Regulation (EU) 2024/982 of the European Parliament and of the Council of 13 March 2024 on the automated search and exchange of data for police cooperation, and amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, (EU) No 2019/817 and (EU) 2019/818 of the European Parliament and of the Council (the Prüm II Regulation)
Regulation (EU) 2024/982 of the European Parliament and of the Councilof 13 March 2024on the automated search and exchange of data for police cooperation, and amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, (EU) No 2019/817 and (EU) 2019/818 of the European Parliament and of the Council (the Prüm II Regulation)THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2), Article 87(2), point (a), and Article 88(2) thereof,Having regard to the proposal from the European Commission,After transmission of the draft legislative act to the national parliaments,Having regard to the opinion of the European Economic and Social CommitteeOJ C 323, 26.8.2022, p. 69.,Acting in accordance with the ordinary legislative procedurePosition of the European Parliament of 8 February 2024 (not yet published in the Official Journal) and decision of the Council of 26 February 2024.,Whereas:(1)The Union has set itself the objective of offering its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured. That objective is to be achieved by means of, inter alia, appropriate measures to prevent and combat crime and other threats to public security, including organised crime and terrorism, in line with the communication of the Commission of 24 July 2020 on the EU Security Union Strategy. That objective requires law enforcement authorities to exchange data in an efficient and timely manner in order to effectively prevent, detect and investigate criminal offences.(2)The objective of this Regulation is to improve, streamline and facilitate the exchange of criminal information and vehicle registration data, for the purpose of preventing, detecting and investigating criminal offences, between Member States’ competent authorities and between Member States and the European Union Agency for Law Enforcement Cooperation (Europol), established by Regulation (EU) 2016/794 of the European Parliament and of the CouncilRegulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53)., in full compliance with fundamental rights and data protection rules.(3)Council Decisions 2008/615/JHACouncil Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (OJ L 210, 6.8.2008, p. 1). and 2008/616/JHACouncil Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (OJ L 210, 6.8.2008, p. 12)., which lay down rules for the exchange of information between authorities responsible for the prevention and investigation of criminal offences by providing for the automated transfer of DNA profiles, dactyloscopic data and certain vehicle registration data, have proven important for tackling terrorism and cross-border crime, thereby protecting the internal security of the Union and its citizens.(4)Building upon existing procedures for the automated searching of data, this Regulation lays down the conditions and procedures for the automated searching and exchange of DNA profiles, dactyloscopic data, certain vehicle registration data, facial images and police records. That should be without prejudice to the processing of such data in the Schengen Information System (SIS), the exchange of supplementary information related to such data via the SIRENE bureaux pursuant to Regulation (EU) 2018/1862 of the European Parliament and of the CouncilRegulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56). or the rights of individuals whose data is processed therein.(5)This Regulation establishes a framework for the exchange of information between authorities responsible for the prevention, detection and investigation of criminal offences (the Prüm II framework). In accordance with Article 87(1) of the Treaty on the Functioning of the European Union (TFEU), it covers all the Member States’ competent authorities, including but not limited to police, customs and other specialised law enforcement services in relation to the prevention, detection and investigation of criminal offences. Therefore, in the context of this Regulation, any authority that is responsible for the management of a national database covered by this Regulation or that grants a judicial authorisation to release any data should be considered to be within the scope of this Regulation as long as the information is exchanged for the prevention, detection and investigation of criminal offences.(6)Any processing or exchange of personal data for the purposes of this Regulation should not result in discrimination against persons on any grounds. It should fully respect human dignity and integrity and other fundamental rights, including the right to respect for one’s private life and to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union.(7)Any processing or exchange of personal data should be subject to the provisions on data protection of Chapter 6 of this Regulation and, as applicable, Directive (EU) 2016/680 of the European Parliament and of the CouncilDirective (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89). or Regulation (EU) 2018/1725Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39)., (EU) 2016/794 or (EU) 2016/679Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). of the European Parliament and of the Council. Directive (EU) 2016/680 applies to the use of the Prüm II framework in respect of searches for missing persons and the identification of unidentified human remains for the prevention, detection and investigation of criminal offences. Regulation (EU) 2016/679 applies to the use of the Prüm II framework in respect of searches for missing persons and the identification of unidentified human remains for other purposes.(8)By providing for the automated searching of DNA profiles, dactyloscopic data, certain vehicle registration data, facial images and police records, the purpose of this Regulation is also to allow for the search for missing persons and the identification of unidentified human remains. Those automated searches should follow the rules and procedures laid down in this Regulation. Those automated searches are without prejudice to the entry of alerts on missing persons in the SIS and the exchange of supplementary information on such alerts under Regulation (EU) 2018/1862.(9)Where Member States wish to use the Prüm II framework to search for missing persons and to identify human remains, they should adopt national legislative measures to designate the national authorities competent for that purpose and to lay down the specific procedures, conditions and criteria for that purpose. For searches for missing persons outside the area of criminal investigations, the national legislative measures should clearly set out the humanitarian grounds on which a search for missing persons can be conducted. Such searches should comply with the principle of proportionality. The humanitarian grounds should include natural and man-made disasters and other equally justified grounds, such as suspicions of suicide.(10)This Regulation lays down the conditions and procedures for the automated searching of DNA profiles, dactyloscopic data, certain vehicle registration data, facial images and police records and the rules regarding the exchange of core data following a confirmed match on biometric data. It does not apply to the exchange of supplementary information beyond what is provided for in this Regulation, which is regulated by Directive (EU) 2023/977 of the European Parliament and of the CouncilDirective (EU) 2023/977 of the European Parliament and of the Council of 10 May 2023 on the exchange of information between the law enforcement authorities of Member States and repealing Council Framework Decision 2006/960/JHA (OJ L 134, 22.5.2023, p. 1)..(11)Directive (EU) 2023/977 provides a coherent Union legal framework to ensure that a Member State’s competent authorities have equivalent access to information held by other Member States when they need such information to fight crime and terrorism. To enhance the exchange of information, that Directive formalises and clarifies the rules and procedures for sharing information between Member States’ competent authorities, in particular for investigative purposes, including the role of each Member State’s Single Point of Contact in such exchanges.(12)The purposes of the exchanges of DNA profiles under this Regulation are without prejudice to the exclusive competence of the Member States to decide the purpose of their national DNA databases, including the prevention or detection of criminal offences.(13)Member States should, at the time of initial connection to the router established by this Regulation, conduct automated searches of DNA profiles by comparing all the DNA profiles stored in their databases with all the DNA profiles stored in all the other Member States’ databases and Europol data. The purpose of that initial automated search is to avoid any gaps in identifying matches between DNA profiles stored in a Member State’s database and DNA profiles stored in all the other Member States’ databases and Europol data. The initial automated search should be conducted bilaterally and should not necessarily be performed with all other Member States’ databases and Europol data at the same time. The arrangements for conducting such searches, including the timing and the quantity by batch, should be agreed bilaterally in accordance with the rules and procedures laid down in this Regulation.(14)Following the initial automated search of DNA profiles, Member States should conduct automated searches by comparing all the new DNA profiles added to their databases with all the DNA profiles stored in other Member States’ databases and Europol data. That automated searching of new DNA profiles should take place regularly. Where such searches could not take place, the Member State concerned should be able to conduct them at a later stage to ensure that matches have not been missed. The arrangements for conducting such later searches, including the timing and the quantity by batch, should be agreed bilaterally in accordance with the rules and procedures laid down in this Regulation.(15)For the automated searching of vehicle registration data, Member States and Europol should use the European Vehicle and Driving Licence Information System (Eucaris), set up by the Treaty concerning a European Vehicle and Driving Licence Information System (EUCARIS) and designed for that purpose, which connects all participating Member States in a network. No central component is needed to establish communication as each Member State communicates directly with the other connected Member States, and Europol communicates directly with the connected databases.