This document is an excerpt from the EUR-Lex website

Document 52009XX1117(01)

    Opinion of the European Data Protection Supervisor on the proposal for a Council Regulation amending Regulation (EC) No 881/2002 imposing certain specific restrictive measures directed against certain persons and entities associated with Usama bin Laden, the Al-Qaida network and the Taliban

    OJ C 276, 17.11.2009, p. 1–7 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

    17.11.2009   

    EN

    Official Journal of the European Union

    C 276/1


    2009/C 276/01

    THE EUROPEAN DATA PROTECTION SUPERVISOR,

    Having regard to the Treaty establishing the European Community, and in particular its Article 286,

    Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8,

    Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,

    Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular its Article 41,

    Having regard to the request for an opinion in accordance with Article 28(2) of Regulation (EC) No 45/2001 sent to the EDPS on 22 April 2009,

    HAS ADOPTED THE FOLLOWING OPINION:

    I.   INTRODUCTION

    1.

    On 22 April 2009, the Commission adopted a proposal for a Council Regulation amending Regulation (EC) No 881/2002 imposing certain specific restrictive measures directed against certain persons and entities associated with Usama bin Laden, the Al-Qaida network and the Taliban (hereinafter ‘the proposal’). On the same day, the proposal was sent by the Commission to the EDPS for consultation, in accordance with Article 28(2) of Regulation (EC) No 45/2001. The EDPS recalls that he provided informal comments on 9 March 2009 on a draft proposal and notes that these comments have been taken into account in the proposal.

    2.

    The EDPS welcomes that he is consulted and that reference to this consultation is made in the preamble of the proposal, in a similar way as in a number of other legislative texts on which the EDPS has been consulted, in accordance with Regulation (EC) No 45/2001.

    3.

    The proposal amends Regulation (EC) No 881/2002, one of the Community instruments adopted with a view to fight terrorism by taking restrictive measures — notably, freezing the assets — with regard to natural and legal persons suspected of being associated with terrorist organisations. In particular, the proposal aims at addressing the recent developments in the case law of the Court of Justice, and in particular the Kadi case (1), by laying down ‘a procedure respecting fundamental rights that will be followed as regards individuals and entities newly listed by the UN’ (point 4 of explanatory memorandum).

    II.   THE LEGAL FRAMEWORK

    4.

    While in its judgements the Court was called to focus specifically on the respect of the fundamental right of defence and in particular on the right to be heard, the case law in this area has broader consequences and could be summarised as follows: the EU standards of protection of fundamental rights should be respected irrespective of whether restrictive measures are adopted at EU level or stem from international organisations such as the United Nations (2).

    5.

    EU fundamental rights also include the right to the protection of personal data, which has been recognised by the Court of Justice as one of the principles stemming from Article 6(2) TEU and further confirmed by Article 8 of the EU Charter of Fundamental Rights.

    6.

    In this perspective, the EDPS welcomes not only the recent case law of the Court of Justice, but also the intention of the Commission to address it by enhancing the listing procedure and by taking explicitly into account the right to the protection of personal data. Indeed the EDPS, while fully recognising the objective of fighting terrorism through the processing and the exchange of personal data, firmly believes that protection of personal data is a crucial factor in ensuring the legitimacy and efficiency of the restrictive measures taken by the Commission. These measures are based on processing of personal data, which by itself — irrespective of the freezing of assets — must be subject to data protection rules and guarantees. Therefore, it is extremely important to provide clarity and legal certainty on the applicable rules for processing of personal data of listed individuals, as mentioned in point 8 of the explanatory memorandum.

    7.

    This is even more important in view of the entry into force of the Lisbon Treaty, which will not only give binding effect to the EU Charter of Fundamental Rights, but will also lay down, in Articles 16 TFEU and 39 TEU, the need for data protection rules and guarantees in all fields of activity of the European Union. Furthermore, the Court of Justice will be fully competent, even in the area of the Common Foreign and Security Policy, to assess the legality — and in particular the respect of fundamental rights — of decisions providing for restrictive measures against natural or legal persons (Article 275 TFEU).

    III.   ANALYSIS OF THE PROPOSAL

    III.1.   Applicable data protection law and principles

    8.

    The EDPS welcomes the references in the preamble to the need to apply the Regulation in accordance with the fundamental right to the protection of personal data (recital 10) as well as to the need for appropriate specific safeguards when the Commission processes data relating to criminal offences committed by listed natural persons, and to criminal convictions or security measures concerning such persons.

    9.

    The EDPS also welcomes that the proposal explicitly recognizes in its recital 12 the applicability of data protection rules, and in particular of Regulation (EC) No 45/2001, to the processing of personal data in this area. Indeed, Article 3 of Regulation (EC) No 45/2001 states that the Regulation applies ‘to the processing of personal data by all Community institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Community law’. In this perspective, even if Regulation (EC) No 881/2002 is linked to Common Position 2002/402/CFSP and to United Nations activities in this area, it is based on the Treaty establishing the European Community.

    10.

    As a general remark, the EDPS would like to stress that Regulation (EC) No 45/2001 lays down a series of obligations for controllers — inter alia, data quality, lawfulness of processing, notification, security of processing — as well as rights for data subjects — inter alia access, rectification, blocking, erasure, notification to third parties, remedies — which shall apply except where exemptions and restrictions are laid down pursuant to Article 20. In any case, these restrictions to the fundamental right to data protection should comply with a strict proportionality test, i.e. should be limited — both in their substance and in their application in time — to what is necessary to pursue the public interest at stake, as confirmed by the case law of the Court of Justice, also in the area of restrictive measures. This is even more important since these rights and obligations, together with the need for independent supervision with regard to the processing of personal data, constitute the core of the fundamental right to data protection, as explicitly confirmed by Article 8 of the EU Charter of Fundamental Rights.

    11.

    Furthermore, while welcoming that the proposal addresses, implicitly or explicitly, some of these obligations and rights, the EDPS would like to stress that the proposal cannot be interpreted as excluding or limiting the applicability of those obligations and data subjects’ rights that are not mentioned in it.

    12.

    Against this background, in the next paragraphs the EDPS will analyze the provisions of the proposal in the light of the most relevant data protection principles, providing recommendations for improvement as well as guidance about how to address some other issues which are currently not addressed but are likely to arise from the application of data protection principles. In some cases, it may be desirable to provide further details about the application of data protection obligations and rights in the area of restrictive measures.

    13.

    These comments can only reflect the protection of personal data as a crucial factor in ensuring legitimacy and efficiency of the restrictive measures taken by the Commission, and do not address or affect other substantive questions that may be related to the inclusion in a list under the application of other rules.

    III.2.   Articles 7a and 7c: information to the persons concerned and de-listing

    14.

    Article 7a deals with the procedures to list and de-list natural or legal persons and Article 7c provides for a specific procedure applying to those which have been included in the list before 3 September 2008.

    15.

    The EDPS welcomes these provisions to the extent in which they enhance the respect of fundamental rights by providing means for the persons concerned to be informed about the reasons for inclusion in the lists as well as with an opportunity to express his or her views on the matter. Furthermore, paragraph 4 provides that a de-listing at UN level will automatically trigger a de-listing at EU level, which is in line with the data protection principle that personal data should be kept up to date, as provided for in Article 4(1)(d) of Regulation (EC) No 45/2001.

    16.

    However, the EDPS points out that these provisions do not exclude similar obligations arising from Regulation (EC) No 45/2001, such as the obligation to provide information to the data subject pursuant to Article 11 and in particular Article 12 — dealing with information to be supplied when the data have not been obtained from the data subject —, the obligation pursuant to Article 14 to rectify without delay inaccurate or incomplete personal data and the obligation pursuant to Article 17 to notify rectification or erasure of data — as in the case of de-listing — to third parties to whom data have been disclosed, unless this proves impossible or involves a disproportionate effort.

    17.

    Of course, as already mentioned in point 10, necessary exemptions and restrictions to these provisions may be taken pursuant to Article 20 of Regulation (EC) No 45/2001. For example, information to the persons concerned will need to be delayed, insofar as it is needed to preserve the ‘surprise effect’ of the decision to list this person and to freeze his or her assets. In this perspective, the EDPS recommends the legislator to consider whether to explicitly clarify in the proposal the exemptions to data protection principles that may be necessary, such as for example the need to postpone the information notice pursuant to Article 12 until the provisional decision has been taken.

    III.3.   Article 7d: data subjects’ right of access, supervisory tasks and judicial remedies

    18.

    In the proposed Article 7d it is stated in the first paragraph that if the UN or a State submits classified information, the Commission shall treat such information in accordance with the internal Commission provisions on security (Decision 2001/844/EC, ECSC, Euratom (3)) and, where relevant, agreements on the security of classified information concluded between the EU and the submitting State. In the second paragraph it is specified that documents classified at a level corresponding to ‘EU Top Secret’, ‘EU Secret’ or ‘EU Confidential’ will not be released without the consent of the originator.

    19.

    This Article raises two issues, the first of which relates to the impact of the provision for the data subject's right of access to his or her personal data as laid down in Article 13 of Regulation (EC) No 45/2001 and the second to the possibility of the EDPS, as well as of the Court of Justice, to have access to personal data contained in classified information in order to effectively perform their respective tasks.

    Data subject's right of access to personal data contained in classified documents

    20.

    The rules on security referred to as well as the agreements between the EU and the submitting State regulate how classified information can be accessed. Only persons with a need-to-know, meaning that they need access in order to be able to perform a function or task, can get access to such information (4). With regard to information carrying the classification levels mentioned in the proposed Article 7d(2), these persons furthermore need a security clearance.

    21.

    The internal Commission rules on security must be read in conjunction with Regulation (EC) No 1049/2001 on public access to European Parliament, Council and Commission documents, which elaborates the right of anyone to have access to information of the three largest EU institutions. Article 9 of this Regulation deals with the treatment of sensitive documents and refers to the three categories of classification mentioned above. It states in paragraph 3 that sensitive documents will only be released with the consent of the originator, a rule which is contained in the proposed Article 7d(2) as well.

    22.

    The internal Commission rules on security are reconciled with the right to public access to documents. However, this is not the case with regard to specific rights of access, such as the right of data subjects to have access to their own personal data on the basis of Article 13 of Regulation (EC) No 45/2001. The internal security rules make no reference to data protection rules or the rights of data subjects as such. The situation in which a data subject requests access to personal data contained in a classified document is not addressed in the internal Commission security rules. The same holds true for the agreements on security of classified information with individual states.

    23.

    Article 13 of Regulation (EC) No 45/2001 grants the data subject the right to obtain, without constraint, at any time within three months from the receipt of the request and free of charge from the controller, inter alia, communication in an intelligible form of the data undergoing processing (see subparagraph (c)).

    24.

    The EDPS fully understands that in the context of restrictive measures against certain persons or entities which serve the purpose of preventing terrorist crimes, there are justified reasons not to disclose classified (personal) information to a data subject. This restriction can find its basis in Article 20 of Regulation (EC) No 45/2001, as already mentioned at point 10. The EDPS, however, wishes to point at the requirement of necessity contained in this Article and the procedure foreseen in paragraphs 3 and 4 of Article 20 of Regulation (EC) No 45/2001.

    25.

    Article 20 requires that restrictions to the provisions mentioned constitute a necessary measure for safeguarding one of the purposes mentioned. Since the internal Commission rules on security as well as the agreements with individual states do not address the issue of data subject access and the proposed Article 7d(2) contains an unconditional obligation to obtain the consent of the originator before classified documents can be released, it is not ensured that a restriction of the right of access only takes place when it is necessary. The provision does not provide any substantive criteria and leaves a full discretion to the originator of the information, which includes parties which are not subject to EU law and EU standards of protection of fundamental rights.

    26.

    Paragraphs 3 and 4 of Article 20 contain rules relating to the application of a restriction. According to paragraph 3 the institution involved should inform the data subject of the principal reasons on which the restriction is based and of his or her right to have recourse to the EDPS. Paragraph 4 contains a further rule which relates specifically to a restriction of the right of access. It states that the EDPS, when investigating a complaint on the basis of the previous paragraph, shall only inform the data subject of whether the data have been processed correctly and if not, whether any necessary corrections have been made (5). The current proposal to amend Regulation (EC) No 881/2002 should ensure that these rules can be complied with. This point is closely linked to the second issue which the proposed Article 7d raises.

    Access to classified information by the EDPS

    27.

    The condition contained in Article 7d(2) that classified information shall only be released with the consent of the originator could also impinge on the independent supervision of the EDPS. The applicability of Regulation (EC) No 45/2001 entails that the processing of personal data may be subject to the remedies laid down in its Article 32 as well as to the enforcement powers of the EDPS laid down in its Article 47. In particular, the latter article grants the EDPS the power to obtain from a controller or Community institution or body access to all personal data and to all information necessary for his enquiries (see Article 47(2)(b) of Regulation (EC) No 45/2001). It is possible that in the context of the current proposal the EDPS might use this power in order to perform his task under Article 20(4) of Regulation (EC) No 45/2001. However, the current formulation of Article 7d would make the effective exercise of this power dependent on the full discretion of the originator of the information.

    28.

    The text of Article 7d as it currently stands would therefore be in conflict with the rules contained in Regulation (EC) No 45/2001. In this respect, the EDPS wishes to underline that Article 20 of Regulation (EC) No 45/2001 does not provide for the restriction of the duties and powers of the EDPS contained in Articles 46 and 47.

    29.

    In addition to the remedies available before independent data protection authorities, data protection legislation lays down the right to have a judicial remedy before a Court (see Article 22 of Directive 95/46/EC and Article 32 of Regulation (EC) No 45/2001). Against this background, the EDPS wants to point at the fact that the current text of Article 7d(2) could also affect the effectiveness of this judicial review, by impinging on the ability of the ECJ to review whether a fair balance is struck between the need to combat international terrorism and the protection of fundamental rights. As stated by the CFI in its judgment of 4 December 2008, access to classified information can be necessary to enable the Court to do so (6).

    Suggested modifications

    30.

    In the light of the foregoing, the EDPS urges the legislator to modify Article 7d in such a way that it is ensured: 1. that the necessity requirement of Article 20 of Regulation (EC) No 45/2001 will be met in case the Commission denies a data subject access to his or her personal information contained in classified documents; 2. that compliance with the rules set out in Article 20, paragraphs 3 and 4 is ensured; and 3. that the powers of the EDPS as contained in Article 47 are fully respected.

    31.

    To achieve this a first step would be to limit the scope of Article 7d(2) through replacing the word ‘released’ with ‘publicly disclosed’. Such a change would also be legally consistent since, as explained above, the provision is taken from Article 9(3) of Regulation (EC) No 1049/2001 which only deals with public access to documents. The suggested modification would to a large extent solve the problems discussed above: the restriction of the right of access for data subjects will no longer be left to the full discretion of the submitting party and also the possibility for the EDPS and the ECJ to access such information for the performance of their respective tasks would not be restricted.

    32.

    However, as long as the internal Commission rules and agreements on information security do not explicitly address the issue of data subject access and ensure that the necessity requirement of Article 20 of Regulation (EC) No 45/2001 is met, a problem remains. Whereas the EDPS (and the ECJ) can have access on the basis of the need-to-know principle and after a security clearance of the people who are in fact dealing with the information, it is doubtful whether this is possible for the data subject as well. The EDPS therefore urges the Commission to ensure that the right of access to personal information in classified documents is only restricted when necessary.

    III.4.   Article 7e: legal grounds for processing, categories of data processed, appointment of controller

    33.

    Article 7e defines with a good level of detail both the Commission tasks to process personal data (paragraph 1) and the personal data that will be processed (paragraphs 2-4). Its paragraph 5 appoints a Commission unit as controller within the meaning of Article 2(d) of Regulation (EC) No 45/2001.

    34.

    The EDPS welcomes the first paragraph of Article 7e to the extent in which it aims at providing a legal basis for processing of personal data, pursuant to Article 5 of Regulation (EC) No 45/2001. Indeed, all processing activities of personal data should be based on one of the legal grounds listed by this Article. In this perspective, the EDPS acknowledges that letters (a): ‘necessary for the performance of a task carried out in the public interest (…)’, and (b): ‘necessary for compliance with a legal obligation to which the controller is subject’, may be particularly relevant in the context of restrictive measures.

    35.

    However, the EDPS recalls that pursuant to Article 4 of Regulation (EC) No 45/2001, personal data should be ‘adequate, relevant and not excessive in relation to the purposes for which they are collected (…)’, and that therefore the Commission should ensure that personal data collected are necessary for the purpose of imposing the restrictive measures envisaged by the draft Regulation.

    36.

    In this perspective, the EDPS recommends to amend Article 7e, paragraph 1, as follows: ‘The Commission shall process personal data necessary to carry out its tasks under this Regulation’.

    37.

    Furthermore, the relevance of the categories of data used in connection with restrictive measures — including elements such as general identifiers (i.e., fiscal and social security numbers) and ‘function or profession’ — should be carefully checked, both in general and on a case-by-case basis, especially to the extent in which these pieces of information may include special categories of data and may need specific safeguards.

    38.

    Against this background, the EDPS welcomes the principle laid down in paragraph 3, according to which the name and surname of the natural person's parents may be included in the Annex when they are necessary in a specific case for the sole purpose of verification of the identity of the listed natural person in question. This provision well reflects the data protection principle of purpose limitation, which should be adequately specified and applied with regard to the whole article. Therefore, the EDPS recommends explicitly applying this principle to all categories of data, by amending Article 7e, paragraph 2, as follows: ‘Annex I shall only include the information necessary for the purpose of verification of the identity of the listed natural persons and in any case no more than the following information’.

    39.

    The EDPS also welcomes paragraph 4, which establishes that specific categories of personal data such as criminal offences, criminal convictions or security measures can only be processed in specific cases, subject to appropriate specific safeguards and shall not be made public or exchanged.

    40.

    With regard to paragraph 5, the EDPS acknowledges that the appointment of a controller in Annex II to Regulation (EC) No 881/2002 will enhance the visibility of the controller and its role of ‘point of contact’, thus facilitating the exercise of data subjects’ rights under Regulation (EC) No 45/2001. However, the EDPS recalls that it is also necessary to make sure that the controller is in a position to effectively ensure not only the exercise of data subjects’ rights, but also the compliance with all other obligations stemming from Regulation (EC) No 45/2001. In this perspective, the Commission may consider clarifying this point of the proposal for example by adding to paragraph 5 an explicit reference to the need for the controller to ensure the compliance with obligations stemming from Regulation (EC) No 45/2001.

    III.5.   Transfer of personal data to third countries and international organisations

    41.

    An important question, which is not explicitly addressed by the proposal but is implicit in the listing procedure, is to which extent personal data processed by Community institutions could be shared with the United Nations and/or third countries and, if so, under which conditions.

    42.

    In this regard, the EDPS would like to draw attention to Article 9 of Regulation (EC) No 45/2001, which lays down the conditions for transfer of personal data to recipients, other than Community bodies, which are not subject to Directive 95/46/EC. A broad gamut of solutions is available, ranging from the consent of the data subject (paragraph 6(a)) and the exercise of legal claims (paragraph 6(d)) — which could be useful in case the information has been provided by the listed person with a view to trigger a review of the listing — to the existence within the UN of mechanisms to ensure an adequate protection for personal data transmitted from the EU.

    43.

    The EDPS recalls that the various processing activities envisaged should be in line with this system, with a view to ensure an adequate protection of personal data exchanged with third countries and international organisations, and that specifications in the proposal as well as arrangements with the UN may be needed accordingly.

    III.6.   Other issues: liability, prior checking, EDPS consultation

    44.

    Article 6 of the proposal excludes liability, except in case of negligence, for those natural and legal persons implementing restrictive measures. In this regard, the EDPS wishes to clarify that this Article shall not be considered as excluding non-contractual liability, pursuant to Article 32(4) of Regulation (EC) No 45/2001 as well as Article 23 of Directive 95/46/EC, for a processing of personal data in breach of applicable data protection law. In this perspective, restrictive measures are based on processing and publication of personal data, which in case of unlawfulness may by itself — irrespective of the restrictive measures taken — give rise to non-material damage, as already recognised by the Court of Justice (7).

    45.

    It should be noted that a prior checking by the EDPS pursuant to Article 27 of Regulation (EC) No 45/2001 may be necessary, to the extent in which the proposal establishes processing operations relating to special categories of data (suspected offences, criminal convictions or security measures) and for the purpose of excluding individuals from the full enjoyment of their right to property.

    46.

    The EDPS, pursuant to Article 28 of Regulation (EC) No 45/2001, expects to be consulted with regard to legislative proposals and administrative measures relating to the processing of personal data which may be put forward in the area of restrictive measures on suspected terrorists.

    IV.   CONCLUSIONS

    47.

    The EDPS welcomes the intention of the Commission's proposal to address the recent case law of the Court of Justice by enhancing the listing procedure and by taking explicitly into account the right to the protection of personal data, which represents a crucial factor in ensuring the legitimacy and efficiency of the restrictive measures taken by the Commission.

    48.

    The EDPS welcomes the references in the preamble to the need to apply the Regulation in accordance with the fundamental right to the protection of personal data and that the proposal explicitly recognizes in its recital 12 the applicability of data protection rules, and in particular of Regulation (EC) No 45/2001, to the processing of personal data in this area.

    49.

    As a general remark, the EDPS would like to stress that Regulation (EC) No 45/2001 lays down a series of obligations for controllers as well as rights for data subjects which shall apply even when they are not explicitly mentioned by the proposal. However, in some cases, it may be desirable to provide further details about the application — and possible exemptions and restrictions — of data protection obligations and rights in the area of restrictive measures.

    50.

    The EDPS welcomes Articles 7a and 7c to the extent in which they enhance the respect of fundamental rights by providing means for the persons concerned to be informed about the reasons for inclusion in the list. However, the EDPS points out that these provisions do not exclude similar obligations arising from Regulation (EC) No 45/2001. In this perspective, the EDPS recommends the legislator to consider whether to explicitly clarify in the proposal the exemptions to data protection principles that may be necessary, such as for example the need to postpone the information notice pursuant to Article 12 until the provisional decision has been taken.

    51.

    The EDPS considers that Article 7d, by making the release of confidential documents subject to the consent of the originator, may impinge on the data subject's right of access to his or her personal data as laid down in Article 13 of Regulation (EC) No 45/2001 and on the possibility of the EDPS, as well as of the Court of Justice, to have access to personal data contained in classified information in order to effectively perform their respective tasks. In this perspective, the EDPS urges the legislator to amend this provision, in particular by replacing the word ‘released’ with ‘publicly disclosed’.

    52.

    The EDPS welcomes Article 7e to the extent in which it aims at providing a legal basis for processing of personal data, pursuant to Article 5 of Regulation (EC) No 45/2001. However, he recommends some amendments so as to ensure that data processed are used for specific purposes and are relevant, and that the role of the controller is in line with Regulation (EC) No 45/2001.

    53.

    The EDPS recalls that possible transfers to third countries and international organisations should be in line with Article 9 of Regulation (EC) No 45/2001, with a view to ensure an adequate protection of these data. In this regard, specifications in the proposal as well as arrangements with the UN may be needed.

    54.

    The EDPS furthermore notes that the proposal leaves unprejudiced the liability which may arise in case of unlawful processing and publication of personal data; that a prior checking pursuant to Article 27 of Regulation (EC) No 45/2001 may be necessary, and that he expects to be consulted with regard to further legislative proposals and administrative measures in this area.

    Done at Brussels, 28 July 2009.

    Peter HUSTINX

    European Data Protection Supervisor


    (1)  ECJ, 3.9.2008, Kadi and Al Barakaat International Foundation v Council, C-402/05 P and C-415/05 P, not yet released.

    (2)  Kadi, cited supra note 1, see notably paragraph 285.

    (3)  Commission Decision 2001/844/EC, ECSC, Euratom of 29 November 2001 amending its internal Rules of Procedure (OJ L 317, 3.12.2001, p. 1).

    (4)  See part 19 of Decision 2001/844/EC, ECSC, Euratom and, for instance, Article 4(7) of the Agreement between the European Union and the government of the United States of America on the security of classified information (OJ L 115, 3.5.2007, p. 30).

    (5)  The provision of information mentioned in Article 20(3) and (4) may be deferred for as long as such information would deprive the restriction of its effect (see Article 20(5)).

    (6)  CFI, 4.12.2008, PMOI v Council, T-284/08, not yet released, see notably paragraphs 74-76.

    (7)  CFI, 12.9.2007, Kalliopi Nikolau v Commission, T-259/03, [2007] ECR II-99; CFI, 8.7.2008, Franchet and Byk v Commission, T-48/05, not yet released.

