Harmonisation of Substantive Criminal Law in the EU and Data Protection
Directive 2017/541 establishes rules on defining criminal and terrorist offences, sanctions, and victim protection within the EU. The directive outlines definitions of terrorist groups, offences, and aims related to terrorist activities. It covers a range of terrorist acts and their impacts on countries and international organizations.
Harmonisation of substantive criminal law in the EU and data protection
Directive 2017/541. Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA. 1. Definitions 2. Lists of offences which should be penalised in the Member States 3. Obligation to introduce effective investigation measures (Articles 20, 21, 23) 4. Protection of victims (Articles 24-26); important legal act: Directive 2012/29. https://eur-lex.europa.eu/legal-content/PL/ALL/?uri=CELEX:32017L0541 Transposition to national law.
Directive 2017/541. Article 1 Subject matter: This Directive establishes minimum rules concerning the definition of criminal offences and sanctions in the area of terrorist offences, offences related to a terrorist group and offences related to terrorist activities, as well as measures of protection of, and support and assistance to, victims of terrorism. Article 2 Definitions: (3) 'terrorist group' means a structured group of more than two persons, established for a period of time and acting in concert to commit terrorist offences; 'structured group' means a group that is not randomly formed for the immediate commission of an offence and that does not need to have formally defined roles for its members, continuity of its membership or a developed structure.
Directive 2017/541. Article 3 Terrorist offences. 1. Member States shall take the necessary measures to ensure that the following intentional acts, as defined as offences under national law, which, given their nature or context, may seriously damage a country or an international organisation, are defined as terrorist offences where committed with one of the aims listed in paragraph 2: (a) attacks upon a person's life which may cause death; (b) attacks upon the physical integrity of a person; (c) kidnapping or hostage-taking; (d) causing extensive destruction to a government or public facility, a transport system, an infrastructure facility, including an information system, a fixed platform located on the continental shelf, a public place or private property likely to endanger human life or result in major economic loss; (e) seizure of aircraft, ships or other means of public or goods transport; (f) manufacture, possession, acquisition, transport, supply or use of explosives or weapons, including chemical, biological, radiological or nuclear weapons, as well as research into, and development of, chemical, biological, radiological or nuclear weapons; (g) release of dangerous substances, or causing fires, floods or explosions, the effect of which is to endanger human life; (h) interfering with or disrupting the supply of water, power or any other fundamental natural resource, the effect of which is to endanger human life; (i) illegal system interference, as referred to in Article 4 of Directive 2013/40/EU of the European Parliament and of the Council in cases where Article 9(3) or point (b) or (c) of Article 9(4) of that Directive applies, and illegal data interference, as referred to in Article 5 of that Directive in cases where point (c) of Article 9(4) of that Directive applies; (j) threatening to commit any of the acts listed in points (a) to (i).
2. The aims referred to in paragraph 1 are: (a) seriously intimidating a population; (b) unduly compelling a government or an international organisation to perform or abstain from performing any act; (c) seriously destabilising or destroying the fundamental political, constitutional, economic or social structures of a country or an international organisation.
Directive 2017/541. List of offences: 1. Public provocation to commit a terrorist offence (Article 5) 2. Recruitment for terrorism (Article 6) 3. Providing training for terrorism (Article 7) 4. Receiving training for terrorism (Article 8) 5. Travelling for the purpose of terrorism (Article 9) 6. Organising or otherwise facilitating travelling for the purpose of terrorism (Article 10) 7. Terrorist financing (Article 11) 8. Other offences related to terrorist activities (Article 12) 9. Aiding and abetting, inciting and attempting (Article 13)
Directive 2017/541. Harmonisation of sanctions - terrorist offences - Article 15: effective, proportionate and dissuasive criminal penalties, which may entail surrender or extradition. Terrorist offences referred to in Article 3 and offences referred to in Article 14, insofar as they relate to terrorist offences, are punishable by custodial sentences heavier than those imposable under national law for such offences in the absence of the special intent required pursuant to Article 3. Offences listed in Article 4 are punishable by custodial sentences, with a maximum sentence of not less than 15 years for the offence referred to in point (a) of Article 4, and for the offences listed in point (b) of Article 4 a maximum sentence of not less than 8 years. Where the terrorist offence referred to in point (j) of Article 3(1) is committed by a person directing a terrorist group as referred to in point (a) of Article 4, the maximum sentence shall not be less than 8 years.
