30.12.2010   

EN

Official Journal of the European Union

C 357/1

1.

On 24 February 2010, the Commission adopted a proposal for a Regulation of the European Parliament and of the Council amending Council Regulation (EC) No 2007/2004 establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union (FRONTEX) (3) (hereinafter ‘the proposal’ or ‘the proposed Regulation’).

2.

The EDPS welcomes the fact that he was informally consulted by the Commission before the adoption of the proposal. Informal comments were issued by the EDPS on 8 February 2010 and resulted in a number of changes in the final version of the proposal adopted by the Commission.

3.

On 2 March 2010, the proposal as adopted by the Commission was sent to the EDPS for consultation in accordance with Article 28(2) of Regulation (EC) No 45/2001.

4.

In this context, it is also pertinent to mention that on 26 April 2010 the EDPS issued an Opinion on a notification for Prior Checking received from the Data Protection Officer of the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union (FRONTEX) concerning the ‘Collection of names and certain other relevant data of returnees for join return operations (JRO)’ (hereinafter the ‘Prior Check Opinion’) (4). The conclusions of the abovementioned Opinion, the subject of which is the processing of personal data in the context of the preparation and realisation of the JROs under Article 9 of Regulation (EC) No 2007/2004, have been used as a basis for some of the observations and conclusions presented in this opinion.

5.

As far as the aim and objective of the proposal are concerned, the Explanatory Memorandum accompanying the proposed Regulation (hereinafter EM) reads as follows: ‘the proposal addresses amendments to Council Regulation (EC) No 2007/2004 (…) that are necessary in order to ensure a well defined and correct functioning of the FRONTEX Agency in the coming years. The objective of the proposal is to adapt the Regulation, in the light of the evaluations carried out and practical experiences, to clarify the mandate of the Agency and to address identified shortcomings’.

6.

In this context, it should be mentioned that recital 9 of the proposal refers to the fact that the Stockholm Programme calls for a clarification and enhancement of the role of FRONTEX regarding the management of the external borders of the European Union.

7.

In addition, recital 10 refers to the need for strengthening FRONTEX’s operational capabilities. As mentioned in this recital, ‘the mandate of the Agency should be revised in order to strengthen in particular the operational capabilities of the Agency while ensuring that all measures taken are proportionate to the objectives pursued and fully respect fundamental rights (…)’. Moreover, recital 11 highlights that ‘current possibilities for providing effective assistance to the Member States regarding the operational aspects should be reinforced as concerns the available technical resources’.

8.

Furthermore, as mentioned in recital 4 of the proposal, ‘this Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, notably human dignity, prohibition of torture and of inhuman or degrading treatment or punishment, right to liberty and security, the rights to the protection of personal data, right to asylum, non-refoulement, non-discrimination, the rights of the child, right to an effective remedy. This Regulation should be applied by the Member States in accordance with these rights and principles.’

9.

The proposal reflects the recommendations made in the Commission's Communication of 13 February 2008 on the evaluation and future development of the FRONTEX Agency (5) as well as those made by the Management Board to the extent they require a revision of the legal framework of the Agency, with the exceptions as described in the impact assessment.

10.

As a general remark, the EDPS notes that the proposal aims to allow FRONTEX to fulfil its current tasks and responsibilities, as well as those provided by the proposed Regulation, more effectively. The new tasks of FRONTEX, as referred to in the Explanatory Memorandum, are to include, should they be approved as proposed by the Commission, amongst others: 1) widening of the work related to risk analysis; 2) strengthening the work related to research; 3) introducing the possibility to coordinate joint return operations; 4) new tasks related to the development and operation of information systems; 5) new tasks related to providing assistance to EUROSUR, etc.

11.

This new legal framework, envisaged by the proposal, in which FRONTEX is to operate in the near future, and which might also result in new operational tasks to be given to FRONTEX on the basis of the proposed Regulation, has been carefully taken into account by the EDPS while reflecting on the content and the conclusions of this opinion.

12.

Against this background, and, as mentioned before, taking account of the possible new roles and responsibilities of the Agency, it is striking that the proposed Regulation is almost completely silent about the processing of personal data by FRONTEX, with a sole exception of the last sentence of Article 11 of the proposal. This issue will also be considered further in the light of the findings and conclusions of the EDPS Prior Check Opinion referred to in point 4.

13.

Furthermore, the opinion will focus on those specific provisions of the proposed Regulation which have, or might in the future have, data protection implications. In this context, the following specific provisions will be addressed in the opinion:

14.

As already mentioned, the proposal does not specify whether, and if so, under which circumstances, conditions and limitations, and subject to which safeguards, FRONTEX would be allowed to process (some) personal data in the context of its growing tasks and responsibilities envisaged by the proposal. Indeed, the proposed Regulation neither clarifies this issue nor does it contain a specific legal basis providing for clarification of the circumstances under which such processing by FRONTEX could take place, subject to strong data protection safeguards and in accordance with the proportionality and necessity principles.

15.

In this context, it is important to once again refer to the Explanatory Memorandum which informs that the preferred option of the Impact Assessment has been fully reflected in the proposal ‘with the exception of giving FRONTEX a limited mandate to process personal data related to fighting criminal networks organising illegal immigration’. The EM reads further that ‘the Commission does consider that all possibilities to reinforce the fight against the smuggling of migrants and against trafficking of human beings should be explored’. However, ‘it prefers to return to the question of personal data in the context of the overall strategy for information exchange to be presented later this year and also taking into account the reflection to be carried out on how to further develop cooperation between Agencies in the justice and home affairs field as requested by the Stockholm Programme’.

16.

The EDPS has doubts about the approach taken by the Commission in the proposed Regulation with regard to the issue of processing of personal data by FRONTEX. The above quoted reference in the EM does not clarify what might be the scope of processing of personal data in other areas of FRONTEX activities (see points 10 and 11). To explain this with an example, the EDPS wishes to refer to his Prior Check Opinion regarding the preparation and realisation of the JROs, the activity in the context of which FRONTEX informed the EDPS that some processing of personal data might be necessary for the effective execution of the tasks laid down in Article 9 of the FRONTEX Regulation.

17.

In the Prior Check Opinion, the EDPS saw ‘a more specific legal base than Article 9 of Regulation (EC) No 2007/2004 as preferable, if not required, due to the sensitivity of the data and the activities concerned with regard to a vulnerable population, so as to provide clearer limits to the processing and ensure appropriate guarantees for data subjects, as required by Article 8 of the European Convention on Human Rights and the EU Charter of Fundamental Rights’.

18.

The EDPS believes that the example of the joint return operations in the context of which some processing of personal data is considered necessary by FRONTEX, shows that there is an urgent need for clarification of this issue in the proposal. The Commission's reluctance to specify this in the proposed Regulation or to clearly state the date by when it will do so, instead preferring to postpone the matter pending new legal and political circumstances (see point 15 of this opinion), raises serious concerns. In the EDPS’s view, this approach could lead to an undesirable legal uncertainty and a significant risk of non-compliance with data protection rules and safeguards.

19.

Considering the new tasks and responsibilities of FRONTEX as envisaged in the proposal, the EDPS is of the opinion that the proposed Regulation should — to the extent necessary and appropriate — address clearly the question of the scope of the activities that may give rise to the processing of personal data by FRONTEX. The EDPS believes that a specific legal basis addressing the processing of personal data by FRONTEX in the context of its current or new tasks is needed. Only where necessary for clearly identified and lawful purposes — in particular JRO — should such processing be allowed.

20.

The legal basis should furthermore provide for specification as to the necessary and appropriate safeguards, limitations and conditions under which such a processing of personal data would take place, in compliance with Article 8 of the European Convention on Human Rights and Article 8 of the EU Charter of Fundamental Rights.

21.

The need for specification is even more pertinent given the practical difficulty to clearly distinguish between FRONTEX’s operational and non-operational activities and, more specifically, the cases in which the processing of personal data would take place for purely administrative or purely operational purposes. These terms may give rise to confusion as to their precise scope and content. Therefore, the EDPS invites the legislator to clarify the issue in the proposed Regulation.

22.

The EDPS also takes this opportunity to emphasise that the conclusions of the Prior Check Opinion only apply to a specific activity (i.e. JRO) to be carried out in the future by FRONTEX in accordance with Article 9 of the FRONTEX Regulation (6). These conclusions are based on a comprehensive analysis of the legal and practical circumstances of this specific activity as well as the information provided by FRONTEX to the EDPS in the course of the prior check. As a consequence, they cannot be applied to the assessment of the necessity, proportionality and lawfulness of any processing of personal data which might in the future be envisaged in the context of other activities of FRONTEX. Should any other processing of personal data be foreseen by FRONTEX, the latter should be subject to a case-by-case analysis as to the lawfulness of the processing, in the absence of a specific provision in the FRONTEX Regulation (7).

23.

As mentioned in point 13, this opinion will also address those specific provisions of the proposed Regulation which have or might have data protection implications in the future (Articles 11, 11(a), 11(b), 13 and 14).

24.

The proposal provides for a new wording of Article 11 of Regulation (EC) No 2007/2004, which modifies the role of the Agency by obliging it to facilitate the exchange of information and developing and operating an information system capable of exchanging classified information. More specifically, the proposed wording stipulates that ‘the Agency may take all necessary measures to facilitate the exchange of information relevant for its tasks, with the Commission and the Member States. It shall develop and operate an information system capable of exchanging classified information with the Commission and the Member States. The exchange of information to be covered by this system shall not include the exchange of personal data’.

25.

The EDPS welcomes the specification proposed in the last sentence of the abovementioned provision as it clarifies the content of the information which can be exchanged by FRONTEX with the Commission and the Member States, and leaves no doubt as to whether such an exchange of information would involve personal data.

26.

However, in this context, the EDPS wishes to draw attention to the fact that the proposed Article 11 is in fact the only provision in the proposal which explicitly tackles the issue of the processing of personal data by FRONTEX in the context of its operational activities. It does so by excluding the exchange of personal data in the field of a particular information system. The fact that other provisions, such as the one dealing with cooperation with European Union agencies and bodies and international organisations (Article 13) or the one governing cooperation with third countries (Article 14) do not contain any specification of this nature may lead to uncertainties or even concerns from a data protection perspective.

27.

The proposal provides for insertion of Article 11(a) which concerns the application of Regulation (EC) No 45/2001 and reads as follows: ‘The Management Board shall establish measures for the application of Regulation (EC) No 45/2001 by the Agency, including those concerning the Data Protection Officer of the Agency’.

28.

The EDPS welcomes this provision which confirms that the Agency is obliged to process personal data in accordance with Regulation (EC) No 45/2001, wherever it is allowed to do so.

29.

In that context, the appointment of the Data Protection Officer is of particular importance and should be accompanied by the prompt establishment of the implementing rules regarding the scope of powers and tasks to be entrusted to the Data Protection Officer in accordance with Article 24(8) of Regulation (EC) No 45/2001. Furthermore, these rules should be complemented by all the necessary measures required for the effective application of this Regulation to FRONTEX.

30.

This provision is highly pertinent also in the context of the conclusions of the Prior Check Opinion for the purpose of which FRONTEX informed the EDPS that some processing of personal data would be necessary for the proper and effective execution of the tasks under Article 9 of the FRONTEX Regulation. Since Regulation (EC) No 45/2001 applies, FRONTEX, in its role of data controller, will have to ensure compliance with all the provisions contained in that Regulation.

31.

It should also be mentioned here that the proposal does not contain any specific rules related to the exercise of the data subject’s rights (Articles 13-19 of Regulation (EC) No 45/2001). Moreover, there is no specific provision either related to the obligation of the data controller to provide information to the data subject (Articles 11 and 12 of Regulation (EC) No 45/2001). The EDPS recommends that special account should be taken of those rules in the measures to be established by the Management Board on the basis of the proposed Article 11(a) of the proposal.

32.

Article 11(b) provides that FRONTEX should apply the security principles of Commission Decision 2001/844/EC, ECSC, Euratom for classified information. This shall cover, inter alia, provisions for the exchange, processing and storage of classified information. The proposed provision also obliges the Agency to process non-classified sensitive information as adopted and implemented by the Commission.

33.

The EDPS welcomes this provision as a necessary specification regarding the way classified information should be secured, exchanged, processed and stored by FRONTEX. The EDPS also welcomes the way non-classified sensitive information should be securely processed following the security principles adopted by the Commission. In order to complete and clarify this security obligation, the EDPS recommends that the words: ‘and develops accordingly its own and detailed security policy’ are added to the last sentence of Article 11(b). Indeed, in order to be effective, the Commission principles need to be appropriately transposed and implemented through a tailored-made security policy.

34.

The proposal replaces the current wording of Article 13 of the FRONTEX Regulation. The new wording states that ‘The Agency may cooperate with Europol, the European Asylum Support Office, the Fundamental Rights Agency, other European Union agencies and bodies, and the international organisations competent in matters covered by this Regulation in the framework of working arrangements concluded with those bodies, in accordance with the relevant provisions of the Treaty and the provisions on the competence of those bodies’.

35.

Having analysed this provision, the EDPS understands that the working arrangements with agencies, bodies and international organisations mentioned in this Article will not involve the processing of personal data. This understanding is based on the fact that the new wording does not specify this issue nor does it address the categories of data which could be exchanged between the agencies and bodies. It does not provide either for the conditions under which such exchange could take place.

36.

Notwithstanding the position taken above, the EDPS would like to draw attention to the provisions of Article 22 of the Council Decision of 6 April 2009 establishing the European Police Office (Europol) (8) (hereinafter ‘Europol Decision’) regarding Relations with Union or Community institutions, bodies, offices and agencies. This provision enables Europol to establish and maintain cooperative relations with the institutions, bodies, offices and agencies set up by, or on the basis of, the Treaty on European Union and the Treaty establishing the European Communities, in particular FRONTEX. In this context, it should be added that paragraph 2 of Article 22 stipulates that ‘Europol shall conclude agreements or working arrangements with the entities referred to in paragraph 1; such agreements or working arrangements may concern the exchange of operational, strategic or technical information, including personal data and classified information. Any such agreement or working arrangement may be concluded only after approval by the Management Board which shall previously have obtained, as far as it concerns the exchange of personal data, the opinion of Joint Supervisory Body’. Moreover, on the basis of Article 22(3) Europol may, before the entry into force of the agreement or working arrangement referred to in paragraph 2, directly receive and use information, including personal data, from the entities referred to in paragraph 1 in so far as that is necessary for the legitimate performance of its tasks, and it may, under the conditions laid down in Article 24(1), directly transmit information included personal data, to such entities, in so far as that is necessary for the legitimate performance of the recipient’s tasks.

37.

Given that Europol Decision contains a provision which could allow Europol to conclude an agreement or a working arrangement with FRONTEX which may concern the exchange of operational, strategic or technical information, including personal data, the EDPS calls on the legislator to clarify in the proposed Regulation that the working arrangement which could be concluded with Europol on the basis of the proposed Article 13 of FRONTEX Regulation, would exclude the exchange of personal information.

38.

Article 14(1) of the proposal deals with the issue of facilitation of operational cooperation with third countries and cooperation with competent authorities of third countries. More specifically, it requires the Agency ‘in matters covered by its activities and to the extent required for the fulfilment of its tasks, (…) facilitate the operational cooperation between Member States and third countries, in the framework of the European Union external relations policy, including with regard to human rights’. Moreover, paragraph 6 of the abovementioned Article stipulates that ‘the Agency may cooperate with the authorities of third countries competent in matters covered by this Regulation in the framework of working arrangements concluded with these authorities, in accordance with relevant provisions of the Treaty’.

39.

As far as the abovementioned provision is concerned, the EDPS notes that it does not refer to the processing of personal data nor does it specify whether, and if so, to which extent and under which circumstances the ‘working arrangements’ envisaged in this provision would include personal data. Therefore, and taking account of the reasoning mentioned in the general remarks, the EDPS understands that this provision would not involve the processing of personal data. Such conclusion is also in line with the information received by the EDPS from FRONTEX in the context of the notification for Prior Checking in the context of JROs.

40.

The EDPS welcomes the fact that he is consulted by the Commission in accordance with Article 28(2) of Regulation (EC) No 45/2001.

41.

The EDPS has noted the aim and objectives of the proposed Regulation as well as the reasons which led to the adoption of the proposal providing for revision of the FRONTEX legislative framework. He notes in particular that the proposal aims to allow FRONTEX to fulfil its current tasks and responsibilities, as well as those provided by the proposed Regulation, more effectively.

42.

Taking account of the new legal framework, envisaged by the proposal, in which FRONTEX is to operate in the near future, and which might also result in new operational tasks to be given to FRONTEX on the basis of the proposed Regulation, it is striking that the proposal is silent about the processing of personal data by FRONTEX, with a sole exception of the last sentence of Article 11.

43.

The EDPS is of the opinion that the proposed Regulation should — to the extent necessary and appropriate — clearly address the question of the scope of activities that may give rise to the processing of personal data by FRONTEX.

44.

A specific legal basis addressing the issue of the processing of personal data by FRONTEX and providing for clarification of the circumstances under which such processing by FRONTEX could take place, subject to strong data protection safeguards and in accordance with the proportionality and necessity principles, is needed. Only where necessary for clearly identified and lawful purposes (in particular JRO) should such processing be allowed.

45.

The legal basis should specify the necessary and appropriate safeguards, limitations and conditions under which such a processing of personal data would take place, in compliance with Article 8 of the European Convention on Human Rights and Article 8 of the EU Charter of Fundamental Rights, including guarantees regarding the data subject’s rights as one of the most important elements.

46.

The Commission’s reluctance to specify this in the proposed Regulation or to clearly state the date by when it will do so, instead preferring to postpone the matter pending new legal and political circumstances, raises serious concerns. In the EDPS’s view, this approach could lead to undesirable legal uncertainty and a significant risk of non-compliance with data protection rules and safeguards.

47.

In order to further improve the proposal, the EDPS also calls on the legislator to clarify in the proposed Regulation that the working arrangement which could be concluded with Europol on the basis of the proposed Article 13 of the FRONTEX Regulation, would exclude the exchange of personal information. Moreover, he also suggests a clarification of Article 11(b) of the proposal.