31.8.2017   

EN

Official Journal of the European Union

C 288/107

Rapporteur:

Mr PEGADO LIZ

1.1

The Commission proposal under examination provides a concrete response — in a generally correct and adequate manner from a strictly technical and legal point of view — to the need to adapt the current rules under Regulation (EC) No 45/2001 of the European Parliament and of the Council  (1) and Decision No 1247/2002/EC of the European Parliament, of the Council and of the Commission  (2) on the protection of personal data by the Union institutions, bodies, offices and agencies in line with the new General Data Protection Regulation (GDPR) (3), which will be applicable throughout the EU from 25 May 2018 onwards.

1.2

This does not preclude the EESC from recalling the substance of its comments and recommendations on the now adopted proposal for a GDPR, or from expressing its regret that the final version has not taken them fully into account. Moreover, in view of the speed of technological progress in this domain, it also fears that its late adoption and entry into force may compound the risks of unauthorised appropriation of data and irregularities in data processing and marketing, and that it may become obsolete before it is even implemented. Given that the proposal under consideration is an adaptation of the GDPR to the way the EU institutions operate, the same concerns are relevant here, mutatis mutandis, particularly as regards the impenetrable language, which is difficult for the man in the street to understand.

1.3

Furthermore, the EESC is of the view that what happens in the EU institutions should serve as a model for Member State procedures, and therefore believes that special care is called for in drafting the proposal.

1.4

To this end, the EESC considers that issues such as aligning the wording of the proposal on that of the Staff Regulations of Officials of the European Union, procedures for dealing with harassment, cyberbullying and whistleblowing in the EU institutions, its application to the Internet of Things, Big Data and the use of search engines for the purpose of accessing, creating or using personal data, and the placing of personal information published on the websites of the institutions on social networking sites (Facebook, Twitter, Instagram, LinkedIn, etc.) should have been addressed explicitly.

1.5

In the same way, the EESC would like the proposal to have set out both the terms for the security of the IT systems that will support data processing and the guarantees against cyber-attacks and breaches or leaks of such data, ensuring technological neutrality rather than relying purely on the internal regulations specific to each department, and would also like to have better clarification of the connection between data protection and the combating of crime and terrorism without needing to resort to disproportionate or excessive surveillance measures — measures that should in any case always be subject to checks by the European Data Protection Supervisor (EDPS).

1.6

The EESC would also like the proposal to have provided a common definition of the competences, training and suitability criteria required in order to be designated data protection officer, data controller or processor in the EU institutions — again, subject to checks and monitoring by the EDPS.

1.7

The EESC is also of the view that, on account of the specific nature of the data collected and the fact that they have a direct bearing on the privacy of the data subjects — particularly as regards health — tax and social data should be limited to that which is strictly necessary for the purpose, and that the maximum protection and guarantees should be ensured in the processing of particularly sensitive personal data, drawing on international law and the most advanced legislation and best practice to be found in some Member States.

1.8

The EESC highlights the need for the proposal to expressly provide for increased resources for the EDPS, ensuring sufficient staffing and recruitment of people with high levels of knowledge and technical competence in the field of data protection.

1.9

The EESC reiterates, yet again, that the data of legally constituted, collective subjects (undertakings, NGOs, commercial companies, etc.) also need to be afforded protection in the area of data collection and processing.

1.10

Finally, the EESC includes in its specific comments a list of amendments to various provisions which, if adopted, would help to provide more effective protection of personal data in the EU institutions, not only for EU officials but also for the thousands of members of the public with whom they come into contact. It therefore urges the Commission, as well as the EP and the Council, to take these amendments into consideration when drafting the final version of the proposal.

2.1

As stated by the Commission in the explanatory memorandum, the aim of the proposal is to repeal Regulation (EC) No 45/2001  (4) and Decision No 1247/2002/EC relating to the protection of personal data by the Union institutions, bodies and offices, with the twin objectives of:

2.2

After a lengthy and difficult process of incubation, the Council and the Parliament finally adopted the General Data Protection Regulation (GDPR) (5), which will become applicable throughout the EU on 25 May 2018. The regulation requires a number of legislative instruments (6) to be adapted, including Regulation (EC) No 45/2001 and Decision No 1247/2002/EC referred to above.

2.3

The Commission also takes extensive account of the results of surveys and stakeholder consultations, and the evaluation study on the application of the regulation over the past 15 years, and reaches the following specific conclusions:

2.4

In view of the nature and extent of the modifications to be made to the previous legal instruments, the Commission decided to repeal them in their entirety and replace them with the regulation currently under consideration, which is consistent with the majority of the other measures referred to and would thus enable them to enter into force at the same time as Regulation (EU) 2016/679, pursuant to Article 98 of the latter.