Directive 2017/541. Sanctions for legal persons - Article 18: Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 17 is punishable by effective, proportionate and dissuasive sanctions, which shall include criminal or non-criminal fines and may include other sanctions, such as: (a) exclusion from entitlement to public benefits or aid; (b) temporary or permanent disqualification from the practice of commercial activities; (c) placing under judicial supervision; (d) a judicial winding-up order; (e) temporary or permanent closure of establishments which have been used for committing the offence.
EU response to terrorism https://www.consilium.europa.eu/en/policies/fight-against-terrorism/terrorist-list/ The EU regularly reviews the list of persons, groups and entities involved in terrorist acts that are subject to sanctions. Criteria for listing: The common position establishes that the list will be drawn up from precise information indicating that a decision has been taken by a judicial or equivalent competent authority in respect of the person, group or entity concerned. This decision may concern: initiation of investigations or prosecution for a terrorist act or an attempt to carry out or facilitate such an act; conviction for any of those actions. Persons, groups and entities identified by the UN Security Council as being related to terrorism and against whom it has ordered sanctions may also be added to the list.
EU response to terrorism https://www.europol.europa.eu/publications-events/main-reports/tesat-report Europol also takes necessary steps to fight against terrorism in the EU.
EU response to terrorism. Fight against terrorism and human rights: is it possible to find the right/proper balance? What are effective investigative measures? What might help with the fight against terrorism? Do you see any problems with e.g. using big data/gathering personal information by governments?
EU Directive 2016/681 - use of PNR. Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016L0681
EU response to terrorism Passenger name record (PNR) data is personal information provided by passengers and collected and held by air carriers. It includes information such as the name of the passenger, travel dates, itineraries, seats, baggage, contact details and means of payment. The PNR directive regulates the transfer of such data to member states' law enforcement authorities and their processing for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
EU response to terrorism The EU has already signed agreements allowing EU carriers to transfer PNR data to the United States and Australia. The negotiations for a revision of the envisaged PNR agreement with Canada have been concluded and are pending finalisation. In February 2020, the Council adopted a decision authorising the opening of negotiations between the EU and Japan for a PNR agreement.
Processing of PNR data - Article 6 of Directive 2016/681. 1. The PNR data transferred by the air carriers shall be collected by the PIU of the relevant Member State as provided for in Article 8. Where the PNR data transferred by air carriers include data other than those listed in Annex I, the PIU shall delete such data immediately and permanently upon receipt. 2. The PIU shall process PNR data only for the following purposes: (a) carrying out an assessment of passengers prior to their scheduled arrival in or departure from the Member State to identify persons who require further examination by the competent authorities referred to in Article 7, and, where relevant, by Europol in accordance with Article 10, in view of the fact that such persons may be involved in a terrorist offence or serious crime; (b) responding, on a case-by-case basis, to a duly reasoned request based on sufficient grounds from the competent authorities to provide and process PNR data in specific cases for the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious crime, and to provide the competent authorities or, where appropriate, Europol with the results of such processing; and (c) analysing PNR data for the purpose of updating or creating new criteria to be used in the assessments carried out under point (b) of paragraph 3 in order to identify any persons who may be involved in a terrorist offence or serious crime.
Serious crimes - Directive 2016/681, Annex II
1. participation in a criminal organisation,
2. trafficking in human beings,
3. sexual exploitation of children and child pornography,
4. illicit trafficking in narcotic drugs and psychotropic substances,
5. illicit trafficking in weapons, munitions and explosives,
6. corruption,
7. fraud, including that against the financial interests of the Union,
8. laundering of the proceeds of crime and counterfeiting of currency, including the euro,
9. computer-related crime/cybercrime,
10. environmental crime, including illicit trafficking in endangered animal species and in endangered plant species and varieties,
11. facilitation of unauthorised entry and residence,
12. murder, grievous bodily injury,
13. illicit trade in human organs and tissue,
14. kidnapping, illegal restraint and hostage-taking,
15. organised and armed robbery,
16. illicit trafficking in cultural goods, including antiques and works of art,
17. counterfeiting and piracy of products,
18. forgery of administrative documents and trafficking therein,
19. illicit trafficking in hormonal substances and other growth promoters,
20. illicit trafficking in nuclear or radioactive materials,
21. rape,
22. crimes within the jurisdiction of the International Criminal Court,
23. unlawful seizure of aircraft/ships,
24. sabotage,
25. trafficking in stolen vehicles,
26. industrial espionage.
Effective investigative measures? Five activists from the Catalan independence and anarchist movements who have been deceived over the last three years in relationships they formed with the undercover police officer operating in the Sant Andreu neighbourhood of Barcelona, have stepped forward to file a complaint over the conduct of this officer, a Mallorcan native who said his name was Dani Hernández Pons. This man used sexual and affective relationships with women to infiltrate into their movements and even had a romantic relationship with one of them that lasted a year. The women are presenting a private accusation, with the legal support of the Irídia human rights group and the CGT trade union, and, specifically, have laid a complaint against the officer for continued sexual abuse, crimes of torture or against moral integrity, revelation and disclosure of secrets and impediments to the exercise of civic rights.
Effective investigative measures? The lawyers from Irídia and the CGT, Sònia Olivella and Laia Serra, who are supporting the women, consider it very serious for an undercover police officer to use sexual relationships with activists to obtain information and make use of his undercover identity to infiltrate the fabric of associations and unions. They note that police undercover activity can only be legally justified as part of the investigation of organized crime or terrorism. This case falls outside that definition, since the theoretical objective of the police was to monitor social movements or to destructure them, especially the libertarian movement. This amounts to a serious violation of civil rights, according to the indictment. https://www.elnacional.cat/en/politics/five-activists-deceived-spanish-undercover-cop-sexual-abuse-complaints_962100_102.html
Data protection in the EU
GDPR REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The most important legal act on the protection of personal data in the EU. Extensive definition of personal data - see next slide.
What is personal data? IS EMAIL PERSONAL DATA? IF SO, WHEN? IS IP ADDRESS PERSONAL DATA? IF SO, WHEN? WHAT ABOUT FINGERPRINTS, DNA ETC. (OTHER BIOMETRIC DATA)?
Definition - Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Definition - Article 4(2): 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Six lawful bases for processing data under the GDPR which cover business interests: 1. consent 2. legitimate interest 3. public interest 4. protection of vital interest 5. legal obligation 6. contract
Email and IP as personal data: Yes, it can be considered personal data if it makes it possible to identify a specific person, either directly or through the processing of information. Likewise the IP address - if it is permanent, if someone uses it for a long time, it is possible to identify a specific person.
GDPR and public safety Article 2 Material scope 1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. 2. This Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law; (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU; (c) by a natural person in the course of a purely personal or household activity; (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
GDPR and public safety. The protection of law security and the fight against and prevention of crime requires that certain personal data be processed, collected, stored in a way that is not disclosed to the person concerned. The procedural guarantees under the GDPR would prevent the police and other services from operating efficiently and effectively. DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
Data protection directive Article 1 Subject-matter and objectives 1. This Directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 2. In accordance with this Directive, Member States shall: (a) protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data; and (b) ensure that the exchange of personal data by competent authorities within the Union, where such exchange is required by Union or Member State law, is neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. 3. This Directive shall not preclude Member States from providing higher safeguards than those established in this Directive for the protection of the rights and freedoms of the data subject with regard to the processing of personal data by competent authorities.
Principles relating to processing of personal data 1. Member States shall provide for personal data to be: (a) processed lawfully and fairly; (b) collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes; (c) adequate, relevant and not excessive in relation to the purposes for which they are processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Lawfulness of processing Article 8 1. Member States shall provide for processing to be lawful only if and to the extent that processing is necessary for the performance of a task carried out by a competent authority for the purposes set out in Article 1(1) and that it is based on Union or Member State law. 2. Member State law regulating processing within the scope of this Directive shall specify at least the objectives of processing, the personal data to be processed and the purposes of the processing.
Data protection and privacy. The Data Protection Directive allows for the differentiation of data of individuals - convicted, accused, suspects, etc. Different rules apply to the processing of special categories of data, i.e. concerning race, ethnic origin, religion, etc. (see Article 10). The rules for processing, collecting, storing personal data - of different categories - may differ. Not all personal data equally invade the sphere of privacy of an individual. And not all data have the same capacity to identify a person. The greater the degree of intrusion into an individual's privacy, the greater the procedural guarantees that national law should provide. In any event, national law should be clear and precise enough to allow the individual to know when and under which circumstances (and for what reasons) his or her data may be collected.
