Regulation (EU) 2024/982 of the European Parliament and of the Council of 13 March 2024 on the automated search and exchange of data for police cooperation, and amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, (EU) No 2019/817 and (EU) 2019/818 of the European Parliament and of the Council (the Prüm II Regulation)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2), Article 87(2), point (a), and Article 88(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1) The Union has set itself the objective of offering its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured. That objective is to be achieved by means of, inter alia, appropriate measures to prevent and combat crime and other threats to public security, including organised crime and terrorism, in line with the communication of the Commission of 24 July 2020 on the EU Security Union Strategy. That objective requires law enforcement authorities to exchange data in an efficient and timely manner in order to effectively prevent, detect and investigate criminal offences.

(2) The objective of this Regulation is to improve, streamline and facilitate the exchange of criminal information and vehicle registration data, for the purpose of preventing, detecting and investigating criminal offences, between Member States’ competent authorities and between Member States and the European Union Agency for Law Enforcement Cooperation (Europol), established by Regulation (EU) 2016/794 of the European Parliament and of the Council (3), in full compliance with fundamental rights and data protection rules.

(3) Council Decisions 2008/615/JHA (4) and 2008/616/JHA (5), which lay down rules for the exchange of information between authorities responsible for the prevention and investigation of criminal offences by providing for the automated transfer of DNA profiles, dactyloscopic data and certain vehicle registration data, have proven important for tackling terrorism and cross-border crime, thereby protecting the internal security of the Union and its citizens.

(4) Building upon existing procedures for the automated searching of data, this Regulation lays down the conditions and procedures for the automated searching and exchange of DNA profiles, dactyloscopic data, certain vehicle registration data, facial images and police records. That should be without prejudice to the processing of such data in the Schengen Information System (SIS), the exchange of supplementary information related to such data via the SIRENE bureaux pursuant to Regulation (EU) 2018/1862 of the European Parliament and of the Council (6) or the rights of individuals whose data is processed therein.

(5) This Regulation establishes a framework for the exchange of information between authorities responsible for the prevention, detection and investigation of criminal offences (the Prüm II framework). In accordance with Article 87(1) of the Treaty on the Functioning of the European Union (TFEU), it covers all the Member States’ competent authorities, including but not limited to police, customs and other specialised law enforcement services in relation to the prevention, detection and investigation of criminal offences. Therefore, in the context of this Regulation, any authority that is responsible for the management of a national database covered by this Regulation or that grants a judicial authorisation to release any data should be considered to be within the scope of this Regulation as long as the information is exchanged for the prevention, detection and investigation of criminal offences.

(6) Any processing or exchange of personal data for the purposes of this Regulation should not result in discrimination against persons on any grounds. It should fully respect human dignity and integrity and other fundamental rights, including the right to respect for one’s private life and to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union.

(7) Any processing or exchange of personal data should be subject to the provisions on data protection of Chapter 6 of this Regulation and, as applicable, Directive (EU) 2016/680 of the European Parliament and of the Council (7) or Regulation (EU) 2018/1725 (8), (EU) 2016/794 or (EU) 2016/679 (9) of the European Parliament and of the Council. Directive (EU) 2016/680 applies to the use of the Prüm II framework in respect of searches for missing persons and the identification of unidentified human remains for the prevention, detection and investigation of criminal offences. Regulation (EU) 2016/679 applies to the use of the Prüm II framework in respect of searches for missing persons and the identification of unidentified human remains for other purposes.

(8) By providing for the automated searching of DNA profiles, dactyloscopic data, certain vehicle registration data, facial images and police records, the purpose of this Regulation is also to allow for the search for missing persons and the identification of unidentified human remains. Those automated searches should follow the rules and procedures laid down in this Regulation. Those automated searches are without prejudice to the entry of alerts on missing persons in the SIS and the exchange of supplementary information on such alerts under Regulation (EU) 2018/1862.

(9) Where Member States wish to use the Prüm II framework to search for missing persons and to identify human remains, they should adopt national legislative measures to designate the national authorities competent for that purpose and to lay down the specific procedures, conditions and criteria for that purpose. For searches for missing persons outside the area of criminal investigations, the national legislative measures should clearly set out the humanitarian grounds on which a search for missing persons can be conducted. Such searches should comply with the principle of proportionality. The humanitarian grounds should include natural and man-made disasters and other equally justified grounds, such as suspicions of suicide.

(10) This Regulation lays down the conditions and procedures for the automated searching of DNA profiles, dactyloscopic data, certain vehicle registration data, facial images and police records and the rules regarding the exchange of core data following a confirmed match on biometric data. It does not apply to the exchange of supplementary information beyond what is provided for in this Regulation, which is regulated by Directive (EU) 2023/977 of the European Parliament and of the Council (10).

(11) Directive (EU) 2023/977 provides a coherent Union legal framework to ensure that a Member State’s competent authorities have equivalent access to information held by other Member States when they need such information to fight crime and terrorism. To enhance the exchange of information, that Directive formalises and clarifies the rules and procedures for sharing information between Member States’ competent authorities, in particular for investigative purposes, including the role of each Member State’s Single Point of Contact in such exchanges.

(12) The purposes of the exchanges of DNA profiles under this Regulation are without prejudice to the exclusive competence of the Member States to decide the purpose of their national DNA databases, including the prevention or detection of criminal offences.

(13) Member States should, at the time of initial connection to the router established by this Regulation, conduct automated searches of DNA profiles by comparing all the DNA profiles stored in their databases with all the DNA profiles stored in all the other Member States’ databases and Europol data. The purpose of that initial automated search is to avoid any gaps in identifying matches between DNA profiles stored in a Member State’s database and DNA profiles stored in all the other Member States’ databases and Europol data. The initial automated search should be conducted bilaterally and should not necessarily be performed with all other Member States’ databases and Europol data at the same time. The arrangements for conducting such searches, including the timing and the quantity by batch, should be agreed bilaterally in accordance with the rules and procedures laid down in this Regulation.

(14) Following the initial automated search of DNA profiles, Member States should conduct automated searches by comparing all the new DNA profiles added to their databases with all the DNA profiles stored in other Member States’ databases and Europol data. That automated searching of new DNA profiles should take place regularly. Where such searches could not take place, the Member State concerned should be able to conduct them at a later stage to ensure that matches have not been missed. The arrangements for conducting such later searches, including the timing and the quantity by batch, should be agreed bilaterally in accordance with the rules and procedures laid down in this Regulation.

(15) For the automated searching of vehicle registration data, Member States and Europol should use the European Vehicle and Driving Licence Information System (Eucaris), set up by the Treaty concerning a European Vehicle and Driving Licence Information System (EUCARIS) and designed for that purpose, which connects all participating Member States in a network. No central component is needed to establish communication as each Member State communicates directly with the other connected Member States, and Europol communicates directly with the connected databases.

(16) The identification of a criminal is essential for a successful criminal investigation and prosecution. The automated searching of facial images of persons convicted or suspected of having committed a criminal offence or, where permitted under the national law of the requested Member State, of victims, collected in accordance with national law, could provide additional information for successfully identifying criminals and fighting crime. Given the sensitivity of the data concerned, it should only be possible to conduct automated searches for the purpose of preventing, detecting or investigating a criminal offence punishable by a maximum term of imprisonment of at least one year under the law of the requesting Member State.

(17) The automated searching of biometric data by Member States’ competent authorities responsible for the prevention, detection and investigation of criminal offences under this Regulation should only concern data contained in databases established for the prevention, detection and investigation of criminal offences.

(18) Participation in the automated searching and exchange of police records should remain voluntary. Where Member States decide to participate, it should only be possible for them, in the spirit of reciprocity, to query other Member States’ databases if they make their own databases available for queries by other Member States. Participating Member States should establish national police record indexes. It should be for the Member States to decide which national databases established for the prevention, detection and investigation of criminal offences to use to create their national police record indexes. Those indexes include data from national databases that the police usually check when receiving requests for information from other law enforcement authorities. This Regulation establishes the European Police Record Index System (EPRIS) in accordance with the privacy-by-design principle. Data protection safeguards include pseudonymisation because indexes and queries do not contain clear personal data, but alphanumerical strings. It is important that EPRIS prevent Member States or Europol from reversing pseudonymisation and revealing the identification data which resulted in the match. Given the sensitivity of the data concerned, exchanges of national police record indexes under this Regulation should only concern the data of persons convicted or suspected of having committed a criminal offence. In addition, it should only be possible to conduct automated searches of national police record indexes for the purpose of preventing, detecting and investigating a criminal offence punishable by a maximum term of imprisonment of at least one year under the law of the requesting Member State.

(19) The exchange of police records under this Regulation is without prejudice to the exchange of criminal records through the existing European Criminal Records Information System (ECRIS), established by Council Framework Decision 2009/315/JHA (11).

