Tag Archives: Cross-frontier data flow

Stepping up cross-border cooperation

Outline of the Community (European Union) legislation about Stepping up cross-border cooperation

Stepping up cross-border cooperation (Prüm Decision)

Document or Initiative

Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime.

Summary

The purpose of this decision is to step up cross-border police and judicial cooperation between European Union (EU) countries in criminal matters. In particular, it aims to improve the exchanges of information between the authorities responsible for the prevention and investigation of criminal offences. The decision sets out provisions with regard to:

  • the automated access to DNA profiles *, dactyloscopic data * and certain national vehicle registration data;
  • supply of data in relation to major events;
  • supply of information in order to prevent terrorist offences;
  • other measures for stepping up cross-border police cooperation.

Establishment of national databases and automated access to data

EU countries are to establish national DNA analysis files for the purpose of investigating criminal offences. Reference data, consisting of the non-coding part of the DNA * and of a reference number that does not enable an individual to be identified, must be made available to other EU countries to carry out automated searches *. These searches are performed via national contact points by comparing DNA profiles, but only on the basis of individual cases and in a hit/no-hit * manner. If the search provides a match, the national contact point carrying out the search receives the reference data in an automated manner. If no profile is found for a particular individual who is under investigation or against whom criminal proceedings have been brought, the requested EU country may be obliged to establish a DNA profile for that individual.

EU countries must also make available reference data from the national automated fingerprint identification systems (AFIS). For this purpose, the reference data will consist only of dactyloscopic data and a reference number. The searches are carried out by comparing dactyloscopic data and, similarly to DNA searches, only in individual cases on a hit/no-hit basis. Confirmation of the match is conducted by the national contact point of the requesting EU country. Supply of further available personal data for matching DNA or dactyloscopic data and other information relating to the reference data is governed by national law, including the mutual legal assistance (MLA) in the requested EU country.

The national contact points shall also be given access to certain national vehicle registration data via automated online searches. These searches may only be conducted with a full chassis or registration number.

Supply of data in relation to major events

In relation to any major events that have a cross-border dimension, EU countries must provide each other non-personal data via their national contact points, as required for the purpose of preventing criminal offences and maintaining public order and security. Personal data may be supplied only if the data subjects are considered a threat to public order and security or if it is believed that they will commit criminal offences at the events. However, this data may only be used in relation to the event it was provided for and must be deleted once it has served its purpose, but no later than a year after it was supplied.

Supply of information to fight terrorism

For the purpose of preventing terrorist offences, but only in individual cases and to the extent required by the conditions leading to the supposition that criminal offences will be committed, EU countries may provide the following data to each other via the national contact points:

  • surname and first names;
  • date and place of birth;
  • description of the conditions leading to the supposition that criminal offences will be committed.

The country providing this data may impose certain binding conditions on the receiving country for the data usage.

Other measures for enhancing cross-border police cooperation

EU countries may effectuate joint patrols and other joint operations to prevent criminal offences and to maintain public order and security on a given EU country’s territory. In such cases, designated officers and officials from the seconding country participate in the hosting country’s operations. The seconding officers may be conferred executive powers, or they may be allowed to exercise their executive powers, but only under the guidance and in the presence of the host officers. The competent authority of the host country is responsible for the command and actions of the seconding officers.

With regard to mass gatherings and other comparable major events, disasters and serious accidents, EU countries are to provide mutual assistance to each other. This assistance should consist of information exchanges, coordination of police measures and contribution of material and physical resources.

An EU country must provide assistance and protection to the other country’s officers on duty, which is equivalent to that provided for its own officers.

Provisions on data protection

EU countries must guarantee that personal data processed according to this decision is protected by their national laws. Only the relevant competent authorities may process personal data. They must ensure the accuracy and current relevance of the data. Steps must be taken to rectify or delete incorrect data or data that was supplied when it should not have been. Personal data must be deleted if no longer needed for the purpose it was made available or if the storage time, as provided by national law, has expired.

The relevant authorities must take technical and organisational measures to protect personal data against destruction, loss, unauthorised access, alteration or disclosure. For the purpose of verifying the permissibility of the non-automated processing of personal data, this processing must be logged. Similarly, the automated processing of personal data must be recorded. The independent data protection authorities in EU countries are responsible for the legal examinations of the processing of personal data.

Any individual has the right to information on the data that has been processed in relation to his/her person, including information on the origin of the data, the recipients of the data and the purpose and legal basis for the processing of the data. The individual may request corrections to or the deletion of inaccurate or unlawfully processed data. If the individual’s rights with regard to data protection have been violated, he/she may lodge a complaint with an independent court or a tribunal and claim for damages or other legal compensation.

Background

The conclusions of the Tampere European Council of October 1999 asserted the need to enhance the exchange of law enforcement information between EU countries, which was further confirmed by the Hague Programme of November 2004.

The Prüm Treaty of 27 May 2005 on the stepping up of cross-border cooperation, particularly on combating terrorism, cross-border crime and illegal migration, signed between Belgium, Germany, Spain, France, Luxembourg, the Netherlands and Austria, lays down procedures for more efficient exchanges of information in the framework of criminal investigations. This decision aims to incorporate the provisions of that Treaty into the EU legal framework.

Key terms used in the act

  • Dactyloscopic data: fingerprint images, images of fingerprint latents, palm prints, palm print latents and templates of such images that are stored and dealt with in an automated database.
  • Non-coding part of DNA: chromosome regions that are not expressed genetically.
  • DNA profile: a letter or number code that represents a set of identification characteristics of the non-coding part of an analysed human DNA sample.
  • Automated searching: an online access procedure for consulting the databases of one, several, or all of the EU countries.
  • Hit/no-hit procedure: in this procedure the parties grant each other limited access to the reference data in their national DNA and fingerprint databases and the right to use these data to conduct automated checks of fingerprints and DNA profiles. The personal information related to the reference data is not available to the requesting party.

References

| Act | Entry into force | Deadline for transposition in the Member States | Official Journal |
|---|---|---|---|
| Decision 2008/615/JHA | 26.8.2008 | 26.8.2009 (26.8.2011 for Chapter 2 provisions) | OJ L 210 of 6.8.2008 |

Related Acts

Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime [Official Journal L 210 of 6.8.2008].

This decision provides the administrative and technical provisions that are indispensable for implementing Decision 2008/615/JHA. The focus is especially on the automated exchanges of DNA, dactyloscopic and vehicle registration data, as well as on other forms of cooperation. The technical provisions are set out in the annex to the decision.

Council Decision 2010/482/EU of 26 July 2010 on the conclusion of the Agreement between the European Union and Iceland and Norway on the application of certain provisions of Council Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime and Council Decision 2008/616/JHA on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime, and the Annex thereto [Official Journal L 238 of 9.9.2010].

The .eu top-level domain

Outline of the Community (European Union) legislation about The .eu top-level domain

The “.eu” top-level domain

Document or Initiative

Regulation (EC) No 733/2002 of the European Parliament and of the Council of 22 April 2002 on the implementation of the .eu Top Level Domain.

Summary

This Regulation aims to establish the conditions of implementation of the “.eu” top-level domain (TLD), and in particular to provide for the designation of a Registry and establish the general policy framework within which the Registry will function.

The creation of the “.eu” TLD is one of the objectives set out in the eEurope 2002 action plan in order to accelerate electronic commerce and promote the use of the Internet.

The “.eu” domain will be additional to, not replace, those which already exist within the EU (e.g. “.fr” for France or “.it” for Italy) and will give users the option of having a pan-European Internet identity (mainly website or e-mail addresses).

Objectives

The implementation of the “.eu” TLD meets the following objectives:

  • to promote the use of Internet networks and increase users’ choice by providing a complementary registration domain to existing country code top-level domains (ccTLDs) or global registration in the generic top-level domains;
  • to improve the interoperability of trans-European servers by ensuring the availability of .eu name servers in the EU;
  • to increase the visibility of the European internal market on the world network and promote the image of the European Union on global information networks.

