21.7.2011   

EN

Official Journal of the European Union

C 215/13

1.

On 22 December 2010, the Commission adopted a proposal for a Regulation of the European Parliament and of the Council on the financial rules applicable to the annual budget of the Union (‘the proposal’). It merges and replaces two earlier Commission proposals on the revision of the Financial Regulation (‘the FR’, Council Regulation (EC, Euratom) No 1605/2002 (3)). These two proposals concerned on the one hand the triennial revision of the FR and on the other hand, the revision of the FR to align it with the Lisbon Treaty (4).

2.

On 5 January 2011, the proposal was sent to the EDPS in accordance with Article 28(2) of Regulation (EC) No 45/2001. The EDPS was informally consulted prior to the adoption of the proposal. The EDPS recommends the legislator to include a reference to the consultation of the EDPS at the beginning of the proposed regulation.

3.

The proposal has certain data protection implications at EU as well as at national level which will be discussed in this Opinion.

4.

References to the relevant data protection instruments can be found in the proposal. However, as will be explained in this Opinion, some further elaboration and clarification is needed in order to ensure full compliance with the data protection legal framework.

5.

The proposed regulation covers several matters which involve the processing of personal data by EU institutions, agencies and bodies, as well as by entities at Member State level. These processing activities will be analysed in greater detail below. When processing personal data EU institutions, agencies and bodies are bound by the rules on data protection laid down in Regulation (EC) No 45/2001. Entities acting at national level are bound by the national provisions in the relevant Member State which implement Directive 95/46/EC.

6.

The EDPS is pleased to see that references to one of these two instruments or to both can be found in the proposed regulation (5). However, the instruments are not systematically and consistently referred to in the proposal. The EDPS therefore encourages the legislator to take a more comprehensive approach on this in the regulation.

7.

The EDPS recommends the legislator to include the following reference to Directive 95/46/EC and Regulation (EC) No 45/2001 in the preamble of the Regulation:

‘This Regulation is without prejudice to the requirements of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and of Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.’.

8.

Moreover, the EDPS recommends to include a reference to Directive 95/46/EC and Regulation (EC) No 45/2001 in Article 57(2)(f), like it has been done in Article 31(3) of the proposal.

9.

Article 28 of the proposal deals with internal control of budget implementation. It is foreseen in paragraph 2(d) that for the purpose of the implementation of the budget, internal control is designed to provide reasonable assurance of achieving prevention, detection and correction of fraud and irregularities.

10.

In case of indirect implementation of the budget by the Commission by way of shared management with the Member States or with entities and persons other than Member States, it is stated in Articles 56(2) and 57(3) respectively that Member States and entities and other persons shall prevent, detect and correct irregularities and fraud when executing tasks related to the implementation of the budget. It goes without saying that such measures should fully comply with national provisions implementing Directive 95/46/EC.

11.

To that extent it is stated in paragraph 4(f) of Article 56 (which should be 4(e) following the logical order of the subparagraphs) that the bodies accredited by Member States which are solely responsible for the proper management and control of the funds shall ‘ensure a protection of personal data which satisfies the principles laid down in Directive 95/46/EC’. The EDPS recommends strengthening this reference by changing it into ‘ensure that any processing of personal data complies with the national provisions implementing Directive 95/46/EC’.

12.

As to the entities and persons other than Member States, Article 57(2)(f) states that these entities and persons should ‘ensure a reasonable protection of personal data’. The EDPS strongly criticizes this phrase as it seems to leave room for a less strict application of data protection rules. The EDPS therefore recommends replacing this phrase also by ‘ensure that any processing of personal data complies with the national provisions implementing Directive 95/46/EC’.

13.

Articles 63(8) of the proposal deals with the phenomenon of ‘whistle blowing’. It puts the obligation on staff members to inform the authorising officer (or the specialised financial irregularities panel set up pursuant to Article 70(6) of the proposal) in case they consider that a decision they are required to apply by their superior is irregular or contrary to the principles of sound financial management or the professional rules they are required to observe. In the event of any illegal activity, fraud or corruption which may harm the interests of the Union, the staff members must inform the authorities and bodies designated by the applicable legislation.

14.

The EDPS wishes to point at the fact that the position of whistleblowers is a sensitive one. Persons that receive such information should ensure that the identity of a whistleblower is kept confidential, in particular towards the person about whom an alleged wrongdoing is being reported (6). Ensuring the confidentiality of the identity of a whistleblower does not only protect the person providing the information, it also ensures the efficiency of the whistleblowers scheme as such. Without sufficient guarantees as regards the confidentiality, staff members will be less inclined to report irregular or illegal activities.

15.

The protection of the confidentiality of the whistleblower’s identity is however not absolute. After the first internal investigation, there might be further procedural or judicial steps which require the identity of the whistleblower to be disclosed to, for instances, judicial authorities. National rules regulating judicial procedures should thereby be respected (7).

