Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 52011XX0722(01)

Opinion of the European Data Protection Supervisor on the proposal for a Regulation of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories

OJ C 216, 22.7.2011, p. 9–16 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

22.7.2011   

EN

Official Journal of the European Union

C 216/9


Opinion of the European Data Protection Supervisor on the proposal for a Regulation of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories

2011/C 216/04

THE EUROPEAN DATA PROTECTION SUPERVISOR,

Having regard to the Treaty on the Functioning of the European Union, and in particular its Article 16,

Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Articles 7 and 8,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1),

Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (2), and in particular its Article 41,

HAS ADOPTED THE FOLLOWING OPINION:

1.   INTRODUCTION

1.

On 15 September 2010, the Commission adopted a Proposal for a Regulation of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories (‘the Proposal’) (3). The main aim of the Proposal is to establish common rules to increase security and efficiency of the over-the-counter derivatives market.

2.

The EDPS has not been consulted by the Commission, although this is required by Article 28(2) of Regulation (EC) No 45/2001 (‘Regulation (EC) No 45/2001’). Acting on his own initiative, the EDPS has therefore adopted the present Opinion based on Article 41(2) of Regulation (EC) No 45/2001.

3.

The EDPS is aware that this advice comes at a relatively late stage in the legislative process. Nevertheless, he finds it appropriate and useful to issue this Opinion. In the first place, he emphasises the potential data protection implications of the Proposal. In the second place, the analysis presented in the present Opinion is directly relevant for the application of existing legislation and for other pending and possible future proposals containing similar provisions, as will be explained in Section 3.4 of this Opinion.

2.   BACKGROUND AND MAIN ELEMENTS OF THE PROPOSAL

4.

In the wake of the financial crisis, the Commission has initiated and brought forward a review of the existing legal framework for financial supervision in order to cope with the important failures identified in this area both in particular cases and in relation to the financial system as a whole. A number of legislative proposals have been recently adopted in this field with a view to strengthening the existing supervisory arrangements and improving coordination and cooperation at EU level.

5.

The reform introduced in particular an enhanced European financial supervisory framework composed of a European Systemic Risk Board (4) and a European System of Financial Supervisors (ESFS). The ESFS consists of a network of national financial supervisors working in tandem with three new European Supervisory Authorities, i.e. the European Banking Authority (5) (EBA), the European Insurance and Occupational Pensions Authority (6) (EIOPA) and the European Securities and Markets Authority (ESMA) (7). In addition, the Commission adopted a series of specific initiatives to implement the regulatory reform in respect of specific areas or financial products.

6.

One of those is the present proposal which deals with ‘over-the-counter derivatives’, i.e. those derivative products (8) that are not traded on exchanges, but instead privately negotiated between two counterparts. It introduces the obligation for all financial counterparties and non-financial counterparties fulfilling certain threshold conditions to clear all standardised OTC derivatives through Central Counterparties (CCPs). In addition, the proposed regulation shall oblige those financial and non-financial counterparties to report the details of any derivative contract and any modification thereof to a registered trade repository. The Proposal also provides for harmonised organisational and prudential requirements for CCPs and organisational and operational requirements for trade repositories. While national competent authorities retain the responsibility for authorising and supervising CCPs, registration and surveillance of trade repositories is entirely entrusted to ESMA according to the proposed regulation.

3.   ANALYSIS OF THE PROVISIONS CONCERNING ACCESS TO RECORDS OF TELEPHONE AND DATA TRAFFIC

3.1.   General observations

7.

Article 61(2)(d) of the Proposal empowers ESMA to ‘require records of telephone and data traffic’ (emphasis added). As will be further explained below, the scope of the provision and in particular the exact meaning of ‘records of telephone and data traffic’ is not clear. Nevertheless, it seems likely — or at least it cannot be excluded — that the records of telephone and data traffic concerned include personal data within the meaning of Directive 95/46/EC and Regulation (EC) No 45/2001 and, to the relevant extent, Directive 2002/58/EC (now called, as amended by Directive 2009/136/EC, ‘the e-Privacy Directive’), i.e. data relating to the telephone and data traffic of identified or identifiable natural persons (9). As long as this is the case, it should be assured that the conditions for fair and lawful processing of personal data, as laid down in the Directives and the Regulation, are fully respected.

8.

Data relating to use of electronic communication means may convey a wide range of personal information, such as the identity of the persons making and receiving the call, the time and duration of the call, the network used, the geographic location of the user in case of portable devices, etc. Some traffic data relating to internet and e-mail use (for example the list of websites visited) may in addition reveal important details of the content of the communication. Furthermore, processing of traffic data conflicts with the secrecy of correspondence. In view of this, Directive 2002/58/EC has established the principle that traffic data must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication (10). Member States may include derogations in national legislation for specific legitimate purposes, but they must be necessary, appropriate and proportionate within a democratic society to achieve these purposes (11).

9.

The EDPS acknowledges that the aims pursued by the Commission in the present case are legitimate. He understands the need for initiatives aiming at strengthening supervision of financial markets in order to preserve their soundness and better protect investors and economy at large. However, investigatory powers directly relating to traffic data, given their potentially intrusive nature, have to comply with the requirements of necessity and proportionality, i.e. they have to be limited to what is appropriate to achieve the objective pursued and not go beyond what is necessary to achieve it (12). It is therefore essential in this perspective that they are clearly formulated regarding their personal and material scope as well as the circumstances in which and the conditions on which they can be used. Furthermore, adequate safeguards should be provided for against the risk of abuse.

3.2.   The scope of ESMAs power is unclear

10.

Article 61(2)(d) provides that ‘in order to carry out the duties set out in Articles 51 to 60, 62 and 63 (i.e. duties relating to the surveillance of trade repositories), ESMA shall have […] (the power) to require records of telephone and data traffic’. Because of its broad formulation, the provision raises several doubts concerning its material and personal scope.

11.

In the first place, the meaning of ‘records of telephone and data traffic’ is not entirely clear and thus needs to be clarified. The provision might refer to records of telephone and data traffic, which trade repositories are obliged to retain in the course of their activities. Several provisions of the proposed regulation concern record keeping requirements of trade repositories (13). However, none of these provisions specifies if and what records of telephone and data traffic must be retained by trade repositories (14). Therefore, should the provision refer to records held by trade repositories, it is essential to define precisely the categories of telephone and data traffic that have to be retained and can be required by ESMA. In line with the principle of proportionality, such data must be adequate, relevant and not excessive in relation to the supervisory purposes for which they are processed (15).

12.

More precision is needed particularly in the present case, in consideration of the heavy fines and periodic penalty payments that trade repositories and other persons (including natural persons as regards periodic penalty payments) concerned might incur for a breach of the proposed regulation (cf Articles 55 and 56). Such fines may reach 20 percent of the annual income or turnover of the trade repository in the preceding business year, i.e. a threshold which is twice as high as the maximum threshold provided for infringements of European competition law.

13.

It should also be noted that the above cited Article 67, paragraph 4, delegates to the Commission the power to adopt regulatory standards specifying the details of the information that trade repositories shall make obligatorily available to ESMA and other authorities. This provision might therefore be used to further specify record-keeping requirements of trade repositories and thus, indirectly, the power granted by ESMA to access records of telephone and data traffic. Article 290 TFEU provides that a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend non-essential elements of the legislative act. According to the EDPS, the exact perimeter of the power to access traffic data cannot be considered a non-essential element of the regulation. The material scope thereof should therefore be specified directly in the text of the regulation and not deferred to future delegated acts.

14.

Similar doubts surround the personal scope of the provision concerned. In particular, the potential addressees of a request to provide records of telephone and data traffic are not specified in Article 61(2)(d). It is not clear in particular whether the powers to require records of telephone and data traffic would only be limited to trade repositories (16). As the purpose of the provision is to allow ESMA to carry out supervision of trade repositories, the EDPS is of the opinion that this power should be strictly limited to trade repositories only.

15.

Finally, the EDPS understands that the aim of Article 61(2)(d) is not to allow ESMA to gain access to traffic data directly from telecom providers. This seems to be the logical conclusion particularly in consideration of the fact that the Proposal does not refer at all to data held by telecom providers or to the requirements set out by the e-Privacy Directive as mentioned in point 8 above (17). However, for the sake of clarity, he recommends making such conclusion more explicit in Article 61(2) or at least in a recital of the proposed regulation.

3.3.   The Proposal does not indicate the circumstances in which and the conditions under which access can be required

16.

Article 61(2)(d) does not indicate the circumstances in which and the conditions under which access can be required. Neither does it provide for important procedural guarantees or safeguards against the risk of abuses. In the following paragraphs, the EDPS will make some concrete suggestions in this direction.

(a)

According to Article 61(2) ESMA may require access to records of telephone and data traffic ‘in order to carry out the duties set out in Articles 51 to 60, 62 and 63’. These Articles cover the whole Title of the proposed regulation on registration and surveillance of trade repositories. According to the EDPS, the circumstances and the conditions for using such power should be more clearly defined. The EDPS recommends limiting access to records of telephone and data traffic to specifically identified and serious violations of the proposed regulation and in cases where a reasonable suspicion (which should be supported by concrete initial evidence) exists that a breach has been committed. Such limitation is also particularly important with a view to avoiding that the access power could be used for the purpose of fishing operations or data mining or for different purposes.

(b)

The Proposal does not require prior judicial authorisation in order for ESMA to require access to records of telephone and data traffic. The EDPS considers that this general requirement would be justified in view of the potential intrusiveness of the power at stake. It should also be considered that the laws of some Member States impose prior judicial authorisation for any kind of interference with the secrecy of correspondence and therefore preclude other law enforcement bodies (i.e. police forces) and institutions of an administrative nature from such interference without this strict supervision (18). At the very least, the EDPS considers unavoidable making a judicial authorisation obligatory whenever such authorisation is required by national law (19).

(c)

The EDPS recommends introducing the requirement for ESMA to request records of telephone and data traffic by formal decision specifying the legal basis and the purpose of the request and what information is required, the time-limit within which the information is to be provided as well as the right of the addressee to have the decision reviewed by the Court of Justice. Any request made in the absence of a formal decision shall not be binding on the addressee.

(d)

Adequate procedural safeguards against possible abuses should be afforded. In this respect, the Proposal could require the Commission to adopt implementing measures setting-out in detail the procedures to be followed by trade repositories and ESMA in processing such data. These acts should specify in particular adequate security measures as well as appropriate guarantees against the risk of abuses, including, but not limited to, the professional standards that the competent persons handling these data shall observe as well as the internal procedures that ensure proper observance of the confidentiality and professional secrecy provisions. The EDPS should be consulted during the procedure relating to the adoption of such measures.

3.4.   Relevance of the present Opinion for other legal instruments containing similar provisions

17.

The power for supervisory authorities to require access to records of telephone and data traffic is not new in the European legislation as it is already foreseen in various existing directives and regulations concerning the financial sector. In particular, the market abuse Directive (20), the MIFID Directive (21), the UCITS Directive (22), the current Regulation on credit rating agencies (23), all contain similarly drafted provisions. The same is true for a number of recent proposals adopted by the Commission, namely the proposals for a Directive on alternative investment fund managers (24), a Regulation amending the existing Regulation on credit rating agencies (25), a Regulation on short selling and certain aspects of credit default swaps (26) and a Regulation on integrity and transparency of energy markets (27).

18.

As regards these existing and proposed legislative instruments, a distinction should be made between investigatory powers granted to national authorities and the granting of such powers to EU authorities. Several instruments oblige Member States to grant the power to require telephone and data traffic records to national authorities ‘in conformity with national law’ (28). As a consequence, the actual execution of this obligation is necessarily subject to the national law including the one implementing Directives 95/46/EC and 2002/58/EC and other national laws which contain further procedural safeguards for national supervisory and investigatory authorities.

19.

No such condition is contained in the instruments which grant the power to require telephone and data traffic records directly to EU authorities, such as in the present proposal on OTC derivatives and the above-mentioned proposal for a Regulation amending Regulation 1060/2009 on credit rating agencies (the ‘CRA Proposal’). As a consequence, in these cases there is an even stronger requirement to clarify in the legislative instrument itself, the personal and material scope of this power and the circumstances in which and the conditions under which it can be used and to ensure that adequate safeguards against abuse are in place.

20.

In this respect, the observations made in the present Opinion, although aimed at the proposal on OTC derivatives, have a more general relevance. The EDPS is aware that with regard to legislation already adopted or close to adoption, these comments may come too late. Nevertheless, he invites the institutions to reflect upon the need to amend the pending proposals in order to take into account the concerns expressed in the present Opinion. As to the already adopted texts, the EDPS invites the institutions to seek for possibilities to clarify matters, for instance where the scope of the provision concerned is liable to be directly or indirectly specified in delegated or implementing acts, for instance acts defining the details of record keeping requirements, interpretative notices or other comparable documents (29). The EDPS expects the Commission to consult him in good time in the context of these related procedures.

4.   DATA PROTECTION CONCERNS RELATING TO OTHER PARTS OF THE PROPOSAL

21.

The EDPS considers it appropriate to make additional comments on some other points of the Proposal which relate to the rights to privacy and data protection of individuals.

4.1.   Applicability of Directive 95/46/EC and Regulation (EC) No 45/2001

22.

Recital 48 correctly states that it is essential that Member States and ESMA protect the right to privacy of natural persons when processing personal data, in accordance with Directive 95/46/EC. The EDPS welcomes the reference to the Directive in the recital. However, the meaning of the recital could be made clearer by further specifying that the provisions of the Regulation are without prejudice to the national rules which implement Directive 95/46/EC. Preferably, such a reference should also be included in a substantive provision.

23.

Moreover, The EDPS notes that ESMA is a European body subject to Regulation (EC) No 45/2001 and to EDPS supervision. It is therefore recommended to introduce an explicit reference to this Regulation, specifying as well that the provisions of the Proposal are without prejudice to such Regulation.

4.2.   Purpose limitation, necessity and data quality

24.

One of the principal aims of the proposed regulation is to enhance the transparency of OTC derivatives market and improve regulatory oversight of such market. In view of this objective, the Proposal obliges financial counterparties and non-financial counterparties meeting certain threshold conditions to report the details of any OTC derivative contract they have entered into and any modification or termination thereof to a registered trade repository (Article 6) (30). Such information is meant to be held by trade repositories and made available by the latter to various authorities for regulatory purposes (Article 67) (31).

25.

In case one of the parties to a derivative contract subject to the above clearing and reporting obligations is a natural person, information about this natural person constitutes personal data in the sense of Article 2(a) of Directive 95/46/EC. The fulfilment of the above obligations therefore constitutes processing of personal data in the sense of Article 2(b) of Directive 95/46/EC. Even in case where the parties to the transaction are not natural persons, personal data may still be processed in the framework of Articles 6 and 67, such as for instance the names and contact details of the directors of the companies. The provisions of Directive 95/46/EC (or Regulation (EC) No 45/2001 as relevant) would therefore be applicable to the present operations.

26.

A basic requirement of data protection law is that information must be processed for specified, explicit and legitimate purposes and that it may not be further processed in a way incompatible with those purposes (32). The data used to achieve the purposes should furthermore be adequate, relevant and not excessive in relation to that purpose. After an analysis of the proposed regulation, the EDPS draws the conclusion that the system put in place by the Proposal does not meet these requirements.

27.

As regards purpose limitation, it must be stressed that the Proposal fails to specify the purposes of the reporting system and, most importantly, the purposes for which the information held by trade repositories can be accessed by the competent authorities under Article 67 of the Proposal. A general reference to the need for enhancing the transparency of the OTC derivatives market is clearly not sufficient to comply with the purpose limitation principle. Such principle is further put under pressure in Article 20(3) of the proposed regulation concerning ‘Professional secrecy’, which, as it is currently formulated, would seem to allow use of confidential information received pursuant to the proposed regulation for a number of additional and not clearly specified purposes (33).

28.

The Proposal furthermore fails to specify the kind of data that will be recorded, reported and accessed, including any personal data of identified or identifiable persons. The above-mentioned Articles 6 and 67 empower the Commission to further specify the content of reporting and record-keeping obligations in delegated acts. Although the EDPS understands the practical need for using such a procedure, he wishes to emphasise that, as long as the information being processed under the above Articles concerns natural persons, the main data protection rules and guarantees should be laid down in the basic law.

29.

Finally, Articles 6 of Directive 46/95/EC and 4 of Regulation (EC) No 45/2001 require that personal data must be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the data were collected. The EDPS notes that the Proposal does not lay down any concrete limitation period for the retention of the personal data potentially processed under Articles 6, 27 and 67 of the proposed regulation. Articles 27 and 67 only provide that the relevant records shall be retained for at least 10 years. However, this is only a minimum retention period, which is clearly in contradiction with the requirements set out by data protection legislation.

30.

On the basis of the foregoing, the EDPS urges the legislator to specify the kind of personal information that can be processed under the Proposal, to define the purposes for which personal data can be processed by the various entities concerned and fix a precise, necessary and proportionate data retention period for the above processing.

4.3.   On-site inspections

31.

Article 61(2)(c) empowers ESMA to carry out on-site inspections with or without announcement. It is not clear whether these inspections would be limited to business premises of a trade repository or also apply to private premises or holdings of natural persons. Article 56(1)(c) allowing the Commission, at the request of ESMA, to impose periodic penalty payments on employees of a trade repository or other persons related to a trade repository in order to compel them to submit to an onsite inspection ordered by ESMA pursuant to Article 61(2) might suggest (unintentionally) otherwise.

32.

Without elaborating further on this point, the EDPS recommends limiting the power to carry out on-site inspections (and the related power to impose periodic penalty payments under Article 56) only to business premises of trade-repositories and other legal persons substantially and clearly related to them (34). Should the Commission indeed envisage allowing inspections of non-business premises of natural persons, this should be made clear and more stringent requirements should be foreseen in order to ensure compliance with necessity and proportionality principles (particularly with regards to the indication of the circumstances in which and the conditions on which such inspections can be carried out).

4.4.   Exchanges of data and purpose limitation principle

33.

Several provisions of the proposed regulation allow for broad exchanges of data and information between ESMA, competent authorities of Member States and competent authorities of third countries (see in particular Articles 21, 23 and 62). Transfers of data to third countries may also occur when a recognised CCP or trade repository from a third country provides services to entities recognised in the Union. Insofar as the information and data exchanged concerns identified or identifiable natural persons, Articles 7-9 of Regulation (EC) No 45/2001 and 25-26 of Directive 95/46/EC, as relevant, apply. In particular, transfers to third countries may only occur where an adequate level of protection is ensured in those countries or one of the relevant derogations provided by the data protection legislation applies. For the sake of clarity, an explicit reference to Regulation (EC) No 45/2001 and Directive 95/46/EC should be included in the text, stating that such transfers should be in conformity with the applicable rules foreseen, respectively, in the Regulation or the Directive.

34.

In accordance with the purpose limitation principle (35), the EDPS also recommends introducing clear limits as to the kind of personal information that can be exchanged and define the purposes for which personal data can be exchanged.

4.5.   Accountability and reporting

35.

Article 68 of the Proposal contains a number of reporting obligations of the Commission concerning the implementation of various elements of the proposed regulation. The EDPS recommends introducing also the obligation for ESMA to report periodically on the use of its investigatory powers and particularly the power to require records of telephone and data traffic. In light of the findings of the report, the Commission should also be able to make recommendations, including if appropriate proposals for the revision of the Regulation.

5.   CONCLUSIONS

36.

The present proposal empowers ESMA to ‘require records of telephone and data traffic’ in order to carry out duties related to the supervision of trade repositories. In order to be considered necessary and proportionate, the power to require records of telephone and data traffic should be limited to what is appropriate to achieve the objective pursued and not go beyond what is necessary to achieve it. As it is currently framed, the provision at stake does not meet these requirements as it is too broadly formulated. In particular, the personal and material scope of the power, the circumstances and the conditions under which it can be used are not sufficiently specified.

37.

The comments made in the present Opinion, although aiming at the OTC derivatives Proposal, are also relevant for the application of existing legislation and for other pending and possible future proposals containing equivalent provisions. This is particularly the case where the power in question is entrusted, as in the present proposal, to an EU authority without referring to the specific conditions and procedures laid down in national laws (e.g. the CRA Proposal).

38.

Having regard to the above, the EDPS advises the legislator to:

clearly specify the categories of telephone and data traffic records which trade repositories are required to retain and/or to provide to the competent authorities. Such data must be adequate relevant and not excessive in relation to the purpose for which they are processed,

limit the power to require access to records of telephone and data traffic to trade repositories,

make explicit that access to telephone and data traffic directly from telecom companies is excluded,

limit access to records of telephone and data traffic to identified and serious violations of the proposed regulation and in cases where a reasonable suspicion (which should be supported by concrete initial evidence) exists that a breach has been committed,

clarify that trade repositories shall provide records of telephone and data traffic only where they are requested by formal decision specifying, among others, the right to have the decision reviewed by the Court of Justice,

require that the decision shall not be executed without prior judicial authorisation from the national judicial authority of the Member State concerned (at least where such authorisation is required under national law),

require the Commission to adopt implementing measures setting out in detail the procedures to be followed, including adequate security measures and safeguards.

39.

As regards other aspects of the Proposal, the EDPS would like to refer to his comments made under Section 4 of the present Opinion. In particular, the EDPS advises the legislator to:

include a reference to Directive 95/46/EC and Regulation (EC) No 45/2001 at least in the recitals of the proposed Directive and preferably in a substantive provision as well, stating that the provisions of the proposed regulation are without prejudice to, respectively, the Directive and the Regulation,

specify the kind of personal information that can be processed under the Proposal in compliance with the necessity principle (particularly in relation to Articles 6 and 67), define the purposes for which personal data can be processed by the various authorities/entities concerned and fix precise, necessary and proportionate data retention periods for the above processing,

limit the power to carry out on-site inspections under Article 61(2)(c) and to impose periodic penalty payments under Article 56 only to trade-repositories and other legal persons clearly and substantially related to them,

make explicit that international transfers of personal data should be in conformity with the relevant rules of Regulation (EC) No 45/2001 and Directive 95/46/EC, introduce clear limits as to the kind of personal information that can be exchanged and define the purposes for which personal data can be exchanged.

Done at Brussels, 19 April 2011.

Giovanni BUTTARELLI

Assistant European Data Protection Supervisor


(1)  OJ L 281, 23.11.1995, p. 31.

(2)  OJ L 8, 12.1.2001, p. 1.

(3)  COM(2010) 484 final.

(4)  Regulation (EU) No 1092/2010 of the European Parliament and of the Council of 24 November 2010 on European Union macro-prudential oversight of the financial system and establishing a European Systemic Risk Board (OJ L 331, 15.12.2010, p. 1).

(5)  Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12).

(6)  Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48).

(7)  Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).

(8)  A derivative is a financial contract linked to the future value or status of the underlying to which it refers (e.g. the development of interest rates or of a currency value).

(9)  Normally the employees to whom the telephone and data traffic can be imputed as well as recipients and other users concerned.

(10)  See Article 6(1) of Directive 2002/58/EC, (OJ L 201, 31.7.2002, p. 45).

(11)  See Article 15(1) of Directive 2002/58/EC, providing that such restrictions must constitute a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph.

(12)  See, e.g., Joined Cases C-92/09 and C-93/09, Volker und Markus Schecke GbR (C-92/09), Hartmut Eifert (C-92/09) v. Land Hessen, not yet published in ECR, point 74.

(13)  For example, Recital 44 states that trade repositories shall be subject to strict record-keeping and data management requirements. Article 66 specifies that a trade repository ‘shall promptly record the information received under Article 6 and shall maintain it for at least 10 years following the termination of the relevant contracts. It shall employ timely and efficient record keeping procedures to document changes to recorded information [sic]’. Article 67 further provides that ‘a trade repository must make the necessary information available’ to ESMA and various other competent authorities.

(14)  The expression ‘records of telephone and data traffic’ may potentially include a wide variety of information, including the duration, time or volume of a communication, the protocol used, the location of the terminal equipment of the sender or recipient, the network on which the communication originates or terminates, the beginning, end or duration of a connection or even the list of websites visited and the content of the communications themselves in case they are recorded. To the extent that they relate to identified or identifiable natural persons, all this information constitutes personal data.

(15)  See Article 6(1)(c) of Directive 95/46/EC and Article 4(1)(c) of Regulation (EC) No 45/2001. It should also be considered whether specific safeguards can be devised to avoid that data concerning genuinely private use are captured and processed.

(16)  Article 56(1)(c) allowing the Commission, at the request of ESMA, to impose periodic penalty payments on employees of a trade repository or other persons related to a trade repository in order to compel them to submit to an investigation launched by ESMA pursuant to Article 61(2) might suggest (unintentionally) otherwise.

(17)  As said, the e-Privacy Directive establishes the general principle that traffic data must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication. Such data can be further processed only for the purpose of billing and interconnection payments and up to the end of the period during which the bill may lawfully be challenged or payment pursued. Any derogation to this principle must be necessary, appropriate and proportionate within a democratic society for specific public order purposes (i.e. to safeguard national security (i.e. State security), defence, public security or the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications systems).

(18)  The Italian Constitution, for example, requires that any interference with the secrecy of correspondence, including access to traffic data not revealing the content of the communications, be ordered or authorised by a member of the judicial.

(19)  A similar requirement has been introduced in the amended version of the CRA Proposal voted by the EP in December 2010.

(20)  Directive 2003/6/EC of the European Parliament and of the Council of 28 January 2003 on insider dealing and market manipulation (market abuse) (OJ L 96, 12.4.2003, p. 16).

(21)  Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments amending Council Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the European Parliament and of the Council and repealing Council Directive 93/22/EEC (OJ L 145, 30.4.2004, p. 1).

(22)  Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32).

(23)  Regulation (EC) No 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit rating agencies (OJ L 302, 17.11.2009, p. 1).

(24)  Proposal of 30 April 2009 for a Directive of the European Parliament and of the Council on Alternative Investment Fund Managers and amending Directives 2004/39/EC and 2009/…/EC, COM(2009) 207.

(25)  Proposal of 2 June 2010 for a Regulation of the European Parliament and of the Council on amending Regulation (EC) No 1060/2009 on credit rating agencies, COM(2010) 289.

(26)  Proposal of 15 September 2010 for a Regulation of the European Parliament and of the Council on Short Selling and certain aspects of Credit Default Swaps, COM(2010) 482.

(27)  Regulation of the European Parliament and of the Council on energy market integrity and transparency, COM(2010) 726.

(28)  See for instance Article 12(2) of the Market Abuse Directive mentioned in footnote 20. See also Article 50 of the MIFID Directive, mentioned in footnote 21.

(29)  For instance Article 37 of the CRA Proposal allows the Commission to amend Annexes to the Regulation, which contain the details of record-keeping requirements imposed on credit rating agencies; see also Recital 10 of the CRA Proposal referring to ESMA power to issue and update non-binding guidelines on issues related to application of the CRA Regulation.

(30)  Article 6(4) of the Proposal delegates to the Commission the power to determine the details and type of the reports for the different classes of derivatives, specifying that such reports shall contain at least: (a) the parties to the contract and, where different, the beneficiary of the rights and obligations arising from it are appropriately identified; and (b) the main characteristics of the contract, including the type, underlying, maturity and notional value are reported.

(31)  See Explanatory Memorandum, p. 11. Article 67 concretizes this by providing that a trade repository shall make the necessary information available to a number of entities, namely ESMA, the competent authorities supervising undertakings subject to the reporting obligations, the competent authorities supervising CCPs and the relevant central banks of the ESCB.

(32)  See e.g. EDPS Opinion of 6 January 2010 on the proposal for a Council Directive on administrative cooperation in the field of taxation (OJ C 101, 20.4.2010, p. 1).

(33)  Article 20(3) reads as follows: ‘Without prejudice to cases covered by criminal law, the competent authorities, ESMA, bodies or natural or legal persons other than competent authorities which receive confidential information pursuant to this Regulation may use it only in the performance of their duties and for the exercise of their functions, in the case of the competent authorities, within the scope of this Regulation or, in the case of other authorities, bodies or natural or legal persons, for the purpose for which such information was provided to them or in the context of administrative or judicial proceedings specifically related to the exercise of those functions, or both. Where ESMA, the competent authority or other authority, body or person communicating information consents thereto, the authority receiving the information may use it for other purposes.’.

(34)  A similar specification has been introduced in the amended version of the CRA Proposal voted by the EP in December 2010.

(35)  See Article 6(1)(b) of Directive 95/46/EC and Article 4(1)(b) of Regulation (EC) No 45/2001.


Top