23.9.2011   

EN

Official Journal of the European Union

C 279/20

1.

On 8 December 2010, the European Commission adopted a proposal for a Regulation of the European Parliament and of the Council on energy market integrity and transparency (3) (‘Proposal’).

2.

The Commission did not consult the EDPS, although Article 28(2) of Regulation (EC) No 45/2001 would have required this. Acting on his own initiative, the EDPS adopts this Opinion based on Article 41(2) of this Regulation. The EDPS is aware that this advice comes at a late stage in the legislative process. Nevertheless, he finds it appropriate and useful to issue this Opinion, given the significant potential impact of the Proposal on the right to privacy and the protection of personal data. A reference to this Opinion should be included in the preamble of the Proposal.

3.

The main aim of the Proposal is to prevent market manipulation and insider trading on wholesale energy (gas and electricity) markets. Market integrity and transparency of wholesale markets, where gas and electricity are traded between companies producing energy and traders, are key to the prices consumers finally pay.

4.

To this end, the Proposal aims at establishing comprehensive rules at EU level to prevent traders from using inside information to their own benefit and from manipulating the market by artificially causing prices to be higher than would be justified by availability, production cost, capacity to store or to transport energy. In particular, the proposed rules prohibit the following:

5.

Market monitoring at the European level to uncover possible infringements of these prohibitions will be the responsibility of the European Agency for the Cooperation of Energy Regulators (the ‘ACER’) (4).

6.

Pursuant to the Proposal, the ACER will have timely access to information on the transactions taking place on wholesale energy markets. This includes information on price, quantity sold and the parties involved. This bulk data will also be shared with national regulators that will then be responsible for investigation of suspected abuses. In cases with a cross-border impact, the ACER will have the power to coordinate investigations. National regulatory authorities in Member States will enforce penalties.

7.

The Proposal follows a number of other recent legislative proposals with a view to strengthening the existing financial supervisory arrangements and improving coordination and cooperation at EU level, including the Directive on insider dealing and market manipulation (‘MAD’) (5) and the Directive on markets in financial instruments (‘MiFID’) (6). The EDPS recently commented on another one of these recent proposals (7).

8.

The Proposal contains several provisions relevant to the protection of personal data:

9.

The Proposal is based on the premise that in order to detect market abuse (i) it is necessary to have an effectively functioning market monitoring system with timely access to complete transactional data; and that (ii) this should include monitoring at the EU level. Therefore, the proposed Regulation provides for the ACER to gather, review and share (with relevant national and EU authorities) a large amount of bulk data from wholesale energy markets.

10.

In particular, the proposed Regulation requires market participants to provide the ACER with ‘records of their transactions’ in wholesale energy products. In addition to records of transactions, market participants are also required to provide the ACER with information related to the ‘capacities of facilities for production, storage, consumption or transmission of electricity or natural gas’.

11.

The form, content and timing of the information to be provided will be laid down in delegated acts of the Commission.

12.

Considering that the Proposal leaves it entirely up to delegated acts to define the content of the information which is to be collected in the framework of this monitoring and reporting exercise, it cannot be excluded that personal data — i.e. any information relating to an identified or identifiable natural person (8) — will be involved. Under current EU law this is only allowed, where necessary and proportionate in view of the specific purpose (9). The proposed Regulation should therefore clearly specify whether and to what extent the records of transactions and capacity information to be collected for monitoring purposes may include any personal data (10).

13.

If the processing of personal data is foreseen, specific safeguards — for example, regarding purpose limitation, retention period and potential recipients of the information — may also be required. Considering their essential nature, these data protection safeguards should then be set forth directly in the text of the proposed Regulation rather than in delegated acts.

14.

If, in contrast, no processing of personal data is expected (or such processing would only be exceptional and would be restricted to rare cases, where a wholesale energy trader might be an individual rather than a legal entity), this should be clearly set forth in the Proposal, at least in a recital.

15.

Article 9(1) requires the ACER to ‘ensure the confidentiality, integrity and protection’ of the information it receives under Article 7 (i.e. records of transactions and capacity information collected in the framework of the market monitoring exercise). Article 9 also provides that ‘where relevant’, the ACER ‘will comply’ with Regulation (EC) No 45/2001 when it processes personal data under Article 7.

16.

Furthermore, Article 9(1) also requires the ACER to ‘identify sources of operational risk and minimise them through the development of appropriate systems, controls and procedures’.

17.

Finally, Article 9(2) allows the ACER to make public parts of the information that it holds, ‘provided that commercially sensitive information on individual market participants or individual transactions is not released’.

18.

The EDPS welcomes the fact that Article 9 is dedicated, in part, to data protection, and that the proposed Regulation specifically requires the ACER to comply with Regulation (EC) No 45/2001.

19.

Having said that, the EDPS emphasises that Regulation (EC) No 45/2001 applies to the ACER in full by virtue of this Regulation whenever it processes personal data. Therefore, the Proposal should remind that Regulation (EC) No 45/2001 should apply to the ACER not only when it processes data under Article 7, but also in all other situations: importantly, also when the ACER processes personal data regarding suspected market abuse/infringements under Article 11. In addition, to be more precise, the EDPS recommends that instead of using the term ‘where relevant’ to describe situations where the ACER is required to comply with Regulation (EC) No 45/2001, the phrase ‘whenever personal data are processed’ is used.

20.

Reference should also be made to Directive 95/46/EC considering that this Directive applies to processing of personal data by the national regulatory authorities involved. Indeed, for the sake of clarity, the EDPS recommends that the proposed Regulation should mention, in a general manner (at least in a recital), that while the ACER shall be subject to Regulation (EC) No 45/2001, Directive 95/46/EC shall apply to the national regulatory authorities concerned.

21.

The EDPS welcomes the requirement that the ACER should identify and minimise operational risks through the development of appropriate systems, controls and procedures. To further strengthen the principle of accountability (11), if the processing of personal data would play a structural role, the proposed Regulation should specifically require the ACER to establish a clear framework for accountability that ensures data protection compliance and provides evidence thereof. This clear framework established by the ACER should contain a number of elements, such as:

22.

Equivalent requirements should also apply to national regulatory authorities and other EU authorities concerned.

23.

With regard to the requirement in Article 9(2) that the ACER should make public parts of the information, which it holds, the EDPS understands that the aim of this provision is not to authorise the ACER to publish data for purposes of ‘naming and shaming’ and to publicly disclose wrongdoings of companies or individuals.

24.

With that said, the Proposal is silent on whether there is any intention to publicly disclose any personal data. Therefore, for the avoidance of any doubt, the proposed Regulation should either specifically provide that the published information should not contain any personal data or clarify what, if any, personal data may be disclosed.

25.

If any personal data is to be published, the need for disclosure (e.g. for reasons of transparency) must be carefully considered and balanced against other competing concerns, such as the need to protect the rights to privacy and to the protection of personal data of the individuals concerned.

26.

Accordingly, before any disclosure, a proportionality assessment should be carried out, taking into account the criteria established by the European Court of Justice in Schecke  (13). In this case the ECJ underlined that derogations and limitations in relation to the protection of personal data must apply only in so far as it is strictly necessary. The ECJ further considered that the European institutions should explore different methods of publication in order to find the one which would be consistent with the purpose of the publication while causing the least interference with the data subjects' rights to private life and to the protection of personal data.

27.

The Proposal foresees that market monitoring will be followed by an investigation where market abuse is suspected and that this may lead to appropriate sanctions. Article 10(1), in particular, requires Member States to grant the national regulatory authorities the necessary investigative powers to ensure that the provisions of the Regulation on insider trading and market manipulation are applied (14).

28.

The EDPS welcomes the specification in Article 10(1) that (i) the investigatory powers shall be exercised (only) to ensure that the provisions of the Regulation on insider trading and market manipulation (Articles 3 and 4) are applied; and that (ii) these powers shall be exercised in a proportionate manner.

29.

Having said that, the Proposal should go further to ensure legal certainty and an adequate level of protection for personal data. As it will be shown below, there are two main problems with the text of Article 10 as proposed. First, Article 10 does not designate sufficiently clearly the scope of the investigatory powers; for example, it is not sufficiently clear whether private telephone records may be required, or whether an on-site inspection may be carried out in a private home. Second, Article 10 also does not provide for the necessary procedural safeguards against the risk of unjustified intrusion into privacy or misuse of personal data; for example, it does not require a warrant from a judicial authority.

30.

Both the scope of the investigatory powers and the necessary safeguards are presumably left for national law to specify. Indeed, Article 10(1) leaves many options open for Member States by providing that the investigatory powers ‘may be exercised (a) directly; (b) in collaboration with other authorities or market undertakings; or (c) by application to the competent judicial authorities’. This appears to allow divergences in national practices, for example, as to whether and under what circumstances a warrant would be required from a judicial authority.

31.

While some national laws may already provide for adequate procedural and data protection safeguards, in order to ensure legal certainty to data subjects, certain clarifications should be made and certain minimum requirements with regard procedural and data protection safeguards should be set forth at the EU level, in the proposed Regulation, as will be discussed below.

32.

As a general principle, the EDPS emphasises that when EU legislation requires Member States to take measures at the national level that have an effect on fundamental rights (such as the rights to privacy and to the protection of personal data), the legislation should also require effective measures to be taken simultaneously with the restrictive measures to ensure the protection of the fundamental rights at stake. In other words, harmonisation of potentially privacy-intrusive measures, such as investigatory powers, should be accompanied by harmonisation of adequate procedural and data protection safeguard based on best practice.

33.

Such an approach may help prevent too wide divergences at the national level and ensure a higher and more uniform level of protection for personal data throughout the European Union.

34.

If harmonisation of minimum safeguards at this stage is not feasible, at a minimum, the EDPS recommends that the proposed Regulation should specifically require the Member States to adopt national implementing measures to ensure the necessary procedural and data protection safeguards. This is all the more important as the chosen form of the legal instrument is a regulation, which is directly applicable, and, as a general rule, would not necessarily require further implementing measures in the Member States.

35.

The Proposal requires that the investigatory powers to be granted to national regulatory authorities specifically include the power to carry out on-site inspections (Article 10(2)(c)).

36.

It is not clear whether these inspections would be limited to a business property (premises, land and vehicles) of a market participant or whether they may also be carried out in a private property (premises, land or vehicles) of individuals. It is equally unclear whether the inspections can also be carried out without prior warning (‘dawn raids’).

37.

If the Commission envisages requiring Member States to authorise the regulatory authorise to carry out on-site inspections of private properties of individuals, or to carry out dawn raids, this should, first of all, be clearly specified.

38.

Secondly, the EDPS also emphasises that the proportionality of on-site inspections on a private property (such as in private homes of individuals) is far from being self-evident and — if it is foreseen — should be specifically justified.

39.

Thirdly, for this case additional safeguards would also be needed, particularly with regard to the conditions on which such inspections can be carried out. For example, and without limitation, the Proposal should specify that an on-site inspection can only be carried out in an individual's home if there is a reasonable and specific suspicion that evidence is stored in that particular home, which is relevant to prove a serious violation of Articles 3 or 4 of the Regulation (i.e. the provisions on prohibition of insider trading and market manipulation). Importantly, the Proposal should also require a judicial warrant in all Member States (15).

40.

Fourthly, to ensure proportionality and prevent excessive interference with private life, unannounced inspections in private homes should be subject to the additional condition that in the event of an announced visit, evidence would be likely to be destroyed or tampered with. This should be clearly foreseen in the proposed Regulation.

41.

Article 10(2)(d) requires that the powers of the national regulatory authorities should also specifically include the power to ‘require existing telephone and existing data traffic records’.

42.

The EDPS acknowledges the value of telephone and data traffic records in insider trading cases, particularly in order to establish connections between insiders and traders. Having said that, the scope of this power is not sufficiently clear, neither are appropriate procedural and data protection safeguards foreseen. Therefore, the EDPS recommends that the Proposal should be clarified as discussed below. In particular, the following issues should be addressed:

43.

For the sake of legal certainty, the Proposal should first of all clarify what types of records may, where necessary, be required by the authorities.

44.

The Proposal should specifically limit the scope of the investigatory powers to (i) the contents of telephone, e-mail and other data traffic records that are already routinely and lawfully collected by traders for business reasons to evidence transactions; and to (b) traffic data (e.g. who made the call or sent the information, to whom, and when) which are already available directly from the market participants (traders) concerned.

45.

In addition, the Proposal should also specify that the records must have been collected for a lawful purpose and in compliance with applicable data protection laws, including provision of adequate information to data subjects under Articles 10 and 11 of Directive 95/46/EC.

46.

The EDPS welcomes the fact that the Proposal limits this power to ‘existing’ records and thus does not require the powers of the regulatory authorities to oblige a trader or third party to specifically intercept, monitor or record telephone or data traffic for the purposes of the investigation.

47.

However, for the sake of avoidance of any doubt, this intention should be made clearer, at least in a recital. It should be avoided that there would be any room left for interpreting the proposed Regulation to give a legal basis for national regulatory authorities to intercept, monitor or record telephone or data communications, whether covertly or openly, with or without a warrant.

48.

The text of the Proposal refers to ‘existing telephone and existing data traffic records’. It is not sufficiently clear whether both the contents of existing data and telephone communications and traffic data (e.g. who made the call or sent the information, to whom, and when) may be required.

49.

This should be made clearer in the provisions of the proposed Regulation. As discussed in paragraphs 43 to 45, it should be clearly specified what type of records may be required, and it must be ensured that those records were collected in compliance with applicable data protection laws in the first place.

50.

The Proposal should unambiguously specify whom the national regulatory authorities can require records from. In this respect, the EDPS understands that Article 10(2)(d) is not intended to allow national authorities to require traffic data from providers of ‘publicly available electronic communications services’ (16) (such as telephone companies or Internet service providers).

51.

Indeed, the Proposal does not refer at all to such providers, and also does not use the term ‘traffic data’. Importantly, it also does not refer to, either implicitly or explicitly, the fact that derogation would be sought from the requirements set out by the e-Privacy Directive (17), which establishes the general principle that traffic data can be further processed only for the purpose of billing and interconnection payments.

52.

For the sake of avoidance of any doubt, the EDPS recommends that the fact that the Proposal provides no legal basis for data to be required from providers of publicly available electronic communications services should be explicitly mentioned in the text of the proposed Regulation, at least in a recital.

53.

Further, the Proposal should clarify whether the national regulatory authorities may only require records from the market participant under investigation or whether they are also empowered to require records from third parties (such as from a party to a transaction with the market participant under investigation, or a hotel where an individual suspected of insider trading was staying) to provide their own records.

54.

Finally, the Proposal should also clarify whether the authorities may also require private records of individuals, such as employees or executives of the market participant under investigation (e.g. text messages sent from personal mobile devices or browsing history of home Internet use stored on a home computer).

55.

The proportionality of requiring private records is debatable and — if it is foreseen — should be specifically justified.

56.

As with the case of on-site inspections (see paragraphs 35 to 40 above), the Proposal should require a warrant from a judicial authority, as well as further specific safeguards if the authorities require any private records.

57.

With respect to cross-border cooperation, the ACER is given an important role, alerting national regulatory authorities of potential market abuse and facilitating information exchange. To facilitate cooperation, Article 11(2) also specifically requires national regulatory authorities to inform the ACER ‘in as specific manner as possible’ where they have reasonable grounds to suspect any breach of the proposed Regulation. In order to ensure a coordinated approach, Article 11(3) also requires information sharing among national regulatory authorities, competent financial authorities, the ACER, as well as the European Securities and Markets Authority (the ‘ESMA’) (18).

58.

In accordance with the purpose limitation principle (19), the Proposal should explicitly provide that any personal data transferred on the basis of Article 11 of the proposed Regulation (reports of suspected market abuse) should only be used for purposes of investigating the suspected market abuse reported. The information should in any case not be used for any purposes that are incompatible with that purpose.

59.

Data should also not be retained for long periods of time. This is even more important in those cases, where it can be shown that the initial suspicion was unfounded. In those cases there needs to be a specific justification for further retention (20).

60.

In this respect, the Proposal should first set a maximum retention period for which the ACER and other recipients of the information may keep the data, taking into account the purposes of the data storage. Unless a suspected market abuse has led to a specific investigation and the investigation is still ongoing, all personal data related to reported suspected market abuse should be deleted from the records of all recipients after the lapse of a specified period. Unless a longer retention period is clearly justified, the EDPS considers that deletion should be carried out at the latest two years following the date of reporting the suspicion (21).

61.

In the event that a suspicion proves to be unfounded and/or an investigation is closed without taking further action, the Proposal should oblige the reporting regulatory authority, the ACER, and any third party with access to information regarding suspected market abuse, to swiftly inform these parties so that they are able to update their own records accordingly (and/or delete the information regarding the reported suspicion from their records with immediate effect or after the lapse of a proportionate retention period as appropriate) (22).

62.

These provisions should help ensure that in cases where the suspicion has not been confirmed (or even investigated further), or where it has been established that a suspicion is unfounded, innocent individuals would not be kept on a ‘black list’ and ‘under suspicion’ for an unduly long period of time (see Article 6(e) of Directive 95/46/EC and corresponding Article 4(e) of Regulation (EC) No 45/2001).

63.

