Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council on mutual administrative assistance for the protection of the financial interests of the Community against fraud and any other illegal activities (COM(2004) 509 final of 20 July 2004)
OJ C 301, 7.12.2004, p. 4–5 (ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, NL, PL, PT, SK, SL, FI, SV)
Opinion of the European Data Protection Supervisor
on the Proposal for a Regulation of the European Parliament and of the Council on mutual administrative assistance for the protection of the financial interests of the Community against fraud and any other illegal activities (COM(2004) 509 final of 20 July 2004)
THE EUROPEAN DATA PROTECTION SUPERVISOR,
Having regard to the Treaty establishing the European Community, and in particular its Article 286,
Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,
Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular its Article 28(2),
HAS ADOPTED THE FOLLOWING OPINION:
1. The Proposal has been submitted by the European Commission on 28 September 2004 for an opinion of the European Data Protection Supervisor (EDPS) in conformity with Article 28(2) of Regulation (EC) No 45/2001. This provides that the Commission shall consult the EDPS, when it adopts a Community legislative proposal relating to the protection of individuals' rights and freedoms with regard to the processing of personal data. As the present case illustrates, this obligation does not only apply to proposals dealing with personal data protection as their main subject, but also to proposals which build on, supplement or amend the existing legal framework for data protection, and to proposals which have a significant impact on the protection of individuals' rights and freedoms with regard to the processing of personal data, but fail to take the existing legal framework into account.
2. The Proposal is based on Article 280 of the EC Treaty. Therefore, it comes fully under the first pillar activities and it acknowledges, as to the processing of personal data, the need to ensure proper data protection as laid down in Directive 95/46/EC and, where applicable, in Regulation (EC) No 45/2001 (inter alia, recital 11 and Article 18 of the Proposal).
3. The Proposal does not include new rules on data protection nor exceptions from the aforementioned legislation on data protection. On the contrary, its Article 18 refers the matter globally to that legislation and envisages an implementing regulation in some areas, namely access to and use of information obtained from the Member States' VAT records by the Commission (Article 11(1)), spontaneous exchange of financial information between Member States and the Commission (Article 12(4)), and mutual assistance and exchange of information (Article 21). It is noted with satisfaction that the EDPS will be consulted before adoption of these implementing rules.
4. Article 18(1), second paragraph, provides for a specific obligation of confidentiality vis-à-vis persons or authorities other than those within the Community institutions and bodies or in the Member States whose functions require them to know the information referred to. It is assumed that this does not affect the rights of data subjects to have access to personal data relating to them, unless one of the relevant exceptions is found to apply, which should in principle only be determined on a case-by-case basis (Article 13 of Directive 95/46/EC and Article 20 of Regulation (EC) No 45/2001).
5. The Proposal is a complement and reinforcement of Regulation (EC) No 1073/1999, Council Regulation (EC) No 515/97 and Council Regulation (EC) No 1798/2003, and in many aspects contains parallel provisions to those of that previous legislation. In this respect, the following comments are relevant:
(a) Article 37(4) of Council Regulation (EC) No 515/97 on personal data protection supervision, should be amended, in an additional provision of the draft, to take account of the fact that the EDPS has now been appointed. In the light of this, Article 37 should also be reconsidered in its entirety in order to provide for a more appropriate and more effective system of supervision and cooperation between supervisory authorities. A similar system should be envisaged or built upon in the proposed Regulation.
(b) The Committee set up under Article 43 of Regulation (EC) No 515/97, whose tasks are enlarged to cover the scope of the proposal, presents some problems that should be addressed, at least for the purposes of the present proposal, if not to take the opportunity of further amending Regulation (EC) No 515/97. The English version of this regulation seems to indicate that the ad hoc formation consists of the representatives referred to in Article 43(1) plus the data protection representatives. It should be clear that, as in the French version, the ad hoc formation is "made up by representatives nominated by each Member State from its national supervisory authority or authorities". In any case, the EDPS should also be expressly named.
6. Finally, as is the case for other mandatory opinions, the formal opinion of the EDPS based on Article 28(2) of Regulation (EC) No 45/2001 should be mentioned before the recitals (Having regard to the opinion...).
Done at Brussels, 22 October 2004.
The European Data Protection Supervisor
Directive 95/46/EC: OJ L 281, 23.11.1995, p. 31.
Regulation (EC) No 45/2001: OJ L 8, 12.1.2001, p. 1.