3.1

From a strictly technical and legal point of view, the EESC endorses in principle:

3.2

This is without prejudice to the substance of the EESC's comments and recommendations regarding the proposal for a GDPR (8), now adopted (9), which does not take them fully into account. Moreover, in view of the rapidity of technological developments in this domain, the Committee fears its late adoption and entry into force may further compound the risks of data being misappropriated and misused in processing and marketing, since it may become obsolete before it is even implemented. Given that the proposal under consideration is an adaptation of the GDPR to the way the EU institutions operate, the same concerns apply to it, mutatis mutandis, particularly as regards the impenetrable language, which is difficult for the man in the street to understand. It would have been better to present and discuss the two proposals at the same time.

3.3

Furthermore, given that the approach adopted by the EU institutions should serve as a model for Member State procedures, the EESC thinks that a number of issues should have been addressed in this proposal.

3.4

To begin with, it is not clear whether the proposal has taken due account of the Staff Regulations of Officials of the European Union (Regulation No 31 (EEC) (10)), given the lack of specific legal provisions guaranteeing more effective protection of the personal data of officials and other staff of the institutions regarding their recruitment, career, duration of contract and any subsequent renewals, as well as their appraisals.

3.4.1

If not in this text, measures of a general nature should be laid down containing rules on the health records of officials and their family members, the protection of data created or used by officials and their respective genetic data, the processing and protection of emails, whether sent by members of the public to EU bodies or sent or exchanged by officials of these bodies, either amongst themselves or with outside parties, and the content of these emails and the websites visited (11).

3.4.2

Likewise, instances of harassment, cyberbullying and whistleblowing in the EU institutions warrant special treatment, notwithstanding the provisions of Article 68.

3.4.3

The EESC also queries the terms of application of the proposal under examination and of Regulation (EU) 2016/679 as regards the Internet of Things, Big Data and the use of search engines for the purpose of accessing, creating or using personal data, and putting personal information published on the websites of the institutions on social networking sites (Facebook, Twitter, Instagram, LinkedIn, etc.), regardless of whether the data subject has given their explicit consent.

3.5

In addition to the reference to the confidentiality of electronic communications in Article 34 of the proposed regulation, the EESC would like the Commission proposal to have set out both the terms for the security of the IT systems that will support the processing of data and the guarantees against cyber-attacks and breaches or leaks of such data (12), ensuring technological neutrality rather than relying purely on the internal regulations specific to each individual department. It would also like to have better clarification of the connection between data protection and the combating of crime and terrorism without needing to resort to disproportionate or excessive surveillance measures — measures that should in any event always be subject to checks by the EDPS.

3.6

The EESC emphasises that the interconnection of personal data in the EU institutions cannot be left solely to the principle of accountability set out in recital 16, and to this end urges the Commission to introduce a specific rule stipulating that an interconnection can only be made with the authorisation of the EDPS, on request by the controller or jointly with the processor.

3.7

However, without prejudice to recital 51 of the preamble and Article 44(3) of the proposal, the EESC would also like the Commission to have provided a common definition of the competences, training and suitability criteria required in order to be designated data protection officer, data controller or processor in the EU institutions (13). Any breaches of these functions should be subject to sanctions in the form of disciplinary, civil or criminal proceedings that are a genuine deterrent and are set out in the proposal — again, subject to checks and monitoring by the EDPS.

3.8

Whilst recognising that this proposal raises the level of protection compared to that prevailing under Regulation (EC) No 45/2001 currently in force, the EESC is of the view that, on account of the specific nature of the data collected and the fact that such data have a direct bearing on the privacy of the data subjects — particularly as regards health — tax and social data should be limited to that which is strictly necessary for the purpose and that the maximum protection and guarantees should be ensured in the processing of personal data, drawing on international law and the most advanced legislation and best practice to be found in some Member States (14).

3.9

Whilst cognisant of the fact that both Regulation (EU) 2016/679 and the proposal under consideration apply exclusively to data for which the subjects are individuals, it reiterates that the data of legally constituted, collective subjects (undertakings, NGOs, commercial companies, etc.), also need to be afforded protection in terms of collection and processing.

4.1

Analysis of the text raises a number of doubts and reservations in the light of the fundamental principles of the right to privacy set out in the EU Charter of Fundamental Rights, the principle of proportionality and the precautionary principle.

4.3.1

In view of the fact that the regulation currently under discussion applies to data processed within the EU institutions, the EESC would like the principle of non-discrimination to be expressly introduced, given the nature of the data being processed.

4.3.2

With respect to Article 4(1)(b) on processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, this should be subject to prior authorisation by the European Data Protection Supervisor, something which is not provided for in Article 58.

4.3.3

Finally, there should be an expressly worded provision that is the equivalent of Article 7 of Regulation (EC) No 45/2001, currently in force, concerning the transfer of data between the EU institutions.

