Document 52017XX0321(01)

    EDPS Opinion on the proposed common framework for European statistics relating to persons and households

    OJ C 87, 21.3.2017, p. 1–4 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

    21.3.2017   

    EN

    Official Journal of the European Union

    C 87/1


    EDPS Opinion on the proposed common framework for European statistics relating to persons and households

    (2017/C 87/01)

    The Proposal aims at establishing a common framework for European statistics relating to persons and households based on data collected primarily from samples at individual level.

    The Proposal, in relevant part, contains references to the use of administrative records, as well as to other sources or innovative approaches to provide statistical data in the context of big data. New innovative approaches can bring promises for statistics and research, but will also pose risks and raise challenges, and legislators must ensure that any potential benefits never come at the expense of individuals' rights. To provide effective protection for the right of privacy and the right to the protection of personal data, legislators should anticipate the potential risks and challenges that these promising techniques may bring and provide for appropriate safeguards.

    To this end, we recommend revising Article 8 in order to ensure that any data processing involving administrative records and other data sources must be done in compliance with applicable data protection laws and that any direct provision of data by individuals (apart from certain exceptions as provided by law and subject to appropriate safeguards) must be made on a voluntary basis.

    With regard to linking administrative records, as foreseen in Article 11, we also highlight the need for ensuring that any such linking must be done in compliance with data protection law, subject to necessity, proportionality, and specific safeguards under Member State or Union law.

    THE EUROPEAN DATA PROTECTION SUPERVISOR,

    Having regard to the Treaty on the Functioning of the European Union, and in particular its Article 16,

    Having regard to the Charter of Fundamental Rights of the European Union, and in particular Articles 7 and 8 thereof,

    Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,

    Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular Article 28(2) thereof,

    HAS ADOPTED THE FOLLOWING OPINION:

    1.   Background and purpose of the Proposal

    (1)   On 8 August 2016, the European Commission (‘Commission’) published a Proposal for a Regulation of the European Parliament and of the Council establishing a common framework for European statistics relating to persons and households, based on data at individual level collected from samples (hereafter: ‘the Proposal’) (1). On the same day, the Commission asked the European Data Protection Supervisor (‘EDPS’), as an independent advisory body, for his Opinion. The Council of the European Union (‘Council’) also submitted a request on 25 November 2016.

    (2)   As set out in its Article 1 (‘Subject matter’), the purpose of the Proposal is to establish a common framework for European statistics relating to persons and households, based on data at individual level collected from samples.

    (3)   The EDPS takes note of the policy objectives of the Proposal. He welcomes:

    the fact that he has been consulted and that a reference to this consultation has been made in Recital 23 of the proposed Regulation;

    the inclusion of Recital 20 referring to applicable data protection law (Regulation 95/46/EC and Regulation (EC) No 45/2001 of the European Parliament and of the Council); as well as

    the reference to data protection rules when linking different records regarding an individual (Article 11).

    2.   Overview and key concerns

    (4)   Our main concern is the ambiguity in the current draft surrounding the possibility of the use of ‘administrative’ data and ‘big data’ sources such as telephone location data, corporate and tax records, social security and medical records, records of unemployment offices and organisations managing social security. While big data may promise new possibilities and increased efficiencies for the production of official statistics, it also poses specific risks, and therefore, we suggest careful scrutiny of any relevant provisions (2).

    (5)   We would also welcome more clarity on the fact that whenever any information is directly provided by individuals, this should be done on a voluntary basis, using consent under Articles 6 and 7 of the General Data Protection Regulation (‘GDPR’) (3) as a legal basis for the processing of personal data; unless the provision of information is specifically required under Union or Member States law in accordance with applicable data protection law.

    (6)   In light of these concerns, we would particularly welcome it if the legislators could introduce more clarity in the way Article 8 (on data sources and methods) is drafted.

    (7)   Other relevant provisions that the EDPS considers could be improved may include the following:

    Article 2(e) on the definition of ‘administrative records’;

    Recital 4 on the use of ‘administrative sources’ for statistical purposes;

    Recital 20 on applicable data protection law and the notion of ‘substantial public interest’;

    Article 11(1) on sampling frames.

    3.   Recommendations

    3.1.   References to applicable data protection law (Recital 20)

    (8)   Depending on the date of entry into force of the proposed Regulation, references to applicable law in Recital 20 may need to be updated. In particular, they may need to be replaced by references to the General Data Protection Regulation (GDPR), which will become applicable on 25 May 2018, and by references to the new legal instrument replacing Regulation (EC) No 45/2001.

    (9)   We would also welcome a reference, in a recital, to compliance with the safeguards relating to processing for statistical purposes under Article 89 of the GDPR.

    (10)   Considering that the Proposal foresees use of data from new data sources, which might include, for example, location data obtained from mobile telephone records (see Section 3.4 discussing Article 8 below), we also recommend a specific reference to the ePrivacy Directive (4) currently under revision (or to the new ePrivacy Regulation if appropriate considering the timelines).

    3.2.   References to ‘substantial public interest’ (Recital 20)

    (11)   To enable easier reference for non-experts, we recommend that the words ‘under Article 8(4) of Directive 95/46/EC’ be added after the phrase ‘substantial public interest’. Should the text refer to the GDPR, the appropriate reference would be Article 9(2)(g) of the GDPR.

