This document is an excerpt from the EUR-Lex website

Document 52011XX0923(02)

    Opinion of the European Data Protection Supervisor on the proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 1073/1999 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (Euratom) No 1074/1999

    OJ C 279, 23.9.2011, p. 11–19 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

    23.9.2011   

    EN

    Official Journal of the European Union

    C 279/11


    2011/C 279/02

    THE EUROPEAN DATA PROTECTION SUPERVISOR,

    Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

    Having regard to the Charter of Fundamental Rights of the European Union, and in particular Articles 7 and 8 thereof,

    Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1),

    Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (2), and in particular Article 28(2) thereof,

    HAS ADOPTED THE FOLLOWING OPINION:

    1.   INTRODUCTION

    1.

    On 17 March 2011, the Commission adopted a proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 1073/1999 concerning investigations conducted by the European Anti-fraud Office (OLAF) and repealing Regulation (Euratom) No 1074/1999 (hereinafter ‘the Proposal’).

    1.1.   Consultation with the EDPS

    2.

    The Proposal was sent by the Council to the EDPS on 8 April 2011. The EDPS understands this communication as a request to advise Community institutions and bodies, as foreseen in Article 28(2) of Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (hereinafter ‘Regulation (EC) No 45/2001’). The EDPS welcomes the explicit reference to this consultation in the preamble of the Proposal.

    3.

    The Proposal is aimed at amending Articles 1-14 and at deleting Article 15 of Regulation (EC) No 1073/1999. Council Regulation (Euratom) No 1074/1999 of 25 May 1999 concerning investigations conducted by the European Anti-Fraud Office (OLAF) is expected to be repealed.

    4.

    Previously (3), before the adoption of the Proposal, the EDPS was given the possibility by the Commission to provide informal comments. The EDPS welcomes the openness of the process, which has helped to improve the text from a data protection point of view at an early stage. Indeed, some of those comments have been taken into account in the Proposal.

    5.

    This new text is the result of a long review process. In 2006, the Commission put forward a proposal to amend Regulation (EC) No 1073/1999. The legislative proposal focused on ‘achieving better operational efficiency and improved governance for the Office’.

    6.

    This previous proposal was discussed both in the Council and the European Parliament under the co-decision procedure. The EDPS issued his Opinion in April 2007, including many observations aimed at rendering the text of the proposal more coherent with the data protection rules enshrined in Regulation (EC) No 45/2001 (4). The Parliament adopted a resolution on 20 November 2008 (5) in first reading including approximately one hundred amendments to the proposal.

    7.

    At the request of the Czech Presidency of the Council (January-June 2009), in July 2010 the Commission presented an updated Reflection paper on the reform of the Office to the European Parliament and the Council. In October 2010, the European Parliament welcomed the Reflection paper and asked the Commission to take up the legislative procedure again. On 6 December 2010, the Council adopted its Conclusions on the Reflection paper put forward by the Commission. The Supervisory Committee of OLAF contributed to the discussion with its opinions on the Reflection paper and on the respect for fundamental rights and procedural guarantees in investigations by OLAF. The Commission has thereafter presented the new Proposal.

    1.2.   The importance of the Proposal and the EDPS advice

    8.

    The Proposal includes provisions which have a strong impact on individuals’ rights. OLAF will continue to collect and further process sensitive data relating to suspected offences, offences, criminal convictions as well as information that would serve to exclude individuals from a right, benefit or contract insofar as such information represents a particular risk to the rights and freedoms of the data subjects. The fundamental right to the protection of personal data is relevant not only for its own sake, but also has strong connections with other fundamental rights, such as non-discrimination and due process of law, including the right of defence in OLAF investigations. The respect of due process has an impact on the validity of evidence and should be considered a priority by OLAF to reinforce its accountability. It is therefore essential to ensure that, in carrying out its investigations, fundamental rights including the rights to data protection and privacy of the persons implicated therein are properly guaranteed.

    1.3.   Main elements of the Proposal

    9.

    The stated aim of the Proposal is to increase the efficiency, effectiveness and accountability of OLAF, while safeguarding its investigative independence. This purpose would be achieved mainly by: (i) increasing the cooperation and information exchange with other EU institutions, offices, bodies and agencies as well as Member States; (ii) fine-tuning the de minimis approach (6) to investigations; (iii) strengthening the procedural guarantees for the persons under investigation by OLAF; (iv) including the possibility for OLAF to conclude administrative arrangements to facilitate information exchange with Europol, Eurojust, competent authorities of third countries as well as with international organisations and (v) clarifying the monitoring role of the Supervisory Committee.

    10.