16.

There might also be situations in which the person accused of a wrongdoing is entitled to receive the name of the whistleblower. This is possible if this person needs the identity for instigating legal procedures against the whistleblower after it has been established that he maliciously made false statements about him (8).

17.

The EDPS recommends amending the current proposal and assure that the identity of whistleblowers is kept confidential during the investigations in as far as this does not contravene national rules regulating judicial procedures and in as far as the person accused of a wrongdoing is not entitled to it because the identity of the whistleblower is needed for instigating legal procedures against the whistleblower after it has been established that the whistleblower maliciously made false statements about him.

18.

According to paragraph 2 of Article 31 (Publication of Union funds recipients and other information) the Commission shall make available, in an appropriate manner, information on the recipients of funds deriving from the budget held by it when the budget is implemented by the Commission either directly or through delegation.

19.

In paragraph 3 of Article 31 it is stated that this information ‘shall be made available with due observance of the requirements of confidentiality, in particular the protection of personal data as laid down in Directive 95/46/EC of the European Parliament and of the Council and Regulation (EC) No 45/2001 of the European Parliament and of the Council, and of the requirements of security, taking into account the specificities of each management mode […] and where applicable in conformity with the relevant sector-specific rules’.

20.

The publication of the identity of recipients of EU funds was dealt with by the European Court of Justice (‘the ECJ’) in its judgement of November 2010 in the case Schecke and Eifert  (9). Without going into the details of that case, it should be underlined that the ECJ carefully assessed whether the EU legislation, which contained the obligation to disclose the information, was in conformity with Articles 7 and 8 of the EU Charter of Fundamental Rights (‘the EU Charter’).

21.

The ECJ examined the purpose for which the information was disclosed and subsequently the proportionality of the measure. The ECJ considered that the institutions are obliged to balance, before disclosing information relating to a natural person, the European Union's interest in the disclosure and the infringement of the rights recognised by the EU Charter (10). The ECJ underlined that derogations and limitations in relation to the protection of personal data must apply only in so far as it is strictly necessary (11).

22.

The ECJ considered that the institutions should explore different methods of publication in order to find the one which would be consistent with the purpose of the publication while causing the least interference with the beneficiaries’ right to private life in general and to protection of personal data in particular (12). In the specific context of the case, the ECJ referred to limiting publication of data by name relating to the beneficiaries according to the periods for which they received aid, or the frequency or nature and amount of the aid received (13).

23.

The EDPS emphasises once again that the role of privacy and data protection is not to prevent public access to information whenever personal data is involved and to unduly limit transparency of the EU administration. The EDPS endorses the point of view that the principle of transparency ‘enables citizens to participate more closely in the decision-making process and guarantees that the administration enjoys greater legitimacy and is more effective and more accountable to the citizen in a democratic system’; publication on the internet of data by name relating to beneficiaries of funds, done appropriately, ‘contributes to the appropriate use of public funds by the administration’ and ‘reinforces public control of the use to which that money is put’ (14).

24.

On this basis, the EDPS wishes to underline that the considerations from the ECJ as referred to in the previous paragraphs are directly relevant for the current proposal. Although reference is made to Directive 95/46/EC and Regulation (EC) No 45/2001, it is not assured that the envisaged publication meets the requirements as explained by the ECJ in Schecke. In this respect it should be underlined that the ECJ not only annulled the Commission Regulation which contained the detailed rules on the publication of information about the beneficiaries of the agricultural funds (15), but also the provision in the Regulation that constitutes the legal basis for the Commission Regulation and which contained the general requirement to disclose the information, in as far as it concerned beneficiaries being natural persons (16).

25.

The EDPS has strong doubts whether the current proposal meets the criteria as explained by the ECJ in Schecke. Neither Article 31, nor the surrounding Articles contain a clear and well-defined purpose for which the publication of the personal information is envisaged. Furthermore, it is unclear when and in what format the information will be disclosed. It is therefore not possible to assess whether the right balance is struck between the various interests involved and to check, as explicitly underlined by the ECJ in Schecke, whether publication would be proportionate. Furthermore, it is unclear how the rights of the data subjects involved will be ensured.

26.

Even if implementing legislation is envisaged -which is not clearly stated- the basic clarifications just mentioned should be contained in the legal basis the FR is supposed to be for the disclosure of such data.

27.

The EDPS therefore recommends the legislator to clarify the purpose and explain the necessity of the envisaged disclosure, to indicate how and the extent to which personal data will be disclosed, to ensure that data is only disclosed if this is proportionate and to assure that data subjects are able to invoke their rights contained in EU data protection legislation.

28.

Article 103 of the proposal deals with the possibility for the contracting authority to impose administrative or financial penalties on (a) contractors, candidates or tenderers in case they are guilty of misinterpretation in supplying the information required by the contracting authority as a condition of participation in the procurement procedure or fail to supply this information (see Article 101(b)) or (b) contractors who have been declared to be in serious breach of their obligations under contract covered by the budget.

29.

In Article 103(1) it is stated that the person concerned must be given an opportunity to present his observations. According to Article 103(2) the penalties may consist of exclusion of the person involved from contracts and grants financed by the budget, for a maximum period of 10 years, and/or a financial penalty up to the value of the contract concerned.

30.

In comparison with the current situation, a new element in the proposal is the possibility for the institution mentioned in Article 103(3) to publish decisions or summary of decisions indicating the name of the economic operator, a short description of the facts, the duration of the exclusion or the amount of the financial penalties.

31.

In as far as this entails the disclosure of information about natural persons, this provision raises some questions from a data protection point of view. First, it is clear from the use of the word ‘may’ that publication is not obligatory. But this leaves open a number of issues where the text of the proposal does not provide clarity. For instance, what is the purpose for such disclosure? What are the criteria on which the institution concerned decides upon disclosure? How long will the information be publicly available and by which medium? Who will verify whether the information is still correct and will keep it up to date? Who will inform the person concerned about the disclosure? These are all questions which relate to the requirements of data quality as contained in Article 6 of Directive 95/46/EC and Article 4 of Regulation (EC) No 45/2001.

32.

It should be emphasised that the publication of such information has an additional negative impact on the person concerned. The publication should only be allowed if it is strictly necessary for the envisaged purpose. The comments made above in Part II.4 in the context of the ECJ ruling in Schecke are relevant here as well.

33.

In its current form, the proposed text in Article 103(3) does not entirely meet the requirements of data protection law. The EDPS therefore recommends the legislator to clarify the purpose and explain the necessity of the envisaged disclosure, to indicate how and the extent to which personal data will be disclosed, to ensure that data is only disclosed if this is proportionate and to assure that data subjects are able to invoke their rights contained in EU data protection legislation.

34.

The proposal also entails the setting up of a Central Exclusion Database (‘the CED’) which will contain details of candidates and tenderers excluded from participation in tenders (see Article 102). This database is already in place on the basis of the current FR, and its working is further elaborated in Commission Regulation (EC) No 1302/2008. The processing operations of personal data that take place in the framework of the CED have been analysed by the EDPS in a prior check Opinion of 26 May 2010 (17).

35.

The recipients of the data provided in the CED are multiple. Depending on who is accessing the database, Articles 7, 8 or 9 of Regulation (EC) No 45/2001 apply.

36.

The EDPS concluded in the abovementioned prior check Opinion that the current practice as regards implementation of Articles 7 (consultation of the database by other EU institutions and agencies) and 8 (consultation of the CED by authorities and certain other bodies of Member States) was compliant with Regulation (EC) No 45/2001.

37.

This conclusion could however not be drawn in relation with the transfer of data to third country authorities which is governed by Article 9 of Regulation (EC) No 45/2001, which deals with data transfer to third country authorities and/or international organisations. In Article 102(2) it is stated that also third countries shall have access to the CED.

38.

Article 9(1) of Regulation (EC) No 45/2001 stipulates that ‘personal data shall only be transferred to recipients, other than Community institutions and bodies, which are not subject to national law adopted pursuant to Directive 95/46/EC, if an adequate level of protection is ensured in the country of the recipient or within the recipient international organisation and the data are transferred solely to allow tasks covered by the competence of the controller to be carried out’. By way of derogation from Article 9(1), Article 9(6) allows the transfer of data to countries which do not provide for adequate protection if ‘the transfer is necessary or legally required on important public interest grounds (…)’.

39.

In the aforementioned prior check Opinion, the EDPS underlined that further steps were necessary to ensure that in case of transfer to a third country or organisation, the recipient offers an adequate level of protection. The EDPS wishes to underline that such an adequacy finding must be based on a case-by-case assessment, and should include a thorough analysis of the circumstances surrounding a data transfer operation or set of data transfer operations. The FR cannot relieve the Commission from this obligation. Similarly, a transfer which would be based on one of the derogations foreseen in Article 9 should also be based on a case-by-case assessment.

40.

In this regards, the EDPS recommends the legislator to add an extra paragraph to Article 102 which deals specifically with the protection of personal data. The paragraph could start with the first sentence already contained in the first paragraph of Article 102, namely that the ‧central database shall be set up and operated by the Commission in compliance with Union rules on the protection of personal data‧. To this is should be added that access to authorities of third countries is only allowed when the conditions laid down in Article 9 of Regulation (EC) No 45/2001 are fulfilled.

41.

The present proposal has certain data protection implications at EU as well as at national level which have been discussed in this Opinion. References to the relevant data protection instruments can be found in the proposal. However, as has been explained in this Opinion, some further elaboration and clarification is needed in order to ensure full compliance with the data protection legal framework. The EDPS recommends the following: