Alignment of relevant Union law enforcement rules with regard to data protection
In “A New Push for European Democracy”
On 29 January 2020, the Commission's published its new work programme, announcing a.o. its intention to adopt a non-legislative initiative on aligning relevant EU law enforcement (LE) rules with regard to data protection.
On 24 June 2020, the Commission published a Communication on the 'Way forward on aligning the former third pillar acquis with data protection rules'. It identified 10 legal acts regulating processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences which should be aligned with the Data Protection Law Enforcement Directive (LED). The alignment aims at bringing legal certainty and clarifying issues such as the purposes of the personal data processing by the competent authorities and what types of data may be subject to such processing.
The LED was adopted in 2016 and had to be transposed by Member States by 6 May 2018. It is the first instrument that takes a comprehensive approach in the field of LE, as opposed to the previous ad hoc approaches whereby each law enforcement instrument was governed by its own data protection rules. According to Article 62(6) of the directive, the Commission was required to review other legal acts adopted by the EU which regulate processing of personal data by the competent authorities for LE purposes, in order to assess the need to align them with the LED and to make, where appropriate, the necessary proposals to amend those acts in order to ensure a consistent approach. For this review, the Commission took into account the results of the study carried out as part of European Parliament pilot project 'Fundamental Rights Review of EU data collection instruments and programmes', mapping the relevant acts and identifying provisions to align. Based on this study, the Commission identified 26 EU legal acts falling in the scope of the review, out of which only 10 are not fully in line with LED and need to be amended:
- Council Framework Decision 2002/465/JHA of 13 June 2002 on joint investigation teams (JITs);
- Council Decision 2005/671/JHA of 20 September 2005 on the exchange of information and cooperation concerning terrorist offences;
- Council Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between LE authorities of the Member States of the EU;
- Council Decision 2007/845/JHA of 6 December 2007 concerning cooperation between Asset Recovery Offices of the Member States in the field of tracing and identification of proceeds from, or other property related to, crime;
- Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime and Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime;
- Council Decision 2009/917/JHA of 30 November 2009 on the use of information technology for customs purposes;
- Agreement between the EU and Japan on mutual legal assistance in criminal matters;
- Directive 2014/41/EU of 3 April 2014 regarding the European Investigation Order (EIO) in criminal matters;
- Directive (EU) 2015/413 of 11 March 2015 facilitating cross-border exchange of information on road-safety-related traffic offences;
- Directive (EU) 2016/681 of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
In January 2021, the Commission published 2 legislative proposals amending Framework Decision 2002/465/JHA on JITs (procedure 2021/0008(COD)) and Directive 2014/41/EU on the EIO (2021/0009(COD)), as regards their alignment with EU rules on the protection of personal data. Both final acts were signed and published in the OJ in February 2022.
In December 2021, a proposal on strengthening the automated data exchange under the Prüm framework (2021/0410(COD)) was published, as part of the legislative package on the EU Police Cooperation Code and which will modernise the 2008 Prüm Decisions (Council decisions 2008/615/JHA and 2008/616/JHA). The same package included a proposal for a Directive on information exchange between LE authorities of Member States, amending Council Framework Decision 2006/960/JHA (2021/0411(COD)). The final acts were published respectively in April 2024 and May 2023.
Also in December 2021, a proposal for a regulation regarding digital information exchange in terrorism cases was issued (2021/0393(COD)), as part of a package of measures to digitalise EU justice systems. The proposal amends both Eurojust regulation and Council Decision 2005/671/JHA, in order to modernise current practices of sharing information on judicial cases related to terrorism between Member States and Eurojust. A second legislative proposal part of the package proposes to align Council Decision 2005/671/JHA with EU rules on the protection of personal data (2021/0399(COD). The final acts of both the regulation and the directive were published in October 2023.
In May 2022, the Commission proposed to revise directive 2014/42/EU, to include stronger rules on asset recovery and on freezing and confiscation of criminal assets (2022/0167(COD). The final act was published in May 2024. It also replaces Council decision 2007/845/JHA.
In March 2023, the Commission proposed the revision of directive 2015/413/EU on cross-border enforcement of road traffic rules (2023/0052(COD)) and in May 2023 the revision of Council Decision 2009/917/JHA on the use of information technology for customs purposes (2023/0143(COD)). The final act of the latter was published in March 2024.
In August 2022, the Commission proposed to amend the EU-Japan Agreement on Mutual Legal Assistance in criminal matters to ensure appropriate data protection safeguards (2022/0245(NLE)).
No proposal has been presented yet to amend the PNR Directive.
References:
- Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
- European Commission, 2020 Commission Work Programme – A Union that strives for more, COM(2020) 37 final, 29.01.2020.
- European Commission communication, Way forward on aligning the former third pillar acquis with data protection rules, COM(2020) 262 final and Annexes to the communication.
- European Commission, Communication on the EU Security Union Strategy, COM(2020) 605 final, 24.07.2020.
- European Commission, Commission Work Programme 2021 - A Union of vitality in a world of fragility, COM(2020) 690 final, 19.10.2020.
- European Commission, Commission Work Programme 2022 - Making Europe stronger together, COM(2021) 645 final, 19.10.2021.
- European Commission, First report on application and functioning of the Data Protection Law Enforcement Directive (EU) 2016/680 (‘LED’), 25.07.2022.
- European Commission, Commission Work Programme 2023 - A Union standing firm and united, COM(2022) 548 final, 18.10.2022.
- European Commission, Commission Work Programme 2024 - Delivering today and preparing for tomorrow, COM(2023) 638 final, 17.10.2023.
Further reading:
- Fundamental rights review of EU data collection instruments and programmes, Final report, Fondazione Giacomo Brodolini (see in particular chapter 6. Compliance with Directive 680/2016, p.92)
Author: Katrien Luyten, Members' Research Service, legislative-train@europarl.europa.eu