    The EDPS supports the objectives of the proposed amendments and, in this respect, welcomes the Proposal. The EDPS particularly appreciates the introduction of the new Article 7(a) which is dedicated to the procedural guarantees afforded to individuals. In relation to individuals’ rights to the protection of their personal data and privacy, the EDPS considers that on the whole the Proposal contains improvements vis-à-vis the current situation. In particular, the EDPS welcomes the express recognition of the importance of the rights of the data subjects pursuant to Article 11 and 12 of Regulation (EC) No 45/2001 (7).

    11.

    However, despite the overall positive impression, the EDPS considers that from the point of view of the protection of personal data, the Proposal could be further improved without jeopardising the objectives that it pursues. In particular, the EDPS is concerned that, because of the lack of coherence on certain aspects, the Proposal may be interpreted as a lex specialis regulating the processing of personal data collected in the scope of OLAF investigations, which would take precedence over the application of the general data protection framework contained in Regulation (EC) No 45/2001. Thus, there is a risk that the data protection standards contained in the Proposal could be interpreted ex contrario as being lower than those contained in the Regulation, and this without any apparent justification in either the Proposal itself or the Explanatory Memorandum.

    12.

    In order to avoid this outcome, the following sections provide an analysis of the Proposal which, on the one hand, describes its shortcomings and, on the other hand, suggests specific ways to improve upon them. The scope of this analysis is limited to the provisions having a direct impact on personal data protection, particularly Article 1, paragraphs (8), (9), (10), (11) and (12) pursuant to which Articles 7a, 7b, 8, 9, 10 and 10a are added or amended.

    2.   ANALYSIS OF THE PROPOSAL

    2.1.   General context

    13.

    OLAF was created in 1999 (8) to protect the EU's financial interests and taxpayers’ money against fraud, corruption and any other illegal activity. The Office is attached to the Commission, but it is independent of it. OLAF conducts investigations, which can be external (9) (in particular, investigations which can take place in the Member States or in third countries) and internal (10) (investigations within the EU institutions, bodies, offices and agencies) with the purpose to fight fraud and illegal activity which might harm the financial interests of the European Union.

    14.

    Furthermore, OLAF can also (i) forward to national competent authorities information uncovered during its external investigations; (ii) forward to the national judiciary bodies information found during internal investigations into matters liable to result in criminal proceedings and (iii) forward to the institution, body, office or agency concerned the information obtained during internal investigations (11).

    15.

    OLAF can also closely cooperate with Eurojust (12) and Europol (13) to carry out its statutory duty to fight against fraud, corruption and any other activity which might affect the financial interest of the Union. In this context, Europol (14) and Eurojust (15) can exchange operational, strategic or technical information with OLAF, including personal data.

    16.

    On the basis of Regulation (EC) No 1073/1999, OLAF can also investigate in third countries in accordance with the various cooperation agreements in force between the European Union and these third countries. Fraudulent activities to the detriment of the Union budget may also take place outside the territory of the European Union, for example with respect to foreign aid granted by the European Union to developing countries, candidate countries or other recipient countries, or with regard to violations of customs legislation. In order to effectively detect and tackle these infringements, OLAF thus needs to carry out on-the-spot inspections and checks in third countries as well. To illustrate the importance of international cooperation and, thus, also of data exchange, currently the European Union has more than 50 agreements on mutual administrative assistance in customs matters, including with large trading partners such as China, the United States of America, Japan, Turkey, the Russian Federation and India.

    17.

    The implementation of Regulation (EC) No 45/2001 in the activities of OLAF has been the object of a number of interventions by the EDPS in recent years. In relation to the focus of the Proposal (OLAF investigations), it is worth noting the Opinion of 23 June 2006 on a notification for prior checking on OLAF internal investigations (16); the Opinion of 4 October 2007 on five notifications for prior checking on external investigations (17) and the Opinion of 19 July 2007 on a notification for prior checking on regular monitoring of the implementation of the investigative function (18), which relates to the activities of the Supervisory Committee.

    2.2.   Privacy and impact assessment

    18.

    Neither the Proposal nor the Explanatory memorandum attached to it refers to the impact of the Proposal on the data protection rules. Nor does it refer to a privacy and data protection impact assessment. An explanation of how the impact on data protection has been dealt with would certainly increase the transparency of the overall assessment of the Proposal. The EDPS is surprised that the Explanatory Memorandum completely lacks any chapter on ‘Results of consultations with the interested parties and impact assessments’.

    2.3.   Application of Regulation (EC) No 45/2001

    19.

    As mentioned in the previous Opinion on the 2006 proposal (19), the EDPS welcomes the Proposal's recognition that Regulation (EC) No 45/2001 applies to all data processing activities carried out by OLAF. In particular, the new formulation of Article 8(4) (20) clearly mentions the role of the Regulation in the context of OLAF's various activities. This constitutes an update of the text of Regulation (EC) No 1073/1999, which only mentioned Directive 95/46/EC as a reference for the data protection obligations.

    20.

    The last sentence of Article 8(4) introduces the implementation of the requirement to appoint a data protection officer: ‘The Office shall appoint a Data Protection Officer in accordance with Article 24 of Regulation (EC) No 45/2001’. This insertion, which formalises the actual appointment of the OLAF DPO, is also welcomed by the EDPS.

    21.

    However, the EDPS is concerned that the implementation of the data protection standards in the proposed text is not completely in conformity with the requirements of the Regulation, and this might raise concerns as regards its coherence. This aspect will be analysed in detail below.

    3.   SPECIFIC COMMENTS

    3.1.   OLAF and the respect of fundamental rights, including data protection principles

    22.

    OLAF investigations can have a serious impact on the fundamental rights of individuals. As indicated by the Court of Justice in the Kadi judgment (21), these rights are protected by the Community legal order. More precisely, in the Schecke judgment (22), the Court, by reference to the Charter of Fundamental Rights of the European Union (Charter) (23), and in particular to Articles 8 and 52 thereof, highlights that any limitation to the right to the protection of personal data can be justified only if it is provided by law, if it respects the essence of the right, and if it is subject to proportionality and meets the objectives of general interest of the European Union. The EDPS places great weight on the respect of fundamental rights in the area of activity of OLAF.

    23.

    Recital 13 of the Proposal clarifies that the fundamental rights of the persons concerned by an investigation should be respected at all times, and in particular when information about ongoing investigations is provided. The recital then highlights the need to respect confidentiality of investigations, the legitimate rights of the persons concerned, the national provisions governing judicial proceedings and, ultimately, the Union's legislation on data protection. It is specified that the exchange of information should be governed by the proportionality and need-to-know principles.

    24.

    This recital seems to introduce a limitation to the applicability of fundamental rights both ratione personae (limited to persons concerned by the investigation) and ratione materiae (limited to exchange of information). This could lead to an incorrect interpretation of the text according to which fundamental rights in the area of OLAF's activities would be applied in a ‘restrictive’ way (24).

    25.

    The EDPS therefore suggests modifying the text of the recital in order to avoid possible misinterpretations: the recital mentions that the fundamental rights of ‘persons concerned by an investigation’ should be respected at all times. As OLAF not only deals with persons concerned by an investigation (suspects) but also with informants (persons providing information about the fact of a possible or actual case), whistleblowers (25) (persons within the EU institutions who report to OLAF facts related to a possible or actual case), and witnesses, the provision should more broadly define the categories of ‘persons’ who enjoy the fundamental rights.

    26.

    Furthermore, recital 13 concerns respect for fundamental rights in particular in the context of the ‘exchange of information’. The recital mentions, besides fundamental rights and confidentiality, that ‘Information forwarded or obtained during investigations should be treated in accordance with the Union legislation on data protection’. The location of this sentence might be confusing and it should be placed in a separate recital to clarify that respect for data protection legislation is separate and self-standing and is not only related to exchange of information.

    27.

    The EDPS welcomes the fact that Article 7(a) is specifically dedicated to procedural guarantees during investigations. This new provision is in line with the stated purpose of the Proposal to reinforce the accountability of OLAF. The Article also refers to the Charter, which includes provisions that are relevant in relation to OLAF's investigations, namely Article 8 (Protection of personal data) and the entire Chapter VI (Justice).

    28.

    Article 7(a)(1) of the Proposal requires the Office to seek evidence for and against the person concerned, and recalls the duty to carry out investigations objectively and impartially. These principles have a positive impact on the ‘data quality’ (26) principle established in Article 4 of Regulation (EC) No 45/2001, in as much as the criterion requires the data to be accurate, conform to objective reality and be complete and up-to-date. The EDPS therefore welcomes the insertion of this paragraph.

    Right of information, access and rectification

    29.

    The following paragraphs of Article 7(a) concern the different steps of OLAF's investigations. These steps can be summarised as follows: (i) interviews with witnesses or persons concerned (paragraph 7(a)(2)); (ii) person found to be concerned by the investigations (paragraph 7(a)(3)); (iii) conclusions of the investigation referring to the name of a person (paragraph 7(a)(4)).

    30.

    The EDPS notes that the obligation to provide the information pursuant to Articles 11 and 12 of Regulation (EC) No 45/2001 is mentioned (only) in relation to step (iii) above. The EDPS is pleased that the Proposal has integrated the EDPS’ recommendations provided in his legislative Opinion of 2006 (27).

    31.

    However, such a selective mentioning of the rights of the data subject in relation to a single procedural stage may be interpreted in a way that the same information should not be granted to the data subject (witness or person concerned) when he or she is invited to an interview or when the staff member is informed that he or she may be concerned by the investigation. For reasons of legal certainty, the EDPS therefore suggests that the reference to the relevant articles should be inserted in relation to all of the three situations mentioned in points (i), (ii) and (iii) above. However, once the information related to Article 11 or 12 of Regulation (EC) No 45/2001 has been provided to the data subject, it will not be necessary to provide the same information in the following steps.

