Regulation (EU) 2023/969 of the European Parliament and of the Council of 10 May 2023 establishing a collaboration platform to support the functioning of joint investigation teams and amending Regulation (EU) 2018/1726
Regulation (EU) 2023/969 of the European Parliament and of the Councilof 10 May 2023establishing a collaboration platform to support the functioning of joint investigation teams and amending Regulation (EU) 2018/1726THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,Having regard to the Treaty on the Functioning of the European Union, and in particular Article 82(1), second subparagraph, point (d), thereof,Having regard to the proposal from the European Commission,After transmission of the draft legislative act to the national parliaments,Acting in accordance with the ordinary legislative procedurePosition of the European Parliament of 30 March 2023 (not yet published in the Official Journal) and decision of the Council of 24 April 2023.,Whereas:(1)The Union has set itself the objective of offering its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured. At the same time, the Union should ensure that that area remains a safe place. That objective can only be achieved by more effective, coordinated cooperation of the national and international law enforcement and judicial authorities and by means of appropriate measures to prevent and combat crime, including organised crime and terrorism.(2)Achieving that objective is especially challenging where crime takes a cross-border dimension on the territory of two or more Member States and/or third countries. In such situations, Member States need to be able to join their forces and operations to allow for effective and efficient cross-border investigations and prosecutions, for which the exchange of information and evidence is crucial. One of the most successful tools for such cross-border cooperation is joint investigation teams ("JITs") that allow for direct cooperation and communication between the judicial and law enforcement authorities of two or more Member States and possibly third countries so that they can organise their actions and investigations in the most efficient manner. JITs are set up for a specific purpose and a limited period by the competent authorities of two or more Member States and possibly third countries, to carry out criminal investigations with a cross-border impact jointly.(3)JITs have proven instrumental in improving judicial cooperation in relation to the investigation and prosecution of cross-border crimes, such as cybercrime, terrorism, and serious and organised crime, by reducing time-consuming procedures and formalities between JIT members. The increased use of JITs has also enhanced the culture of cross-border cooperation in criminal matters between judicial authorities in the Union.(4)The Union acquis provides for two legal frameworks to set up JITs with the participation of at least two Member States: Article 13 of the Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European UnionOJ C 197, 12.7.2000, p. 3. and Council Framework Decision 2002/465/JHACouncil Framework Decision 2002/465/JHA of 13 June 2002 on joint investigation teams (OJ L 162, 20.6.2002, p. 1).. Third countries can be involved in JITs as Parties where there is a legal basis for such involvement, such as Article 20 of the Second Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters, signed in Strasbourg on 8 November 2001ETS No 182. and Article 5 of the Agreement on mutual legal assistance between the European Union and the United States of AmericaOJ L 181, 19.7.2003, p. 34..(5)International judicial authorities play a crucial role in the investigation and prosecution of international crimes. Their representatives may participate in a particular JIT on invitation of the JIT members based on the relevant agreement setting up a JIT ("JIT agreement"). Therefore, the exchange of information and evidence between national competent authorities and any other court, tribunal or mechanism that aims to address serious crimes of concern to the international community as a whole, in particular the International Criminal Court (ICC), should be facilitated as well. This Regulation should therefore provide access to the Information Technology (IT) platform ("JITs collaboration platform") for representatives of such international judicial authorities in order to enhance international cooperation in relation to the investigation and prosecution of international crimes.(6)There is a pressing need for a collaboration platform for JITs to communicate efficiently and to exchange information and evidence in a secure manner in order to ensure that those responsible for the gravest crimes can be swiftly held responsible. That need is underlined by the mandate of the European Union Agency for Criminal Justice Cooperation (Eurojust) established by Regulation (EU) 2018/1727 of the European Parliament and of the CouncilRegulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138)., which was amended by Regulation (EU) 2022/838 of the European Parliament and of the CouncilRegulation (EU) 2022/838 of the European Parliament and of the Council of 30 May 2022 amending Regulation (EU) 2018/1727 as regards the preservation, analysis and storage at Eurojust of evidence relating to genocide, crimes against humanity, war crimes and related criminal offences (OJ L 148, 31.5.2022, p. 1)., enabling Eurojust to preserve, analyse and store evidence relating to genocide, crimes against humanity, war crimes and related criminal offences and enabling the exchange of related evidence with competent national authorities and international judicial authorities, in particular the ICC.(7)The existing legal frameworks at Union level do not set out how the entities that participate in a JIT are to exchange information and communicate. Those entities reach an agreement on such exchange and communication on the basis of needs and available means. To fight increasingly complex and fast-evolving cross-border crime, speed, cooperation and efficiency are crucial. However, there is currently no system to support the management of JITs, to allow for more efficient evidence searching and recording, and to secure the data exchanged between those involved in a JIT. There is an evident lack of dedicated secure and effective channels to which all those involved in a JIT could have recourse and through which they could promptly exchange large volumes of information and evidence or allow for secure and effective communication. Furthermore, there is no system to support either the management of JITs, including the traceability of evidence exchanged among those involved in a JIT in a manner that is compliant with legal requirements before national courts, or the planning and coordination of operations of a JIT.(8)In light of the increasing possibilities of crime infiltrating IT systems, the current state of play could hamper the effectiveness and efficiency of cross-border investigations, as well as jeopardise and slow down such investigations and prosecutions due to the insecure and non-digital exchange of information and evidence, thereby making them more costly. The judicial and law enforcement authorities in particular need to ensure that their systems are as modern and as safe as possible and that all JIT members can connect and interact easily, independently of their national systems.(9)It is important for JIT cooperation to be improved and supported by modern IT tools. The speed and efficiency of the exchanges between those involved in a JIT could be considerably enhanced by creating a dedicated IT platform to support the functioning of JITs. Therefore, it is necessary to lay down rules establishing a JITs collaboration platform at Union level in order to help those involved in a JIT to collaborate, securely communicate and share information and evidence.(10)The JITs collaboration platform should only be used where there is, inter alia, a Union legal basis for the setting up of a JIT. For all JITs set up solely on international legal bases, the JITs collaboration platform should not be used, since it is financed by the Union budget and developed on the basis of Union legislation. However, where the competent authorities of a third country are a Party to a JIT agreement that has a Union legal basis as well as an international one, the representatives of the competent authorities of that third country should be considered to be JIT members.(11)The use of the JITs collaboration platform should be on a voluntary basis. However, in view of its added value for cross-border investigations, its use is strongly encouraged. The use or non-use of the JITs collaboration platform should not prejudice or affect the legality of other forms of communication or exchange of information, nor should it change the way in which the JITs are set up, are organised or function. The establishment of the JITs collaboration platform should not have an impact on the underlying legal bases for the setting up of JITs, nor should it affect the applicable national procedural legislation regarding the collection and use of the obtained evidence. Officials from other national competent authorities, such as customs, where they are members of JITs set up pursuant to Framework Decision 2002/465/JHA, should be able to have access to the JIT collaboration spaces. The JITs collaboration platform should only provide a secure IT tool to improve cooperation, accelerate the flow of information between its users and increase the security of the data exchanged and the effectiveness of the JITs.(12)The JITs collaboration platform should cover the operational and post-operational phases of a JIT from the moment that the relevant JIT agreement is signed until the JIT evaluation has been completed. Due to the fact that the actors participating in the JIT set-up process are different from the actors who are members of a JIT once it is established, the process of setting up a JIT, especially the negotiation of the content and the signature of the JIT agreement, should not be managed through the JITs collaboration platform. However, given the need for an electronic tool to support the process of signing a JIT agreement, it is important for the Commission to consider covering that process by the e-Evidence Digital Exchange System (eEDES), which is a secure online portal for electronic requests and responses developed by the Commission.(13)For each JIT that uses the JITs collaboration platform, the JIT members should be encouraged to conduct an evaluation of the JIT, either during the operational phase of the JIT or following its closure, using the tools provided for by the JITs collaboration platform.(14)A JIT agreement, including any appendices, should be a prerequisite for the use of the JITs collaboration platform. The content of all future JIT agreements should be adapted to take into account the relevant provisions of this Regulation.(15)The network of national experts on JITs, which was formed in 2005 ("JITs Network"), developed a model agreement which includes appendices, in order to facilitate the setting up of JITs. The content of the model agreement and its appendices should be adapted to take into account the decision to use the JITs collaboration platform and the rules for access to the JITs collaboration platform.(16)From an operational perspective, the JITs collaboration platform should be composed of isolated JIT collaboration spaces created for each individual JIT hosted by the JITs collaboration platform.(17)From a technical perspective, the JITs collaboration platform should be accessible via a secure connection over the internet and should be composed of a centralised information system, accessible through a secure web portal, communication software for mobile and desktop devices, including an advanced logging and tracking mechanism, and a connection between the centralised information system and the relevant IT tools that support the functioning of JITs and that are managed by the JITs Network Secretariat.(18)The purpose of the JITs collaboration platform should be to facilitate the coordination and management of a JIT. The JITs collaboration platform should ensure the exchange and temporary storage of operational information and evidence, provide secure communication, provide for evidence traceability and support the process of the evaluation of a JIT. All those involved in a JIT should be encouraged to use all functionalities of the JITs collaboration platform and to replace insofar as possible the communication and data exchange channels which are currently used with those of the JITs collaboration platform.(19)The coordination and exchange of data between Union agencies and bodies in the area of freedom, security and justice that are involved in judicial cooperation and JIT members is key in ensuring a coordinated Union response to criminal activities and in providing crucial support to Member States in tackling crime. The JITs collaboration platform should complement existing tools that allow for the secure exchange of data among judicial and law enforcement authorities, such as the Secure Information Exchange Network Application (SIENA) managed by the European Union Agency for Law Enforcement Cooperation (Europol) established by Regulation (EU) 2016/794 of the European Parliament and of the CouncilRegulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53)..(20)Communication-related functionalities of the JITs collaboration platform should be provided by state-of-the-art software that allows for non-traceable communication to be stored locally on the devices of the JITs collaboration platform users.(21)A proper functionality that allows the exchange of operational information and evidence, including large files, should be ensured through an upload/download mechanism designed to store the data centrally only for the limited period of time necessary for the technical transfer of the data. As soon as the data are downloaded by all addressees, they should be automatically and permanently erased from the JITs collaboration platform.(22)Given its experience with managing large-scale systems in the area of justice and home affairs, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) established by Regulation (EU) 2018/1726 of the European Parliament and of the CouncilRegulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99). should be entrusted with the task of designing, developing and operating the JITs collaboration platform, making use of the existing functionalities of SIENA and other functionalities at Europol to ensure complementarity and, where appropriate, connectivity. Therefore, eu-LISA’s mandate should be amended to reflect those new tasks and eu-LISA should be provided with the appropriate funding and staffing to meet its responsibilities under this Regulation. In that regard, rules should be established on the responsibilities of eu-LISA, as the agency entrusted with the development, technical operation and maintenance of the JITs collaboration platform.(23)eu-LISA should ensure that data held by law enforcement authorities could, where necessary, easily be transmitted from SIENA to the JITs collaboration platform. To that end, a report should be submitted by the Commission to the European Parliament and to the Council assessing the necessity, feasibility and suitability of a connection of the JITs collaboration platform with SIENA. That report should contain the conditions, technical specifications and procedures that ensure a secure and efficient connection and data exchange. The assessment should take into account the high level of data protection needed for such a connection, based on the existing Union and national data protection legal framework, such as Directive (EU) 2016/680 of the European Parliament and of the CouncilDirective (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89)., Regulation (EU) 2018/1725 of the European Parliament and of the CouncilRegulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). and the rules applicable to relevant Union bodies, offices or agencies in the legal acts establishing them. The protection level of data that will be exchanged through the JITs collaboration platform, namely sensitive and non-classified data, should be taken into account. In accordance with Regulation (EU) 2018/1725, the Commission should also consult the European Data Protection Supervisor prior to submitting that report to the European Parliament and Council with regard to the impact on the protection of individuals’ rights and freedoms stemming from the envisaged processing of personal data.(24)Since the formation of the JITs Network in 2005, the JITs Network Secretariat supports the work of the JITs Network by organising annual meetings and training activities, by collecting and analysing evaluations of the individual JITs and by managing Eurojust’s JIT funding programme. Since 2011, the JITs Network Secretariat has been hosted by Eurojust as a separate unit. Eurojust should be provided with appropriate staff allocated to the JITs Network Secretariat in order to allow the JITs Network Secretariat to support JITs collaboration platform users in the practical application of the JITs collaboration platform, to provide day-to-day guidance and assistance, to design and provide training courses and to raise awareness and promote the use of the JITs collaboration platform.(25)Given the currently existing IT tools supporting operations of JITs, which are hosted at Eurojust and managed by the JITs Network Secretariat, it is necessary to connect the JITs collaboration platform with those IT tools, in order to facilitate the management of JITs. To that end, Eurojust should ensure the necessary technical adaptation of its systems in order to establish such a connection. Eurojust should also be provided with the appropriate funding and staffing to meet its responsibilities in that regard.(26)During the operational phase of a JIT, Eurojust and Europol provide valuable operational support to JIT members by offering a wide range of supporting tools, including mobile offices, cross-match and analytical analyses, coordination and operational centres, the coordination of prosecution, expertise and funding.(27)In order to ensure a clear division of rights and tasks, rules should be established on the responsibilities of Member States, Eurojust, Europol, the European Public Prosecutor’s Office ("the EPPO") established by Council Regulation (EU) 2017/1939Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office ("the EPPO") (OJ L 283, 31.10.2017, p. 1)., the European Anti-Fraud Office (OLAF) established by Commission Decision 1999/352/EC, ECSC, EuratomCommission Decision 1999/352/EC, ECSC, Euratom of 28 April 1999 establishing the European Anti-fraud Office (OLAF) (OJ L 136, 31.5.1999, p. 20). and other competent Union bodies, offices and agencies, including the conditions under which they may use the JITs collaboration platform for operative purposes.(28)This Regulation sets out the details regarding the mandate, composition and organisational aspects of a Programme Management Board which should be established by the Management Board of eu-LISA. The Programme Management Board should ensure adequate management of the design and development phase of the JITs collaboration platform. It is also necessary to set out the details of the mandate, composition and organisational aspects of an Advisory Group to be established by eu-LISA in order to obtain expertise related to the JITs collaboration platform, in particular in the context of the preparation of eu-LISA’s annual work programme and annual activity report.(29)This Regulation establishes rules on access to the JITs collaboration platform and the necessary safeguards. The JIT space administrator or administrators should be entrusted with the management of access rights to the individual JIT collaboration spaces. They should be in charge of managing access, during the operational and post-operational phases of the JIT, for JITs collaboration platform users, on the basis of the relevant JIT agreement. JIT space administrators should be able to delegate their technical and administrative tasks to the JITs Network Secretariat, except for verification of the data uploaded by third countries or representatives of international judicial authorities.(30)Bearing in mind the sensitivity of the operational data exchanged among the JITs collaboration platform users, the JITs collaboration platform should ensure a high level of security. eu-LISA should take all necessary technical and organisational measures in order to ensure the security of the exchange of data by using strong end-to-end encryption algorithms to encrypt data in transit or at rest.(31)This Regulation establishes rules on the liability of Member States, eu-LISA, Eurojust, Europol, the EPPO, OLAF and other competent Union bodies, offices and agencies, in respect of material or non-material damage occurring as a result of any act incompatible with this Regulation. Concerning third countries and international judicial authorities, liability clauses in respect of material or non-material damage should be contained in the relevant JIT agreements.(32)This Regulation lays down specific data protection provisions that concern both operational data and non-operational data. Those data protection provisions are required in order to supplement the existing data protection arrangements and to provide for an adequate overall level of data protection, data security and protection of the fundamental rights of the persons concerned.(33)The processing of personal data under this Regulation should comply with the Union’s legal framework on the protection of personal data. Directive (EU) 2016/680 applies to the processing of personal data by competent national authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security. As regards the processing of data by Union institutions, bodies, offices and agencies, Regulation (EU) 2018/1725 applies in the context of this Regulation. To that end, appropriate data protection safeguards should be ensured.(34)Each competent national authority of a Member State and, where appropriate, Eurojust, Europol, the EPPO, OLAF or any other competent Union body, office or agency, should be individually responsible for the processing of operational personal data when using the JITs collaboration platform. JITs collaboration platform users should be considered joint controllers, within the meaning of Regulation (EU) 2018/1725, for the processing of non-operational personal data.(35)In accordance with the relevant JIT agreement, it should be possible for JIT space administrators to grant access to a JIT collaboration space to representatives of competent authorities of third countries which are Parties to a JIT agreement or to representatives of international judicial authorities who participate in a JIT. In the context of a JIT agreement, any transfer of personal data to third countries or international judicial authorities, those authorities being considered international organisations for that purpose, is subject to compliance with the provisions set out in Chapter V of Directive (EU) 2016/680. Exchanges of operational data with third countries or international judicial authorities should be limited to those strictly required to fulfil the purposes of the relevant JIT agreement.(36)Where a JIT has multiple JIT space administrators, one of them should be designated in the relevant JIT agreement as controller of the data uploaded by third countries or representatives of international judicial authorities, before the JIT collaboration space in which third countries or representatives of international judicial authorities are involved is created.(37)eu-LISA should ensure that accessing the centralised information system and all data processing operations in the centralised information system are logged for the purposes of monitoring data integrity and security and the lawfulness of the data processing, as well as for the purposes of self-monitoring. eu-LISA should not have access to operational and non-operational data stored in the JIT collaboration spaces.(38)This Regulation imposes reporting obligations on eu-LISA regarding the development and functioning of the JITs collaboration platform in light of objectives relating to the planning, technical output, cost-effectiveness, security and quality of service. Furthermore, the Commission should conduct an overall evaluation of the JITs collaboration platform that takes into account the objectives of this Regulation, as well as the aggregated results of the evaluations of the individual JITs, not later than two years after the start of operations of the JITs collaboration platform and every four years thereafter.(39)While the cost of setting up and maintenance of the JITs collaboration platform and the supporting role of Eurojust after the start of operations of the JITs collaboration platform should be borne by the Union budget, each Member State, as well as Eurojust, Europol, the EPPO, OLAF and any other competent Union body, office and agency, should bear its own costs that arise from its use of the JITs collaboration platform.(40)In order to establish uniform conditions for the technical development and implementation of the JITs collaboration platform, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and the CouncilRegulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13)..(41)The Commission should adopt the relevant implementing acts necessary for the technical development of the JITs collaboration platform as soon as possible after the date of entry into force of this Regulation.(42)The Commission should determine the date of the start of operations of the JITs collaboration platform once the relevant implementing acts necessary for the technical development of the JITs collaboration platform have been adopted and eu-LISA has carried out a comprehensive test of the JITs collaboration platform, with the involvement of the Member States.(43)Since the objective of this Regulation, namely to enable the effective and efficient cooperation, communication and exchange of information and evidence among JIT members, representatives of international judicial authorities, Eurojust, Europol, OLAF and other competent Union bodies, offices and agencies, cannot be sufficiently achieved by the Member States, but can rather, by setting out common rules, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary to achieve that objective.(44)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the Treaty on the Functioning of the European Union (TFEU), Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.(45)In accordance with Article 3 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU, Ireland has notified, by letter of 7 April 2022, its wish to take part in the adoption and application of this Regulation.(46)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered formal comments on 25 January 2022,HAVE ADOPTED THIS REGULATION: