REGOLAMENTO DEL PARLAMENTO EUROPEO E DEL CONSIGLIO SULLO SCAMBIO AUTOMATIZZATO DI DATI PER LA COOPERAZIONE DI POLIZIA (PRÜM 2)
Autore: Dott.ssa Laura De Rose, Vice Direttore Foroeuropa
Il nuovo Regolamento Prüm 2, che sta per esser pubblicato sulla Gazzetta Ufficiale dell’Unione Europea, è destinato a diventare uno strumento indispensabile per accelerare e facilitare la cooperazione tra le forze di polizia dei paesi membri dell’Unione Europea (UE).
Il nuovo regolamento stabilisce le condizioni e le procedure per la ricerca e lo scambio automatizzati di profili DNA, dati dattiloscopici, dati di immatricolazione dei veicoli, immagini facciali e casellari di polizia.
Inoltre, Prüm 2 permetterà a Europol non solo di mettere alla disposizione delle autorità nazionali competenti le informazioni ricevute dai paesi terzi, ma anche di ampliare le sue stesse capacità operative e di supporto nella lotta contro il crimine organizzato e il terrorismo.
ForoEuropa presenta una sintesi dei contenuti essenziali di questo nuovo Regolamento, in lingua inglese.
_______________
The new Regulation on automated data exchange for police cooperation (Prüm 2) establishes i) the conditions and procedures for automated searching and exchange of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records[1]; and ii) the rules for the exchange of core data following match on biometric data.
The new Regulation is complementary to the Information Exchange Directive[2]. In particular: Prüm 2 does not apply to exchange of information beyond what is provided for in it, which is regulated by the Directive. On the other hand, in accordance with Article 2(2): “This Directive shall not apply to exchanges of information between the competent law enforcement authorities for the purpose of preventing, detecting or investigating criminal offences that are specifically regulated by other Union legal acts […])”.
General elements
The DNA automated searches shall be conducted by comparing the DNA profiles stored in a Member State database with all DNA profiles stored in all the other MS databases and Europol data.
Automated searches of vehicle registration data: Member States communicate amongst each other through the EUCARIS network, also for Europol’s use, thus there is no need for a central component.
Automated searches of facial images (convicted, suspects, victims) are only possible for the purpose of preventing, detecting, investigating criminal offence punishable by a maximum term of imprisonment of at least one year under the law of the requesting Member State.
Automated searching (and exchange) of police records: it is a voluntary process; i.e. it is up to the Member States to decide to participate. If so, by reasons of reciprocity, they may query other Member States databases only if they make their own databases available for queries. Further, the participant Member States have the obligations to establish national police record indexes.
Relating to the police records, Europol is in charge of establishing a specific exchange system, called EPRIS (European Police Record Information System), based on the principle of data protection by design and on specific data protection safeguards, amongst others by applying pseudonymisation[3], which implies that indexes and queries may not contain clear personal data, rather alphanumerical ‘strings’ only.
Further, data queries may only concern convicted or suspected persons, and be performed only for the purpose of preventing, detecting, investigating criminal offence punishable by a max term of imprisonment of at least one year under the law of the requesting Member State.
Compared to existing system (Prüm 1), Prüm 2 establishes a new technical architecture based on one router serving as connecting point between all Member States. Furthermore, this router will be connected to the European Search Portal to allow Member States and Europol to launch queries under Prüm 2 and EU Interoperability at the same time.
In the event of a match between data used for the search and data held in the database of the requested Member State/s, and following a manual confirmation by the requesting Member State, the requested Member State should return the available set of core data through the router within 48 hours, except if a judicial authorisation is required. While data search and data comparison constitute an automated process, human intervention is required for the main steps, such as the launch of a query, the confirmation of match, the launch of a request for data and the decision to release data.
Notwithstanding the control effected by the Member States over the content of the databases made available to Prüm 2 and the conditions for automated searches, it is essential to achieve uniform implementing conditions. To this end, the Commission is entrusted with implementing powers concerning aspects such as technical arrangements/specifications for automated searching procedures, data exchange standards, incl. minimum quality standards, and data elements to be exchanged.
Member States shall take all the necessary measures to ensure that automated searching is possible 24/7. Further, each Member State and Europol shall keep a record of the justifications for the queries made (e.g. purpose of the query, incl. reference to specific case; indication as to whether the query concerns a suspect, a convicted person, a victim, a missing person, unidentified human remains, or a person). Such justifications shall be traceable in logs.
Prüm 2 and Europol
Prüm 2 will enable Europol to make the biometric data of suspects and convicted persons received from third countries available to Member States law enforcement authorities, with a view to preventing, detecting and investigating serious organised crime, while ensuring full compliance with data protection.
Further, Europol will be able to search all Member States databases against the data received from third countries, in order to establish cross-border links between the cases of which Europol is competent. Using Prüm data besides the other available data will enable Europol to provide even wider support to the Member States, of course in strict compliance with the applicable legal framework.
In particular, where its searches show a match, Europol shall inform only the Member States involved. The requested Member States shall decide whether to return a set of core data via the router within 48 hrs of all the prescribed conditions having been met. Europol may use the information obtained from a query and from the exchange of core data depending on the consent of the Member State/s in whose database the match occurred.
