23.12.2011   

EN

Official Journal of the European Union

C 377/5

1.

On 31 March 2011, the Commission adopted a proposal for a directive of the European Parliament and of the Council on credit agreements relating to residential property (hereinafter ‘the proposal’).

2.

The proposal was sent by the Commission to the EDPS on 31 March 2011. The EDPS understands this communication as a request to advise Community institutions and bodies, as foreseen in Article 28(2) of Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (hereinafter ‘Regulation (EC) No 45/2001’). Previously (3), before the adoption of the proposal, the EDPS was given the possibility by the Commission to provide informal comments. The EDPS welcomes the openness of the process, which has helped to improve the text from a data protection point of view at an early stage. Some of those comments have been taken into account in the proposal. The EDPS welcomes the reference to the present consultation in the preamble of the proposal.

3.

Responsible lending is defined by the proposal as the care taken by creditors and intermediaries to lend amounts that consumers can afford and meet their needs and circumstances. The concept of responsible borrowing entails that consumers should provide relevant, complete and accurate information on their financial situation and are encouraged to make informed and sustainable decisions.

4.

The proposal lists a range of factors that drive the decision to grant a particular mortgage credit, the borrower’s choice of mortgage product and the borrower’s ability to repay the loan. These include the economic climate, information asymmetries and conflicts of interest, regulatory gaps and inconsistencies, as well as other factors such as a borrowers’ financial literacy and mortgage financing structures. In the proposal's perspective, irresponsible behaviour by certain market actors was at the source of the financial crisis, therefore irresponsible lending and borrowing are the objectives to be addressed by the legislative inititative in order to avoid a repetition of the financial crisis.

5.

The proposal therefore introduces prudential and supervisory requirements for lenders and obligations and rights for borrowers in order to establish a clear legal framework which should guarantee the EU mortgage market from the disruptive effects experienced during the financial crisis.

6.

The proposal involves a limited number of activities, which have relevance under the EU data protection regime. These are mainly related to the consultation by creditors and credit intermediaries of the so-called ‘credit database’ with the purpose of assessing the creditworthiness of consumers and to the release of information by the consumers to the creditors or credit intermediaries.

7.

The EDPS is pleased to note that important references to the relevant data protection rules have been included in the current text of the proposal. However, he would like to point towards the need for a few clarifications. On the one hand, the proposal should not introduce too detailed provisions on the respect of the data protection principles, which is guaranteed by the applicability to any of the processing operations of the national laws implementing Directive 95/46/EC. On the other hand, the EDPS suggests some improvements in the text with the aim of clarifying it and with the purpose of avoiding that criteria determining the access rights to the credit database are mandated to delegated legislation.

8.

The EDPS is pleased to note that the proposal has introduced the reference to directive 95/46/EC in the preamble to the text of the directive. Recital 30 introduces the general application of Directive 95/46/EC to the data processing activities carried out within the context of the assessment of consumers' creditworthiness.

9.

However, in order to reflect the fact that any data processing operation must be carried out in accordance with the implementing rules and that the various national laws implementing such directive are the appropriate references, the proposal could introduce a general article as the following: ‘Any processing of personal data performed pursuant to this directive shall be carried out in conformity with the relevant national laws implementing Directive 95/46/EC’. By introducing such an article, the specific references to the Directive in Articles 15(3) and 16(4) could be removed.

10.

Article 14 of the proposal introduces an obligation for creditors to carry out a thorough assessment of the creditworthiness of consumers. This assessment should be based on certain criteria, such as the consumer's income, savings, debts and other financial commitments. This obligation could have a significant impact on the privacy of individuals seeking credit, as the type and amount of information that could be accessed to by the creditor is potentially very large. Therefore, the EDPS welcomes the introduction of specifications in the text as regards the limitation of the creditor's search to the ‘necessary’ information obtained by the creditor. The Article establishes in general terms that this information can only be obtained from ‘internal relevant or external sources’. The EDPS welcomes the explicit reference to the principles of necessity and proportionality enshrined in Article 6 of Directive 95/46/EC, but would however suggest specifying in a more detailed way, to the extent possible, which are the sources from which the information can be obtained.

11.

The credit database is mentioned first in recital 27, where its usefulness is highlighted in the context of the assessment of creditworthiness and during the lifetime of the loan. The recital also specifies that, pursuant to Directive 95/46/EC, consumers should be informed about the consultation of the database, and should have the right to access, rectify, block or erase the data contained in the database. Article 14 introduces specific obligations on the creditor regarding a possible rejection of the credit request, in particular when connected with the consultation of the ‘credit database’.

12.

More general provisions establishing the ‘database access’ criteria are contained in Article 16. Article 16 is formulated in a very broad manner (‘Each Member State shall ensure non-discriminatory access for all creditors to databases used in that Member State for assessing […] creditworthiness […] and for monitoring consumers' compliance with the credit obligations […]’). The text does not specify whether the databases should be specifically designed for such creditworthiness checks, who is responsible for the database, what kind of information might be contained in the database, what the ‘monitoring’ of consumer compliance entails, etc. The EDPS understands that credit databases have different structures and are established in different legal frameworks across the various Member States and that a full harmonisation of the abovementioned criteria would go beyond the scope of the directive. The aim of the proposal would be however to introduce harmonised conditions of access to the database so that, for example, a creditor in Belgium could access the credit history of a consumer in Italy (even though the Belgian and the Italian databases might be different) at the same conditions as Italian creditors, if the consumer is asking for a mortgage in Belgium. The details of the criteria for harmonised access shall be further specified in delegated acts of the Commission (see Article 16(2)). The EDPS also notes the reference to Directive 95/46/EC in Article 16(4) (4).

13.

The EDPS has already expressed the view that measures which have a substantive impact on the privacy of citizens should not be dealt with in delegated legislation. Certainly details can be elaborated in such legislation. The main implications for the citizens should however be clear and agreed upon in the legislation adopted on the basis of the ordinary legislative procedure. From a data protection perspective, the EDPS is particularly concerned about the apparent contradiction between the generalised possibility of consultation by (a not yet identifiable number of) credit operators to the database under Article 16 and the ‘light’ obligation inserted only in recital 27, namely that ‘consumers […] should be informed about the consultation of the database’ and ‘should have access to the information […] rectify, erase or block the personal data concerning them […]’. In the EDPS' view, the concrete possibility to exercise the data subject's rights pursuant to Directive 95/46/EC is connected to the possibility to identify the possible recipients of the personal data contained in the credit database. The effectiveness of the reference to the rights contained in Directive 95/46/EC could be therefore neutralised by the impossibility for the data subject to clearly and pre-emptively identify the natural or legal persons who can have access to the database.

14.

The EDPS therefore suggests some modifications to the text of the directive with the purpose of addressing the shortcomings identified above. Any (5) access to the database should be subject to the following conditions, which should be introduced in the text of Article 16: (i) definition of the criteria on the basis of which creditors or credit intermediaries can have access to the database and, in particular, clarification of whether only creditors or credit intermediaries who concluded a contract with a consumer or are required by the consumer to take steps to conclude a contractual relationship with him (6) can have access to his or her data; (ii) obligation to communicate in advance to the consumer that a certain creditor or credit intermediary has the intention to access his or her personal data in the database; (iii) obligation to contemporaneously communicate to the consumer of his or her rights to access, rectify, block or erase the data contained in the database pursuant to the principles of Directive 95/46/EC.

15.

As a result of the introduction in the text of such general criteria and obligations, the specific provision of Article 14(2)(c) and recital 29 related to the obligation to communicate to the consumer the access to the database in case of rejection of the credit request could be removed from the text.

16.

The EDPS welcomes the specific reference in the proposal to Directive 95/46/EC. However, he suggests some minor modifications in the text in order to clarify the applicability of the data protection principles to the processing operations covered by the proposal. In particular: