This document is an excerpt from the EUR-Lex website
Document 52008XX1205(02)
Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council facilitating cross-border enforcement in the field of road safety
Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council facilitating cross-border enforcement in the field of road safety
Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council facilitating cross-border enforcement in the field of road safety
OJ C 310, 5.12.2008, p. 9–12
(BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
5.12.2008 |
EN |
Official Journal of the European Union |
C 310/9 |
Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council facilitating cross-border enforcement in the field of road safety
(2008/C 310/02)
THE EUROPEAN DATA PROTECTION SUPERVISOR,
Having regard to the Treaty establishing the European Community, and in particular its Article 286,
Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,
Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular its Article 41,
Having regard to the request for an opinion in accordance with Article 28(2) of Regulation (EC) No 45/2001 received on 19 March 2008 from the European Commission,
HAS ADOPTED THE FOLLOWING OPINION:
I. INTRODUCTION
Consultation of the EDPS
1. |
The Proposal for a Directive facilitating cross-border enforcement in the field of road safety (hereinafter ‘the proposal’) was sent by the Commission to the EDPS for consultation on 19 March 2008, in accordance with Article 28(2) of Regulation (EC) No 45/2001/EC (1). |
2. |
Prior to the adoption of the proposal, the Commission informally consulted the EDPS on the draft proposal, which the EDPS welcomed as it gave him an opportunity to make some suggestions on the draft proposal prior to its adoption by the Commission. The EDPS is glad to see that a significant part of his suggestions have been reflected in the proposal. |
The proposal in its context
3. |
The proposal constitutes a measure taken in the global objective of reducing fatalities, injuries and material damage resulting from traffic accidents, which constitutes a major goal of the EU road safety policy. In this context, the proposal intends to establish a system to facilitate the cross-border enforcement of sanctions for specified road traffic offences. It has indeed been noted that a substantive number of traffic offences are committed and remain unsanctioned when they take place in a country different from the country of residence of the offender. |
4. |
In order to contribute to a non discriminatory and more effective enforcement towards traffic offenders, the proposal foresees the establishment of a system of cross-border exchange of information between Member States. |
5. |
Since it provides for the exchange of personal data of suspected offenders, the proposal has direct data protection implications. |
Focus of the opinion
6. |
The opinion of the EDPS will analyse the legitimacy and the necessity of the measures in Chapter II. The quality of data collected, in relation with the purpose, will be addressed in Chapter III. Chapter IV will focus on the rights of the data subjects, and the conditions to exercise them. Finally, the conditions for transfer of data through an electronic network and its security aspects will be analysed. |
II. LEGITIMACY AND NECESSITY OF THE MEASURES
7. |
Directive 95/46/EC on the protection of personal data (2) foresees, as one of its main principles, that data must be collected and processed for a specified, explicit and legitimate purpose. Besides, processing must be necessary for that purpose (3). The legitimacy of the purpose can be evaluated against the criteria given by Article 7(e)-(f) of the Directive, i.e. in particular the performance of a public interest task or the legitimate interests pursued by the controller. |
8. |
It is not questionable that reducing the number of road fatalities is a legitimate purpose that could qualify as a public interest task. The question is rather whether the measures envisaged constitute an appropriate tool with regard to this objective of reducing road fatalities. In other words, does the proposal include concrete elements establishing the necessity of such an exchange of information system, considering the impact it will have on the privacy of persons concerned. |
9. |
The explanatory memorandum states (4) that the existing policy — the Commission Recommendation on enforcement in the field of road safety of 21 October 2003 (5) — would be insufficient to cut by half the number of fatalities (6). This statement is based on the increase in the number of deaths since 2004, and on statistics on the proportion of non-resident drivers in speeding offences. It appears that non-resident drivers would be more involved in speeding offences than resident drivers (7). |
10. |
The statistics mentioned in the impact assessment also indicate a link between the number of controls and the number of casualties, leading to the conclusion that enforcement appears effective as an essential tool to reduce the number of road fatalities (8). |
11. |
The EDPS also notes that this measure taken at community level is without prejudice — and even complementary — to measures taken at national level in order to improve enforcement in countries where this is identified as a priority. |
12. |
The EDPS is satisfied that the elements given in the explanatory memorandum and in the preamble of the proposal are sufficiently detailed and founded to support the legitimacy of the proposal and the necessity of the foreseen exchange of data. |
III. QUALITY OF DATA PROCESSED
13. |
According to Article 6(1)(c) of Directive 95/46/EC, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. |
14. |
The scope of the proposal is limited to specific serious infringements that are considered as the main cause of fatal accidents, i.e. speeding, non-use of seat belt, drink driving and red traffic light running. |
15. |
Three of these offences (speeding, red traffic light running and non-use of seat belt) can be detected and further processed in an automatic way or without direct contact with the driver, which renders necessary at a later stage the identification of the data subject through cross border exchange of information. With regard to drink driving, detection of the offence must happen in the presence of enforcement authorities, who can in principle collect directly the identity of the offenders. The reason why cross-border exchange of information is nevertheless necessary in that case is further explained in the preamble of the Directive: in order to enable the follow-up of offences, verification of the vehicle registration details may be necessary even in case where the vehicle has been stopped, which is notably the case for drink driving. |
16. |
The EDPS is satisfied with the limitation of exchange of information to the four infringements mentioned, taking into account their proportion in the total amount of fatal accidents and the necessity to obtain further identification information in an enforcement perspective. |
17. |
The EDPS also approves the fact that the list of offences is exhaustive, and that any addition of other offences to this list can only happen as a consequence of further monitoring by the Commission, and through a revision of the Directive. This is in line with legal certainty requirements. |
IV. RIGHTS OF THE DATA SUBJECT
18. |
Rights to information, access and correction of personal data are foreseen in the proposal, especially in Article 7. The way data subjects will be informed about their rights will depend on the format of the offence notification. |
19. |
It is therefore important that the offence notification mentioned in Article 5 and developed in Annex 2 comprises all relevant information for the data subject, in a language that he/she understands. |
20. |
In its present version, the notification includes most of the information related to the rights of the data subject. However, this information is located at the end of the ‘reply form’ of the notification. The EDPS would consider it more appropriate that clear information is given in the beginning of the form on the precise quality of the data controller, in other words: the national authority responsible for the enforcement of sanctions. |
21. |
Article 5(5) of the proposal indicates that non-essential elements of the Directive shall be amended in accordance with the regulatory procedure laid down in Council Decision 1999/468/EC on implementing powers conferred to the Commission. The EDPS wonders what elements of the proposal could be considered as non-essential. In order to avoid that the model offence notification be amended further on in its part related to the rights of individuals, the EDPS would recommend completing Article 5(2) of the proposal so that the rights of individual are established in a stable way, including the information on the quality of the data controller. |
22. |
Article 5(2) could be completed as follows: ‘The offence notification shall contain the name of the authority responsible for the enforcement of sanctions and the purpose of the notification, a description of the offence concerned (…), the possibilities for the holder to contest the grounds of the offence notification and to appeal (…), and the procedure to be followed (…). This information shall be given in a language that can be understood by the recipient’. |
23. |
With regard to the possibility for the data subject to access his/her data and possibly to contest their processing, the EDPS welcomes the possibility foreseen in the proposal to exercise his/her rights before an authority situated in his/her country of residence. Indeed, facilitation of cross-border enforcement of infringements should not have as a consequence to prevent or render too difficult the possibilities for data subjects to exercise their rights. |
V. ELECTRONIC NETWORK — SECURITY ASPECTS
24. |
The Explanatory Memorandum (9) indicates the possibility to make use of an already existing EU information system to transfer data necessary for enforcement. |
25. |
As far as only the technical infrastructure is concerned (10), the EDPS has no objection to the use of an already existing system as far as this limits financial or administrative burdens, without impact on the privacy aspects of the project. However, interoperability should not allow exchange of data with other databases. It must be recalled that no interconnection of databases should be established without a clear and legitimate basis (11). |