Specific rules on the exchange of data
Member States shall ensure availability of DNA reference data (profile and reference) from their national databases for the purpose of automated searches by other Member States and Europol. Member States shall conduct automated searches by comparing all new DNA profiles in their database/s with the DNA profiles stored in the other Member States databases and with Europol data.
Member States shall allow other Member States and Europol to access the dactyloscopic data in their national databases in order to conduct automated searches by comparing dactyloscopic data.
Member States shall allow other Member States and Europol access to the relevant data to conduct automated searches (searches with data relating to owner or holder of the vehicle shall only be conducted in the case of suspects or convicted persons). Member States shall use a specific system –EUCARIS- for such searches.
Member States shall ensure the availability of facial image reference data of suspects, convicted persons and, if allowed by national law, of victims from their national databases. Member States shall allow other Member States and Europol access to the facial image data in their national databases to conduct automated searches only for criminal offences punishable by a max term of imprisonment of at least one year under the law of the requesting Member State/s.
Member States may voluntarily participate in the automated exchange of police records. Participating Member States shall ensure the availability of national police record indexes including biographical data of suspects and convicted persons from their databases (a close list of such data is set under the Regulation, including pseudonymised names and aliases and reference numbers to retrieve biographical data and the Member State code). Participating Member States shall allow other participating Member States and Europol to access to data from their national police record indexes to conduct automated searches only for criminal offences punishable by a max term of imprisonment of at least one year under the law of the requesting Member States.
Responsibilities
Member States are responsible, amongst others, for establishing the connection to the router/EPRIS, the integration of the national systems and infrastructures into the router/EPRIS, the manual confirmation of a match by qualified staff, as well as for ensuring data availability and for connecting the competent authorities to router/EPRIS/EUCARIS.
Europol’s responsibilities include making arrangements for the access of duly authorised staff to router/EPRIS/EUCARIS, processing the queries of data by the router and adapting its information systems accordingly, as well as developing and maintaining EPRIS.
Processes
The competent authorities shall “request a query [to MS databases/Europol data]” by submitting data to the router. The router shall dispatch “the request for a query” to specific/all Member States and Europol data simultaneously with the data submitted by the user. Upon receipt of the request from the router, each requested Member State/Europol shall launch a query of their databases/data in an automated manner and “without delay”.
Any matches resulting from queries shall be sent back in an automated manner to the router; when there is no match, the requesting Member States shall be notified in an automated manner.
As noted, EPRIS is meant to enable automated searching of national police record indexes. It shall be composed of i) a decentralised infrastructure in the Member States, incl. a search tool enabling simultaneous querying of national police record indexes; ii) a central infrastructure “supporting the search tool”; and iii) secure communication channel between the central infrastructure, Member States and Europol.
The process under EPRIS entails various steps. The process is triggered by the submission of a request for a query. EPRIS shall dispatch the query (with the submitted data) to the Member States national police record indexes or to Europol. Upon receipt of the request from EPRIS, each requested Member State shall launch a query of their national police record index in an automated manner and “without delay”. Any matches resulting from queries in each requested Member State’s index shall be sent back in an automated manner to EPRIS. The list of matches shall be returned by EPRIS to the requesting Member State/s or Europol in an automated manner. The requesting Member State/s shall decide the match/es for which follow-up is necessary and send a follow-up request to the relevant Member States via SIENA. The requested Member States shall process such requests without delay in order “to decide whether to share the data stored in its/their databases”.
Final provisions
The Commission shall determine the date from which the Member States and Europol can start using the router by means of an implementing act (including upon completion by eu-LISA of a comprehensive test of the router). Two years after the start of the operations, Member States shall ensure the availability of facial images for the purposes of automated searching of facial images.
Further, the Commission shall determine the date from which the Member States and Europol can start using EPRIS (upon completion by Europol of a comprehensive test conducted in cooperation with Member States).
Concerning the third country-sourced biometric data held by Europol and Europol’s access to data stored in Member States’ databases, the Commission shall determine the date from which Europol shall make the referred data available/have access to the referred data.
The Commission with the Member States, eu-LISA, Europol and the Fundamental Rights Agency shall prepare a practical handbook for the implementation and management of Prüm 2. This handbook shall provide technical and operational guidelines and shall be completed before the start of operations of the router and EPRIS.
Two years after the start of operation of EPRIS and every two years thereafter, Europol shall submit a report on technical functioning of EPRIS to the European Parliament, Council and Commission.
Three years after the start of operations of the router and EPRIS, and every four years thereafter, the Commission shall produce a report on the overall evaluation of Prüm 2. Further, one year after start of operations of the router and every two years thereafter, the Commission shall issue a special report evaluating the use of facial images.
The Regulation was adopted by the Council on 26 February 2024. It shall enter into force on the 20th day following that of its publication in the Official Journal of the EU, which is currently pending.
[1] Police records are defined as follows in the Regulation: “[…] any biographical data concerning suspects and convicted person available in national databases established for the prevention, detection and investigation of criminal offences”.
[2] Directive (EU) 2023/977 on the exchange of information between the law enforcement authorities of Member States.
[3] Under Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities […], and on the free movement of such data, pseudonymisation means “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information […]”.
