26.4.2007   

EN

Official Journal of the European Union

C 91/15

1.

The proposal for a Regulation of the European Parliament and of the Council laying down the procedure for implementing Regulation (EC) No 883/2004 of the European Parliament and the Council of 29 April 2004 on the coordination of social security systems (3) was sent by the Commission to the EDPS for consultation, in accordance with Article 28(2) of Regulation 45/2001/EC (hereinafter ‘the Proposal’). According to the EDPS, the present opinion should be mentioned in the preamble of the Regulation.

2.

The formal consultation from the Commission follows the contacts between the EDPS secretariat and the services of the relevant DG of the Commission (DG EMPL), in the framework of the EDPS inventory exercise 2007 (4). Indeed, this Proposal is one of those proposals, within DG EMPL portfolio, that present a high interest for the EDPS. Furthermore, the EDPS contributed to a hearing organised by the European Parliament on 23 November 2006, by giving some preliminary remarks on the Proposal. In this context, the EDPS welcomes this consultation and expects to be timely consulted in the future with regard to other Commission proposals relating to the protection of personal data in the social security and employment sectors, in particular those mentioned in his inventory.

3.

The Proposal lays down the procedure for implementing Regulation (EC) No 883/2004 of the European Parliament and of the Council of 29 April 2004 on the coordination of social security systems. Indeed, the new rules on coordination in the latter Regulation cannot be applied until the current Proposal, laying down the corresponding implementing measures, has been adopted (5). Therefore, the Proposal shall be assessed in conjunction with the basic regulation on which it is based. With regard to this point, it should also be noted that the EDPS has not given his opinion on Regulation 883/2004, since the corresponding Commission proposal was adopted on 12 February 1999 (6), before Regulation 45/2001/EC had entered into force.

4.

The objective of the Proposal is to modernise and simplify the existing rules, by strengthening cooperation between social security institutions and improving the methods of data exchange between social security institutions.

5.

The Proposal has a wide scope, both as to the citizens concerned and the areas covered. On one hand, it covers all EU citizens who are insured under national legislation (therefore, including non-employed persons), provided there are trans-border elements. On the other hand, it applies to a vast range of areas in social security: sickness benefits; maternity and equivalent paternity benefits; invalidity benefits; old-age pensions; survivor's pensions; benefits in respect of accidents at work and occupational diseases; death grants; unemployment benefits; early retirement pensions; family benefits.

6.

The EDPS welcomes this Proposal to the extent that it aims at favouring the free movement of citizens and improving the standard of living and conditions of employment of EU citizens moving within the Union.

7.

Provisions on exchange of personal data between national administrations competent for social security constitute a major part of the Proposal. Indeed, social security could not exist without the processing of different kinds of personal data, in many cases of a sensitive nature. Furthermore, exchange of personal data relating to social security between different Member States is a natural consequence of a European Union whereby citizens are increasingly making use of their right to freedom of movement.

8.

However, it is also essential that this increased exchange of personal data between national administrations of Member States, while providing better conditions for free movement of people, also ensures a high level of protection of personal data, thereby guaranteeing one of the EU fundamental rights. In this context, the EDPS is glad to note that also the European Economic and Social Committee (‘EESC’), in its opinion of 26 October 2006 on the Proposal, pointed out the need to ensure adequate protection of personal data, especially in consideration of the sometimes sensitive nature of the data at stake (7).

9.

The EDPS has been consulted on the proposal for an implementing Regulation. However, as mentioned above, the implementing Regulation cannot be assessed separately from Regulation (EC) No 883/2004, which lays down the basic principle of the coordination of social security systems, also with regard to the protection of personal data. Therefore, the EDPS will take into account in his opinion the framework laid down by the latter Regulation. Nevertheless, the EDPS will focus his advice on those issues for which the legislator of the implementing regulation still has a margin of manoeuvre.

10.

Furthermore, the EDPS notes that the Proposal, besides having a broad scope, is also very complex, since it lays down detailed, and sometimes technical, provisions on the different circumstances, mechanisms and limitations in the coordination of social security systems. Therefore, in analysing the Proposal, the EDPS will not deal individually with all the provisions, but will adopt an horizontal approach, by focussing on principles of data protection that are particularly relevant to the Proposal.

