The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Cornelia ERNST (The Left, DE) on the proposal for a regulation of the European Parliament and of the Council amending Council Decision 2009/917/JHA, as regards its alignment with Union rules on the protection of personal data.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

Role of the European Data Protection Supervisor

The amended text clarifies the role of the European Data Protection Supervisor. It should:

- be responsible for monitoring the processing of personal data under this Regulation by the Commission and for ensuring that it is carried out in accordance with this Regulation;

- carry out an audit of the processing of personal data by the Commission under this Regulation in accordance with international auditing standards at least every three years. A report on that audit should be sent to the European Parliament, to the Council, to the Commission and to the national supervisory authorities.

The European Data Protection Supervisor and the national supervisory authorities, each acting within the scope of their respective competences, should cooperate actively within the framework of their responsibilities to ensure coordinated supervision.

Retention of data

To ensure the optimal preservation of the data while reducing the administrative burden for the competent authorities, the procedure governing the retention of personal data in the Customs Information System should be simplified by removing the obligation to review data annually and by setting as a general rule a maximum retention period of three years which can be increased, subject to justification, by an additional period of two years. That retention period is necessary and proportionate in view of the typical length of criminal proceedings and the need for the data for the conduct of joint customs operations and of investigations.

PURPOSE: to bring the rules governing data protection in Council Decision 2009/917/JHA into line with the principles and rules laid down by the Data Protection Law Enforcement Directive (LED).

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: Council Decision 2009/917/JHA on the use of information technology for customs purposes establishes the Customs Information to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and increase the effectiveness of the customs administrations. In order to ensure a consistent approach to the protection of personal data in the Union, that Decision should be amended to align it with Directive (EU) 2016/680 on data protection in law enforcement.

Under Directive (EU) 2016/680, the Commission was required to review, by 6 May 2019 at the latest, other EU legal acts that regulate competent authorities’ personal data processing for law enforcement purposes, in order to assess the need to align them with the LED and, where appropriate, to make proposals for amending them to ensure consistency in the protection of personal data within the scope of the LED.

The proposal follows the results of the review carried out by the Commission under the Data Protection Law Enforcement Directive, as presented in the 2020 Communication entitled ‘The way forward on aligning the former third pillar acquis with data protection rules’.

CONTENT: the proposal aims to bring the rules governing data protection in Council Decision 2009/917/JHA into line with the principles and rules laid down in the Directive on data protection in the field of law enforcement in order to establish a solid and coherent framework for the protection of personal data in the Union.

The proposed amendments aim to:

- replace the concept of ‘serious contraventions of national laws’ by the reference to ‘criminal offences under national laws’, so as to increase clarity whilst aligning with the LED;

- clarify the respective roles of the Commission and of the Member States with regard to the personal data;

- replace the reference to the list of certain categories of personal data that cannot be entered into the system under Framework Decision 2008/977/JHA by a reference to the corresponding list under the LED;

- clarify the conditions for collecting and recording the personal data and require that the personal data may be entered into the CIS only if there are reasonable grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit one of the criminal offences under national laws covered;

- clarify the conditions in which access to the CIS by international or regional organisations may be permitted under the LED;

- restrict the subsequent processing of personal data recorded in the CIS, in line with the principle of purpose limitation as regulated under the LED;

- clarify the conditions in which non-personal data can be processed for other purposes and the clarify the conditions in which the transmissions and international transfers of personal data and non-personal data can take place;

- introduce a maximum retention period for personal data of five years, in line with the Directive on data protection in law enforcement, and simplify the previous procedure;

- update the general reference to Framework Decision 2008/977/JHA with the reference to the Directive on data protection in the field of law enforcement.