    32.

    Furthermore, the text does not introduce any specification as regards the data subjects’ rights of access and rectification of the data pursuant to Articles 13 and 14 of Regulation (EC) No 45/2001. These rights are protected by Article 8(2) of the Charter and therefore have a special prominence among the rights of the data subject. The EDPS had already asked (28) for the insertion of a clearer specification of the rights of access and rectification of the data subject in order to avoid the risk of interpreting the text as introducing a special ‘lower standard’ data protection regime for the persons concerned by OLAF investigations. The EDPS regrets that these aspects are not addressed in the Proposal.

    33.

    The EDPS would also like to point out the possibility to limit the rights of information, access and rectification in specific cases, as provided for by Article 20 of Regulation (EC) No 45/2001. OLAF's compliance with the data protection rules can therefore coexist with the necessity to preserve the confidentiality of its investigations. This aspect will be further developed in the paragraphs below.

    Confidentiality of the investigation and rights of the data subject

    34.

    As a general remark, the EDPS acknowledges that the investigative role of OLAF requires the ability to protect the confidentiality of its investigations with the purpose of effectively tackling the fraud and illicit activities that it is required to pursue. The EDPS however highlights that this ability has an impact on certain rights of data subjects, and that Regulation (EC) No 45/2001 establishes specific conditions under which such rights can be restricted in this context (Article 20).

    35.

    According to Article 20 of Regulation (EC) No 45/2001, the rights provided by Articles 4 (data quality) and 11 to 17 (information to be supplied, right of access, rectification, blocking, erasure, right to obtain notification to third parties) can be restricted so long as this is necessary to safeguard, among others: ‘(a) the prevention, investigation, detection and prosecution of criminal offences’ or ‘(b) economic and financial interests of Member States or of the European Communities’ and ‘(d) a monitoring, inspection […] task connected with the exercise of official authority in cases referred to in points (a) and (b) above’. The same Article provides that the principal reasons why a restriction is imposed should be communicated to the data subject and that the subject should be made aware of the possibility to have recourse to the EDPS (Article 20(3)). Furthermore, Article 20(5) provides that such communication may be deferred for as long as providing the information to the data subject would deprive the restriction imposed of its effect.

    36.

    The text of the Proposal essentially introduces exceptions to the rights of data subjects for reasons of confidentiality of the investigations. Article 7(a)(4) provides that ‘Without prejudice to Articles 4(6) and 6(5)’ (29), no conclusions referring by name to a person concerned may be drawn ‘once the investigation has been completed without that person being given the opportunity to comment on facts concerning him or her in writing or at an interview […] and being provided with the information required by Articles 11 and 12 of Regulation No 45/2001’. The text seems therefore to suggest that, in the cases provided by Articles 4(6) and 6(5), the right to be heard and the right to information of the data subject could be limited.

    37.

    The Proposal further establishes that, if necessary to preserve the confidentiality of the investigations and in cases entailing the use of investigations falling within the remit of a national judicial authority, the Director-General of OLAF may decide to defer the possibility for the person to make her or his view known. The text does not specify whether in this context also the information required by Articles 11 and 12 of Regulation (EC) No 45/2001 should be deferred.

    38.

    The formulation of the text is unclear. First, the connection between the possible limitations of the rights of the person under investigation in relation to conclusions connected to his/her name and the type of information that OLAF should communicate to the relevant EU entity in the actual investigation is far from clear. Second, it is not clear which categories of the rights of the data subject are the object of a potential restriction. Third, the Article fails to insert the necessary safeguard of Article 20(3) of Regulation (EC) No 45/2001.

    39.

    The consequence could be that individuals in some cases could be faced with conclusions on the investigation without having been aware of being subject to the investigation and without receiving any information on the reasons why their rights to be heard and rights of information pursuant to Articles 11 and 12 of Regulation (EC) No 45/2001 have been restricted.

    40.

    If Articles 20(3) and (5) of Regulation (EC) No 45/2001 are respected, such a scenario would not be per se in conflict with the Regulation. However, the absence of a clear reference to the articles of the Regulation in the text does not appear to be consistent with the purpose of the Proposal to reinforce the procedural guarantees in favour of persons concerned by OLAF investigations and to enhance OLAF's accountability.

    41.

    The EDPS therefore suggests that a possible limitation of the right of the data subject within the meaning of Article 20 of Regulation (EC) No 45/2001 should be introduced explicitly. In addition, the procedural safeguards of Article 20(3) should be mentioned in the text, as well as the possible exception of Article 20(5). Such a clear provision would enhance the legal certainty for the data subject and the accountability of OLAF.

    42.

    In conclusion, in order to establish a clear set of rights for the data subject and to introduce possible exceptions due to confidentiality of the investigations compliant with Article 20 of Regulation (EC) No 45/2001, the EDPS suggests that the text should clearly indicate:

    the information to be supplied to the data subject in order to comply with data protection legislation (Articles 11 and 12 of Regulation (EC) No 45/2001) in the context of the various steps of OLAF's investigations (30): (i) interviews (paragraph 7(a)(2)); (ii) provision of information when a person may be concerned by the investigation (paragraph 7(a)(3)) and (iii) at the end of the investigation (paragraph 7(a)(4));

    the type of information that could be deferred by OLAF for reasons of confidentiality of the investigation, establishing clearly the conditions and the categories of data subjects concerned by the deferral;

    the information that should be supplied to the data subject in order to comply with data protection legislation in case the communication pursuant to Article 11 or 12 is deferred or if the rights of access and rectification are limited (namely, the information pursuant to Article 20(3) of Regulation (EC) No 45/2001), including the exception related to the possibility to further defer the information pursuant to Article 20(5) of Regulation (EC) No 45/2001.

    3.2.   Information policy

    43.

    The EDPS highlights that any information on investigations which might be made public by OLAF can involve sensitive personal data, and the necessity of any such publication must be carefully evaluated. The Court of First Instance (now the General Court), in its judgment in the Nikolaou case in 2007 (31), ruled that OLAF had violated Article 8(3) of Regulation (EC) No 1073/1999 (32) and Regulation (EC) No 45/2001 by not properly enforcing its obligation to ensure the protection of personal data in the context of a ‘leak’ (33) and of a publication of a press release (34).

    44.

    Therefore, the EDPS welcomes the introduction of paragraph 8(5) which provides explicitly that the Director-General shall ensure that information to the public is given ‘neutrally, impartially’ and in accordance with the principles set out in Article 8 and in Article 7(a). In the light of the comments made above on Article 7(a) in relation to its restrictive approach to the rules of Regulation (EC) No 45/2001, the EDPS particularly welcomes the reference in paragraph 8(5) to the more general provision of Article 8, which implies that any processing of personal data in the context of information to the public shall be done in conformity with all the principles of Regulation (EC) No 45/2001.

    3.3.   Confidentiality of the identity of whistleblowers and informants

    45.

    The EDPS would like to insist, in the context of the current revision, on the need to introduce a specific provision to guarantee the confidentiality of whistleblowers’ and informants’ identity. The EDPS underlines that the position of whistleblowers is a sensitive one. Persons that provide such information should be guaranteed that their identity is kept confidential, in particular vis-à-vis the person about whom an alleged wrongdoing is being reported (35). The present guarantees (Commission Communication SEC/2004/151/2) do not appear to be sufficient from a legal point of view. The EDPS notes that such provision would be in line with the Opinion of the Article 29 Data Protection Working Party on internal whistleblowing schemes (36).

    46.

    The EDPS recommends amending the current Proposal and ensuring that the identity of whistleblowers and informants is kept confidential during the investigations so long as this does not contravene national rules regulating judicial procedures. In particular, the subject of the allegations might be entitled to know the identity of the whistleblower and/or informant to instigate legal procedures against them if it has been established that they maliciously made false statements about him/her (37).

    3.4.   Transfers of personal data from OLAF

    Cooperation with Eurojust and Europol

    47.

    The EDPS welcomes the specifications made in recital 6 and Article 10(a), and in particular the introduction of the requirement for a clear legal basis governing the cooperation with Eurojust and Europol, which is fully in line with Regulation (EC) No 45/2001. However, the Proposal should be more detailed in order to reflect the different data protection regimes for Eurojust and Europol.

    48.

    To date, OLAF has in place a Practical Agreement with Eurojust (38) which spells out the conditions under which the transfer of personal data can take place. The cooperation between OLAF and Eurojust includes in particular the exchange of case summaries, of case-related strategic and operational information, the participation in meetings and the mutual assistance that may be useful for the efficient and effective fulfilment of their respective tasks. The Practical Agreement (39) mostly defines the modus operandi for the exchange of information, including personal data, and in some cases also highlights or specifies certain elements of the existing legal framework.

    49.

    As regards Europol, such an agreement is not in place with OLAF (40), but the Europol decision permits Europol to directly receive, use and transmit information, including personal data, from, inter alia, OLAF also before the conclusion of a formal exchange agreement as long as this is necessary for the legitimate performance of Europol's and OLAF's tasks (41). The exchange is also subject to the existence of a confidentiality agreement between the two entities. Article 24 of the Europol Decision specifies some safeguards that Europol should observe in relation to any data transfer which takes place before the conclusion of a formal exchange agreement: ‘Europol shall be responsible for the legality of the transmission of data. Europol shall keep a record of all transmissions of data under this Article and of the grounds for such transmissions. Data shall be transmitted only if the recipient gives an undertaking that the data will be used only for the purpose for which they were transmitted’. Article 29 of the same decision also specifies when the responsibility for the data transferred by third parties falls on Europol.

    50.

    The conclusion of a specific agreement with Europol on data transfers is strongly supported by the EDPS, and the fact that so far it has not been concluded reinforces the need for specific guarantees in the text of the Proposal. In view of the different data protection regimes in relation to the transfer of personal data from OLAF to Eurojust and Europol and vice versa, the EDPS believes that the Proposal should address more clearly the necessary guarantees and standards which should govern the cooperation between OLAF and those bodies and be taken into account in the current and future working arrangements between them.

    51.

    In order to reinforce the need for the conclusion of an administrative arrangement, the provision of Article 10(a)(2) should be changed to read ‘The Office shall agree on administrative arrangements […]’. This way, it would mirror the similar provision of the Europol decision (42), which establishes that Europol shall conclude agreements or working arrangements with other Union institutions, bodies and agencies. Furthermore, the Proposal could clarify in Article 10(a) that, as a general principle, the exchange of personal data with Eurojust and Europol should be limited to and should not exceed what is necessary for the legitimate performance of the tasks entrusted to OLAF, Europol and Eurojust. The Proposal should also introduce the obligation for OLAF to keep a record of all transmissions of data and the grounds of such transmissions, in order to reinforce the accountability of OLAF as to the implementation of the obligations imposed by Regulation (EC) No 45/2001 on transfers of personal data.

    Cooperation with third countries and international organisations

    52.

    Paragraph 3 of Article 10(a) mentions that ‘The Office may [also] agree, as appropriate, on administrative arrangements with competent services in third countries and international organisations. The Office shall coordinate with the Commission services concerned and the European External Action Service’.

    53.

    The EDPS welcomes the fact that the cooperation of OLAF with third countries and international organisations is connected to the conclusion of administrative arrangements. However, the data protection implications resulting from the possible exchange of data with third countries and international organisations should be more specifically addressed in the Proposal.

    54.

    The Proposal should be more precise on the specific requirements and conditions for possible transfers of data from and to third countries and organisations. The EDPS advises that the text of Article 10(a)(3) should include also the following wording: ‘To the extent that cooperation with international organisations and third countries entails the transfer of personal data from OLAF to other entities, any such transfer should take place according to the criteria of Article 9 of Regulation (EC) No 45/2001’.

    Access by Supervisory Committee to personal data

    55.

    The EDPS welcomes the wording of Article 11 of the Proposal according to which ‘The Supervisory Committee may ask the Office for additional information on investigations in duly justified situations, without however interfering with the conduct of investigations’, since such wording expresses the principle of necessity in relation to any possible transfer of personal data from OLAF to the Supervisory Committee.

    56.

    The issue of access of the Supervisory Committee to personal data of persons implicated or possibly implicated in investigations should also be clarified in the context of the rules of procedure to be adopted by the Committee on the basis of the new Article 11 paragraph 6. The EDPS would appreciate being involved in the process that would lead to the adoption of the rules of procedure of the Supervisory Committee. The consultation of the EDPS could also be inserted in the text of the Proposal as a requirement for the adoption of the rules of procedure.

    4.   STRATEGIC PLANNING

    57.

    Besides all the specific points mentioned above, the EDPS would like to encourage the Commission to propose a more open approach to the EU data protection regime by OLAF. It would be the right moment for OLAF to develop a strategic planning of its data protection compliance by voluntarily clarifying the practical approach to the treatment of its numerous files containing personal data. OLAF could proactively and publicly explain how it treats personal data in its various activities. The EDPS believes that such a global and explicit approach would result in enhanced transparency of OLAF's treatment of personal data and in an ameliorated user friendliness of its investigative processes.

    58.

    Therefore, the EDPS suggests that the provisions of the Proposal give the Director General the task of ensuring that a comprehensive overview of all different processing operations of OLAF is carried out and kept up to date, or that at least this is explained in a recital. Such an overview, the results of which should be transparent through, for example, an annual report or through other options, would not only enhance the effectiveness of the different activities of OLAF and their interaction, but also encourage OLAF to take a more global approach on the necessity and proportionality of processing operations. It would also be helpful to OLAF to better demonstrate that it properly implements privacy by design and accountability principles.

    5.   CONCLUSION

    59.

    In conclusion the EDPS welcomes those modifications introduced in the text which enhance the compliance of the Proposal with the EU data protection regime.

    60.

    However, the EDPS would also like to highlight a number of shortcomings that should be addressed by the modification of the text, and most importantly:

    the Proposal should clearly mention the right to information of the different categories of data subjects, as well as the right of access and rectification in relation to all the phases of the investigations carried out by OLAF;

    the Proposal should clarify the relationship between the need for confidentiality of the investigations and the data protection regime applicable during the investigations: the EDPS suggests that the rights of the data subjects should be clearly defined and separated as well as possible exceptions due to confidentiality requirements, and that the safeguards provided for by Article 20 of Regulation (EC) No 45/2001 should be explicitly introduced;

    the Proposal should clarify OLAF's information policy to the public in relation to data protection;

    the Proposal should introduce specific provisions for the confidentiality of whistleblowers and informants;

    the Proposal should clarify the general data protection principles on the basis of which OLAF can transmit and receive information, including personal data, with other EU bodies and agencies, third countries and international organisations;

    the provisions of the Proposal should give the Director-General the task of ensuring that a strategic and comprehensive overview of the different processing operations of OLAF is carried out, kept up to date and made transparent, or at least that the need for this should be explained in a recital.

    Done at Brussels, 1 June 2011.

    Giovanni BUTTARELLI

    Assistant European Data Protection Supervisor


    (1)  OJ L 281, 23.11.1995, p. 31.

    (2)  OJ L 8, 12.1.2001, p. 1.

    (3)  In January 2011.

    (4)  Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 1073/1999 concerning investigations conducted by the European Anti-Fraud Office (OLAF), OJ C 91, 26.4.2007, p. 1.

    (5)  European Parliament legislative resolution of 20 November 2008 on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EC) No 1073/1999 concerning investigations conducted by the European Anti-Fraud Office (OLAF), P6_TA-PROV(2008) 553.

    (6)  That is, OLAF should define and focus on its investigative priorities in order to efficiently use its resources.

    (7)  See the Proposal, new Article 7(a) and 8(4).

    (8)  Commission Decision 1999/352/EC of 28 April 1999 establishing the European Anti-Fraud Office (OLAF), OJ L 136, 31.5.1999, p. 20. See also Regulation (EC) No 1073/1999 of the European Parliament and the Council of 25 May 1999 concerning investigation conducted by the European Anti-Fraud Office (OLAF), OJ L 136, 31.5.1999, p. 1.

    (9)  See Article 3, Regulation (EC) No 1073/1999.

    (10)  See Article 1 and 4, Regulation (EC) No 1073/1999.

    (11)  See Article 10, Regulation (EC) No 1073/1999.

    (12)  Eurojust was set up by Council Decision 2002/187/JHA (subsequently amended by Council Decision 2003/659/JHA, and Council Decision 2009/426/JHA of 16 December 2008 on the strengthening of Eurojust) as a body of the European Union with legal personality to stimulate and to improve coordination and cooperation between competent judicial authorities of the Member States. In particular, Article 26.4 of such decision established that ‘OLAF may contribute to Eurojust's work to coordinate investigations and prosecution procedures regarding the protection of the financial interests of the Communities, either on the initiative of Eurojust or at the request of OLAF where the competent national authorities concerned do not oppose such participation’. In 2008, Eurojust and OLAF concluded an administrative agreement (Practical agreement on arrangements of cooperation between Eurojust and OLAF of 24 September 2008) which is aimed at enhancing the cooperation between the two entities and includes specific provision on the transfer of personal data.

    (13)  Europol is the European Law Enforcement Agency which aims at improving the effectiveness and cooperation of the competent authorities in the Member States in preventing and combating terrorism, unlawful drug trafficking and other serious forms of organised crime. Article 22 of Council Decision of 6 April 2009 establishing the European Police Office (Europol) (2009/371/JHA) provides that ‘In so far as it is relevant to the performance of its tasks, Europol may establish and maintain cooperative relations with […] OLAF’. The article also provides that Europol can, before the entry into force of agreements or working arrangements with the various EU entities with which Europol is called to cooperate, ‘directly receive and use information, including personal data from the entities […] in so far as that is necessary for the legitimate performance of its tasks, and it may […] directly transmit information, including personal data, to such entities, in so far as that is necessary for the legitimate performance of the recipient’s task.’.

    (14)  See Article 22 of Council Decision of 6 April 2009 establishing the European Police Office (Europol) (2009/371/JHA), OJ L 121, 15.5.2009, p. 37.

    (15)  See Article 1(26) of Council Decision 2009/426/JHA of 16 December 2008 on the strengthening of Eurojust and amending Decision 2002/187/JHA.

    (16)  Case 2005-418 (http://www.edps.europa.eu).

    (17)  Cases 2007-47, 2007-48, 2007-49, 2007-50, 2007-72 (http://www.edps.europa.eu).

    (18)  Case 2007-73 (http://www.edps.europa.eu).

    (19)  EDPS Opinion on the Proposal for a Regulation of the European Parliament and the Council amending Regulation (EC) No 1073/1999 concerning investigations conducted by the European Anti-Fraud Office (OLAF), OJ C 91, 26.4.2007, p. 1.

    (20)  ‘The Office shall process only such personal data as necessary to fulfil its tasks under this Regulation. Such processing of personal data shall be done in conformity with Regulation (EC) No 45/2001, including the provision of relevant information to the data subject required by Articles 11 and 12 of that Regulation. Such information may not be communicated to persons other than those within the institutions of the Union or in the Member States whose functions require them to know, nor may it be used for purposes other than to prevent fraud, corruption or any other illegal activity. (…)’.

    (21)  Judgment of 3 September 2008 in joined Cases C-402/05 P and C-415/05 P, Kadi v Council of the European Union and Commission of the European Communities, para 283: ‘[…] fundamental rights form an integral part of the general principles of law whose observance the Court ensures. For that purpose, the Court draws inspiration from the constitutional traditions common to the Member States and from the guidelines supplied by international instruments for the protection of human rights on which the Member States have collaborated or to which they are signatories. In that regard, the ECHR has special significance.’ See also paragraph 304.

    (22)  Judgment of 9 November 2010 in joined cases C-92/09 and C-93/09, Volker und Markus Schecke, paragraph 44 et seq.

    (23)  After the entry into force of the Lisbon Treaty, the ECHR is applicable to all areas of activity of the European Union.

    (24)  See also paragraph 36 below.

    (25)  See Opinion on a notification for prior-checking received from the Data Protection Officer of the European Anti-Fraud Office (OLAF) on OLAF internal investigations, 23 June 2006, Case 2005/0418 (http://www.edps.europa.eu).

    (26)  See footnote 25.

    (27)  Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 1073/1999 concerning investigations conducted by the European Anti-Fraud Office (OLAF), OJ C 91, 26.4.2007, p. 1, paragraph 14 et seq.

    (28)  In its Opinion of 2006, see footnote 19 above.

    (29)  Article 4(6) — ‘Internal investigation’ — reads as follows: ‘Where investigations reveal that a member or staff member may be concerned by an internal investigation, the institution, body, office or agency to which he belongs shall be informed. In exceptional cases where the confidentiality of the investigation cannot be ensured, the Office shall use appropriate alternative channels of information’. Article 6(5) — ‘Investigations procedure’ — reads as follows: ‘Where investigations show that it might be appropriate to take precautionary administrative measures to protect the financial interests of the Union, the Office shall, without undue delay, inform the institution, body, office or agency concerned of the investigation in progress. The information supplied shall include the following: (a) the identity of any member or staff member concerned and a summary of the facts in question; (b) any information that may assist the institution, body, office or agency in deciding whether it is appropriate to take precautionary administrative measures in order to protect the financial interests of the Union; (c) any special measures of confidentiality recommended in particular in cases entailing the use of investigative measures falling under the competence of a national judicial authority or, in the case of an external investigation, under the competence of a national authority, in accordance with the national provisions applicable to investigations. […]’, emphasis added.

    (30)  As mentioned above, once the information has been provided to the data subject, it would not be necessary to repeat the same information in the following steps.

    (31)  Case T-259/03, Nikolaou v Commission, 12 July 2007, OJ C 247, 20.10.2007, p. 23.

    (32)  The article specifically refers to data protection law.

    (33)  Nikolaou, paragraph 213.

    (34)  Nikolaou, paragraph 232.

    (35)  The importance of keeping the identity of the whistleblower confidential has already been underlined by the EDPS in a letter to the European Ombudsman of 30 July 2010 in Case 2010-0458, to be found on the EDPS website (http://www.edps.europa.eu). See also EDPS prior check Opinions of 23 June 2006, on OLAF internal investigations (Case 2005-0418), and of 4 October 2007 regarding OLAF external investigations (Cases 2007-47, 2007-48, 2007-49, 2007-50, 2007-72).

    (36)  See Opinion 1/2006 of the Article 29 Working Party of 1 February 2006 on the application of EU data protection rules to internal whistle blowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime (http://ec.europa.eu/justice/policies/privacy/workinggroup/index_en.htm).

    (37)  See opinion on financial rules applicable to the annual budget of the Union 15 April 2011 (http://www.edps.europa.eu).

    (38)  Practical agreement on arrangements of cooperation between Eurojust and OLAF of 24 September 2008: see footnote above.

    (39)  Eurojust-OLAF Practical agreement, point 4.1.

    (40)  The Administrative Arrangement of 8 April 2004 is restricted to the exchange of strategic information and expressly excludes the exchange of personal data, leaving the issue to a further agreement between Europol and OLAF.

    (41)  Europol decision, Article 22.3, footnote 14 above.

    (42)  Europol decision, Article 22.2, see footnote 14 above: ‘Europol shall conclude agreements or working arrangements with the entities referred to in paragraph 1’ (namely, Eurojust, OLAF, Frontex, CEPOL, the ECB and the EMCDDA).