26. |
The EDPS also insists on the fact that the purpose of the network is to allow the exchange of information between national authorities, and not to create a central database of traffic offences. Centralising and re-use of the data does not enter into the scope of the proposal. |
27. |
The EDPS notes that a safeguard is included in Article 3(3) of the proposal to avoid dissemination of information related to offences. Indeed, only the Member State where the offence was committed is entitled to the processing of the relevant data of the individual concerned. The country of residence of the individual, responsible for the transmission of identification data, is not supposed to store this information or to re-use it for any purpose. The EDPS therefore welcomes the provision of the proposal stating that no country other than the state of offence shall store this information. |
28. |
Common rules shall be adopted by the Commission, in accordance with Article 4 of the proposal, including the technical procedures for electronic exchange of data between the Member States. In the view of the EDPS, these rules shall include physical and organisational safeguards to prevent misuse of the information. The EDPS is available for further consultation with regard to the elaboration of the details of these rules. |
VI. CONCLUSION
29. |
The EDPS considers that the proposal provides for sufficient justification for the establishment of the system for the cross-border exchange of information, and that it limits in an adequate way the quality of data to be collected and transferred. |
30. |
He also welcomes the redress procedure foreseen in the proposal, and in particular the fact that access to personal data will be possible in the country of residence of the data subject. |
31. |
The EDPS gives the following recommendation in order to improve the text with regard to the information of data subjects: the way data subjects will be informed of the fact they have specific rights will depend on the format of the offence notification. It is therefore important that Article 5 comprises all information relevant for the data subject, in a language that he/she understands. A possible wording is suggested in point 22 of the opinion. |
32. |
With regard to security, while the EDPS has no objection to the use of an already existing infrastructure to exchange the information — as far as this limits financial or administrative burdens, he insists on the fact that this should not lead to interoperability with other databanks. The EDPS welcomes the limit put in the proposal on the possibilities of use of the data by Member States other that the one where the offence was committed. |
33. |
The EDPS is available for further consultation with regard to the common rules to be elaborated by the Commission on technical procedures for the electronic exchange of data between the Member States, and in particular with regard to the security aspects of these rules. |
Done at Brussels, 8 May 2008.
Peter HUSTINX
European Data Protection Supervisor
(1) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
(2) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
(3) Articles 6(1)(b) and 7.
(4) Point 1: Context of the proposal, ‘General context’.
(5) Commission Recommendation 2004/345/EC. See the Communication from the Commission concerning the Commission recommendation of 21 October 2003 on enforcement in the field of road safety (OJ C 93, 17.4.2004, p. 5).
(6) Objective mentioned in the Explanatory Memorandum and in the White Paper of 2001 on European transport policy.
(7) Explanatory memorandum, 1. Grounds for and objectives of the proposal: while non-resident drivers would represent around 5 % of the global amount of drivers — in countries where the information is available, their share in speeding offences ranges from 2,5 % to 30 %.
(8) See the great differences in the number of casualties depending on Member States, and the fact that the number of casualties would be directly connected with the number of controls. See Impact Assessment, Chapter 2.4.1.
3. |
Legal elements to the proposal, ‘proportionality principle’. |
(10) As would be suggested by the Impact Assessment, Chapter 5.3.1.
(11) See in this respect the Comments of the EDPS of 10 March 2006 on the Communication of the Commission on interoperability of European databases, available at: www.edps.europa.eu: Interoperability is mentioned not only in relation to the common use of large scale IT systems, but also with regard to possibilities of accessing or exchanging data, or even of merging databases. This is regrettable since different kinds of interoperability require different safeguards and conditions. This is for instance the case when the concept of interoperability is used as a platform of other proposed measures aiming to facilitate the exchange of information. The EDPS opinion on the principle of availability emphasised that although the introduction of this principle will not lead to new databases, it will necessarily introduce a new use of existing databases by providing new possibilities of access to those databases.