13.12.2011   

EN

Official Journal of the European Union

C 363/1

1.

On 24 May 2011, the Commission adopted a proposal for a regulation of the European Parliament and of the Council concerning customs enforcement of intellectual property rights (hereinafter ‘the proposal’).

2.

The proposal was sent by the Commission to the EDPS on 27 May 2011. The EDPS understands this communication as a request to advise Community institutions and bodies, as foreseen in Article 28(2) of Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (hereinafter ‘Regulation (EC) No 45/2001’). Previously (3), before the adoption of the proposal, the EDPS was given the possibility by the Commission to provide informal comments. The EDPS is pleased with the process, which has helped to improve the text from a data protection point of view at an early stage. Some of those comments have been taken into account in the proposal. The EDPS welcomes the reference to the present consultation in the preamble of the proposal.

3.

The EDPS nevertheless would like to highlight some elements which could still be ameliorated in the text from a data protection perspective.

4.

The proposal sets out the conditions and procedures for action by customs authorities where goods suspected of having infringed an intellectual property right are or should have been subject to customs supervision within the territory of the European Union. It is meant to bring improvements to the legal framework established by Regulation (EC) No 1383/2003 (4), which it will replace.

5.

In particular, it establishes the procedure through which right holders can apply to require the customs department of a Member State to take action in that Member State (‘national application’) or the customs departments of more than one Member State to take action in each and respective Member State (‘EU application’). In this context, to ‘take action’ means to suspend the release of the goods or to organise their detention by the customs authorities. It also establishes the process through which the relevant customs departments take a decision on the application, the actions that the customs authorities (or offices) (5) should consequently take (i.e. suspension of the release, detention or destruction of goods) and the connected rights and obligations.

6.

In this context, processing of personal data takes place in various ways: when the right holder submits its application to the customs authority (6) (Article 6); when the application is transmitted to the Commission (Article 31); when the customs authorities' decision is transmitted to the different competent customs offices (Article 13(1)) and, in case of EU application, to the other Member States' customs authorities (Article 13(2)).

7.

The processing of data provided by the draft regulation does not only cover the personal data of the holder of the right in the context of the transfer of applications and decisions from right holders to custom authorities, between the Member States and between Member States and the Commission. For instance, according to Article 18(3), the customs authorities shall, upon request of the holder of the decision, provide him the names and addresses of the consignor, consignee, the declarant or holder of the goods (7) as well as other information related to the goods. In this case, therefore, personal data about other data subjects (consignor, consignee and holder of the goods can be natural or legal persons) are processed and, upon request, transmitted by the national customs authority to the right holder.

8.

Although not explicitly indicated in the text of the proposal, when looking at the currently applicable Implementing Commission Regulation (EC) No 1891/2004 (8) — which includes the standard application form to be used by right holders — it appears that the procedures established with the proposal would also include processing of data on suspected violations of IP rights by certain individuals or entities (9). The EDPS highlights that data on suspected offences are considered sensitive data which require special safeguards for processing (Article 8(5) of Directive 95/46/EC and 10(5) of Regulation (EC) No 45/2001).

9.

Furthermore, the Commission is in charge of storing the right holders' applications for action in a central database (which should be named ‘COPIS’), which is still in its preparatory phase. COPIS would be a centralised information exchange platform for customs operations regarding all IPRs infringing goods. All exchanges of data on decisions, accompanying documents and notifications between customs authorities of the Member States shall take place through COPIS (Article 31(3)).

10.

The EDPS welcomes the fact that the draft regulation explicitly mentions (Article 32; recital 21) in an article of general application the necessity of compliance of processing of personal data by the Commission with Regulation (EC) No 45/2001 and by the competent authorities of the Member States with Directive 95/46/EC.

11.

This provision also explicitly recognises the supervisory role of the EDPS in relation to the Commission's processing under Regulation (EC) No 45/2001. The EDPS would like to highlight the wrong reference in Article 32 ‘[…] and under the supervision of the independent authority of the Member State referred to in Article 28 of this Directive’: the text should refer to Article 28 of Directive 95/46/EC.

12.

According to the proposal, the Commission is empowered to adopt implementing acts to define the form of the application by the right holders (Article 6(3)) (10). However, the article already contains a list of required information to be provided by the applicant, including the applicant's personal data. In determining the essential content of the application, Article 6(3) should also require the customs authorities to provide to the applicant and any other potential data subject (e.g. consignor, consignee or holder of the goods) with the information pursuant to the national rules implementing Article 10 of Directive 95/46/EC. In parallel, the application should also embody the similar information to be provided to the data subject for processing by the Commission pursuant to Article 11 of Regulation (EC) No 45/2001 (in view of the storing and processing operations in COPIS).

13.

The EDPS therefore recommends that Article 6(3) includes in the list of information to be provided to the applicant also the information to be provided the data subject pursuant to Article 10 of Directive 95/46/EC and Article 11 of Regulation (EC) No 45/2001.

14.

In addition, the EDPS asks to be consulted when the Commission exercises its implementing power, in order to ensure that the new model (national or EU) application forms are ‘data protection compliant’.

15.

The EDPS welcomes the fact that Article 6(3)(l) introduces a requirement for applicants to forward and update any information available in order to enable customs authorities to analyse and assess the risk of infringement of intellectual property rights. This requirement constitutes an implementation of one of the principles of data quality, according to which personal data should be ‘accurate and, when necessary, kept up to date’ (Directive 95/46/EC, Article 6(d)). The EDPS also welcomes the fact that the same principle is implemented in Article 11(3), which requires the ‘holder of the decision’ to inform the competent customs departments that took the decision about any change of the information submitted in the application.

16.

Articles 10 and 11 concern the period of validity of the decisions. A decision of the customs authorities has a limited period of validity within which the customs authorities are to take action. Such period can be extended. The EDPS would like to stress that the application submitted by the right holder (and in particular, the personal data therein) should not be stored or retained by the national customs authorities and in the COPIS database beyond the date of expiry of the decision. Such principle derives from Article 4(1)(e) of Regulation (EC) No 45/2001 and from its correspondent Article 6(1)(e) of Directive 95/46/EC (11).

17.

The current Implementing Regulation (12) establishes (Article 3(3)) that the application forms are to be retained by the customs authorities ‘for at least one year longer than its legal period of validity’. This provision does not seem to be entirely consistent with the principles indicated above.

18.

The EDPS therefore suggests inserting a provision in the proposal which imposes a limit to the retention of personal data linked to the duration of the period of validity of the decisions. Any extension of the duration of the retention date should be avoided or, if justified, should fulfil the principles of necessity and proportionality in relation to the purpose, which needs to be clarified. Including a provision in the proposal, which would be equally applicable throughout the Member States and to the Commission, would guarantee simplification, legal certainty and effectiveness, as it would avoid conflicting interpretations.

19.

The EDPS welcomes the fact that Article 19 (Permitted use of the information by the holder of the decision) clearly recalls the purpose limitation principle in that it limits how a holder of the decision can use — inter alia — the personal data of the consignor and consignee which the customs authorities have provided him pursuant to Article 18(3) (13). The data can only be used to initiate a procedure to establish the possible infringement of intellectual property rights of the decision holder or to seek compensation in case of destruction of the goods pursuant to the procedure provided by the draft regulation, and according to the law of the Member State where the goods are found. Considering that the data can also include information on suspected offences, such limitation is a safeguard against misuse of those sensitive data. This provision is also reinforced by Article 15, which provides for administrative measures against the right holder in case of misuse of the information beyond the purposes indicated in Article 19. The combination of these two articles shows a specific attention of the Commission towards the purpose limitation principle.

20.

The proposal (Article 31(3)) mentions that all applications for action, decisions granting applications, decisions extending the period of validity of decisions and suspending a decision granting the application, also including personal data, shall be stored in a central database of the Commission (COPIS).

21.

COPIS would therefore be a new database essentially aimed at substituting the exchanges of the relevant documents between Member States' customs authorities with a digital repository and transfer system. The Commission, and in particular DG TAXUD, will be managing it.

22.

So far, the legal basis for the exchange of information between the Member States and the Commission has been Regulation (EC) No 1383/2003 (14) and Implementing Commission Regulation (EC) No 1891/2004 (15). As regards Regulation (EC) No 1383/2003, Article 5 allows for lodging of applications to Member States electronically, but does not mention a centralised database. Article 22 mentions that the Member States shall forward the relevant information ‘on the application of this Regulation’ to the Commission and the Commission shall forward this information to the other Member States. As regards the Implementing Regulation, recital 9 establishes that procedures must be laid down for the exchange of information between Member States and the Commission for the latter to be able to monitor and report on the application of the Regulation. Article 8 clarifies that the Member States shall send periodically to the Commission a list of all the written applications and subsequent actions taken by the customs authorities, including personal data of the rightholders, type of rights and products concerned.

23.

The new text of the proposal (Article 6(4)) requires — when defining the content of the application form — that, when computerised or electronic systems are available, applications be submitted electronically. Furthermore, Article 31 says that applications to the national customs authorities shall be notified to the Commission, which shall ‘store them in a central database’. The legal basis for the creation of the COPIS database seems therefore to be limited to the combined provisions of the new Articles 6(4) and 31.

24.

On this legal basis the Commission is elaborating the structure and content of COPIS. However, there is at this stage no further detailed legal provision adopted through the ordinary legislative procedure in which the purpose and characteristics of COPIS are determined. This is particularly worrying in the EDPS' view. Personal data of individuals (names, addresses and other contact details as well as related information on suspected offences) will be the object of an intense exchange between the Commission and the Member States and will be stored for an undefined period of time within the database, yet there is no legal text on the basis of which an individual could verify the legality of such processing. Furthermore, the specific access rights and management rights in relation to the various processing operations are not explicitly clarified.

25.

As highlighted by the EDPS in previous occasions (16), the legal basis for instruments which restrict the fundamental right to the protection of personal data, as recognised by Article 8 of the Charter of Fundamental Rights of the Union and in the case law on the basis of Article 8 of the European Convention on Human Rights, and which is recognised by Article 16 of the TFEU, must be laid down in a legal instrument based on the Treaties and that can be invoked before a judge. This is necessary in order to guarantee legal certainty for the data subject, who must be able to rely on clear rules and invoke them before a court.

26.

The EDPS therefore urges the Commission to clarify the legal basis of the COPIS database by introducing a more detailed provision in an instrument adopted according to the ordinary legislative procedure under the TFEU. Such provision must comply with the requirements of Regulation (EC) No 45/2001 and, where applicable, Directive 95/46/EC. In particular, the provision establishing the database involving the electronic exchange mechanism must: (i) identify the purpose of the processing operations and establish which are the compatible uses; (ii) identify which entities (customs authorities, Commission) will have access to which data stored in the database and will have the possibility to modify the data; (iii) ensure the right of access and information for all the data subjects whose personal data may be stored and exchanged; (iv) define and limit the retention period for the personal data to the minimum necessary for the performance of such purpose. Furthermore, the EDPS highlights that also the following elements of the database should be defined in the main legislative act: the entity which will be controlling and managing the database and the entity in charge of ensuring the security of the processing of the data contained in the database.

27.

The EDPS suggests that the proposal itself includes a new article in which these main elements are clearly established. Alternatively, the text of the proposal should insert a provision envisaging the adoption of a separate legislative act according to the ordinary legislative procedure, for which the Commission should be requested to present a proposal.

28.

In any case, the implementing measures to be adopted should specify in detail the functional and technical characteristics of the database.

29.

In addition, although the proposal does not envisage at this stage any interoperability with other databases managed by the Commission or other authorities, the EDPS stresses that introducing any type of such interoperability or exchange must first and foremost comply with the purpose limitation principle: data should be used for the purpose for which the database has been established, and no further exchange or interconnection can be allowed outside this purpose. It must in addition be supported by a dedicated legal basis which has to find its basis on the EU Treaties.

30.

The EDPS is keen to be involved in the process that will lead to the final establishment of this database, with a view to support and advice the Commission in devising an appropriate ‘data protection compliant’ system. He therefore encourages the Commission to include a consultation of the EDPS in the ongoing preparatory phase.

31.

Last, the EDPS draws attention to the fact that, given that the establishment of the database would involve the processing of special categories of data (on suspected offences), such processing might be subject to prior checking by the EDPS pursuant to Article 27(2)(a) of Regulation (EC) No 45/2001.

32.

The EDPS welcomes the specific reference in the proposal to the applicability of Directive 95/46/EC and Regulation (EC) No 45/2001 to the personal data processing activities covered by the Regulation.

33.

The EDPS would like to highlight the following points with a view to ameliorate the text from a data protection perspective: