European Parliament legislative resolution on the Commission proposal for a Council framework decision on attacks against information systems (COM(2002) 173 - C5-0271/2002 - 2002/0086 (CNS))
– having regard to Article 34(2)(b) of the EU Treaty,
– having been consulted by the Council pursuant to Article 39(1) of the EU Treaty (C5-0271/2002),
– having regard to Rules 106 and 67 of its Rules of Procedure,
– having regard to the report of the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs and the opinion of the Committee on Industry, External Trade, Research and Energy (A5-0328/2002),
1. Approves the Commission proposal as amended;
2. Calls on the Council to notify Parliament should it intend to depart from the text approved by Parliament;
3. Asks to be consulted again if the Council intends to amend the Commission proposal substantially;
4. Instructs its President to forward its position to the Council and Commission.
Text proposed by the Commission
Amendments by Parliament
Amendment 1 Recital 5 a (new)
(5a) This Framework Decision and the definitions it employs, set out in Article 2, should be in agreement with, and where necessary extended to include, the new OECD Guidelines for the Security of Information Systems and Networks, adopted on 25 July 2002.
Amendment 2 Recital 9
(9) All Member States have ratified the Council of Europe Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data. The personal data processed in the context of the implementation of this Framework Decision will be protected in accordance with the principles of the said Convention.
(9) All Member States have ratified the Council of Europe Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data. The personal data processed in the context of the implementation of this Framework Decision will be protected in accordance with the principles of the said Convention. At European level there is still a lack of adequate data protection provisions in the area of the third pillar. Hence an EU third pillar instrument for the protection of personal data, specifically in the context of law enforcement, is urgently needed.
Amendment 3 Recital 13 a (new)
(13a) The protection of information systems is a factor of fundamental importance for creating an area of freedom, security and justice, but the potential abuse of such systems should also be taken into account. National legislation should therefore closely monitor attacks against and unlawful disruption of information systems used to achieve objectives which are contrary to fundamental freedoms and rights until such time as European human rights issues come under Community law and can then be dealt with more democratically by being taken into consideration when European positions are adopted. Likewise, conduct which is considered in national law to be of minor significance shall be expressly exempt from the obligation to impose penalties under criminal law and is thus excluded from the scope of this Framework Decision.
Amendment 4 Recital 16
(16) Measures should also be foreseen for the purposes of co-operation between Member States with a view to ensuring effective action against attacks against information systems. Operational contact points should be established for the exchange of information.
(16) Measures should also be foreseen for the purposes of co-operation between Member States with a view to ensuring effective action against attacks against information systems. Operational contact points should be established for the exchange of information and should be activated as soon as there is an appropriate data protection instrument in the area of the third pillar at European level.
Amendment 5 Recital 19
(19) This Framework Decision respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, and notably Chapters II and VI thereof.
(19) This Framework Decision respects the fundamental rights and freedoms and observes the principles recognised in particular by the European Convention for the Protection of Human Rights and Fundamental Freedoms and the case-law of the European Court of Human Rights, the Charter of Fundamental Rights of the European Union, and notably Chapters II and VI thereof, and by national and international law on human rights and fundamental freedoms. Consequently, this framework decision and the national implementing measures cannot be used to suppress, in particular, freedom of opinion, expression, demonstration and association.
Amendment 6 Article 1
The objective of this Framework Decision is to improve co-operation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, through approximating rules on criminal law in the Member States in the area of attacks against information systems.
The objective of this Framework Decision is to improve co-operation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, through approximating rules on criminal law in the Member States in the area of attacks against information systems. This Framework Decision respects fundamental rights and freedoms and observes the principles recognised by the European Convention for the Protection of Human Rights and Fundamental Freedoms, the case-law of the European Court of Human Rights, in the Charter of Fundamental Rights of the European Union and in national and international law concerning human rights and fundamental freedoms.
Amendment 7 Article 1 a (new)
Article 1a Information campaigns
1. In addition to the creation of offences covering the actions referred to in Articles 3, 4 and 5, prevention should also not be neglected, and Member States shall help encourage participants in the Information Society increasingly to promote a culture of security, particularly by holding information campaigns, together with the affected employers, organisations and other actors, to raise awareness of security risks on information networks.
2. The Commission shall take the initiative with a view to raising awareness among citizens, businesses and the public sector concerning security risks on electronic communication networks, and shall play a role in coordinating and harmonising the content of information campaigns in the Member States on the security aspects and risks involved in electronic communications networks.
Amendment 8 Article 2, point (f)
(f) "Authorised person" means any natural or legal person who has the right, by contract or by law, or the lawful permission, to use, manage, control, test, conduct legitimate scientific research or otherwise operate an information system and who is acting in accordance with that right or permission.
Deleted
Amendment 9 Article 2, point (g), subparagraph 1a (new)
Conduct by natural or legal persons is at all events not unlawful where they have the right, by contract or by law, or the lawful permission, to use, manage, control, test, conduct legitimate scientific research or otherwise operate an information system and where they are acting in accordance with that right or permission.
Amendment 10 Article 3, paragraph 1 a (new)
Trivial or minor conduct is not included within the scope of this Framework Decision and is therefore a matter for the national law of the Member States.
Amendment 11 Article 4, paragraph 1 a (new)
Trivial or minor conduct is not included within the scope of this Framework Decision and is therefore a matter for the national law of the Member States.
Amendment 12 Article 9, paragraph 2
2. Apart from the cases provided for in paragraph 1, Member States shall ensure that a legal person can be held liable where the lack of supervision or control by a person referred to in paragraph 1 has made possible the commission of the offences referred to in Articles 3, 4 and 5 for the benefit of that legal person by a person under its authority.
2. Apart from the cases provided for in paragraph 1, Member States shall ensure that a legal person can be held liable, where possible, where the lack of supervision or control by a person referred to in paragraph 1 has made possible the commission of the offences referred to in Articles 3, 4 and 5 for the benefit of that legal person by a person under its authority.
1. Member States shall ensure that a legal person held liable pursuant to Article 9(1) is punishable by effective, proportionate and dissuasive sanctions, which shall include criminal or non-criminal fines and may include other sanctions, such as:
1. Member States shall ensure that a legal person held liable pursuant to Article 9(1) is punishable by effective, proportionate and dissuasive sanctions, which may include criminal or non-criminal fines or other sanctions, such as:
Amendment 14 Article 11, paragraph 2, point (a)
(a) the offender commits the offence when physically present on its territory, whether or not the offence is against an information system on its territory; or
(a) the offender commits the offence when effectively present on its territory, whether or not the offence is against an information system on its territory; or
Amendment 15 Article 11, paragraph 2, point (b)
(b) the offence is against an information system on its territory, whether or not the offender commits the offence when physically present on its territory.
(b) the offence is against an information system on its territory, whether or not the offender commits the offence when effectively present on its territory, or
Amendment 16 Article 11, paragraph 2, point (b a) (new)
(ba) the offence has some other close connection with the territory of a Member State.
Amendment 17 Article 13, paragraph 1
1. Member States shall bring into force the measures necessary to comply with this Framework Decision by 31 December 2003.
1. Member States shall bring into force the measures necessary to implement Articles 1 to 11 of this Framework Decision by 31 December 2003 and Article 12 within one year of its entry into force.
Amendment 18 Article 14
This Framework Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Communities.
Articles 1 to 11 of this Framework Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Communities. Article 12 shall enter into force on the same day as a data protection instrument for the third pillar. A specific reference to this effect shall be made on publication in the Official Journal of the European Communities.