9.2.2012   

EN

Official Journal of the European Union

C 35/1

1.

On 12 October 2011, the Commission adopted the following proposals (hereinafter: the proposals) on the common agricultural policy (hereinafter: ‘CAP’) after 2013, that were sent to the EDPS for consultation on the same day:

2.

The EDPS welcomes the fact that he is formally consulted by the Commission and that a reference to the present Opinion is included in the proposed preambles of the direct payments regulation, the Single CMO regulation, the rural development regulation and the horizontal regulation.

3.

The Proposals aim at providing a framework for (1) viable food production, (2) sustainable management of natural resources and climate action, and (3) balanced territorial development. To this end, they establish several support schemes for farmers as well as other measures to stimulate agricultural and rural development.

4.

In the course of these programmes, personal data — mainly relating to aid beneficiaries but also to third parties — are processed at various stages (processing of aid applications, ensuring the transparency of payments, control and fight against fraud, etc.) While the bulk of the processing is carried out by and under the responsibility of the Member States, the Commission is able to access most of these data. Beneficiaries and in some instances third parties (-e.g. for the purpose of fraud checks — have to provide information to the designated competent authorities.)

5.

The relevance of data protection in the context of the CAP has been brought to light by the Court of Justice in its Schecke ruling, annulling EU legislation on the publication of names of beneficiaries of agricultural funds (10). The EDPS is aware that in this case, data protection aspects are not at the core of the proposals. However, insofar as the proposals relate to the processing of personal data, there are pertinent comments to be made.

6.

The goal of this Opinion is not to analyse the whole set of proposals, but to offer input and guidance for designing the processing of personal data necessary for the administration of the CAP in a way that respects the fundamental rights to privacy and data protection and, at the same time, ensures an effective administration of aid, the prevention and investigation of fraud and that spending is transparent and accountable.

7.

To this end, the present Opinion is structured in two parts: a first, more general part includes analysis and recommendations relevant for most of the proposals. This mostly refers to comments on delegated and implementing powers for the Commission. A second part then discusses specific provisions contained in several of the proposals (11) and gives recommendations to address the issues identified therein.

8.

As mentioned, most processing operations are carried out by the Member States. However, the Commission can have access to personal data in many cases. Therefore, the EDPS welcomes that references to the applicability of Directive 95/46/EC and Regulation (EC) No 45/2001 are included in the preambles of the relevant proposals (12).

9.

In general, it is observed that many questions central to data protection are not included in the present proposals, but will be regulated by implementing or delegated acts. This applies, for example, to measures to be adopted regarding the monitoring of aid, the establishment of IT systems, transfers of information to third countries and on-the-spot checks (13).

10.

Article 290 TFEU sets out the conditions for the exercise of delegated powers by the Commission. It may be given the power ‘to supplement or amend certain non-essential elements of the legislative act.’ Also, the ‘objectives, content, scope and duration of the delegation’ shall be explicitly defined. Regarding implementing powers, Article 291 TFEU establishes that these may be granted to the Commission when ‘uniform conditions for implementing legally binding Union acts are needed’. Appropriate scrutiny by the Member States shall be ensured.

11.

The EDPS considers that the central aspects of the processing envisaged in the proposals and the necessary data protection safeguards cannot be regarded as ‘non-essential elements’. Therefore, at least the following elements should already be regulated in the main legislative texts in order to increase legal certainty (14):

12.

Once these elements are specified in the main legislative proposals, delegated or implementing acts might be used to implement in more detail these specific safeguards. The EDPS expects to be consulted on the implementing and delegated acts addressing matters of data protection relevance.

13.

In some cases, data relating to (suspected) offences may be processed (e.g. related to fraud). As the applicable legislation on data protection provides for special protection of such data (17), a prior check by the competent national DPAs or the EDPS may be needed (18).

14.

Finally, security measures should be foreseen, especially as regards computerised databases and systems. The principles of accountability and Privacy by Design should also be taken into account.

15.

Article 157 of the single CMO regulation empowers the Commission to establish implementing acts regarding communication requirements for different purposes (such as ensuring market transparency, control of CAP measures or implementation of international agreements) (19)‘taking into account data needs and potential synergies between data sources’ (20). The EDPS recommends specifying in this provision which data sources are to be used for which specific purposes. In this regard, the EDPS would like to remind the risk that the interconnection between databases can contradict the principle of purpose limitation (21), according to which personal data must not be further processed in a way incompatible with the original purpose of their collection (22).

16.

Article 77 of the rural development regulation establishes a new Electronic Information System to be ‘drawn up in cooperation between the Commission and the Member States’ for monitoring and evaluation purposes. The system will imply the processing of data on the ‘key characteristics of the beneficiary and the project’ provided by the beneficiaries themselves (Article 78). Insofar as this ‘key information’ includes personal data, this should be specified in the provision. Furthermore, the categories of data to be processed should be defined and the EDPS should be consulted on the implementing acts foreseen in Article 74.

17.

Additionally, Article 92 of the same proposal provides for the establishment of a new information system ‘by the Commission, in collaboration with the Member States’ for the secure exchange of ‘data of common interest’. The definition of the categories of data to be exchanged is too broad and should be narrowed in case personal data are to be transferred using this system. In addition, the relation between Article 77 and Article 92 should also be clarified, as it is not clear whether they have the same purpose and scope.

18.

Recital 40 of the horizontal regulation states that Member States should operate an integrated administration and control system (23) for certain payments and ‘be authorised to make use of it also for other Union support schemes’ in order to ‘improve the effectiveness and monitoring of Union support’. This provision should be clarified, especially if it does not only relate to exploiting synergies in terms of infrastructure, but also to making use of the information stored therein for the purpose of monitoring other support schemes.

19.

According to Article 73(1)(c) of the horizontal regulation, applications for aid shall, besides the parcels and payment entitlements, also include ‘any other information provided for in this Regulation or required with a view to the implementation of the relevant sectoral agricultural legislation or by the Member State concerned’ (24). In case it is expected that this information contains personal data, the categories of data required should be specified.

20.

The horizontal regulation sets up a number of bodies for practical implementation of the CAP and allocates their tasks (Articles 7 to 15). For the Commission, the following competences are foreseen (Titles IV-VII):

21.

The first task mentioned in the preceding paragraph will involve the processing of personal data, while for the second task, there is prima facie no need for personal data to be processed: a general evaluation of the measures can be carried out on the basis of aggregated or anonymised data as well. Unless the Commission provides adequate justification for the need to process personal data in this context, it should be clarified that no personal data should be supplied to the Commission for the purpose of the general evaluation of the measures.

22.

Articles 49 to 52 and 61 to 63 of the horizontal regulation establish the rules for on-the-spot-checks (27). The proposal states that these shall mainly be carried out by the competent authorities in the Member States, especially as regards home visits or formal questioning of persons, but that the Commission shall have access to information thus obtained. Here, the legislator should specify that the Commission shall only access these data where necessary for control purposes. The categories of personal data to be accessed by the Commission should also be specified.

23.

For the purpose of monitoring the aid, the horizontal regulation sets up an Administration and Control System (28) (Articles 68-78) consisting of a number of databases:

24.

The computerised database shall consist of one database per Member State (and, optionally, decentralised databases within them). It records data obtained from each beneficiary through aid applications and payment claims. Given that not all the data collected through aid applications may be necessary for control purposes, consideration should be given to possibilities of minimising the processing of personal data in this regard.

25.

Access to the administration and control system is not explicitly regulated. Similar to what has been stated regarding on-the-spot checks, the EDPS recommends the legislator to establish clearly circumscribed rules for access to this system.

26.

As regards checks, the horizontal regulation foresees the scrutiny of commercial documents, including those of third parties (Articles 79-88) (29). These documents may include personal data on third parties. The conditions under which third parties are required to disclose their commercial documents should be specified in the instrument (30).

27.

Article 87 of the same proposal establishes that Commission officials shall have access to all documents ‘prepared either with a view to or following the scrutiny’‘in accordance with the relevant national laws’. This applies both to cases in which they may participate in the scrutiny (paragraph 2) and those in which certain acts are reserved to officials designated by law of the Member State in which the scrutiny takes place (paragraph 4). In both cases, it should be ensured that Commission officials only access these data when necessary (i.e. for control purposes), also in cases where the national law might allow access for other purposes. The EDPS encourages the legislator to insert precisions to this effect in the text.

28.

According to Article 102 of the horizontal regulation, Member States shall communicate certain categories of information, declarations and documents to the Commission. This shall also include ‘a summary of the results of all available audits and checks carried out’ (Article 102(1)(c)(v)). For this case, it should either be specified that no personal data will be included in these summaries or, if personal data are necessary, the purpose for which they need to be communicated should be specified.

