Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) - Chapter I - Article 2(e) - scope of the General Data Protection Regulation and the Data Protection Directive - Hoofdinhoud
| Documentdatum | 20-05-2015 |
|---|---|
| Publicatiedatum | 22-05-2015 |
| Kenmerk | 8745/15 |
| Van | Presidency |
| Externe link | origineel bericht |
| Originele document in PDF |  |
Council of the European Union Brussels, 20 May 2015
PUBLIC
(OR. en)
8745/15
Interinstitutional File:
2012/0011 (COD) i LIMITE
DATAPROTECT 73 JAI 280 MI 295 DIGIT 33 DAPIX 73 FREMP 100 COMIX 216 CODEC 689
NOTE
From: Presidency
To: JHA Counsellors DAPIX
No. prev. doc.: 7740/15
Subject: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection
Regulation) - Chapter I - Article 2(e) - scope of the General Data Protection Regulation and the Data Protection Directive
At the DAPIX meeting on 20 April 2015 a number of delegations supported text proposed by the
Presidency. However, a number of delegations expressed concern about the use of the term
“maintain law and order” and broadening the scope of the Directive. The DE delegation suggested that the Directive cover “the prevention of threats to public security”.
The UK delegation suggested (7979/15) to apply the Directive only to data processing falling within the scope of Chapter 4 or 5 of Title V of Part Three of TFEU. Some delegations looked positively at that suggestion while entering scrutiny reservations.
Following the DAPIX meeting on 20 April 2015 and taking into account the text suggestion made by the UK delegation, the suggestion made by the DE delegation as well as comments made by other delegations, the Presidency is suggesting two options for a new wording for Article 1 of the Data Protection Directive as well as new wording for its recital 11a.
The text in Option 1 is based on the Presidency's previous proposal and the DE suggestion to use the term “'the prevention of threats to public security'”.
The text in Option 2 is based on the UK proposal.
Since many delegations did not approve language in recital 11a on the exclusion of agencies dealing with national security, the Presidency also suggests to add a recital 11b to address that issue.
In the light of the above, delegations are invited to indicate which of the options they favour.
Option 1
Article 1 Subject matter and objectives 1. This Directive lays down the rules relating to the protection of individuals with regard to the processing of personal data by competent (…) authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and the prevention of threats to public security.
Recital 11a
(11a) The activities carried out by the police or other law enforcement authorities, are mainly focused on the prevention, investigation, detection or prosecution of criminal offences for example police activities without prior knowledge if an accident is a criminal offence or not. Those activities performed by the above-mentioned authorities also include a task conferred on the police or other law enforcement authorities where necessary to prevent threats to public security, which in each Member State should be considered as tasks aimed at preventing human behaviour which may lead to threats to fundamental interests of the society protected by the law, is contrary to social values and customary norms of society and which may lead to a criminal offence and thus allowing them to exercise authority and take coercive measures in the context of such activities, for
example police activities at demonstrations and major sporting events 1 .
Member States may entrust competent authorities with other tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or for the prevention of threats to public security, so that the processing of personal data for those other purposes falls within the scope of the General Data Protection Regulation. With regard to the processing of personal data by the competent authorities for those other purposes, Member States may maintain or introduce more specific provisions to adapt the application of the rules of the General Data Protection Regulation. Such provisions may determine more precisely specific requirements for processing of personal data by the competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. Agencies or units dealing especially with national security issues should not be considered as law
enforcement authorities. 2
Those activities of safeguarding public security, insofar as they are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences, may include activities which go beyond the scope of Chapter 4 or 5 of Title V of Part Three of the Treaty on the Functioning of the European Union (i.e judicial cooperation in criminal matters and police cooperation).
1 Cion feared that activities normally carried out by administrative authorities such as in the
area of food safety - where authorities controlled if food was poisonous, thereby constituting a criminal offence, - would then be covered by the Directive and not the Regulation - a situation unacceptable to the Cion.
2 Moved to the recital 11b.
Recital (11b) (11b) Since this Directive should not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law, agencies or units dealing especially with national security issues should not be considered as law enforcement competent authorities within the meaning of this Directive.
Recital 12 (12) In order to ensure the same level of protection for individuals through legally enforceable rights throughout the Union and to prevent divergences hampering the exchange of personal data between competent (…) authorities, the Directive should provide harmonised rules for the protection and the free movement of personal data (…) processed for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and for the purposes of maintaining law and order and the safeguarding preventing threats to public security. The approximation of Member States’ laws should not result in any lessening of the data protection they afford but should, on the contrary, seek to ensure a high level of protection within the Union. Member States should not be precluded from providing higher safeguards than those established in this Directive for the protection of the rights and freedoms of the data subject with regard to the processing of personal data by competent (…) authorities.
Option 2
Article 1 Subject matter and objectives 1. This Directive lays down the rules relating to the protection of individuals with regard to the processing of personal data by competent authorities falling within the scope of Chapter 4 or 5 of Title V of Part Three of the Treaty on the Functioning of the European Union.
Article 2 Scope
4. Member states may set conditions in national legislation relating to the protection of individuals with regard to the processing of personal data which does not fall within the scope of this Directive or of Regulation xx/xxxx.
(11) Therefore a distinct Directive should meet the specific nature of these fields and lay down the rules relating to the protection of individuals with regard to the processing of personal data falling within the scope of Chapter 4 or 5 of Title V of Part Three of the Treaty on the Functioning of the European Union by competent (…) authorities. Such competent authorities may include not only public authorities such as the judicial authorities, the police or other law enforcement authorities but also any body/entity entrusted by national law to performing public duties or exercising public powers falling within the scope of Chapter 4 or 5 of Title V of Part Three of the Treaty on the Functioning of the European Union in accordance with national law.
However where such body/entity processes personal data for other purposes than for the performance of public duties and/or the exercise of public powers falling within the scope of Chapter 4 or 5 of Title V of Part Three of the Treaty on the Functioning of the European Union, Regulation XXX applies if the processing falls within the scope of the Regulation or alternatively the processing falls outside the scope of Union law. Therefore Regulation XXX applies in cases falling within its scope where a body/entity, collects personal data for other purposes and further processes those personal data for compliance with a legal obligation to which it is subject e.g. financial institutions retain for the purpose of investigation, detection and prosecutions certain data which are processed by them, and provide those data only to the competent national authorities in specific cases and in accordance with national law. A body/entity which processes personal data on behalf of such authorities (…) within the scope of this Directive should be bound, by a contract or other legal act and the provisions applicable to processors pursuant to this Directive, while the application of Regulation XXX remains unaffected for processing activities of the processor outside the scope of this Directive.
Recital 11a
(11a) The activities carried out by the police or other law enforcement authorities may fall outside of the scope of Chapter 4 or 5 of Title V of Part Three of the Treaty on the Functioning of the European Union. Where these activities fall outside of Union law, Member States may set conditions in their national legislation relating to the protection of individuals with regard to the processing of personal data.