Regulation (EU) 2018/1727 of the European Parliament and of the Council (2) established Eurojust and sets out its tasks, competence and functions.
(2)
Council Decision 2005/671/JHA (3) states that, in order to combat terrorism, it is essential for the relevant services to have the fullest and most up-to-date information possible. That Decision requires Member States’ competent authorities to provide Eurojust with information on prosecutions and convictions for terrorist offences which affect or may affect two or more Member States.
(3)
As a result of inconsistencies in the interpretation of Decision 2005/671/JHA, in some cases the information is not shared in a timely manner, information is not shared at all, or not all relevant information is shared. Eurojust needs to receive sufficient information to identify links between cross-border investigations.
(4)
Assisting the competent authorities of the Member States in ensuring the best possible coordination of investigations and prosecutions, including the identification of links between such investigations and prosecutions, is an important task of Eurojust under Regulation (EU) 2018/1727. That Regulation enables Eurojust to take a more proactive approach and to provide better services to the Member States, for example by suggesting the initiation of investigations and identifying coordination needs, cases that potentially breach the principle of ne bis in idem and prosecution gaps.
(5)
In September 2019, Eurojust set up the European Judicial Counter-Terrorism Register on the basis of Decision 2005/671/JHA with the specific objective of identifying potential links between judicial proceedings against suspects of terrorist offences and possible coordination needs stemming from such links.
(6)
The European Judicial Counter-Terrorism Register was set up after the adoption of Regulation (EU) 2018/1727, and consequently that Register is not well-integrated in the technical infrastructure of Eurojust, nor is that Register referred to in Regulation (EU) 2018/1727. Therefore, it is necessary to remedy that situation.
(7)
To combat terrorism effectively, efficient exchange of information for the investigation or prosecution of terrorist offences between competent national authorities and Union agencies is crucial. It is essential to have the most complete and up-to-date information possible.
(8)
Terrorist organisations are increasingly involved in other forms of serious crime and often form part of organised networks. Such involvement concerns serious crimes such as trafficking in human beings, drug trafficking, financial crime and money laundering. It is necessary to cross-check judicial proceedings against such serious crimes.
(9)
In order to enable Eurojust to identify links between cross-border judicial proceedings against suspects of terrorist offences as well as links between judicial proceedings against suspects of terrorist offences and information processed at Eurojust relating to other cases of serious crimes, it is essential that Eurojust receive from the competent national authorities as soon as possible, in accordance with the relevant provisions of this Regulation, the information that is necessary to enable Eurojust to identify those links by means of cross-checks.
(10)
In order to provide data to Eurojust, competent national authorities need to know exactly what kind of information they have to transmit, at what stage of the national criminal proceedings and in which cases. The competent national authorities should transmit information to Eurojust in a structured, organised, systematic and semi-automated manner. A semi-automated manner is one in which the mode used to transmit information is partly automated and partly under human control. That manner of transmission is expected to significantly increase the quality and relevance of the information Eurojust receives.
(11)
Sharing, storing and cross-checking data will significantly increase the amount of data processed by Eurojust. Those elements should be taken into account when determining, within the existing procedures and frameworks, the financial, human and technical resources required by Eurojust.
(12)
Directive (EU) 2017/541 of the European Parliament and of the Council (4), as transposed into national law, is the reference point for competent national authorities to define terrorist offences.
(13)
It is crucial to exchange reliable identification data in order for Eurojust to identify links between terrorism investigations and judicial proceedings against suspects of terrorist offences. It is also crucial for Eurojust to possess and store a set of data that ensures that individuals subject to such terrorism investigations or judicial proceedings can reliably be identified. The use of biometric data is therefore important, taking into account the uncertainties regarding alphanumerical data, especially for third-country nationals, the fact that suspects sometimes use fake or double identities, and that biometric data are often the only link to suspects in the investigative phase. Therefore, where, under national law on criminal proceedings or on procedural rights in criminal proceedings, the competent national authorities store and collect biometric data and are permitted to transmit them, those authorities should be able to exchange such data, when available, with Eurojust. Due to the sensitive nature of biometric data and the impact that processing of biometric data has on the respect for private and family life and the protection of personal data, as enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, such data should be transmitted in a way that strictly complies with the principles of necessity, proportionality and purpose limitation and only for the purpose of identifying individuals that are subject to criminal proceedings related to terrorism offences.
(14)
As information about existing links to other judicial proceedings is most useful at an early stage of the investigation, it is necessary that the competent national authorities provide information to Eurojust as soon as the case is referred to a judicial authority in accordance with national law. A case should be considered to have been referred to a judicial authority where, for instance, the judicial authority is informed of an ongoing investigation, approves or orders an investigation measure, or decides to prosecute, depending on the applicable national law. If a competent national authority is already aware of links between criminal proceedings in its Member State and criminal proceedings in another Member State, it should inform Eurojust accordingly.
(15)
Taking into account the fact that in some Member States’ legal traditions and systems a judicial authority does not supervise investigations and is only involved at later stages of proceedings, this Regulation should not prevent competent national authorities from providing information on terrorism investigations to their national members at an earlier stage in accordance with their national law.
(16)
In order to ensure the accuracy of the data in the European Judicial Counter-Terrorism Register, to identify links or ascertain the identity of a suspect as early as possible in an investigation and to ensure that time limits are respected, the competent national authorities should update the information they have provided. Such updates should include new information relating to the person under investigation, judicial decisions such as pre-trial detention, opening of court proceedings, acquittals and final decisions not to prosecute, as well as judicial cooperation requests or identified links with other jurisdictions.
(17)
The competent national authorities should not be obliged to share information on terrorist offences with Eurojust at the earliest stage where doing so would jeopardise ongoing investigations or the safety of an individual or be contrary to essential interests of the security of the Member State concerned. Such derogations from the obligation to share information should only be applied in exceptional circumstances and on a case-by-case basis. When considering whether or not to derogate from that obligation, competent national authorities should take due account of the fact that Eurojust treats the information provided by such authorities in compliance with Union law on data protection, and of the confidentiality of the judicial proceedings.
(18)
For the purposes of exchanging sensitive data between competent national authorities and Eurojust and of processing such data, secure communication channels, such as a decentralised IT system or the secure telecommunications connection referred to in Council Decision 2008/976/JHA (5), should be used in order to protect such data against unauthorised disclosure and cyber attacks. Such use should be without prejudice to future technological developments.
(19)
In order to exchange data securely and protect the integrity of the communication and data exchange, the case management system should be connected to secure communication channels and meet high cybersecurity standards. Such secure communication channels may also be used to connect the case management system with other Union information systems to the extent that the legal acts establishing those systems provide for access by Eurojust.
(20)
The decentralised IT system should enable secure data exchanges between competent national authorities and Eurojust, without any Union institution, body, office or agency being involved in the substance of such exchanges. The decentralised IT system should be comprised of IT back-end systems of Member States and Eurojust that are interconnected by interoperable access points. The access points of the decentralised IT system should be based on e-CODEX.
(21)
In order to ensure uniform conditions for the implementation of this Regulation as regards the establishment and use of the decentralised IT system for cases covered by this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (6).
(22)
The transmission of unstructured data makes manual intervention necessary, creates additional administrative burden and reduces the quality of the results of cross-checking. Therefore, competent national authorities should transmit data in a structured manner while complying with minimal interoperability requirements as defined in the European Interoperability Framework referred to in the Commission Communication of 23 March 2017 entitled ‘European Interoperability Framework – Implementation Strategy’. In addition, the transfer of data should be automated as much as possible to lessen the administrative burden on competent national authorities and to ensure that the necessary data are provided regularly and quickly.
(23)
A modernised case management system is necessary for Eurojust to process sensitive personal data securely. The new system needs to integrate and enable the functionalities of the European Judicial Counter-Terrorism Register and improve Eurojust’s ability to identify links while taking, as a rule, full advantage of existing national and Union mechanisms for comparing biometric data.
(24)
It is important to maintain the control and responsibility of the national members for the data which they receive from the competent national authorities. No operational personal data should be shared with another Member State by default. Operational personal data should only be shared in so far as competent national authorities authorise the exchange of data. In order to digitalise and speed up the follow-up on potential links while ensuring full control over the data, handling codes should be introduced.
(25)
Present-day terrorism and serious and organised crime are very dynamic and globalised phenomena, often affecting two or more Member States. Although terrorism already had a strong transnational component, the use and availability of electronic communication means that transnational collaboration between terrorist offenders has increased significantly. The transnational character of a terrorist offence may not be known when the case is referred to a judicial authority but it might be revealed during the cross-checking of data by Eurojust. The investigation or prosecution of terrorist offences therefore requires coordination and cooperation between prosecuting authorities or a prosecution on common bases, as provided for in Article 85 of the Treaty on the Functioning of the European Union (TFEU). Information on terrorism cases should be exchanged with Eurojust in a timely manner, unless the specific circumstances of the case clearly indicate that it has a purely national character.