29.

Article 70(1) of the horizontal regulation states that the computerised database shall allow consultation ‘through the competent authority of the Member State’ of data from 2000 onwards and allow ‘direct and immediate consultation’ of data relating to ‘at least’ the previous five consecutive calendar years (31).

30.

The system for the identification and registration of payment entitlements allows for ‘verification of the entitlements and for cross-checks with the aid applications and the identification system for agricultural parcels’. Article 72(2) of the horizontal regulation establishes that data shall be available for a period of ‘at least’ four years (32).

31.

In relation to these two systems, the EDPS recalls Article 6(1)(e) of Directive 95/46/EC and Article 4(1)(e) of Regulation (EC) No 45/2001, which establish that data must not be stored in an identifiable way longer than is necessary for the purpose it was collected for. This implies that maximum retention periods have to be defined, not merely minimum retention periods.

32.

Article 157(1), second subparagraph of the single CMO regulation states that data may be transferred to third countries and international organisations. The EDPS would like to remind that the transfer of personal data to countries which do not provide for adequate protection could only be justified on a case by case basis if any of the exceptions of Article 26 of Directive 95/46/EC or Article 9(6) of Regulation (EC) No 45/2001 apply (for example, if the transfer is necessary or legally required on important public interest grounds).

33.

In this case, the specific purpose of the transfer (e.g. related to the implementation of international agreements) should be specified (33). The relevant international agreements should include specific safeguards as regards the protection of privacy and personal data and the exercise of these rights by data subjects. In addition, in case data are to be transferred by the Commission, the transfer should be subject to authorisation by the EDPS (34).

34.

Recital 70 of the horizontal regulation states that new rules on the publication of information on beneficiaries ‘taking account of the objections expressed by the Court of Justice’ in the Schecke (35) case are under preparation.

35.

The EDPS would like to remind everyone that the rules on the publication of information related to beneficiaries should respect the principle of proportionality. As confirmed by the Court of Justice (36), a proper balance needs to be struck between the beneficiaries’ fundamental rights to privacy and data protection and the European Union’s interest in guaranteeing transparency and ensuring a sound management of public funds.

36.

This is also relevant as regards Article 157(1), second subparagraph of the single CMO regulation, according to which data may ‘be made public subject to the protection of personal data and the legitimate interest of undertakings in the protection of their business secrets’. Articles 157(2)(d) and 157(3)(c) empower the Commission to adopt delegated acts on ‘the conditions and means of publication of the information’ and implementing acts on the arrangements for making information and documents available to the public.

37.

The EDPS welcomes the fact that the publication of information and documents will be subject to the protection of personal data. However, essential elements such as the purpose of the publication as well as the categories of data to be published should be specified in the proposals, rather than by implementing or delegated acts.

38.

The rights of data subjects should be specified, especially as regards the right of information and the right of access. This is especially relevant as regards Article 81 of the horizontal regulation, according to which commercial documents of beneficiaries, but also of suppliers, customers, carriers and other third parties can be checked. While beneficiaries might be aware of their data being processed, third parties should also be adequately informed that their data could be used for control purposes (e.g. by a privacy notice to be given at the moment of collection and information provided on all relevant websites and documents). The obligation to inform data subjects, including third parties, should be included in the proposals.

39.

Security measures should be foreseen, especially as regards computerised databases and systems. The principles of accountability and Privacy by Design should be taken into account. A list of security measures to be adopted regarding these computerised databases and systems could be introduced at least by delegated or implementing acts. This is all the more important as the personal data processed in the context of checks and scrutiny might include data on suspected offences.

40.

The EDPS welcomes the requirements laid down by Article 103 of the horizontal regulation regarding confidentiality and professional secrecy for scrutiny in the sense of Articles 79-88 of the same regulation.

41.

The EDPS considers that the central aspects of the processing operations envisaged in the proposals and the necessary data protection safeguards should be regulated in the main legislative texts rather than in delegated or implementing acts, in order to increase legal certainty:

42.

These elements may be further elaborated in delegated or implementing acts. The EDPS expects to be consulted in this regard.

43.

In addition, security measures should be foreseen at least by implementing or delegated acts, especially as regards computerised databases and systems. The principles of accountability and Privacy by Design should also be taken into account.

44.

Finally, taking into account that in some cases data relating to (suspected) offences may be processed (e.g. related to fraud), a prior check by the competent national DPAs or the EDPS may be needed.