Personal data protection: processing of data for the purposes of prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, and free movement of data  
2012/0010(COD) - 25/01/2012  

PURPOSE: to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data while guaranteeing a high level of public safety, and to ensure the exchange of personal data between competent authorities within the Union.

PROPOSED ACT: Directive of the European Parliament and of the Council.

BACKGROUND: the centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC, was adopted in 1995 with two objectives in mind: to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States. It was complemented by several instruments providing specific data protection rules in the area of police and judicial cooperation in criminal matters (ex-third pillar), including Framework Decision 2008/977/JHA.

Framework Decision 2008/977/JHA has a limited scope of application, since it only applies to cross-border data processing and not to processing activities by the police and judiciary authorities at purely national level. The Framework Decision leaves considerable room for manoeuvre to Member States' national laws in implementing its provisions. Additionally, it does not contain any mechanism or advisory group similar to the Article 29 Working Party supporting common interpretation of its provisions, nor does it foresee any implementing powers for the Commission to ensure a common approach in its implementation.

Due to the specific nature of the field of police and judicial co-operation in criminal matters, it was acknowledged in Declaration 21 (annexed to the Final Act of the Intergovernmental Conference which adopted the Treaty of Lisbon) that specific rules on the protection of personal data and the free movement of such data in the fields of judicial co-operation in criminal matters and police co-operation based on Article 16 TFEU may prove necessary.

  • In 2010, the European Council invited the Commission to evaluate the functioning of EU instruments on data protection and to present, where necessary, further legislative and non-legislative initiatives.
  • In its resolution on the Stockholm Programme, the European Parliament welcomed a comprehensive data protection scheme in the EU and, among other things, called for the revision of the Framework Decision. The Commission stressed in its Action Plan implementing the Stockholm Programme the need to ensure that the fundamental right to personal data protection is consistently applied in the context of all EU policies. In its Communication on “A comprehensive approach on personal data protection in the European Union”, the Commission concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection.

This proposal further details the approach for the new legal framework for the protection of personal data in the EU as presented in its Communication on this issue.

The legal framework consists of two legislative proposals:

  • a proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), and
  • this proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.

IMPACT ASSESSMENT: the impact assessment was based on the three policy objectives of: (i) improving the internal market dimension of data protection, (ii) making the exercise of data protection rights by individuals more effective, and (iii) creating a comprehensive and coherent framework covering all areas of Union competence, including police co-operation and judicial co-operation in criminal matters. As regards this latter objective in particular, two policy options were assessed:

  • a first one basically extending the scope of data protection rules in this area and addressing the gaps and other issues raised by the Framework Decision,
  • and a second more far-reaching one with very prescriptive and stringent rules, which would also entail the immediate amendment of all other "former third pillar" instruments.

A third "minimalistic" option based largely on interpretative Communications and policy support measures, such as funding programmes and technical tools, with minimum legislative intervention, was not considered appropriate to address the issues identified in this area in relation to data protection.

The analysis of the overall impact led to the development of the preferred policy option, which is incorporated in the present proposal. According to the assessment, its implementation will further strengthen data protection in this policy area, in particular by including domestic data processing, thereby also enhancing legal certainty for competent authorities in the areas of judicial co-operation in criminal matters and police co-operation.

LEGAL BASIS: Article 16(2) of the Treaty on the Functioning of the European Union (TFEU).

CONTENT: the proposed Directive repeals Framework Decision 2008/977/JHA. It defines the rules relating to processing of personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and sets out the Directive's two-fold objective, i.e. to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data while guaranteeing a high level of public safety, and to ensure the exchange of personal data between competent authorities within the Union. It defines the scope of application of the Directive. The scope of the Directive is not limited to cross-border data processing but applies to all processing activities carried out by 'competent authorities' as defined in the Directive.

Principles: the proposal sets out the principles relating to processing of personal data and requires the distinction, as far as possible, between personal data of different categories of data subjects. It sets out the grounds for lawful processing: when necessary for the performance of a task carried out by a competent authority based on national law, to comply with a legal obligation to which the data controller is subject, in order to protect the vital interests of the data subject or another person, or to prevent an immediate and serious threat to public security.

The proposed Directive sets out a general prohibition of processing special categories of personal data and the exceptions from this general rule. It establishes a prohibition of measures based solely on automated processing of personal data if not authorised by law providing appropriate safeguards.

Rights of the data subject: the proposal introduces the obligation for Member States to ensure easily accessible and understandable information, and to oblige controllers to provide procedures and mechanisms for facilitating the exercise of the data subject's rights. This includes the requirement that the exercise of the rights shall be in principle free of charge. It specifies the obligation for Member States to ensure that information is provided to the data subject. It also provides the obligation for Member States to ensure the data subject's right of access to their personal data.

The proposal provides that Member States may adopt legislative measures restricting the right of access if required by the specific nature of data processing in the areas of police and criminal justice, and covers informing the data subject of a restriction of access.

Provisions on the rectification, erasure and restriction of processing in judicial proceedings provide clarification based on Article 4(4) of Framework Decision 2008/977/JHA.

Controller and processor: the proposal sets out that the Member States must ensure the compliance of the controller with the obligations arising from the principles of data protection by design and by default. It clarifies the position and obligation of processors, and adds new elements, including that a processor that processes data beyond the controller's instructions is to be considered a co-controller. It introduces the obligation for controllers and processors to maintain documentation of all processing systems and procedures under their responsibility.

Data security: the Article on the security of processing is based on the current Article 17(1) of Directive 95/46 on the security of processing, and Article 22 of Framework Decision 2008/977/JHA, extending the related obligations to processors, irrespective of their contract with the controller.

The proposal introduces an obligation to notify personal data breaches, inspired by the personal data breach notification, clarifying and separating the obligations to notify the supervisory authority and to communicate, in qualified circumstances, to the data subject. It also provides for exemptions on the grounds set out in the Directive.

Data Protection Officer: the proposal introduces an obligation for the controller to appoint a mandatory data protection officer who should fulfil the tasks listed in the Directive. Where several competent authorities are acting under the supervision of a central authority, functioning as controller, at least this central authority should designate such a data protection officer.

Transfer of personal data to third countries or international organisations: transfers to third countries may take place only if the transfer is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

The proposal lays down that transfers may take place to a third country in relation to which the Commission has adopted a decision on the adequacy of the level of protection or, in the absence of such decisions, where appropriate safeguards are in place. It furthermore sets out the criteria for the Commission’s assessment of an adequate or not adequate level of protection, and expressly includes the rule of law, judicial redress and independent supervision. It also provides for the possibility for the Commission to assess the level of protection afforded by a territory or a processing sector within a third country.

In addition, the proposed Directive:

  • defines the appropriate safeguards needed prior to international transfers, in the absence of a Commission adequacy decision. These safeguards may be adduced by a legally binding instrument such as an international agreement. Alternatively, the data controller may on the basis of an assessment of the circumstances surrounding the transfer conclude that they exist;
  • spells out the derogations for data transfer;
  • obliges Member States to provide that the controller informs the recipient of any processing restrictions and takes all reasonable steps to ensure that these restrictions are met by recipients of the personal data in the third country or international organisation;
  • explicitly provides for international co-operation mechanisms for the protection of personal data between the Commission and the supervisory authorities of third countries.

Independent national supervisory authorities: the proposal obliges Member States to establish supervisory authorities, which may be the supervisory authority established under the General Data Protection Regulation, and to enlarge the mission of these authorities to contribute to the consistent application of the Directive throughout the Union. It clarifies the conditions for the independence of supervisory authorities, implementing case law of the Court of Justice.

It sets out the competence of the supervisory authorities. It obliges Member States to provide for the duties of the supervisory authority, including hearing and investigating complaints and promoting the awareness of the public on risk, rules, safeguards and rights. A particular duty of the supervisory authorities in the context of this Directive is, where direct access is refused or restricted, to exercise the right of access on behalf of data subjects and to check the lawfulness of the data processing.

Co-operation: the proposal introduces rules on mandatory mutual assistance. It provides that the European Data Protection Advisory Board, established by the General Data Protection Regulation, exercises its tasks also in relation to processing activities within the scope of this Directive.

Remedies, liability and sanctions: the proposal provides: (i) for the right of any data subject to lodge a complaint with a supervisory authority; (ii) for the bodies, organisations or associations which may lodge a complaint on behalf of the data subject and also, in case of a personal data breach, independently of a data subject's complaint; (iii) for the right to a judicial remedy against a supervisory authority; (iv) that the data subject may launch a court action to oblige the supervisory authority to act on a complaint; (v) for the right to a judicial remedy against a controller or processor; (vi) for the introduction of common rules for court proceedings, including the rights of bodies, organisations or associations to represent data subjects before the courts, and the right of supervisory authorities to engage in legal proceedings; (vii) for the Member States to provide for the right to compensation and lay down rules on penalties, to sanction infringements of the Directive, and to ensure their implementation.

BUDGETARY IMPLICATIONS: the specific budgetary implications of the proposal relate to the tasks allocated to the European Data Protection Supervisor as specified in the legislative financial statements accompanying this proposal. These implications require reprogramming of Heading 5 of the Financial Perspective. The total appropriations are estimated at EUR 24.339 million for 2014-2020. The proposal has no implications on operational expenditure.

DELEGATED ACTS: this proposal contains provisions empowering the Commission to adopt delegated acts in accordance with Article 290 of the Treaty on the Functioning of the European Union.