(16)The identification of a criminal is essential for a successful criminal investigation and prosecution. The automated searching of facial images of persons convicted or suspected of having committed a criminal offence or, where permitted under the national law of the requested Member State, of victims, collected in accordance with national law, could provide additional information for successfully identifying criminals and fighting crime. Given the sensitivity of the data concerned, it should only be possible to conduct automated searches for the purpose of preventing, detecting or investigating a criminal offence punishable by a maximum term of imprisonment of at least one year under the law of the requesting Member State.(17)The automated searching of biometric data by Member States’ competent authorities responsible for the prevention, detection and investigation of criminal offences under this Regulation should only concern data contained in databases established for the prevention, detection and investigation of criminal offences.(18)Participation in the automated searching and exchange of police records should remain voluntary. Where Member States decide to participate, it should only be possible for them, in the spirit of reciprocity, to query other Member States’ databases if they make their own databases available for queries by other Member States. Participating Member States should establish national police record indexes. It should be for the Member States to decide which national databases established for the prevention, detection and investigation of criminal offences to use to create their national police record indexes. Those indexes include data from national databases that the police usually check when receiving requests for information from other law enforcement authorities. This Regulation establishes the European Police Record Index System (EPRIS) in accordance with the privacy-by-design principle. Data protection safeguards include pseudonymisation because indexes and queries do not contain clear personal data, but alphanumerical strings. It is important that EPRIS prevent Member States or Europol from reversing pseudonymisation and revealing the identification data which resulted in the match. Given the sensitivity of the data concerned, exchanges of national police record indexes under this Regulation should only concern the data of persons convicted or suspected of having committed a criminal offence. In addition, it should only be possible to conduct automated searches of national police record indexes for the purpose of preventing, detecting and investigating a criminal offence punishable by a maximum term of imprisonment of at least one year under the law of the requesting Member State.(19)The exchange of police records under this Regulation is without prejudice to the exchange of criminal records through the existing European Criminal Records Information System (ECRIS), established by Council Framework Decision 2009/315/JHACouncil Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of the exchange of information extracted from the criminal record between Member States (OJ L 93, 7.4.2009, p. 23)..(20)In recent years, Europol has received a large amount of biometric data of suspects and persons convicted of terrorism and criminal offences from third-country authorities in accordance with Regulation (EU) 2016/794, including battlefield information from war zones. In many cases, it has not been possible to make full use of such data because they are not always available to the Member States’ competent authorities. Including data provided by third countries and stored by Europol in the Prüm II framework and thus making those data available to the Member States’ competent authorities in line with Europol’s role as the Union central criminal information hub is necessary to better prevent, detect and investigate serious criminal offences. It also contributes to building synergies between different law enforcement tools and ensures that data are used in the most efficient manner.(21)Europol should be able to search Member States’ databases under the Prüm II framework with data received from third-country authorities, in full respect of the rules and conditions provided for in Regulation (EU) 2016/794, in order to establish cross-border links between criminal cases in respect of which Europol is competent. Being able to use Prüm data, in addition to other databases available to Europol, would enable a more complete and informed analysis to be carried out, thereby allowing Europol to provide better support to Member States’ competent authorities for the prevention, detection and investigation of criminal offences.(22)Europol should ensure that its search requests do not exceed the search capacities for dactyloscopic data and for facial images established by the Member States. In the event of a match between data used for the search and data stored in Member States’ databases, it should be up to Member States to decide whether to supply Europol with the information necessary for it to fulfil its tasks.(23)Regulation (EU) 2016/794 applies in its entirety to the participation of Europol in the Prüm II framework. Any use by Europol of data received from third countries is governed by Article 19 of Regulation (EU) 2016/794. Any use by Europol of data obtained from automated searches under the Prüm II framework should be subject to the consent of the Member State which provided the data and is governed by Article 25 of Regulation (EU) 2016/794 where the data are transferred to third countries.