(26)
Investigations and prosecutions in terrorism cases are often impeded by the lack of information exchange between national investigation and prosecution authorities. In order to be able to cross-check new terrorist investigations with previous investigations and identify potential links, it is necessary to ensure that the retention period for data on any previous investigations and convictions is adequate for operational activities. Therefore, it is necessary to extend the time limits for storing data in the European Judicial Counter-Terrorism Register.
(27)
The possibility to cross-check new terrorist investigations with previous investigations could identify potential links and entail the need for cooperation. Such cross-checking might reveal that a person suspected or prosecuted in an ongoing case in a Member State was suspected or prosecuted in a case concluded in another Member State. It might also identify links between ongoing investigations or prosecutions which could otherwise have been hidden. That is the case even where previous investigations ended in an acquittal or in a final decision not to prosecute. It is therefore necessary to store data on any previous investigations where appropriate, not only on convictions.
(28)
It is necessary to ensure that data from investigations that ended in an acquittal or in a final decision not to prosecute are processed for prosecution purposes only. Such data may not be used for purposes other than identifying links with ongoing investigations and prosecutions and supporting those investigations and prosecutions. Unless the competent national authority decides otherwise on a case-by-case basis, Eurojust should be able to continue to process such operational data. Where, after the decision to acquit or not to prosecute becomes final, the competent national authority decides that it is not necessary to process the data of acquitted or non-prosecuted persons, including due to the specificities of the case or the grounds for acquittal or non-prosecution, those data should be deleted.
(29)
Eurojust has concluded 12 cooperation agreements with third countries, which allow for the transfer of operational personal data and the secondment of third-country liaison prosecutors to Eurojust. Moreover, the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part (7) allows for the secondment of a liaison prosecutor. In March 2021, the Council gave the Commission a mandate to negotiate cooperation agreements between Eurojust and 13 further third states, namely Algeria, Argentina, Armenia, Bosnia and Herzegovina, Brazil, Colombia, Egypt, Israel, Jordan, Lebanon, Morocco, Tunisia and Turkey.
(30)
While Regulation (EU) 2018/1727 provides a legal basis for the cooperation and exchange of data with third countries, it does not contain any rules on the formal and technical aspects of the cooperation with third-country liaison prosecutors seconded to Eurojust, in particular as regards their access to the case management system. In the interest of legal certainty, Regulation (EU) 2018/1727 should provide an explicit legal basis for the cooperation between Eurojust and the third-country liaison prosecutors and for their access to the case management system. Eurojust should implement adequate safeguards and security measures for the protection of data and fundamental rights through the updated technical set-up and strict internal rules.
(31)
When processing operational personal data in accordance with this Regulation, Eurojust should ensure a high level of data protection. For the processing of operational personal data, Eurojust is subject to Article 3 and Chapter IX of Regulation (EU) 2018/1725 of the European Parliament and of the Council (8), as well as specific rules on the processing of operational personal data provided for in Regulation (EU) 2018/1727 as amended by Regulation (EU) 2022/838 of the European Parliament and of the Council (9) and this Regulation. Those provisions apply to the processing of all operational personal data processed by Eurojust. In particular, they apply to all operational personal data processed in the case management system, whether they are processed by national members, national correspondents, liaison prosecutors or other authorised persons in accordance with Regulation (EU) 2018/1727.
(32)
Decisions on whether and how Eurojust should support the coordination and cooperation between investigating and prosecuting authorities should remain solely with the competent authorities of the Member States concerned, subject to applicable national law, Union law or international law, comprising conventions or other international agreements on mutual assistance in criminal matters.
(33)
In the interest of legal certainty, the relationship between the exchange of information between competent national authorities on terrorism cases and Eurojust under Decision 2005/671/JHA and under Regulation (EU) 2018/1727 should be clarified. Therefore, the relevant provisions should be deleted from Decision 2005/671/JHA and should be added to Regulation (EU) 2018/1727.
(34)
While some competent national authorities are already connected to the secure telecommunications connection referred to in Article 9 of Decision 2008/976/JHA, many competent national authorities are not yet connected to that secure telecommunications connection or to secure communication channels. In order to ensure that the Member States have sufficient time to provide such a connection to the competent national authorities, a transitional period for implementation should be granted.
(35)
In accordance with Articles 1 and 2 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union (TEU) and the TFEU, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.
(36)
In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark annexed to the TEU and the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.
(37)
The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered an opinion on 26 January 2022,
