1.4.2011   

EN

Official Journal of the European Union

C 101/1

1.

On 20 September 2010, the European Commission adopted a proposal for a Regulation on the marketing and use of explosives precursors (3) (‘the Proposal’). On 11 November 2010, the Proposal as adopted by the Commission was sent to the EDPS for consultation in accordance with Article 28(2) of Regulation (EC) No 45/2001. The EDPS welcomes the fact that he is consulted by the Commission and that reference to this consultation is made in the recitals of the Proposal.

2.

The main aim of the proposed measures is to reduce the risk of attacks by terrorists or other criminals using home-made explosive devices. To this end, the Regulation limits the access of the general public to certain chemicals, which can be misused as precursors to home-made explosives. In addition, the Proposal places the sales of such chemicals under stricter control by means of reporting suspicious transactions and thefts.

3.

In this opinion, the EDPS calls the legislators’ attention to a number of relevant data protection issues and provides recommendations to ensure the fundamental right to the protection of personal data.

4.

The Proposal addresses the problems of the misuse of certain chemicals, which are widely available to the general public on the market, as precursors to home-made explosives. Articles 4 and 5 of the Proposal deal with the prohibition of sale to the general public, which is combined with a licensing scheme and requirement to record all licensed transactions. Article 6 requires economic operators to report suspicious transactions and thefts. Finally, Article 7 addresses the need for data protection.

5.

The sales of certain chemicals, above specified concentration thresholds, to members of the general public will be prohibited. Sales of higher concentrations would only be allowed to users who can document a legitimate need to use the chemical.

6.

The scope of the prohibition is limited to a short-list of chemical substances and their mixtures (see Annex I to the Proposal), and the sales of these substances to the general public. The restrictions do not apply to professional users or in business-to-business operations. Furthermore, the availability to the general public of the short-listed substances is limited only if they are above certain concentration levels. In addition, substances can still be obtained upon presentation of a license from a public authority (documenting legitimate use). Finally, an exception applies to farmers who are allowed to purchase ammonium nitrate to be used as fertiliser without a license irrespective of concentration thresholds.

7.

Licenses will also be required if a member of the general public intends to import the short-listed substances to the European Union.

8.

An economic operator which makes a substance or mixture available to a licensed member of the general public is required to verify the license presented and keep a record of the transaction.

9.

Each Member State is required to lay down the rules for granting the license. The competent authority in the Member State shall refuse to grant the license to the applicant if there are reasonable grounds for doubting the legitimacy of the intended use. Licenses granted shall be valid in all Member Sates. The Commission may draw up guidelines on the technical details of the licenses to assist their mutual recognition.

10.

The sales of a broader range of chemicals of concern (those listed in Annex II, in addition to all those listed in Annex I, which are already subject to the licensing requirement) will be subject to reporting of suspicious transactions and thefts.

11.

The Proposal requires each Member State to designate a national contact point (with a clearly identified telephone number and e-mail address) for the reporting of suspicious transactions and thefts. Economic operators are required to report any suspicious transactions and thefts without delay, mentioning, if possible, the identity of the client.

12.

The Commission shall draw up and update guidelines to assist the economic operators to recognize and notify suspicious transactions. The guidelines will also include regular updates to a list of additional substances not included in either Annex I or II, for which voluntary reporting of suspicious transactions and thefts is encouraged.

13.

Recital 11 and Article 7 require that the processing of personal data under the Regulation must always be carried out in accordance with EU data protection laws, in particular, Directive 95/46/EC (4) and national data protection laws implementing this Directive. The Proposal contains no further provisions on data protection.

14.

Reporting suspicious transactions and thefts and the licensing and recording scheme foreseen in the Regulation require processing of personal data. They both imply — in any case to some extent — interference with private life and the right to the protection of personal data, and thus require adequate safeguards.

15.

The EDPS welcomes that the Proposal contains a separate provision (Article 7) on data protection. With that said, this single — and very general — provision foreseen in the Proposal is insufficient to adequately address the data protection concerns raised by the proposed measures. In addition, the relevant articles of the Proposal (Articles 4, 5 and 6) also fail to describe in sufficient detail the specificities of the data processing operations foreseen.

16.

To illustrate, with regard to licensing, the Regulation requires that economic operators keep a record of the licensed transactions, without, however, specifying what personal data those records should contain, how long they should be kept, whom they can be disclosed to and under what conditions. Nor is it specified what data will be collected when processing license applications.

17.

As for the requirement to report suspicious transactions and thefts, the Proposal establishes a reporting requirement, without, however, specifying what constitutes a suspicious transaction, what personal data should be reported, how long the information reported should be kept, whom it can be disclosed to and under what conditions. Nor does the Proposal provide further details regarding the ‘national contact points’ to be designated, or any database that these contact points may establish for their Member States, or any eventual database that might be established at EU level.

18.

From a data protection point of view, the collection of data regarding suspicious transactions is the most sensitive subject in the Proposal. The relevant provisions should be clarified so as to ensure that the data processing remains proportionate and abuse is prevented. To achieve this, conditions for processing data should be clearly specified and adequate safeguards should be applied.

19.

Importantly, data should not be used for any other purpose than the fight against terrorism (and other crime involving misuse of chemicals for home-made explosive devices). Data should also not be retained for long periods of time, especially if the number of potential or actual recipients were to be large, and/or if the data were to be used for data mining. This is even more important in those cases where it can be shown that the initial suspicion was unfounded. In those cases there needs to be a specific justification for further retention. By way of illustration, the EDPS mentions in this context the ruling of the European Court of Human Rights in the case of S and Marper v the United Kingdom (2008) (5), according to which the long term retention of the DNA of persons not convicted of a criminal offence was a breach of their right to privacy under Article 8 of the European Convention on Human Rights.

20.

For these reasons, the EDPS recommends that Articles 5, 6 and 7 of the Proposal should contain further and more specific provisions to adequately address these concerns. Some specific recommendations will be made below.

21.

In addition, it should also be considered whether specific and more detailed provisions can be drawn up in an implementing Commission Decision in accordance with Articles 10, 11 and 12 of the Proposal to address additional data protection issues at the practical level.

22.

Finally, the EDPS also recommends that the Commission guidelines on suspicious transactions and on the technical details of the licenses should include further specific provisions on data processing and data protection. Both guidelines, as well as any possible implementing decision in the area of data protection, should be adopted after consulting the EDPS and — where the implementation at the national level is at stake — the Article 29 Data Protection Working Party. The Regulation itself should clearly foresee this and should also specifically list the main issues to be dealt with in the guidelines/implementing decision.

23.

The EDPS recommends that Article 5 of the Regulation should specify a maximum retention period (prima facie, not exceeding two years) as well as the categories of personal data to be recorded (not exceeding name, license number and items purchased). These recommendations flow from the principle of necessity and proportionality: the collection and conservation of personal data should be limited to what is strictly necessary for the purposes pursued (see Article 6(c) and (e) of Directive 95/46/EC). If such specifications are left to national law or practice, this will probably lead to unnecessary uncertainties and unequal treatment of similar situations in practice.

24.

Further, Article 5 of the Regulation should also expressly prohibit — in connection with the licensing procedure — the collection and processing of ‘special categories of data’ (as defined in Article 8 of Directive 95/46/EC) such as, among others, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs.

25.

This should also help ensure that applicants will not be treated in a discriminatory way, for example, on account of their race, nationality or political or religious affiliation. In this context, the EDPS emphasizes that ensuring a high level of data protection is also a means contributing to fighting racism, xenophobia and discrimination, which, in turn, can contribute to preventing radicalisation and recruitment into terrorism.

26.

The Regulation provides that license applications are to be rejected if there are reasonable grounds for doubting the legitimacy of the intended use. In this regard, it would be helpful if the guidelines or implementing decision specified the data that can be collected by the licensing authorities in connection with the license application.

27.

The guidelines or implementing decision should provide that the records should only be disclosed to competent law enforcement authorities investigating terrorist activities or other suspected criminal abuse of explosive precursors. The information should not be used for any additional purposes (see Article 6(b) of Directive 95/46/EC).

28.

The EDPS further recommends that the guidelines or implementing decision should specify that the licensing authority — who is best positioned to provide such a notice directly to the data subjects — should inform license holders about the fact that their purchases will be recorded and may be subject to reporting if found ‘suspicious’ (see Articles 10 and 11 of Directive 95/46/EC).

29.

The EDPS recommends that the role and nature of the national contact points should be clarified in the Proposal. The Impact Assessment, in paragraph 6.33 refers to the possibility that these contact points may not only be ‘law enforcement authorities’ but also ‘associations’. The legislative documents provide no further information in this regard. This should be, in particular, clarified in Article 6.2 of the Proposal. In principle, data should be held by law enforcement authorities — if this will not be the case, the reasons for this should be very clearly justified.

30.

Furthermore, Article 6 of the Regulation should specify the personal data to be recorded (not exceeding name, license number, items purchased, and reasons giving rise to suspicion). These recommendations flow from the principle of necessity and proportionality: the collection of personal data should be limited to what is strictly necessary for the purposes pursued (see Article 6(c) of Directive 95/46/EC). In this context, similar considerations apply as expressed in point 23.

31.

Article 6 of the Regulation should also expressly prohibit — in connection with the reporting procedure — the collection and processing of ‘special categories of data’ (as defined in Article 8 of Directive 95/46/EC) such as, among others, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs (see also points 24-25).

32.

Finally, Article 6 should set a maximum retention period, taking into account the purposes of the data storage. The EDPS recommends that — unless a suspicious transaction or theft has led to a specific investigation and the investigation is still ongoing — all reported suspicious transactions and thefts should be deleted from the database after the lapse of a specified period (prima facie, at the latest two years following the date of report). This should help ensure that in cases where the suspicion has not been confirmed (or even investigated further), innocent individuals would not be kept on a ‘black-list’ and ‘under suspicion’ for an unduly long period of time (see Article 6(e) of Directive 95/46/EC). Too wide divergences on this point at the national level should in any case be avoided.

33.

This limitation is also necessary to ensure the principle of data quality (see Article 6(d) of Directive 95/46/EC) as well as other important legal principles such as the presumption of innocence. This may not only result in a more adequate level of protection for the individuals, but at the same time, should also allow law enforcement to more effectively focus on those more serious cases where the suspicion will likely be ultimately confirmed.

34.

What transaction might be ‘suspicious’ is not defined in the Proposal. However, Article 6(6)(a) of the Proposal foresees that the Commission ‘shall draw up and update guidelines’ and shall provide information on ‘how to recognize and notify suspicious transactions’.

35.

The EDPS welcomes that the Proposal requires the Commission to draw up guidelines. These should be sufficiently clear and concrete and prevent an overbroad interpretation so as to minimize the transmissions of personal data to law enforcement authorities and to prevent any arbitrary or discriminatory practices, for example, on account of race, nationality or political or religious affiliation.

36.

The guidelines/implementing rules should further provide that the information should be kept secure and confidential and should only be disclosed to competent law enforcement authorities investigating terrorist activities or other suspected criminal abuse of explosive precursors. The information should not be used for additional purposes, for instance, to investigate unrelated matters by tax or immigration authorities.

37.

The guidelines/implementing decision should further specify who should have access to the data received (and stored) by the national contact points. Access/disclosures should be limited on a strict need-to-know basis. Publication of a list of possible recipients should also be considered.

38.

The guidelines/implementing decision should provide for rights of access to data subjects, including, when appropriate, correction or deletion of their data (see Articles 12-14 of Directive 95/46/EC). The existence of this right — or any potential exceptions under Article 13 — may have important implications. For example, under the general rules, the data subject has also the right to know if his/her transaction has been reported as suspicious. The (potential) use of this right, however, could prevent the seller of explosives precursors to communicate suspicious transactions of the buyer. Therefore, any exceptions should be clearly justified and specifically set forth, preferably in the Regulation, or in any event, in the guidelines/implementing decision. A redress mechanism should also be foreseen, with the involvement of the national contact points.

39.

The EDPS welcomes that Article 16 of the Proposal provides for a review of the Regulation (five years after adoption). Indeed, the EDPS is of the Opinion that any new instruments should prove in periodic reviews that they continue to constitute effective means of fighting terrorism (and other criminal activity). The EDPS recommends that the Regulation should specifically provide that during such a review, the Regulation's effectiveness, as well as its effects on fundamental rights, including data protection, should also be considered.

40.

The EDPS recommends adding to the Proposal further, more specific provisions to adequately address data protection concerns. In addition, the Commission guidelines on suspicious transactions and on the technical details of the licenses — and an eventual implementing decision on data protection — should also include further specific provisions on data processing and data protection. The guidelines (and the implementing decision, if any) should be adopted after consulting the EDPS and — where appropriate — the Article 29 Working Party with representatives of data protection authorities in the Member States.

41.

Article 5 of the Regulation should specify a maximum retention period (prima facie, not exceeding two years) for the recorded transactions as well as the categories of personal data to be recorded (not exceeding name, license number and items purchased). Processing of special categories of data should be expressly prohibited.

42.

The role and nature of the contact points should be clarified in Article 6 of the Proposal. This provision should also specify a maximum retention period for the data reported on suspicious transactions (prima facie, not exceeding two years) as well as the personal data to be recorded (not exceeding name, license number, items purchased, and reasons giving rise to suspicion). Processing of special categories of data should be expressly prohibited.

43.

Further, the guidelines/implementing decision should specify the data that can be collected by the licensing authorities in connection with the license application. They should also clearly limit the purposes for which data can be used. Similar provisions should also apply to the records of suspicious transactions. The guidelines/implementing decision should specify that the licensing authority should inform license holders about the fact that their purchases will be recorded and may be subject to reporting if found ‘suspicious’. The guidelines/implementing decision should further specify who should have access to the data received (and stored) by the national contact points. Access/disclosures should be limited on a strict need-to-know basis. They should also provide for appropriate rights of access to data subjects and clearly set forth and justify any exceptions.

44.

The effectiveness of the measures foreseen should be periodically reviewed, at the same time also considering their impact on privacy.