Characteristics of the Registry

The European Commission is responsible for designating the Registry after publishing a call for expressions of interest in the Official Journal.

The Registry is to be a non-profit organisation, formed in accordance with the law of a Member State and established within the EU.

Obligations of the Registry

The Registry has the following tasks:

  • to register domain names in the .eu TLD through any accredited .eu Registrar requested by any company, organisation or natural person established or resident in the EU;
  • to adopt the registration policy for the .eu TLD in consultation with the Commission and other interested parties, in accordance with public policy rules;
  • to impose fees directly related to costs incurred;
  • to implement the extra-judicial settlement-of-conflicts policy in order to resolve promptly disputes between domain name holders regarding rights relating to names, as well as disputes relating to individual decisions by the Registry;
  • to adopt and implement procedures for the accreditation of .eu registrars;
  • to ensure the integrity of the databases of domain names.

Policy framework

The European Commission is responsible for adopting the public policy rules concerning the implementation and functions of the .eu TLD and the public policy principles on registration. These rules include in particular:

  • an extra-judicial settlement-of-conflicts policy;
  • public policy on speculative and abusive registration of domain names;
  • a policy on possible revocation of domain names;
  • issues of language and geographical concepts;
  • treatment of intellectual property and other rights.

Reservation of rights

The EU retains all rights relating to the “.eu” TLD including, in particular, intellectual property rights and other rights to the Registry databases.

Implementation report

The Commission will have to submit a report to the European Parliament and the Council on the implementation, effectiveness and functioning of the .eu TLD one year after the adoption of the Regulation and thereafter every two years.

References

| Act | Entry into force | Deadline for transposition in the Member States | Official Journal |
|---|---|---|---|
| Regulation (EC) No 733/2002 | 30.4.2002 | - | OJ L 113, 30.4.2002 |

| Amending act(s) | Entry into force | Deadline for transposition in the Member States | Official Journal |
|---|---|---|---|
| Regulation (EC) No 1137/2008 | 11.12.2008 | - | OJ L 311, 21.11.2008 |

Related Acts

Communication from the Commission to the European Parliament and the Council of 6 July 2007 – Report on the implementation, functioning and effectiveness of the “.eu” TLD [COM(2007) 385 final].
Two years after its launch, the “.eu” top-level domain (TLD) is an undeniable success. The report indicates that “.eu” domain names are being actively used and that they are meeting real demand among European citizens, industry and other organisations. According to EURid, more than 2.8 million .eu domains have been set up on the Internet, making “.eu” Europe’s fourth most popular TLD and the ninth most popular worldwide, after such major top-level names as “.com”, “.net” and “.info”. The challenge now is to further improve the service given to customers by, for instance, adopting a code of conduct for registrars.

Commission Regulation (EC) No 874/2004 of 28 April 2004 laying down public policy rules concerning the implementation and functions of the .eu Top Level Domain and the principles governing registration [Official Journal L 162 of 30.4.2004].
This Regulation sets out a number of elements needed to implement Regulation (EC) No 733/2002, including the contents of applications for registration, rules for accrediting registrars, procedures for languages and reserved geographical names and the speculative and abusive registration of domain names.
It also establishes a phased registration procedure and an alternative extrajudicial conflict settlement.
Applications for registration must be sent to registrars accredited by the EURid Registry designated by the Commission to manage “.eu” domain names (see below). Registrations will be made on a first come, first served basis (Article 14).

Protection of personal data

Outline of the Community (European Union) legislation about Protection of personal data

Protection of personal data

Document or Initiative

European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Official Journal L 281 of 23.11.1995] [See amending acts].

Summary

This Directive applies to data processed by automated means (e.g. a computer database of customers) and data contained in or intended to be part of non-automated filing systems (traditional paper files).

It does not apply to the processing of data:

  • by a natural person in the course of purely personal or household activities;
  • in the course of an activity which falls outside the scope of Community law, such as operations concerning public security, defence or State security.

The Directive aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down guidelines determining when this processing is lawful. The guidelines relate to:

  • the quality of the data: personal data must be processed fairly and lawfully, and collected for specified, explicit and legitimate purposes. They must also be accurate and, where necessary, kept up to date;
  • the legitimacy of data processing: personal data may be processed only if the data subject has unambiguously given his/her consent or processing is necessary:
    1. for the performance of a contract to which the data subject is party or;
    2. for compliance with a legal obligation to which the controller is subject or;
    3. in order to protect the vital interests of the data subject or;
    4. for the performance of a task carried out in the public interest or;
    5. for the purposes of the legitimate interests pursued by the controller;
  • special categories of processing: it is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, or data concerning health or sex life. This provision comes with certain qualifications concerning, for example, cases where processing is necessary to protect the vital interests of the data subject or for the purposes of preventive medicine and medical diagnosis;
  • information to be given to the data subject: the controller must provide the data subject from whom data are collected with certain information relating to himself/herself (the identity of the controller, the purposes of the processing, recipients of the data etc.);
  • the data subject’s right of access to data: every data subject should have the right to obtain from the controller:
    1. confirmation as to whether or not data relating to him/her are being processed and communication of the data undergoing processing;
    2. the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data, and the notification of these changes to third parties to whom the data have been disclosed;
  • exemptions and restrictions: the scope of the principles relating to the quality of the data, information to be given to the data subject, right of access and the publicising of processing may be restricted in order to safeguard aspects such as national security, defence, public security, the prosecution of criminal offences, an important economic or financial interest of a Member State or of the European Union or the protection of the data subject;
  • the right to object to the processing of data: the data subject should have the right to object, on legitimate grounds, to the processing of data relating to him/her. He/she should also have the right to object, on request and free of charge, to the processing of personal data that the controller anticipates being processed for the purposes of direct marketing. He/she should finally be informed before personal data are disclosed to third parties for the purposes of direct marketing, and be expressly offered the right to object to such disclosures;
  • the confidentiality and security of processing: any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller. In addition, the controller must implement appropriate measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access;
  • the notification of processing to a supervisory authority: the controller must notify the national supervisory authority before carrying out any processing operation. Prior checks to determine specific risks to the rights and freedoms of data subjects are to be carried out by the supervisory authority following receipt of the notification. Measures are to be taken to ensure that processing operations are publicised and the supervisory authorities must keep a register of the processing operations notified.

Every person shall have the right to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question. In addition, any person who has suffered damage as a result of the unlawful processing of their personal data is entitled to receive compensation for the damage suffered.

Transfers of personal data from a Member State to a third country with an adequate level of protection are authorised. However, they may not be made to a third country which does not ensure this level of protection, except in the cases of the derogations listed.

The Directive aims to encourage the drawing up of national and Community codes of conduct intended to contribute to the proper implementation of the national and Community provisions.

Each Member State is to provide one or more independent public authorities responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to the Directive.

A Working Party on the Protection of Individuals with regard to the Processing of Personal Data is set up, composed of representatives of the national supervisory authorities, representatives of the supervisory authorities of the Community institutions and bodies, and a representative of the Commission.

References

| Act | Entry into force | Deadline for transposition in the Member States | Official Journal |
|---|---|---|---|
| Directive 95/46/EC | 13.12.1995 | 24.10.1998 | OJ L 281 of 23.11.1995 |

| Amending act(s) | Entry into force | Deadline for transposition in the Member States | Official Journal |
|---|---|---|---|
| Regulation (EC) No 1882/2003 | 20.11.2003 | - | OJ L 284 of 31.10.2003 |

Successive amendments and corrections to Directive 95/46/EC have been incorporated in the basic text. This consolidated version is for reference purposes only.

Related Acts

IMPLEMENTATION REPORT

Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive [COM(2007) 87 final – Not published in the Official Journal].

This Communication examines the work done under the Work Programme for improved implementation of the Directive on data protection contained in the First report on the implementation of Directive 95/46/EC. The Commission highlights the fact that this has improved, as all Member States have now transposed the Directive. It emphasises that the Directive should not undergo any amendments at present.

It also notes that:

  • it will continue in its cooperation with the Member States and, if necessary, will launch official infringement proceedings;
  • it will prepare an interpretative communication regarding certain provisions in the Directive;
  • it will continue its implementation of the Work Programme;
  • it will present EU-level sectoral legislation if there are major technological developments in a specific area;
  • it will continue cooperating with its external partners, in particular the US.

Report from the Commission of 15 May 2003 [COM(2003) 265 final – Not published in the Official Journal]
First report on the implementation of the Data Protection Directive (95/46/EC)


The report takes stock of the consultations carried out by the Commission to evaluate Directive 95/46/EC with governments, institutions, business and consumer associations, and individual citizens. The results of the consultations show that few contributors advocated a revision of the Directive. Furthermore, after consulting the Member States, the Commission noted the fact that a majority of them and, also, of the national supervisory authorities, did not consider it necessary to amend the Directive at present.

Despite the delays and gaps in implementation, the Directive has fulfilled its principal objective of removing barriers to the free movement of personal data between the Member States. The Commission also believes that the objective of ensuring a high level of protection in the Community has been achieved since the Directive has set out some of the highest standards of data protection in the world.

Other Internal Market policy objectives have, however, been less well served. The divergences in data protection legislation are still too great between Member States, and these disparities prevent multinational organisations from developing pan-European policies on data protection. The Commission will therefore do what is required to remedy this situation whilst hoping, wherever possible, that it will not be necessary to proceed by way of formal action.

With regard to the general level of compliance with data protection law in the EU, there are three main problems:

  • an under-resourced enforcement effort;
  • very patchy compliance by data controllers;
  • an apparently low level of knowledge of their rights among data subjects, which may be at the root of the previous phenomenon.

In order to ensure the better implementation of the Data Protection Directive, the Commission has adopted a work programme comprising a number of actions which need to be taken between the adoption of this report and the end of 2004. These actions are made up of the following initiatives:

  • discussions with Member States and data protection authorities on the changes needed to bring national legislation fully in line with the requirements of the Directive;
  • association of the candidate countries with efforts to achieve a better and more uniform implementation of the Directive;
  • improving the notification of all legal acts transposing the Directive;
  • simplification of the conditions for international transfers of data;
  • promotion of privacy enhancing technologies;
  • promotion of self-regulation and European codes of conduct.

PRIVACY AND ELECTRONIC COMMUNICATIONS DIRECTIVE

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [Official Journal L 201 of 31.07.2002]

This Directive was adopted in 2002 at the same time as a new legislative framework designed to regulate the electronic communications sector. It contains provisions on a number of more or less sensitive topics, such as the Member States keeping connection data for the purposes of police surveillance (the retention of data), the sending of unsolicited e-mail, the use of cookies and the inclusion of personal data in public directories.

STANDARD CONTRACTUAL CLAUSES FOR THE TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries [Official Journal L 385 of 29.12.2004]

The European Commission has approved new standard contractual clauses which businesses can use to ensure adequate safeguards when personal data are transferred from the EU to third countries. These new clauses will be added to those which already exist under the Commission Decision of June 2001 (see below).

Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC [Official Journal L 181 of 04.07.2001]

This Decision sets out standard contractual clauses to ensure an adequate level of protection of personal data transferred from the EU to third countries. The Decision requires Member States to recognise that companies or bodies which use these standard clauses in contracts relating to the transfer of personal data to third countries ensure an “adequate level of protection” of the data.

PROTECTION OF DATA BY THE COMMUNITY INSTITUTIONS AND BODIES

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [Official Journal L 8 of 12.01.2001].

This Regulation aims at ensuring the protection of personal data within the institutions and bodies of the European Union. To this end:

  • it includes provisions which guarantee a high level of protection of personal data processed by the Community institutions and bodies; and
  • it provides for the establishment of an independent supervisory body to monitor the application of these provisions.