11.

Under this approach, this opinion aims at ensuring compliance with data protection legislation but also efficiency of the proposed measures, by anticipating and addressing issues that may arise at the time of implementation in national legal systems. In this opinion the EDPS will first define the relevant data protection legal framework and then deal with the application of relevant data protection principles to the Proposal. In the conclusions, the EDPS will highlight his main findings and recommendations.

12.

In the context of the Proposal, personal data of insured persons will usually be processed by competent national authorities, and will thus fall within the scope of national laws implementing Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data (‘the Directive’). In the more limited number of cases in which personal data of insured persons will be processed by Community institutions, they will be subject to Regulation (EC) No 45/2001 (8) on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This would be, for example, the case where personal data relating to EU staff is processed (9). Therefore, the current legal framework on data protection provides for a harmonized level of protection throughout the EU.

13.

The current Proposal will rely on this harmonised framework. However, national legislations implementing the Directive are not fully uniform and some divergences may still exist between national data protection laws. It is therefore of great importance that the legislator takes this into account, in order to ensure that the proposed measures fully comply with this framework and cope with these possible differences.

14.

Furthermore, the increased trans-border exchange of data will call for a better coordination of national provisions on protection of personal data. In this respect, the EDPS welcomes Article 77 of Regulation 883/2004. This provision explicitly states that personal data processed by virtue of the Regulation, as well as its implementing rules, shall be transmitted in accordance with Community provisions on protection of personal data.

15.

Article 77 of Regulation 883/2004 also provides guidance on the applicable national data protection law in case of transmissions of data between competent authorities of different Member States, by stating that the communication of personal data from one Member State to another one shall be subject to the data protection legislation of the former, the transmitting Member State. On the contrary, any communication from the receiving Member State, as well as the storage, alteration and destruction of the received data shall be subject to the data protection legislation of the receiving Member State. This provision is in line with the provision on national law applicable laid down by Article 4 of the Directive.

16.

In the Proposal, a reference to the Community provisions on the protection of personal data is made in Recital 3 as well as in Article 3(2). While recital 3 broadly states that persons concerned must benefit from all of the guarantees provided by Community provisions on the protection of personal data, Article 3(2) specifically refers to the exercise of the rights to access and rectification of one's own personal data.

17.

The EDPS agrees on the need — for a legal instrument implementing enhanced processing and transmissions of personal data — to clearly and explicitly recall the applicable data protection framework. In this perspective, the EDPS recommends that a general reference to the Community provisions on the protection of personal data is not only laid down in the Recitals, but is also explicitly made in its provisions (for example, in Article 3). This general provision would not exclude that other provisions, like those currently laid down in Article 3(2), can further address more specific issues relating to the concrete application of data protection principles in the framework of coordination of social security systems (see further, points 36-38).

18.

One of the basic principles of data protection law is that personal data shall only be processed for the purpose for which they were collected or for a compatible purpose (Article 6.1.b of the Directive). The Proposal does not include any general provision on purpose limitation (10). However, the general approach of the Proposal is that personal data collected for one of the social security purposes (pension, invalidity benefit, unemployment, etc) will be processed and further transmitted to other Member States' authorities for the same purpose. Therefore, most processing operations laid down by the Proposal will concern personal data processed for the same purpose or a compatible one. This will be also the case of processing of personal data in the framework of the transmission of data for recovery of claims or benefits not due (Article 73).

19.

However, in other circumstances, such as in the case of cooperation between tax authorities (Recital 14), social security data might be necessary also for purposes other than social security. In this case, exceptions to the principle of purpose limitation could be justified by virtue of Article 13 of the Directive, in specific circumstances and provided that they are necessary and based on legislative measures, either at national or Community level. In this context, the legislator might consider whether to specifically refer in the Proposal to the conditions under which social security data may be processed for a different purpose.

20.

Against this background, the EDPS considers that the Proposal respects the basic data protection provisions on purpose limitation. Furthermore, the EDPS notes that the prohibition to use personal data for purposes other than social security arises from the applicable data protection legislation, which would allow for exceptions to this general principle only under specific and strict conditions.

21.

According to data protection principles, personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (Article 6.1.c of the Directive). In the context of social security systems, this means that only a necessary and proportionate set of data shall be transmitted in each circumstance.

22.

This principle is correctly enshrined in Article 2.1 of the Proposal, which lays down an obligation for Member States' institutions to share with each other all data necessary for establishing and determining the rights and obligations of insured persons. In this context, the EDPS highlights that the assessment of the necessary sets of personal data may vary slightly according to the kind of benefit at stake. For example, the kind of personal information needed for sickness benefits will be different from information needed for old-age pensions. The information transmitted by Member States' authorities should not go beyond what is necessary for the insured person's rights or obligations at stake in the specific case.

23.

Proportionality should also apply with regard to the number of competent bodies having access to data as well as to the modalities and length of storage of personal data. Only relevant authorities and institutions shall have access to social security data, and these data shall be stored — in a form that permits identification of the data subject — for no longer than it is necessary for the purpose for which they are processed (Article 6.1.e of the Directive).

24.

With regard to the number of authorities and institutions having access to the personal data of insured persons, Article 83 of the Proposal will create a public database, listing the relevant bodies for each Member State. It should be also noted that the Proposal leaves flexibility for Member States to decide whether personal data shall be transmitted through a central point of access in a Member State or directly to the relevant authority or institution (Article 2.3). Furthermore, in each Member State there might be many designated bodies, some of which may operate at a regional level.

25.

With regard to the storage period of personal data, the EDPS notes that in the context of social security, the proportionality test may lead to very different results, depending on the area of social security covered. For example, processing of personal data relating to sickness benefits will usually be necessary for a shorter period of time than in the case of pensions, which are benefits likely to be provided for a longer period. Period of storage of personal data would also depend on the kind of body that processes them. For example, in the case of central points of access, this would mean that personal data would be deleted as soon as they have been further transmitted to the competent body. In any case, it should be clear that personal data shall be deleted or anonymized as soon as they are no longer necessary for the purpose for which they were collected or processed.

26.

In the light of these considerations, the EDPS highlights that in such a complex system, whereby personal data are processed and further transmitted through an asymmetric network of bodies, special attention should be paid to ensure that personal data are processed by the competent authorities, for a proportionate period of time, and that duplications of databases are avoided. The EDPS believes that the database laid down by Article 83 will help ensuring that necessary personal data are transmitted only to the relevant authorities in each specific case. However, further clarifications on the modalities of transmitting and storing the data could be added to the current Proposal, as the Commission has already done in other proposals (11). In this context, the EDPS believes that a certain harmonization of storage periods would not only protect citizens' right to protection of personal data, but would also enhance the efficiency of the coordination between national administrations of different Member States.

27.

The Proposal establishes a variety of mechanisms, according to which personal data relating to insured persons are transferred between competent bodies of different Member States. These exchanges of personal data may be divided in two broad categories: those made on the basis of the request of the concerned person; and those carried out ex officio, usually between third parties (competent bodies, employers), without any specific request by the concerned person. In many cases, relevant bodies will process and transmit sensitive data, in particular data relating to health conditions.

28.

All these processing activities shall comply with the conditions for processing personal data laid down in the Directive: competent national bodies and employers may process personal data only on the basis of the consent of the person concerned or some other legitimate basis, such as compliance with a legal obligation or performance of a task carried out in the public interest or in the exercise of official authority (Article 7.a, 7.c and 7.e of the Directive). Stricter conditions apply to sensitive data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life (Article 8 of the Directive).

29.

Against this background, the EDPS points out that the provisions of the Proposal may well be considered as laying down a legal obligation — pursuant to Article 7.c of the Directive — to process and transmit social security data, insofar as this obligation is specific. Therefore, in those cases where the Proposal lays down a clear obligation to process personal data, the processing operations by competent national bodies and employers could be based on Article 7(c) of the Directive. On the contrary, where this legal obligation is not laid down directly by the Proposal, the processing of personal data shall be based either on a national (non-harmonised) specific legal obligation or on a different legal ground.

30.

Article 7.e of the Directive allows processing of personal data when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed. This would be the case where the relevant body processes data on the basis of its tasks or official authority stemming from a general — national or Community — legal provision rather than on the basis of a specific legal obligation. In this case, the right to object is applicable pursuant to Article 14.a of the Directive.

31.

The use of consent as a legal ground, pursuant to Article 7.a of the Directive, has a more limited scope with regard to processing of personal data by public authorities or in employment relationships, since consent can be deemed to be free — pursuant to Article 2.h of the Directive — only if there are viable alternatives for the person concerned.

32.

With regard to processing of sensitive data (Article 8 of the Directive), considerations similar to those made in the previous paragraphs shall apply. The EDPS considers that obligations stemming from employment law (Article 8.2.b of the Directive), further exceptions (Article 8.4) or consent (Article 8.2.a) might constitute relevant legal grounds for processing sensitive social security data. In this case, specific safeguards — such as technical compartmentalization measures — might be necessary.

33.

In the light of the aforementioned considerations, he EDPS points out that the more this Proposal clearly lays down specific legal obligations for competent bodies and employers to process personal data, the easier and more efficient its implementation in the Member States will be, with regard to compliance with national data protection laws stemming from the Directive. Therefore the EDPS, without entering into the details of the various specific mechanisms laid down by the Proposal, recommends the EU legislator to ensure that each and every proposed mechanism of processing and transmission of personal data is clearly based on a specific legal obligation directly laid down by the Proposal or on other legitimate grounds for processing pursuant to Articles 7 and 8 of the Directive.

34.

Adequately informing data subjects about the processing of their personal data and about their rights is essential, as laid down in Section IV of Directive 95/46. This is even more important when personal data are processed by many authorities in different Member States and therefore data subjects might run the risk of loosing sight of who is processing their personal data, for which purposes, and how to enforce their rights.

35.

With regard to this issue, the EDPS strongly supports a proactive approach: providing data subjects with exhaustive and timely information, with a view to clarifying both the use of the information collected and their rights. In this respect, the EDPS not only endorses the call made by the EESC (12) to raise awareness between all potential users of the Regulation, but also calls on the legislator to add an explicit reference in the Proposal to the need to provide concerned persons with specific and adequate information on processing of their personal data. This could be done by amending Article 19 (Provision of information to insured persons) in order to ensure that the necessary information is provided to insured persons.

36.

Data subjects' rights are particularly relevant in the context of social security systems, since they allow persons concerned to keep control over their (sensitive) data, to ensure their accuracy and to check the information on the basis of which important decisions are taken and benefits are granted. This is particularly relevant in a trans-border context, where the margin of error in transmitting personal data is likely to be higher by virtue of the necessity of translating the information. It is also worth mentioning that the enhanced accuracy of information resulting from the enforcement of data subjects' rights benefits not only the concerned persons but also relevant social security bodies.

37.

The EDPS warmly welcomes Article 3.2 of the Proposal, which states that Member States shall guarantee that the persons concerned have the right to access personal data and the right to rectify them, in accordance with Community provisions on protection of personal data. However, the EDPS suggests supplementing this provision with a broader reference to all data subjects' rights, including the right to object (Article 14 of Directive 95/46) and the safeguards concerning automated individual decisions (Article 15 of Directive 95/46).

38.

In addition, the EDPS recommends that the Proposal duly take into account the need to facilitate the effective exercise of data subjects' rights in a trans-border context. Indeed, concerned persons will have to enforce their rights in a situation in which their personal data come from different authorities of two or more countries. Therefore, it would be desirable that in such cases data subjects' rights could also be exercised directly through the relevant authority which receives personal data from other Member States. This would mean that the competent authority which is in direct contact with the insured person would be called upon to act as a one-stop-shop not only with regard to social security benefits, but also with regard to all personal data processed in connection with those benefits. An insured person would then be able to exercise his or her data subjects' rights through the competent authority irrespective of the origin of the data. Therefore, the EDPS invites the legislator to consider this possibility, also in the light of the examples already provided in other Commission proposals (13).

39.

In the Proposal, security in processing of data is of specific relevance in relation to the more widespread use of electronic tools by public administrations of different Member States. Furthermore, the transmission in most cases will involve sensitive data, and as also pointed out by the EESC, is therefore even more important ‘to ensure that these data are properly secure and cannot fall into the wrong hands’ (14).

40.

In this regard, the EDPS welcomes Article 4 of the Proposal, which states that the transmission of data between relevant bodies ‘shall be carried out by electronic means under a common secure framework that can guarantee the confidentiality and protection of exchanges of data’. However, the EDPS stresses that this ‘common secure framework’, to be defined by the Administrative Commission for the Coordination of Social Systems (15), should duly take into account the recommendations issued by the IDABC programme (16) (Interoperable Delivery of European e-Government Services to public Administrations, Businesses and Citizens) relating to Community data protection provisions, and in particular those relating to the security of processing (Article 17 of the Directive). In this perspective, the EDPS also recommends that expert advisers in data protection and security are duly involved in the relevant works of this Administrative Commission

41.

The EDPS welcomes this proposal to the extent that it aims at favouring the free movement of citizens and improving the standard of living and conditions of employment of EU citizens moving within the Union. Indeed, coordination of social security systems could not exist without the processing and the transmission of different kinds of personal data, in many cases of a sensitive nature.

42.

However, it is also essential that this increased exchange of personal data between national administrations of Member States, while providing better conditions for free movement of people, also ensures a high level of protection of personal data, thereby guaranteeing one of the EU fundamental rights.

43.

The Proposal will rely on the harmonised data protection framework laid down by Community provisions on protection of personal data, and in particular by Directive 95/46/EC and national implementing laws. The EDPS is glad that the applicability of this data protection framework is recalled by both the basic Regulation 883/2004 and by the Proposal. However, specific issues relating to the application of data protection principles in the framework of coordination of social security systems should be further and explicitly addressed.

44.

With regard to the purpose limitation principle, the EDPS considers that the Proposal respects the basic data protection provisions on purpose limitation. Furthermore, the EDPS notes that the prohibition to use personal data for purposes other than social security is not explicitly laid down in the Proposal but arises from the applicable data protection legislation, which would allow for exceptions to this general principle only in specific circumstances and under strict conditions. In this context, the legislator might consider whether to specifically refer in the Proposal to the conditions under which social security data may be processed for a different purpose.

45.

With regard to proportionality in data processed, competent bodies and storage periods, the EDPS highlights that in such a complex system, whereby personal data are processed and further transmitted through an asymmetric network of bodies, special attention should be paid to ensure that personal data are processed by the competent authorities, for a proportionate period of time, and that duplications of databases are avoided. In this context, further clarifications on the modalities of transmitting and storing the data could be added to the Proposal.

46.

With regard to legal grounds for processing personal data, the EDPS, without entering into the details of the various specific mechanisms laid down by the Proposal, recommends the EU legislator to ensure that each and every proposed mechanism of processing and transmission of personal data is clearly based on a specific legal obligation directly laid down by the Proposal or on other legitimate grounds for processing pursuant to Articles 7 and 8 of the Directive.

47.

With regard to information to insured persons, the EDPS recommends adding an explicit reference in the Proposal to the need to provide concerned persons with specific and adequate information on processing of their personal data.

48.

With regard to data subjects' rights, the EDPS warmly welcomes Article 3.2 of the Proposal and suggests supplementing this provision with a broader reference to all data subjects' rights, including the right to and the safeguards concerning automated individual decisions. Furthermore, the EDPS invites the legislator to facilitate the effective exercise of data subjects' rights in a trans-border context by providing that the competent authority which is in direct contact with the insured person should act as a one-stop-shop not only with regard to social security benefits, but also with regard to all data processed in connection with those benefits.

49.

With regard to security measures, the EDPS recommends that the ‘common secure framework ’for the transmission of data laid down by Article 4 of the Proposal duly take into account relevant recommendations on data protection and security of processing. In this context, expert advisers in data protection and security should be duly involved in the relevant works of the competent Administrative Commission.