Personal data protection: processing of data for the purposes of prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, and free movement of data  
2012/0010(COD) - 08/04/2016  

The Council adopted its position at first reading with a view to the adoption of a Directive of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. It is part of a series of measures on data protection, which also includes a General Data Protection Regulation, and aims to replace Council Framework Decision 2008/977/JHA.

The objective of the draft directive is to ensure effective judicial cooperation in criminal matters and police cooperation and facilitate the exchange of personal data between competent authorities of the Member States while guaranteeing a consistent high level of protection of the personal data of natural persons.

The Council position at first reading maintains the objectives of the Framework Decision, notably the minimum harmonisation principle from the Framework Decision. It contains clearer and more specific provisions on most of the provisions in the Framework Decision, in particular the provisions on transfers to third countries or international organisations. Furthermore, it aligns the text of the draft directive to that of the draft regulation on a number of provisions. This is particularly the case with regard to definitions, the principles, the Chapter on the controller and processor, the adequacy decisions as well as the Chapter on independent supervisory authorities.

The main points of the Council position at first reading are as follows:

Scope: the material scope of the draft directive encompasses the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. The draft directive, unlike the Framework Decision 2008/977/JHA, also applies to domestic processing of personal data.

As regards the scope of bodies to which the text applies, the Council position has expanded this beyond competent public authorities to such bodies or entities that have been entrusted by Member State law to exercise authority and public powers for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. 

Principles relating to personal data: the Council position includes the notion of transparency among the recitals, while making clear that activities such as covert investigations or video surveillance will be allowed to take place. It adds that personal data should be processed in a manner that ensures appropriate security of the data, which includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Further processing: the Council position lays down that processing by the same or another controller for any of the purposes set out in the directive other than the one for which the personal data were collected is only permitted where the controller is authorised to process such personal data for such purpose in accordance with Union or Member State law and the processing is necessary and proportionate to that other purpose.

Time limits of storage and review: the Council position lays down that appropriate time limits must be established for the erasure of personal data or for a periodic review of personal data that are stored to verify if it is necessary that they are kept.

Different categories of data subjects: Member States must, where applicable and as far as possible, provide for the controller to make a clear distinction between personal data of different categories of data subjects.

Lawfulness of processing: processing of personal data is lawful only if and to the extent that processing is necessary for the performance of a task carried out by a competent authority for the purposes set out in the directive and is based on Union or Member State law.

The main rule is that personal data initially collected by a competent authority for the purposes set out in the directive may only be processed for one of the purposes in the directive.

Special categories of personal data: the Council position at first reading allows processing of such data but only where strictly necessary and on the condition that appropriate safeguards for the rights and freedoms of the data subject are adduced. In addition, such processing is allowed only where authorised in EU or Member State law to protect the vital interest of the data subject or where the processing relates to data that have manifestly been made public by the data subject.

Automated individual decision-making, including profiling: a decision based solely on automated processing, including profiling, which produces an adverse legal effect for the data subject or that significantly affects him or her, must be prohibited unless Union or Member State law authorises it and appropriate safeguards for the rights and freedoms of the data subject are adduced.

Data subjects' rights: the new rules include:

· the right to be informed, in a concise and intelligible manner, that his or her data are being processed;

· the right to have the identity and contact details of the controller and the purpose of the processing;

· the right of access to personal data and the duly justified restrictions to that right;

· the right to rectify, erase or restrict the processing of his or her personal data.

Controller and processor: the draft directive will be applied by competent authorities either domestically or when transmitting personal data between EU Member States or transferring personal data to third countries or international organisations. The provisions of the draft directive will be applied by public authorities and, under certain circumstances, private bodies.

Impact assessment: an impact assessment is necessary before the controller can carry out processing where the processing is likely to result in a high risk for the rights and freedoms of natural persons. The draft directive sets out the situations in which an impact assessment is compulsory.

Transfers: in order to exchange data with third countries and international organisations, the Council position sets out rules on transfers. When data are transmitted or made available from another Member State, that Member State must give its prior authorisation. The Council position also lays down that all provisions on transfers must be applied in order to ensure that the level of protection of natural persons guaranteed in the draft directive is not undermined.

Furthermore, it adds the possibility for competent authorities, but only those that are public authorities (and not the bodies or entities entrusted by Member State law to exercise public powers), to transfer personal data to recipients established in third countries.

Supervisory authorities: in order to ensure compliance with the rules of the draft directive, the monitoring of the draft directive, as well as of the draft regulation, will be carried out by supervisory authorities.