The European Parliament adopted by 630 votes to 1, with 6 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council amending Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data.

The proposal aims to bring the rules governing data protection in Council Decision 2009/917/JHA into line with the principles and rules laid down in the Directive on data protection in the field of law enforcement in order to establish a solid and coherent framework for the protection of personal data in the Union.

Parliament’s position adopted at first reading following the ordinary legislative procedure amended the Commission proposal as follows:

Customs Information System

It is clarified that the purpose of the Customs Information System, in accordance with this Decision, is to assist the competent authorities of the Member States with the prevention, investigation, detection or prosecution of criminal offences under national laws, by making information available more rapidly, thereby increasing the effectiveness of the cooperation and control procedures of the customs administrations of the Member States.

The Customs Information System should consist of a central database facility, accessible through terminals in each Member State. It should comprise exclusively data necessary to achieve its purpose, including personal data, in the following categories. Member States should determine the items to be entered into the Customs Information System relating to each of the categories, to the extent that this is necessary to achieve the purpose of that system.

In no case should the special categories of personal data referred to in Article 10 of Directive (EU) 2016/680 be entered into the Customs Information System.

Access to data

Direct access to data entered into the Customs Information System should be reserved to the national authorities designated by each Member State . Those national authorities should be customs administrations, but may also include other authorities competent, according to the laws, regulations and procedures of the Member State in question, to act in order to achieve the purpose of the Customs Information System.

The national authorities designated by each Member State, Europol and Eurojust may process non-personal data obtained from the Customs Information System in order to achieve the stated purpose, in compliance with any conditions imposed by the designated national authorities of the Member State which entered the non-personal data in that system.

Data obtained from the Customs Information System should only be used by national authorities in each Member State designated by the Member State in question, which are competent, in accordance with the laws, regulations and procedures of that Member State.

Transfer of data

Personal data obtained from the Customs Information System may, with the prior authorisation of, and subject to compliance with any conditions imposed by, the designated national authorities of the Member State which entered that data into that system, be:

- transmitted to, and further processed by, national authorities in accordance with Union or national law applicable to the protection of personal data; or

- transferred to, and further processed by, the competent authorities of third countries and international or regional organisations, in accordance with Union or national law applicable to the protection of personal data.

Modification of data

Subject to this Decision, where in any Member State a court, or other competent authority within that Member State, makes a final decision as to the amendment, supplementation, rectification or erasure of data in the Customs Information System, the Member States undertake mutually to enforce such a decision. In the event of conflict between such decisions of courts or of other competent authorities in different Member States, including of the national supervisory authorities, concerning rectification or erasure, the Member State which entered the data in question should erase them from that system.

Role of the European Data Protection Supervisor (EDPS)

The European Data Protection Supervisor should be responsible for monitoring the processing of personal data under this Decision by the Commission and for ensuring that it is carried out in accordance with this Decision. It should carry out an audit of the processing of personal data by the Commission under this Decision in accordance with international auditing standards at least every five years. A report on that audit should be sent to the European Parliament, to the Council, to the Commission and to the national supervisory authorities.

The European Data Protection Supervisor and the national supervisory authorities, acting within the scope of their respective competences, should cooperate actively within the framework of their responsibilities to ensure coordinated supervision of the operation of the Customs Information System.

Review

By 18 months from the date of entry into force of this Regulation, the personal data entered into the Customs Information System before the date of entry into force of this Regulation should be reviewed by the Member States which entered those data and, where necessary, updated or deleted in order to ensure that their processing complies with Decision 2009/917/JHA as amended by this Regulation.

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Cornelia ERNST (The Left, DE) on the proposal for a regulation of the European Parliament and of the Council amending Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

Role of the European Data Protection Supervisor

The amended text clarifies the role of the European Data Protection Supervisor. It should:

- be responsible for monitoring the processing of personal data under this Regulation by the Commission and for ensuring that it is carried out in accordance with this Regulation;

- carry out an audit of the processing of personal data by the Commission under this Regulation in accordance with international auditing standards at least every three years. A report on that audit should be sent to the European Parliament, to the Council, to the Commission and to the national supervisory authorities.

The European Data Protection Supervisor and the national supervisory authorities, each acting within the scope of their respective competences, should cooperate actively within the framework of their responsibilities to ensure coordinated supervision.

Retention of data

To ensure the optimal preservation of the data while reducing the administrative burden for the competent authorities, the procedure governing the retention of personal data in the Customs Information System should be simplified by removing the obligation to review data annually and by setting as a general rule a maximum retention period of three years which can be increased, subject to justification, by an additional period of two years. That retention period is necessary and proportionate in view of the typical length of criminal proceedings and the need for the data for the conduct of joint customs operations and of investigations.

PURPOSE: to bring the rules governing data protection in Council Decision 2009/917/JHA into line with the principles and rules laid down by the Data Protection Law Enforcement Directive (LED).

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: Council Decision 2009/917/JHA on the use of information technology for customs purposes establishes the Customs Information to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and increase the effectiveness of the customs administrations. In order to ensure a consistent approach to the protection of personal data in the Union, that Decision should be amended to align it with Directive (EU) 2016/680 on data protection in law enforcement.

Under Directive (EU) 2016/680, the Commission was required to review, by 6 May 2019 at the latest, other EU legal acts that regulate competent authorities’ personal data processing for law enforcement purposes, in order to assess the need to align them with the LED and, where appropriate, to make proposals for amending them to ensure consistency in the protection of personal data within the scope of the LED.

The proposal follows the results of the review carried out by the Commission under the Data Protection Law Enforcement Directive, as presented in the 2020 Communication entitled ‘The way forward on aligning the former third pillar acquis with data protection rules’.

CONTENT: the proposal aims to bring the rules governing data protection in Council Decision 2009/917/JHA into line with the principles and rules laid down in the Directive on data protection in the field of law enforcement in order to establish a solid and coherent framework for the protection of personal data in the Union.

The proposed amendments aim to:

- replace the concept of ‘serious contraventions of national laws’ by the reference to ‘criminal offences under national laws’, so as to increase clarity whilst aligning with the LED;

- clarify the respective roles of the Commission and of the Member States with regard to the personal data;

- replace the reference to the list of certain categories of personal data that cannot be entered into the system under Framework Decision 2008/977/JHA by a reference to the corresponding list under the LED;

- clarify the conditions for collecting and recording the personal data and require that the personal data may be entered into the CIS only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit one of the criminal offences under national laws covered;

- clarify the conditions in which access to the CIS by international or regional organisations may be permitted under the LED;

- restrict the subsequent processing of personal data recorded in the CIS, in line with the principle of purpose limitation as regulated under the LED;

- clarify the conditions in which non-personal data can be processed for other purposes and the clarify the conditions in which the transmissions and international transfers of personal data and non-personal data can take place;

- introduce a maximum retention period for personal data of five years, in line with the Directive on data protection in law enforcement, and simplify the previous procedure;

- update the general reference to Framework Decision 2008/977/JHA with the reference to the Directive on data protection in the field of law enforcement.