 15 000.’

;

 

(11)

Article 20 is replaced by the following:

‘Article 20

Unless otherwise provided for in this Decision:

 

(a)

national provisions adopted pursuant to Directive (EU) 2016/680 shall apply to the processing of personal data under this Decision by national authorities designated by each Member State in accordance with Article 7 of this Decision;

 

(b)

Regulation (EU) 2018/1725 of the European Parliament and of the Council (*2) shall apply to the processing of personal data under this Decision by the Commission;

 

(c)

Regulation (EU) 2016/794 of the European Parliament and of the Council (*3) shall apply to the processing of personal data under this Decision by Europol; and

 

(d)

Regulation (EU) 2018/1727 of the European Parliament and of the Council (*4) shall apply to the processing of personal data under this Decision by Eurojust.

(*2)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39)."

(*3)  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53)."

(*4)  Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138).’;"

 

(12)

Articles 22, 23, 24 and 25 are deleted;

 

(13)

Article 26 is replaced by the following:

‘Article 26

  • 1. 
    The European Data Protection Supervisor shall be responsible for monitoring the processing of personal data under this Decision by the Commission and for ensuring that it is carried out in accordance with this Decision. The tasks and powers referred to in Articles 57 and 58 of Regulation (EU) 2018/1725 shall apply accordingly.
  • 2. 
    The European Data Protection Supervisor shall carry out an audit of the processing of personal data by the Commission under this Decision in accordance with international auditing standards at least every five years. A report on that audit shall be sent to the European Parliament, to the Council, to the Commission and to the national supervisory authorities.
  • 3. 
    The European Data Protection Supervisor and the national supervisory authorities, acting within the scope of their respective competences, shall cooperate actively within the framework of their responsibilities to ensure coordinated supervision of the operation of the Customs Information System in accordance with Article 62 of Regulation (EU) 2018/1725.’

;

 

(14)

in Article 27, paragraph 2, point (a) is replaced by the following:

 

‘(a)

for the implementation and correct application of this Decision, without prejudice to the powers of the national supervisory authorities and of the European Data Protection Supervisor;’;

 

(15)

Article 28 is amended as follows:

 

(a)

in paragraph 2, the following points are added:

 

‘(i)

to ensure that it is possible to restore installed systems in the case of interruption;

 

(j)

to ensure the proper functioning of the System, that faults in the System are reported and that stored personal data cannot be corrupted by the System malfunctioning.’;

 

(b)

paragraph 3 is replaced by the following:

‘3.   The Committee referred to in Article 27 shall monitor the queries of the Customs Information System for the purpose of checking that searches made were admissible and made by authorised users. At least 1 % of all searches made shall be checked. A record of such searches and checks shall be maintained in the System and shall be used only for the abovementioned purpose by that Committee, the national supervisory authorities and the European Data Protection Supervisor. It shall be erased after six months.’

;

 

(16)

Article 29 is replaced by the following:

‘Article 29

The competent customs administration referred to in Article 10(1) shall be responsible for the security measures set out in Article 28, in relation to the terminals located in the territory of the Member State concerned, the review functions set out in Articles 14 and 19, and otherwise for the proper implementation of this Decision so far as is necessary under the laws, regulations and procedures of that Member State.’

;

 

(17)

in Article 30, paragraph 1 is deleted.

Article 2

By 9 October 2025, without prejudice to the application of this Regulation, the personal data entered into the Customs Information System before 8 April 2024 shall be reviewed by the Member States which entered those data and, where necessary, updated or deleted in order to ensure that their processing complies with Decision 2009/917/JHA as amended by this Regulation.

Article 3

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Strasbourg, 13 March 2024.

For the European Parliament

The President

  • R. 
    METSOLA

For the Council

The President

  • H. 
    LAHBIB
 

  • (1) 
    Position of the European Parliament of 6 February 2024 (not yet published in the Official Journal) and decision of the Council of 26 February 2024.
  • (2) 
    Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
  • (4) 
    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
  • (5) 
    Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).
  • (6) 
    Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138).
  • (7) 
    Council Regulation (EC) No 515/97 of 13 March 1997 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters (OJ L 82, 22.3.1997, p. 1).
 

ELI: http://data.europa.eu/eli/reg/2024/868/oj

ISSN 1977-0677 (electronic edition)

 

This summary has been adopted from EUR-Lex.