Articles 7, 8 and 11 of the proposed Regulation provide for exchanges of data and information between the ACER, the ESMA and authorities of Member States. Article 14 (‘Relations with third countries’) provides that the ACER ‘may enter into administrative arrangements with international organisations and the administrations of third countries’. This may lead to transfer of personal data from the ACER and possibly also from the ESMA and/or from the authorities of the Member States to international organisations and authorities of third countries.

64.

The EDPS recommends that Article 14 of the Proposal clarifies that transfers of personal data can only be made in accordance with Article 9 of Regulation (EC) No 45/2001 and Articles 25 and 26 of Directive 95/46/EC. In particular, international transfers shall only take place if the third country in question ensures an adequate level of protection, or to entities or individuals in a third country that does not afford adequate protection if the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regard the exercise of the corresponding rights.

65.

The EDPS emphasises that derogations (such as those mentioned in Article 9(6) of Regulation (EC) No 45/2001 and 26(1) of Directive), should not be used, in principle, to justify mass, systematic and/or structural data transfers to third countries.

66.

Some of the data shared among the ACER, the ESMA and various authorities in Member States regarding suspected infringements are likely to include personal data, such as the identity of the suspected perpetrators or other individuals involved (e.g. witnesses, whistle-blowers, employees or other individuals acting on behalf of the businesses involved in trading).

67.

Article 27(1) of Regulation (EC) No 45/2001 provides that ‘processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes shall be subject to prior checking by the European Data Protection Supervisor’. Article 27(2) specifically confirms that processing of data relating to ‘suspected offences’ and ‘offences’ presents such risks, and requires prior checking. Considering the role foreseen for the ACER in the coordination of investigations, it seems likely that it will process data relating to ‘suspected offences’ and thus, its activities will be subject to prior checking (23).

68.

In the framework of a prior checking procedure, the EDPS may provide the ACER with further guidance and specific recommendations with regard to compliance with data protection rules. Prior checking of the activities of ACER may also bring added value considering the fact that Regulation (EC) No 713/2009, which established the ACER, does not include any reference to the protection of personal data and has not been subject to a legislative opinion of the EDPS.

69.

The Proposal should clarify whether any personal data may be processed in the context of market monitoring and reporting and which safeguards will apply. If, in contrast, no processing of personal data is expected (or such processing would only be exceptional and would be restricted to rare cases, where a wholesale energy trader might be an individual rather than a legal entity), this should be clearly set forth in the Proposal, at least in a recital.

70.

Provisions on data protection, data security and accountability should be clarified and further strengthened, especially if the processing of personal data would play a more structural role. The Commission should ensure that adequate controls are in place to ensure data protection compliance and provide evidence thereof (‘accountability’).

71.

The Proposal should clarify whether on-site inspections would be limited to a business property (premises and vehicles) of a market participant or also apply to private properties (premises or vehicles) of individuals. In the latter case, the necessity and proportionality of this power should be clearly justified and a judicial warrant and additional safeguards should be required. This should be clearly foreseen in the proposed Regulation.

72.

The scope of the powers to require ‘existing telephone and existing data traffic records’ should be clarified. The Proposal should unambiguously specify what records can be required and from whom. The fact that no data can be required from providers of publicly available electronic communications services should be explicitly mentioned in the text of the proposed Regulation, at least in a recital. The Proposal should also clarify whether the authorities may also require private records of individuals, such as employees or executives of the market participant under investigation (e.g. text messages sent from personal mobile devices or browsing history of home internet use). If this would be the case, the necessity and proportionality of this power should be clearly justified and the Proposal should also require a warrant from a judicial authority.

73.

With regard to reporting of suspected market abuse, the Proposal should explicitly provide that any personal data contained in these reports should only be used for purposes of investigating the suspected market abuse reported. Unless a suspected market abuse has led to a specific investigation and the investigation is still ongoing (or a suspicion has proved to be well-founded and has led to a successful investigation), all personal data related to the reported suspected market abuse should be deleted from the records of all recipients after the lapse of a specified period (unless otherwise justified, at the latest two years following the date of report). In addition, parties to an information exchange should also send each other an update in case a suspicion proves to be unfounded and/or an investigation has been closed without taking further action.

74.

With regard to transfers of personal data to third countries, the Proposal should clarify that in principle, transfers can only be made to entities or individuals in a third country that does not afford adequate protection if the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regard the exercise of the corresponding rights.

75.

The ACER should submit to the EDPS for prior checking its personal data processing activities with regard to coordination of investigations under Article 11 of the proposed Regulation.