4.4.1

It is not clear why Article 5(1)(b) of the proposed regulation is not subject to the requirement set out in paragraph 2 of that article, unlike indents (c) and (e) of Article 6, both of which are subject to the provision laid down in Article 3 of the GDPR.

4.4.2

The EESC considers that indent (d) ought to include a reference to the fact that consent should be subject to the principle of good faith.

4.5.1

Application of this article should always be subject to authorisation by the European Data Protection Supervisor.

4.5.2

In such cases, the data subject should always be informed prior to any data collection or at the moment of any new decision, and should possibly have the option of requesting rectification, the right to object, erasure or restriction of processing.

4.6.1

In the EESC's view, the exception to the rule of the validity of consent for children under the age of 16 (between 13 and 16 years of age) — which is already an aberration in itself — is only admissible for Member States for cultural reasons of domestic law (Article 8 of the GDPR), but should not be admissible as a rule for the EU institutions, which establishes the age of consent at 13 years (Article 8(1)).

4.6.2

Furthermore, it has not been specified how in practice the EDPS is to address ‘specific attention’ to children, as referred to in Article 58(1)(b), particularly when it comes to the list of users referred to in Article 36 when data is publicly accessible.

4.7.1

Paragraph 1 should also include political affiliation (which is not the same thing as political opinion) and private life.

4.7.2

In paragraph 2(b), even where the purpose is to carry out the obligations and exercise specific rights of the data subject, the latter should always be given prior notice.

4.7.3

In paragraph 2(d), processing should only be carried out with the consent of the data subject.

4.7.4

Indent (e) should only constitute an exception when it can be legitimately surmised from the subject's statements that consent has been given to the processing of data.

4.9.1

With regard to further information, as referred to in Article 15(2), it should be added that the data subject should be informed as to whether the controller's reply to the request is of an obligatory or optional nature and of the possible consequences of failure to reply.

4.9.2

Where data is collected from open networks, the data subject must always be informed that their personal data may be circulated on networks without security measures, running the risk of being seen and used by unauthorised third parties.

4.9.3

The right provided for in Article 17(1) should be exercised freely and without restriction, at reasonable intervals, swiftly or immediately and at no cost.

4.9.4

The EESC would suggest that it should also be a requirement for the data subject to receive confirmation as to whether data regarding himself or herself are being processed or not.

4.9.5

The information referred to in Article 17(1) should be provided in an intelligible, clear and comprehensible manner, particularly as regards data to be processed and any information on the origin of such data.

4.11.1

The EESC believes that it should be added to paragraph 2(c) that consent only occurs after express information is provided of the repercussions of the legal effects of decisions on the data subject, as only then will the consent be duly informed.

4.11.2

As regards paragraph 3, the EESC is of the view that appropriate measures should be drawn up by the European Data Protection Supervisor and not by the data controller.

4.12.1

The EESC is concerned that the wording of Article 25 in the proposed regulation offers too broad an interpretation of Article 23 of the GDPR as regards restrictions on the application of the principles establishing the fundamental rights of the data subject. It would advise the Commission to subject it to a critical review, analysing the various paragraphs according to strict criteria, possibly setting out the scope of each indent, particularly in respect of the limitation of the right to confidentiality in electronic communications networks provided for in Article 7 of the Charter of Fundamental Rights, referred to in the ePrivacy Directive and retained in the proposed regulation being assessed in another EESC opinion.

4.12.2

The EESC is completely opposed to the possibility granted in Article 25(2) allowing EU institutions and bodies to restrict the application of limitations on the rights of data subjects to legal acts for which they have not given their express consent. The same applies to Article 34.

—

prevent any unauthorised person from having access to installations used for the processing of such data;

—

prevent the reading, copying, modification or removal of data media by unauthorised persons;

—

prevent unauthorised input and unauthorised gaining of knowledge, modification or removal of personal data;

—

prevent the use of automated data processing systems by unauthorised persons using data transmission equipment;

—

ensure that it is possible to verify those bodies to which personal data may be communicated;

—

ensure that authorised persons may only gain access to data covered by the requirement for prior authorisation.

4.20.1

If, notwithstanding the above and where the data protection officer is not an official, in view of the nature of his/her office, it should be possible to dismiss him/her at any time, a favourable opinion of the EDPS being sufficient for this purpose (Article 45(8) of the regulation).

4.20.2

It takes the view that the term of the mandate should be 5 years and should be renewable only once.

4.25

The proposal for a regulation is riddled with expressions or concepts of an ambiguous nature. These should be revised and replaced. Examples include ‘to the extent possible’, ‘if possible’, ‘without delay’, ‘high risk’, ‘due account’, ‘reasonable time limit’ and ‘particular importance’.