This document is an excerpt from the EUR-Lex website
Document 52023XX01055
Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on European statistics (The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)
OJ C, C/2023/1055, 20.11.2023, ELI: http://data.europa.eu/eli/C/2023/1055/oj
Official Journal | EN Series C | C/2023/1055 | 20.11.2023
Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on European statistics
(C/2023/1055)
(The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)
On 10 July 2023, the European Commission issued the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 223/2009 on European statistics (‘the Proposal’). The Proposal aims at making the legal framework governing European statistics fit for the future and improving the responsiveness of the European Statistical System to data needs.
The EDPS welcomes the objective of the Proposal, namely to make the legal framework governing European statistics fit for the future. The EDPS also recognises that new innovative approaches can bring promises for statistics and research. However, the EDPS has serious concerns regarding the indication that information relating to specific persons might be obtained from any source, including digital traces relating to specific persons held by private data holders. The EDPS considers that collection of personal data from such sources may not be necessary and proportionate to the aims pursued, having regard to the potential risks for the rights and freedoms of data subjects. Therefore, the EDPS considers it is necessary to clarify in the Proposal that only non-personal (anonymised) data will be requested from the private data holders by national statistical institutes or the Commission (Eurostat).
Insofar as the Proposal seeks to provide a legal basis to request personal data from private data holders, it should provide a clear and comprehensive overview of the categories of personal data concerned, taking into account the requirements of necessity and proportionality. Moreover, the sources from which those categories of personal data may be obtained should be clearly set out in the Proposal itself or in sectorial legislation. Further, the EDPS recommends that such sharing of personal data by private data holders shall make use of privacy-enhancing technologies and shall take place using a secure infrastructure.
As regards the collection of statistics from the Large-Scale IT systems (‘LSITs’) in the area of freedom, security and justice, the EDPS considers that the Proposal should be amended. In particular, the Proposal should clarify that LSITs statistics in the area of freedom, security and justice shall be gathered exclusively from the central repository for reporting and statistics (‘CRRS’). If necessary, the co-legislators could foresee specific transitional measures until the CRRS is fully operational.
The EDPS welcomes that with regard to the sharing of data within the European Statistical System, the Proposal envisages the use of privacy-enhancing technologies. At the same time, the EDPS recalls that any sharing of personal data must in any event comply with all relevant provisions of the GDPR (1) and EUDPR (2), including Article 89(1) GDPR and Article 13 EUDPR. The EDPS recommends introducing the use of pilot studies to test and assess the fitness of relevant privacy-enhancing technologies.
1. Introduction
1. On 10 July 2023, the European Commission issued the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 223/2009 on European statistics (‘the Proposal’) (3).
2. Regulation (EC) No 223/2009 of the European Parliament and of the Council (4) establishes the legal framework at Union level for the development, production and dissemination of European statistics.
3. The general objective of the Proposal is to make the legal framework governing European statistics fit for the future and to improve the responsiveness of the European Statistical System (5) (‘ESS’) to data needs. The Proposal also seeks to provide a mechanism and tools for the ESS to react swiftly, and in a collective and coordinated manner, to urgent data demands in times of crises (6).
4. More specifically, the Proposal seeks to allow statistical authorities to tap the full potential of digital data sources and technologies by enabling their reuse for European statistics. The Proposal would help make the ESS more efficient and effective by promoting data sharing and strengthening its coordination. The Proposal would also:
5. The present Opinion of the EDPS is issued in response to a consultation by the European Commission of 10 July 2023, pursuant to Article 42(1) of the EUDPR. The EDPS welcomes the reference to this consultation in recital (24) of the Proposal.
7. Conclusions
In light of the above, the EDPS recommends the co-legislators to:
(1) make reference, in a recital, to compliance with the safeguards relating to processing of personal data for statistical purposes under Article 89 of the GDPR and Article 13 of the EUDPR and in particular that the data should in principle be rendered anonymous;
(2) clarify in Article 17a(2) of the Proposal that LSITs statistics in the area of freedom, security and justice shall be gathered exclusively from the CRRS. Insofar as relevant, the co-legislators could provide for transitional measures until the CRRS is fully operational;
(3) clarify in Article 17c(2) of the Proposal that only non-personal (anonymised) data will be requested from private data holders, in particular by deleting the wording ‘insofar as possible’ from Article 17c(2);
(4) clarify that any processing of data pursuant to a request for data under Article 17c shall be without prejudice to the ePrivacy Directive (8);
(5) if the co-legislators wish to provide a framework allowing NSIs and the Commission to request personal data from private data holders in specific circumstances, to provide for:
(6) introduce an obligation for the Commission (Eurostat) and the Member States to test and assess by means of pilot studies the fitness of relevant privacy-enhancing technologies for data sharing within the ESS;
(7) consider providing the option for the Commission to adopt implementing acts laying down technical specifications for the data sharing and measures for the confidentiality and security of information, where pilot studies identify effective and secure data sharing solutions;
(8) specify, in the context of the infrastructure to facilitate data sharing, the roles of the various actors involved as controller, joint controller or processor in the enacting terms of the Proposal.
Brussels, 6 September 2023.
Wojciech Rafał WIEWIÓROWSKI
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(2) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(3) COM(2023) 402 final.
(4) Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programme of the European Communities (OJ L 87, 31.3.2009, p. 164).
(5) Article 4 of the Regulation (EC) No 223/2009 states that ‘[t]he European Statistical System (ESS) is the partnership between the Community statistical authority, which is the Commission (Eurostat), and the national statistical institutes (NSIs) and other national authorities responsible in each Member State for the development, production and dissemination of European statistics.’.
(6) COM(2023) 402 final, p. 1.
(7) See COM(2023) 402 final, p. 1-2.
(8) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
ISSN 1977-091X (electronic edition)