(20) In recent years, Europol has received a large amount of biometric data of suspects and persons convicted of terrorism and criminal offences from third-country authorities in accordance with Regulation (EU) 2016/794, including battlefield information from war zones. In many cases, it has not been possible to make full use of such data because they are not always available to the Member States’ competent authorities. Including data provided by third countries and stored by Europol in the Prüm II framework and thus making those data available to the Member States’ competent authorities in line with Europol’s role as the Union central criminal information hub is necessary to better prevent, detect and investigate serious criminal offences. It also contributes to building synergies between different law enforcement tools and ensures that data are used in the most efficient manner.

(21) Europol should be able to search Member States’ databases under the Prüm II framework with data received from third-country authorities, in full respect of the rules and conditions provided for in Regulation (EU) 2016/794, in order to establish cross-border links between criminal cases in respect of which Europol is competent. Being able to use Prüm data, in addition to other databases available to Europol, would enable a more complete and informed analysis to be carried out, thereby allowing Europol to provide better support to Member States’ competent authorities for the prevention, detection and investigation of criminal offences.

(22) Europol should ensure that its search requests do not exceed the search capacities for dactyloscopic data and for facial images established by the Member States. In the event of a match between data used for the search and data stored in Member States’ databases, it should be up to Member States to decide whether to supply Europol with the information necessary for it to fulfil its tasks.

(23) Regulation (EU) 2016/794 applies in its entirety to the participation of Europol in the Prüm II framework. Any use by Europol of data received from third countries is governed by Article 19 of Regulation (EU) 2016/794. Any use by Europol of data obtained from automated searches under the Prüm II framework should be subject to the consent of the Member State which provided the data and is governed by Article 25 of Regulation (EU) 2016/794 where the data are transferred to third countries.

(24) Decisions 2008/615/JHA and 2008/616/JHA provide for a network of bilateral connections between the national databases of Member States. As a consequence of that technical architecture, each Member State had to establish a connection with each Member State participating in the exchanges, which meant at least 26 connections per Member State, per data category. The router and EPRIS will simplify the technical architecture of the Prüm framework and serve as connecting points between all Member States. The router should require a single connection per Member State in relation to biometric data. EPRIS should require a single connection per participating Member State in relation to police records.

(25) The router should be connected to the European Search Portal, established by Regulations (EU) 2019/817 (12) and (EU) 2019/818 (13) of the European Parliament and of the Council, to allow Member States’ competent authorities and Europol to launch queries to national databases under this Regulation at the same time as queries to the Common Identity Repository, established by those Regulations, for law enforcement purposes in accordance with those Regulations. Those Regulations should therefore be amended accordingly. Moreover, Regulation (EU) 2019/818 should be amended with a view to enabling the storage of reports and statistics of the router in the central repository for reporting and statistics.

(26) It should be possible for a reference number for biometric data to be a provisional reference number or a transaction control number.

(27) Automated fingerprint identification systems and facial image recognition systems use biometric templates comprised of data derived from a feature extraction of actual biometric samples. Biometric templates should be obtained from biometric data, but it should not be possible to obtain that same biometric data from the biometric templates.

(28) The router should rank, where decided by the requesting Member State and where applicable according to the type of biometric data, the replies from the requested Member State or Member States or from Europol by comparing the biometric data used for querying and the biometric data supplied in the replies by the requested Member State or Member States or Europol.

(29) In the event of a match between the data used for the search and data held in the national database of the requested Member State or Member States, following a manual confirmation of the match by a qualified member of staff of the requesting Member State and following the transmission of a description of the facts and an indication of the underlying offence using the common table of offence categories set out in an implementing act to be adopted pursuant to Framework Decision 2009/315/JHA, the requested Member State should return a limited set of core data, to the extent that such core data are available. The limited set of core data should be returned via the router and, except where a judicial authorisation is required under national law, within 48 hours of the relevant conditions having been met. That deadline will ensure fast communication exchange between Member States’ competent authorities. Member States should retain control over the release of the limited set of core data. Human intervention should be maintained at key points in the process, including for the decision to launch a query, the decision to confirm a match, the decision to launch a request to receive the set of core data following a confirmed match and the decision to release personal data to the requesting Member State, in order to ensure that no core data will be exchanged in an automated manner.

(30) In the specific case of DNA, the requested Member State should also be able to confirm a match between two DNA profiles where that is relevant for the investigation of criminal offences. Following the confirmation of that match by the requested Member State and following the transmission of a description of the facts and an indication of the underlying offence using the common table of offence categories set out in an implementing act to be adopted pursuant to Framework Decision 2009/315/JHA, the requesting Member State should return a limited set of core data via the router within 48 hours of the relevant conditions having been met, except where a judicial authorisation is required under national law.