Time-limits for storage and review Article 5 Member States shall provide for appropriate time limits to be established for the erasure of personal data or for a periodic review of the need for the storage of personal data. Procedural measures shall ensure that those time limits are observed. The CJEU did not specify what the optimal storage time should be. It indicates that data should be kept as long as necessary.
Some questions: What kind of personal data might be useful for the police and other authorities? When are personal data collected?
Article 14 - Right of access by the data subject. Subject to Article 15, Member States shall provide for the right of the data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of and legal basis for the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject; (f) the right to lodge a complaint with the supervisory authority and the contact details of the supervisory authority; (g) communication of the personal data undergoing processing and of any available information as to their origin.
Right of access by the data subject. Member States should put in place appropriate procedures to allow the individual to check whether his or her data have been collected and are stored. At the end of the retention period, the data should be erased but pseudonymised. 'Pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Article 20 - Data protection by design and by default. 1. Member States shall provide for the controller, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, both at the time of the determination of the means for processing and at the time of the processing itself, to implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing, in order to meet the requirements of this Directive and protect the rights of data subjects. 2. Member States shall provide for the controller to implement appropriate technical and organisational measures ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
Personal data and national safety. Protecting national security may involve greater powers of access to personal data. However, states cannot create a legal framework that allows for the generalised, blanket collection of a certain category of data (location, internet tracking, billing) without any subject or object limitation. National security does not mean the possibility of general surveillance. See: https://eur-lex.europa.eu/legal-content/pl/TXT/?uri=CELEX:62017CJ0623
Automatic data processing/gathering. Recital 57: Logs should be kept at least for operations in automated processing systems such as collection, alteration, consultation, disclosure including transfers, combination or erasure. The identification of the person who consulted or disclosed personal data should be logged and from that identification it should be possible to establish the justification for the processing operations. The logs should solely be used for the verification of the lawfulness of the processing, self-monitoring, for ensuring data integrity and data security and criminal proceedings. Self-monitoring also includes internal disciplinary proceedings of competent authorities. 'Profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Article 11 - Automated individual decision-making. 1. Member States shall provide for a decision based solely on automated processing, including profiling, which produces an adverse legal effect concerning the data subject or significantly affects him or her, to be prohibited unless authorised by Union or Member State law to which the controller is subject and which provides appropriate safeguards for the rights and freedoms of the data subject, at least the right to obtain human intervention on the part of the controller. 2. Decisions referred to in paragraph 1 of this Article shall not be based on special categories of personal data referred to in Article 10, unless suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place. 3. Profiling that results in discrimination against natural persons on the basis of special categories of personal data referred to in Article 10 shall be prohibited, in accordance with Union law.
Biometric data - CJEU judgment C-205/21. 133 That being so, it is for the referring court to verify whether, in order to ensure the effectiveness of Article 10 of Directive 2016/680, it is possible to interpret the national legislation providing for the enforcement in question in a manner consistent with EU law. In particular, it is for the referring court to verify whether national law enables it to be assessed whether it is strictly necessary to collect both the biometric data and the genetic data of the data subject in order for them to be entered in a record. For that purpose, it should, inter alia, be possible to verify whether the nature and gravity of the offence of which the data subject in the main proceedings is suspected or whether other relevant factors, such as those referred to in paragraph 132 of the present judgment, may constitute circumstances capable of establishing that collection is strictly necessary. Furthermore, it should be checked whether the collection of civil status data, which is also provided for in the context of the creation of a police record, as the Bulgarian Government confirmed in a written reply to a question asked by the Court, does not in itself enable the objectives pursued to be met. 134 If national law does not guarantee such review of the measure whereby biometric and genetic data are collected, it is for the referring court to ensure that Article 10 of Directive 2016/680 is given full effect by dismissing the police authorities' application requesting it to authorise enforcement of their collection. https://curia.europa.eu/juris/document/document.jsf?text=&docid=269704&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2030739
It's old, but still interesting: PRISM program: https://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/ Judgment Big Brother Watch and Others v. UK: https://globalfreedomofexpression.columbia.edu/cases/big-brother-watch-v-united-kingdom/