    3.3.   Definition of administrative records (Article 2(e) and Recital 4)

    (12)   Article 2(e) of the Proposal defines ‘administrative records’ as ‘data generated by a non-statistical source, usually a public body, the aim of which is not to provide statistics, for its own purposes’. The term ‘administrative records’ is then used in Article 8 as well as in Recital 4.

    (13)   This definition of administrative records appears to be very broad and appears to include, in practice, ‘any other data sources’, which is another term also used in Article 8. The term ‘administrative data’, as defined, can thus include, for example, not only administrative records of public bodies but also sources such as mobile phone location data, which is not always considered an ‘administrative record’ in the sense in which the term is commonly used in everyday language.

    (14)   This in itself does not appear to have a direct impact on the level of protection of personal data, considering that Article 8, in any event, includes ‘any other data sources’. Nevertheless, for the sake of clarity, the legislators could consider revising Article 2(e) and more narrowly defining ‘administrative records’. Alternatively, the legislators could delete Article 2(e) altogether, and instead, in Article 8, refer to ‘administrative records created by an organisation, usually a public body, for other, non-statistical purposes, and any other sources, methods or innovative approaches…’.

    (15)   Further, as we noted above, Recital 4 specifically encourages use of administrative sources for statistical purposes. We welcome the fact that the recital highlights the need to ensure ‘quality, accuracy, timeliness and comparability of those statistics’. To further improve this provision, we recommend adding a reference to the protection of personal data. For example, the following text can be added at the end of the paragraph: ‘as well as safeguarding the right to the protection of personal data’.

    3.4.   Data sources and methods (Article 8)

    (16)   In addition to data directly provided by the respondents, Article 8 also refers to ‘administrative records and any other sources, methods or innovative approaches in so far as they allow for the production of data that are comparable and compliant with the applicable specific requirements laid down by this Regulation’.

    (17)   Article 8 reflects the intention, set forth on page 13 of the Explanatory Memorandum, to allow and promote ‘the use of new forms of data collection and of alternative data sources, including administrative data and estimates obtained from modelling and big data’. See also Recital 4 of the Proposal, already mentioned above, promoting ‘the use of administrative sources, thanks to technological advances’ and Article 13 on feasibility and pilot studies, which also discusses the use of other data sources.

    (18)   In the field of statistics, as in other fields, big data may bring benefits, such as increased efficiency. However, it can also create additional risks. The new data protection framework, and the adoption of the GDPR in particular, aims to address these risks in a way that provides protection but also allows flexibility for further data use, including for statistical purposes.

    (19)   Further legislative measures in the field of national or Union law governing statistics, however, will likely still be required in order to allow more widespread use of big data in statistics in a way compatible with applicable data protection law.

    (20)   The current Proposal should not provide the illusion that Article 8 itself is providing a sufficient legal basis for using big data for the purposes of the Proposal. It is essential that the recitals and Article 8, combined, make it clear that any such use of big data sources is subject to applicable data protection law, including the need for an appropriate legal basis under Article 6 of the GDPR.

    (21)   To this effect, we recommend that Article 8 be revised as follows:

    Article 8

    Data sources and methods

    1.   Member States shall provide the data referred to in Article 1 by using one or a combination of the following sources, provided that they meet the quality requirements given in Article 12 and are collected and further processed in accordance with and subject to safeguards provided for in applicable data protection laws:

    (a)   information directly provided by the respondents on a voluntary basis, on the basis of the consent of the data subjects providing the data under Article 7 of [the GDPR] (unless the provision of information is specifically required under Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subjects' rights and freedoms and legitimate interest);

    (b)   administrative records and any other sources, methods or innovative approaches in so far as they allow for the production of data that are comparable and compliant with the applicable specific requirements laid down by this Regulation.

    2.   Member States shall provide the Commission (Eurostat) with detailed information on the sources and methods used.

    3.5.   Sampling frames (Article 11)

    (22)   Article 11(1) provides that the sampling frames shall also include ‘the information needed to link persons to other administrative records, in so far as is allowed under data protection rules’.

    (23)   We recommend that the second part of the sentence be rephrased to read: ‘insofar as linking to such other records is necessary and proportionate, and specifically permitted under applicable Union or Member State law, to which the controller is subject and which also lays down suitable measures to safeguard the data subjects’ rights and freedoms and legitimate interest’.

    4.   Conclusions

    (24)   The EDPS recommends:

    including a reference to the ePrivacy Directive when referring to applicable law in Recital 20 as well as making the necessary updates to all relevant references, if needed, in light of the current review of the data protection framework;

    clarifying references to ‘substantial public interest’ in Recital 20;

    substantially revising Article 8 in order to ensure that any data processing involving administrative records and other data sources must be done in compliance with applicable data protection laws and that any direct provision of data by individuals (apart from certain exceptions as provided by law and subject to appropriate safeguards) must be made on a voluntary basis;

    with regard to linking administrative records, as foreseen in Article 11, ensuring that any such linking must be done in compliance with data protection law, subject to necessity, proportionality, and specific safeguards under Member State or Union law;

    considering a revision of the definition of ‘administrative record’ in Article 2(e) and adding a reference to the protection of the right to the protection of personal data in the related Recital 4.

    Brussels, 1 March 2017.

    Wojciech Rafał WIEWIÓROWSKI

    Assistant European Data Protection Supervisor


    (1)  COM(2016)551 final.

    (2)  On the opportunities, risks and challenges posed by big data, see EDPS Opinion 7/2015 on ‘Meeting the challenges of big data’: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf. See more specifically Section 1.

    (3)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

    (4)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, 31.7.2002, p. 37).