(24)Decisions 2008/615/JHA and 2008/616/JHA provide for a network of bilateral connections between the national databases of Member States. As a consequence of that technical architecture, each Member State had to establish a connection with each Member State participating in the exchanges, which meant at least 26 connections per Member State, per data category. The router and EPRIS will simplify the technical architecture of the Prüm framework and serve as connecting points between all Member States. The router should require a single connection per Member State in relation to biometric data. EPRIS should require a single connection per participating Member State in relation to police records.(25)The router should be connected to the European Search Portal, established by Regulations (EU) 2019/817Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) No 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27). and (EU) 2019/818Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) No 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85). of the European Parliament and of the Council, to allow Member States’ competent authorities and Europol to launch queries to national databases under this Regulation at the same time as queries to the Common Identity Repository, established by those Regulations, for law enforcement purposes in accordance with those Regulations. Those Regulations should therefore be amended accordingly. Moreover, Regulation (EU) 2019/818 should be amended with a view to enabling the storage of reports and statistics of the router in the central repository for reporting and statistics.(26)It should be possible for a reference number for biometric data to be a provisional reference number or a transaction control number.(27)Automated fingerprint identification systems and facial image recognition systems use biometric templates comprised of data derived from a feature extraction of actual biometric samples. Biometric templates should be obtained from biometric data, but it should not be possible to obtain that same biometric data from the biometric templates.(28)The router should rank, where decided by the requesting Member State and where applicable according to the type of biometric data, the replies from the requested Member State or Member States or from Europol by comparing the biometric data used for querying and the biometric data supplied in the replies by the requested Member State or Member States or Europol.(29)In the event of a match between the data used for the search and data held in the national database of the requested Member State or Member States, following a manual confirmation of the match by a qualified member of staff of the requesting Member State and following the transmission of a description of the facts and an indication of the underlying offence using the common table of offence categories set out in an implementing act to be adopted pursuant to Framework Decision 2009/315/JHA, the requested Member State should return a limited set of core data, to the extent that such core data are available. The limited set of core data should be returned via the router and, except where a judicial authorisation is required under national law, within 48 hours of the relevant conditions having been met. That deadline will ensure fast communication exchange between Member States’ competent authorities. Member States should retain control over the release of the limited set of core data. Human intervention should be maintained at key points in the process, including for the decision to launch a query, the decision to confirm a match, the decision to launch a request to receive the set of core data following a confirmed match and the decision to release personal data to the requesting Member State, in order to ensure that no core data will be exchanged in an automated manner.(30)In the specific case of DNA, the requested Member State should also be able to confirm a match between two DNA profiles where that is relevant for the investigation of criminal offences. Following the confirmation of that match by the requested Member State and following the transmission of a description of the facts and an indication of the underlying offence using the common table of offence categories set out in an implementing act to be adopted pursuant to Framework Decision 2009/315/JHA, the requesting Member State should return a limited set of core data via the router within 48 hours of the relevant conditions having been met, except where a judicial authorisation is required under national law.(31)Data lawfully supplied and received under this Regulation are subject to the time limits for storage and review established pursuant to Directive (EU) 2016/680.(32)The universal message format (UMF) standard should be used in the development of the router and EPRIS, in so far as applicable. Any automated exchange of data under this Regulation should use the UMF standard, in so far as applicable. Member States’ competent authorities and Europol are also encouraged to use the UMF standard in relation to any further exchange of data between them in the context of the Prüm II framework. The UMF standard should serve as the standard for structured, cross-border information exchange between information systems, authorities or organisations in the field of Justice and Home Affairs.(33)Only non-classified information should be exchanged via the Prüm II framework.(34)Each Member State should notify the other Member States, the Commission, the European Union Agency for the Operational Management of Large-Scale Information Systems in the Area of Freedom, Security and Justice (eu-LISA), established by Regulation (EU) 2018/1726 of the European Parliament and of the CouncilRegulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99)., and Europol of the content of its national databases made available via the Prüm II framework and of the conditions for automated searches.(35)Certain aspects of the Prüm II framework cannot be covered exhaustively by this Regulation given their technical, highly detailed and frequently changing nature. Those aspects include, for example, technical arrangements and specifications for automated searching procedures, the standards for data exchange, including minimum quality standards, and the data elements to be exchanged. In order to ensure uniform conditions for the implementation of this Regulation with respect to such aspects, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the CouncilRegulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13)..(36)Data quality is of utmost importance as a safeguard and an essential prerequisite to ensure the efficiency of this Regulation. In the context of the automated searching of biometric data and in order to ensure that the data transmitted are of sufficient quality and to reduce the risk of false matches, a minimum quality standard should be established and regularly reviewed.(37)Given the scale and sensitivity of the personal data exchanged for the purposes of this Regulation, and the existence of different national rules for storing information on individuals in national databases, it is important to ensure that the databases used for automated searching under this Regulation are established in accordance with national law and Directive (EU) 2016/680. Therefore, prior to connecting their national databases to the router or EPRIS, Member States should conduct a data protection impact assessment as referred to in Directive (EU) 2016/680 and, where appropriate, consult the supervisory authority as provided for in that Directive.(38)Member States and Europol should ensure the accuracy and relevance of personal data which are processed pursuant to this Regulation. Where a Member State or Europol becomes aware of the fact that data which have been supplied are incorrect or no longer up to date or should not have been supplied, it should notify the Member State which received the data or Europol, as appropriate, without undue delay. All Member States concerned or Europol, as the case may be, should correct or delete the data accordingly without undue delay. Where the Member State which received the data or Europol has reason to believe that the supplied data are incorrect or should be deleted, it should inform the Member State which provided the data without undue delay.(39)Strong monitoring of the implementation of this Regulation is of utmost importance. In particular, compliance with rules for processing personal data should be subject to effective safeguards, and regular monitoring and audits by data controllers, supervisory authorities and the European Data Protection Supervisor, as relevant, should be ensured. Provisions allowing for a regular checking of the admissibility of queries and the lawfulness of data processing should also be in place.(40)Supervisory authorities and the European Data Protection Supervisor should ensure coordinated supervision of the application of this Regulation within the framework of their responsibilities, in particular where they identify major discrepancies between Member State’s practices or potentially unlawful transfers.(41)When implementing this Regulation, it is crucial that Member States and Europol take note of the case law from the Court of Justice of the European Union in relation to the exchange of biometric data.(42)Three years following the start of operations of the router and EPRIS and every four years thereafter, the Commission should produce an evaluation report that includes an assessment of the application of this Regulation by the Member States and Europol, in particular of their compliance with the relevant data protection safeguards. Evaluation reports should also include an examination of the results achieved against the objectives of this Regulation and its impact on fundamental rights. Evaluation reports should also evaluate the impact, performance, effectiveness, efficiency, security and working practices of the Prüm II framework.(43)As this Regulation provides for the establishment of a new Prüm framework, provisions of Decisions 2008/615/JHA and 2008/616/JHA that are no longer relevant should be deleted. Those Decisions should be amended accordingly.(44)As the router is to be developed and managed by eu-LISA, Regulation (EU) 2018/1726 should be amended by adding that to the tasks of eu-LISA.(45)Since the objectives of this Regulation, namely to step up cross-border police cooperation and to allow Member States’ competent authorities to search for missing persons and identify unidentified human remains, cannot be sufficiently achieved by the Member States but can rather, by reason of the scale and effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.(46)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.(47)In accordance with Article 3 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEUs, Ireland has notified its wish to take part in the adoption and application of this Regulation.(48)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 2 March 2022OJ C 225, 9.6.2022, p. 6.,HAVE ADOPTED THIS REGULATION: