The purpose of this report is to take stock of the situation more than four years after the adoption of Council Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (the “Prüm Decision”) and more than one year after the deadline of 26 August 2011 for its full implementation. Originally, this report was meant not only to assess implementation but also to reflect on recommendations for further development of the instrument but, since implementation is lagging behind considerably, the Commission decided not to consider further developments before full implementation .

Although the experiences of “operational” Member States (that can exchange certain types of data in automated form, in accordance with a Council Decision) have proven the added value of the instrument, some problems of a technical and funding nature have emerged. The Commission emphasises the need for political will and appropriate prioritisation to overcome barriers at national level .

State of implementation:

(a) DNA data: four Member States (EL, IE, IT and UK) still need to step up their efforts significantly.

(b) Fingerprints: the area of fingerprint data has the highest number of Member States seriously lagging behind. For six Member States (EL, IE, IT, PL, PT and UK), it remains unclear when they will go operational according to the information available to the Commission.

(c) Vehicle Registration Data (VRD): only 13 Member States were operational in the area of VRD. However, fast progress can be expected for a number of additional Member States. Another 4 have passed or are ready for Council evaluation, and for 7 serious efforts can be observed. Only 3 Member States (EL, PT, UK) either have not undertaken any noteworthy activities or are encountering lasting difficulties.

(d) Police cooperation and information exchange (Chapters 3 to 5): all Member States except one have designated national contact points under Chapters 3 (major events) and 4 (measures to prevent terrorist offences). Therefore it can be assumed that they have functionally implemented these chapters. As regards Chapter 5, five Member States replied to the questionnaire that legal or administrative provisions were not yet in place.

(e) Data protection provisions: as at 31 October 2012, four Member States (DK, EL, IE and IT) had not yet submitted the reply to this questionnaire. At the same time, only IT and EL had not yet complied with the requirement to indicate the independent data protection authority responsible for the Prüm data exchange.

CNS/2004/0812

the automated transfer of DNA profiles, dactyloscopic data and certain national vehicle registration data; the supply of data in connection with major events with a cross-border dimension; the supply of information in order to prevent terrorist offences; stepping up cross-border police cooperation.

For the purposes of the supply of data, each Member State shall designate a national contact point. The powers of the national contact points shall be governed by the applicable national law.

In order to step up police cooperation, the competent authorities designated by the Member States may, in maintaining public order and security and preventing criminal offences, introduce joint patrols and other joint operations in which designated officers or other officials (officers) from other Member States participate in operations within a Member State's territory. Officers from a seconding Member State who are involved in a joint operation within another Member State's territory may wear their own national uniforms there.

Member States' competent authorities shall provide one another with mutual assistance, in compliance with national law, in connection with mass gatherings and similar major events, disasters and serious accidents, by seeking to prevent criminal offences and maintain public order and security.

As regards the data protection provisions contained in this Decision, Member States shall ensure that the level of data protection is not lower than the protection laid down in the Council of Europe Convention for the Protection of Individuals with regard to automatic Processing of Personal Data of 28 January 1981 and its additional Protocol of 8 November 2001 and takes account of Recommendation No R (87) 15 of 17 September 1987 of the Committee of Ministers to Member States regulating the use of personal data in the police sector, also where data are not processed automatically.

The Council also adopted a decision on the implementation of the Prüm decision (see CNS/2007/0804 ). This implementing decision lays down administrative and technical provisions as regards in particular the automated exchange of DNA data, dactyloscopic data and vehicle registration data, and other forms of cooperation.

APPLICATION: 26/08/2008.

Implementation: Member States shall take the necessary measures to comply with the provisions of this Decision within one year of this Decision taking effect, with the exception of the provisions of Chapter 2 (on-line access and follow-up requests) with respect to which the necessary measures shall be taken within three years of this Decision and the Council Decision on the implementation of this Decision taking effect.

The Council reached a general approach on a decision laying down the necessary administrative and technical provisions for the implementation of a decision on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (the "Prum decision").

The "Prum decision", agreed by the Council in June 2007, is designed to improve the exchange of information between the authorities responsible for the prevention and investigation of criminal offences.

To this end, the decision contains rules in the following areas:

on the conditions and procedure for the automated transfer of DNA profiles, dactyloscopic data and certain national vehicle registration data; on the conditions for the supply of data in connection with major events with a crossborder dimension; on the conditions for the supply of information in order to prevent terrorist offences; on the conditions and procedure for stepping up cross-border police cooperation through various measures.

The implementing decision establishes those common provisions which are indispensable for administrative and technical implementation of the forms of cooperation set out in the Prum decision, especially for automated exchange of DNA data, dactyloscopic data and vehicle registration data

The European Parliament adopted a resolution drafted by Fausto CORREIA (PES, PT) and amended the initiative by 15 Member States on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime. The amendments were made to ensure that the supplying of data is not made automatically but only when necessary and proportionate, and based on particular circumstances that give reasons to believe that criminal offences will be committed.

The main amendments were as follows:

- following the opinion of the Legal Affairs Committee, Parliament felt that the legal basis should be changed so that the proposed decision (whose legal basis is Article 34(2)(c) of the TEU) would become a framework decision based on Article 34(2)(b). This would mean that it would be binding upon the Member States and would entail approximation of their laws and regulations;

- Parliament introduced an amendment to ensure that data collected under this Decision will not be transferred or made available to a third country or to any international organisation. This article is particularly relevant taking into account recent transatlantic disagreements regarding data exchange in the frame of security and fight against terrorism (PNR, cooperation on CIA extraordinary renditions);

- By means of this Framework Decision, the Member States intend to step up cross-border cooperation in matters covered by Title VI of the EU Treaty, particularly the exchange of information between agencies responsible for the prevention and investigation of criminal offences as listed in Article 2 of Council Framework Decision 2002/584/JHA on the European arrest warrant and the surrender procedures between Member States as well as in Articles 1 to 4 of Council Framework Decision 2002/475/JHA on combating terrorism;

- Parliament inserted definitions for several terms, including “criminal offences”, “terrorist offences” and “processing of personal data”. It defined "personal data" as any information relating to an identified or identifiable natural person ('data subject'); an "identifiable person" means a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical or physiological identity;

- a new article provided for Member States to make a clear distinction between the personal data of various categories of persons (e.g. those suspected of having committed or taken part in a criminal offence, those convicted of a criminal offence, those who have been the victim of a criminal offence, etc.); - a new article states that the collection of cellular material for a particular individual who is suspected of having committed such a criminal offence, shall take place only on the basis of national law and only for a specific purpose and shall meet the requirements of necessity and proportionality; - special categories of data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, party or trade union membership, sexual orientation or health shall be processed only if absolutely necessary and proportionate for the purpose of a specific case and in compliance with specific safeguards;

- a new Article states that Member States shall adopt suitable measures to ensure the full implementation of the provisions of Chapter 6 (General Provisions on Data Protection) and shall lay down effective, proportionate and dissuasive sanctions to be imposed in the event of infringement, notably of those provisions aimed at ensuring the confidentiality and security of personal data processing; - the supplying of data in connection with major events with a cross-border dimension should be done only when necessary and proportionate and based on particular circumstances that give reason to believe that criminal offences will be committed;

- personal data may be processed only for the purposes specified. The data supplied shall be deleted without delay once the purposes specified have been achieved or can no longer be achieved, and in any event after no more than two years from the date of supply. Recorded data in general will be kept for three years, rather than two years;

- Parliament incorporated into the proposal two articles of the Prüm Convention (signed between Belgium, Germany, Spain, France, Luxembourg, the Netherlands and Austria). These dealt with " measures in the event of imminent danger " and " cooperation on request ", with the aim of ensuring more efficient police cooperation in border areas. In urgent situations, officers from one Member State may, without the prior consent of another Member State cross the border between the two States so that, within an area of the host Member State's territory close to the border and in compliance with the host Member State's national law, they may take any provisional measures necessary to avert an imminent danger to the physical integrity of individuals. In that case, officers will immediately inform the host Member State of their presence. It will be the host Member State who will assume responsibility for the measures taken by the officers crossing the border;

- officers from a seconding Member State who are involved in a joint operation in another Member State's territory shall wear their own national uniforms. A common distinctive sign must be carried by all members of the joint operation. The host Member State must deliver an accreditation document to the seconding Member States" officers, including the name, rank and a digitised photograph of the officer;

- the Council shall carry out an evaluation of the administrative, technical and financial application and implementation of the Framework Decision every two years. The modalities of the automated searching and comparison of DNA and dactyloscopic data shall be evaluated six months after the date on which the Framework Decision takes effect. For vehicle registration data, this first evaluation shall take place three months after that date. Evaluation reports shall be transmitted to the European Parliament and the Commission.

The committee adopted the report by Fausto CORREIA (PES, PT) amending - under the consultation procedure - the initiative by 15 Member States on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime. The main amendments were as follows:

- following the opinion of the Legal Affairs Committee, the committee felt that the legal basis should be changed so that the proposed decision (whose legal basis is Article 34(2)(c) of the TEU) would become a framework decision based on Article 34(2)(b). This would mean that it would be binding upon the Member States and would entail approximation of their laws and regulations;

- the scope of the framework decision should be restricted to criminal offences as listed in the 2002 Framework Decision on the European Arrest Warrant and the surrender procedures between Member States as well as in the 2002 Framework Decision on combating terrorism;

- the committee introduced a definition of "personal data", meaning "any information relating to an identified or identifiable natural person ('data subject'); an "identifiable person" means a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical or physiological identity";

- a new article provided for Member States to make a "clear distinction" between the personal data of various categories of persons (e.g. those suspected of having committed or taken part in a criminal offence, those convicted of a criminal offence, those who have been the victim of a criminal offence, etc.);

- the exchange of personal information between Member States in connection with major events with a cross-border dimension is permitted "when necessary and proportionate in a democratic society, for a specific purpose and on a case-by-case basis";

- the committee incorporated into the proposal two articles (25 and 27) of the Prüm Convention (signed between Belgium, Germany, Spain, France, Luxembourg, the Netherlands and Austria). These dealt with "measures in the event of imminent danger" and "cooperation on request", with the aim of ensuring more efficient police cooperation in border areas;

- a new article specified that the collection of cellular material "shall take place only on the basis of national law and only for a specific purpose and shall meet the requirements of necessity and proportionality";

- special categories of data concerning "racial or ethnic origin, political opinions, religious or philosophical beliefs, party or trade union membership, sexual orientation or health" should be processed "only if absolutely necessary and proportionate for the purpose of a specific case and in compliance with specific safeguards";

- a maximim period of two years should be laid down for the retention of data, except in certain cases;

- a new article provided for "effective, proportionate and dissuasive" sanctions in the event of infringements of the data protection rules;

- lastly, a new article provided for the Council to assess the administrative, technical and financial application and implementation of the Framework Decision every two years and report back to Parliament and the Commission.

Opinion of the European Data Protection Supervisor (EDPS)

This opinion will take into account the unique nature of the initiative, more specifically the fact that major amendments in the substance of the provisions are not foreseen. The EDPS will therefore focus on a number of more general issues related to the initiative and its context. The amendments the EDPS proposes mainly serve to improve the text without modifying the system of information exchange itself.

The EDPS:

welcomes that the present initiative takes a more cautious, gradual approach as a way of implementing the principle of availability. However, he regrets the fact that the initiative does not harmonise essential elements of the collection and exchange of the different kinds of data included in the initiative, needed to ensure compliance with the principles of necessity and proportionality; regrets the fact that the present initiative is taken without a proper impact assessment. He calls on the Council to include such an assessment in the adoption procedure and to examine, as part of this assessment, other possibly less privacy-intrusive policy options; supports the approach of the initiative relating to the different kinds of personal data: the more sensitive the data, the more limited the purposes for which they can be used and the more limited the access; regrets the fact that the initiative does not specify the categories of persons that will be included in the DNA databases and that it does not limit the retention period.

The EDPS believes that this Decision should not be adopted before the adoption of a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, offering an appropriate level of protection. He also believes that the provisions on data protection in Chapter 6 of the initiative do not facilitate the exchange of personal data but enhance the complexity of this exchange, in so far as they build on the traditional notion of mutual legal assistance in criminal matters.

The EDPS recommends the following amendments to the text of the initiative:

including in Article 1 a reference to Chapter 6 on data protection; including a definition of non-coding part of DNA, as well as providing for a procedure ensuring that, both today and in the future, no more information can be revealed from the non-coding part; specifying the text of article 7 (collection of cellular matters and supply of DNA profiles), taking into account that the principle of proportionality requires a more limited interpretation of this article; including a definition of personal data in Article 24; specifying in Article 24 (2) that Chapter 6 applies to the collection and processing of DNA material and fingerprints in a Member State and that also the supply of further personal data within the scope of this decision is covered; summarising article 24 (2) as follows: “the provisions (on data protection) apply to data which are or have been supplied pursuant to the decision”, deleting the provision “save as otherwise provided in the preceding Chapters”; modifying Article 30 on logging, in order to ensure that all activities relating to those data are logged; modifying Article 31 (the right to information and compensation), so as to guarantee the right to information without need for a request; including in Chapter 6 a separation of data relating to different categories of people (victims, suspects, other people whose data are included in a database); adding a sentence to Article 34 stating that the Council shall consult the EDPS before the adoption of such an implementing measure; including an evaluation clause in Chapter 7 (final provisions and implementation).

More generally, the EDPS recommends that the Council deals with the shortcomings of the initiative, either by amending the text of the initiative and/or by including these elements in a Council Framework Decision on data protection in the third pillar. In the view of the EDPS, the first option (relating to the elements mentioned in the preceding point) does not necessarily lead to a modification of the system of information exchange itself and does not contradict the intention of the 15 Member States that took the initiative not to change the essential parts of the Prüm Treaty.

PURPOSE: to combat terrorism and cross-border crimes by facilitating and strengthening cross-border cooperation through the exchange of information between agencies responsible for the prevention and the investigation of criminal offences (integration into the EU legal framework of the parts of the Prüm Treaty relating to police and judicial cooperation in criminal matters (the so-called third pillar), with the exception of the provision relating to cross-border police intervention in the event of imminent danger (Article 48)).

PROPOSED ACT: Initiative of Belgium, Bulgaria, Germany, Spain, France, Luxembourg, the Netherlands, Austria, Slovenia, Slovakia, Italy, Finland, Portugal,

Romania and Sweden for a Council Decision.

BACKGROUND: For effective international cooperation in the field of combating terrorism and cross-border crime, it is of fundamental importance that precise information may be exchanged swiftly and efficiently. The aim is to introduce procedures for promoting fast, efficient and inexpensive means of data exchange. For the joint use of data those procedures should be subject to accountability and incorporate appropriate guarantees as to the accuracy and security of the data during transmission and storage as well as procedures for recording data exchange and restrictions on the use of information exchanged. These requirements are satisfied by the Prüm Treaty of 27 May 2005 between Belgium, Germany, Spain, France, Luxembourg, the Netherlands and Austria on the stepping up of cross-border cooperation, particularly in combating terrorism, cross-border crime and illegal migration. In order that the substantive requirements of the Hague Programme can be fulfilled for all Member States and that its targets in terms of timescale can be achieved, the essential parts of the Prüm Treaty need to be made applicable to all Member States. This Council Decision should therefore be based on the main provisions of the Prüm Treaty.

CONTENT: the aim and content of the document, according to the preamble, clearly states that one of the goals of the European Union is to give citizens a high degree of security in the area of freedom, security and justice by developing common procedures among the Member States in the field of police and judicial cooperation in criminal matters. It points out that precise information for an effective international cooperation needs procedures in the Member States for "promoting fast, efficient and inexpensive means of data exchange.

The preamble goes on to explain the need for a "hit/no hit" system to enable searching Member States to access data from other Member States' national DNA analysis files and automatic dactyloscopic identification systems. Member States are to have access rights to each other's DNA analysis files. All this should be achieved by networking national databases. It is further intended that this should allow close cooperation between police authorities, including joint security operations and cross-border intervention. The preamble further refers to guaranteeing the right to privacy and the protection of personal data. Since prior checks cannot be carried out in this regard in the case of cross-border on-line access to data bases, post hoc monitoring is to be carried out. A recital makes it clear that it will be for Member States to provide for efficient implementation of all data protection rules contained in this Decision.

To this end, this proposed Decision contains rules in the following areas:

Chapter 2 : provisions on the conditions and procedure for the automated transfer of DNA profiles, dactyloscopic data and certain national vehicle registration data. All sections refer to "national contact points" competent for the supply of data and governed by the applicable national law.

Chapter 3 : provisions on the conditions for the supply of data in connection with major events with a cross-border dimension. This chapter makes it clear that the supply of non-personal data must be permitted under the supplying of the Member State's national law.

Chapter 4 : provisions on the conditions for the supply of information in order to prevent terrorist offences. It states that the supplying Member State imposes the conditions on the use made of the data by the receiving Member State - which will be bound by them - in compliance with national law.

Chapter 5 : provisions on the conditions and procedure for stepping up border police cooperation through various measures. This chapter deals with other forms of cooperation, such as joint operations, for which it is necessary to refer to what Member States' law permits and, for the rules of civil liability, to the law of the Member State in whose territory they are operating.

Chapter 6 : sets out the general provisions on data protection and makes it plain that each Member State is to guarantee a level of protection "in its national law" at least equal to that resulting from the Council of Europe Convention for the Protection of Individuals.

PURPOSE: to combat terrorism and cross-border crimes by facilitating and strengthening cross-border cooperation through the exchange of information between agencies responsible for the prevention and the investigation of criminal offences (integration into the EU legal framework of the parts of the Prüm Treaty relating to police and judicial cooperation in criminal matters (the so-called third pillar), with the exception of the provision relating to cross-border police intervention in the event of imminent danger (Article 48)).

PROPOSED ACT: Initiative of Belgium, Bulgaria, Germany, Spain, France, Luxembourg, the Netherlands, Austria, Slovenia, Slovakia, Italy, Finland, Portugal,

Romania and Sweden for a Council Decision.

BACKGROUND: For effective international cooperation in the field of combating terrorism and cross-border crime, it is of fundamental importance that precise information may be exchanged swiftly and efficiently. The aim is to introduce procedures for promoting fast, efficient and inexpensive means of data exchange. For the joint use of data those procedures should be subject to accountability and incorporate appropriate guarantees as to the accuracy and security of the data during transmission and storage as well as procedures for recording data exchange and restrictions on the use of information exchanged. These requirements are satisfied by the Prüm Treaty of 27 May 2005 between Belgium, Germany, Spain, France, Luxembourg, the Netherlands and Austria on the stepping up of cross-border cooperation, particularly in combating terrorism, cross-border crime and illegal migration. In order that the substantive requirements of the Hague Programme can be fulfilled for all Member States and that its targets in terms of timescale can be achieved, the essential parts of the Prüm Treaty need to be made applicable to all Member States. This Council Decision should therefore be based on the main provisions of the Prüm Treaty.

CONTENT: the aim and content of the document, according to the preamble, clearly states that one of the goals of the European Union is to give citizens a high degree of security in the area of freedom, security and justice by developing common procedures among the Member States in the field of police and judicial cooperation in criminal matters. It points out that precise information for an effective international cooperation needs procedures in the Member States for "promoting fast, efficient and inexpensive means of data exchange.

The preamble goes on to explain the need for a "hit/no hit" system to enable searching Member States to access data from other Member States' national DNA analysis files and automatic dactyloscopic identification systems. Member States are to have access rights to each other's DNA analysis files. All this should be achieved by networking national databases. It is further intended that this should allow close cooperation between police authorities, including joint security operations and cross-border intervention. The preamble further refers to guaranteeing the right to privacy and the protection of personal data. Since prior checks cannot be carried out in this regard in the case of cross-border on-line access to data bases, post hoc monitoring is to be carried out. A recital makes it clear that it will be for Member States to provide for efficient implementation of all data protection rules contained in this Decision.

To this end, this proposed Decision contains rules in the following areas:

Chapter 2 : provisions on the conditions and procedure for the automated transfer of DNA profiles, dactyloscopic data and certain national vehicle registration data. All sections refer to "national contact points" competent for the supply of data and governed by the applicable national law.

Chapter 3 : provisions on the conditions for the supply of data in connection with major events with a cross-border dimension. This chapter makes it clear that the supply of non-personal data must be permitted under the supplying of the Member State's national law.

Chapter 4 : provisions on the conditions for the supply of information in order to prevent terrorist offences. It states that the supplying Member State imposes the conditions on the use made of the data by the receiving Member State - which will be bound by them - in compliance with national law.

Chapter 5 : provisions on the conditions and procedure for stepping up border police cooperation through various measures. This chapter deals with other forms of cooperation, such as joint operations, for which it is necessary to refer to what Member States' law permits and, for the rules of civil liability, to the law of the Member State in whose territory they are operating.

Chapter 6 : sets out the general provisions on data protection and makes it plain that each Member State is to guarantee a level of protection "in its national law" at least equal to that resulting from the Council of Europe Convention for the Protection of Individuals.