21.3.2017   

EN

Official Journal of the European Union

C 87/1

(1)

On 8 August 2016, the European Commission (‘Commission’) published a Proposal for a Regulation of the European Parliament and of the Council establishing a common framework for European statistics relating to persons and households, based on data at individual level collected from samples (hereafter: ‘the Proposal’) (1). On the same day, the Commission requested the European Data Protection Supervisor (‘EDPS’), as an independent advisory body, for his Opinion. The Council of the European Union (‘Council’) also submitted a request on 25 November 2016.

(2)

As set out in its Article 1 (‘Subject matter’), the purpose of the Proposal is to establish a common framework for European statistics relating to persons and households, based on data at individual level collected from samples.

(3)

The EDPS takes note of the policy objectives of the Proposal. He welcomes:

(4)

Our main concern is the ambiguity in the current draft surrounding the possibility of the use of ‘administrative’ data and ‘big data’ sources such as telephone location data, corporate and tax records, social security and medical records, records of unemployment offices and organisations managing social security. While big data may promise new possibilities and increased efficiencies for the production of official statistics, it also poses specific risks, and therefore, we suggest careful scrutiny of any relevant provisions (2).

(5)

We would also welcome more clarity on the fact that whenever any information is directly provided by individuals, this should be done on a voluntary basis, using consent under Articles 6 and 7 of the General Data Protection Regulation (‘GDPR’) (3) as a legal basis for the processing of personal data; unless the provision of information is specifically required under Union or Member States law in accordance with applicable data protection law.

(6)

In light of these concerns, we would particularly welcome if the legislators could introduce more clarity in the way Article 8 (on data sources and methods) is drafted.

(7)

Other relevant provisions that the EDPS considers could be improved may include the following:

(8)

Depending on the date of entry into force of the proposed Regulation, references to applicable law in Recital 20 may need to be updated. In particular, they may need to be replaced by references to the General Data Protection Regulation (GDPR), which will become applicable on 25 May 2018, and by references to the new legal instrument replacing Regulation (EC) No 45/2001.

(9)

We would also welcome a reference, in a recital, to compliance with the safeguards relating to processing for statistical purposes under Article 89 of the GDPR.

(10)

Considering that the Proposal foresees use of data from new data sources, which might include, for example, location data obtained from mobile telephone records (see Section 3.4 discussing Article 8 below), we also recommend a specific reference to the ePrivacy Directive (4) currently under revision (or to the new ePrivacy Regulation if appropriate considering the timelines).

(11)

To enable easier reference for non-experts, we recommend that the words ‘under Article 8(4) of Directive 95/46/EC’ be added after the phrase ‘substantial public interest’. Should the text refer to the GDPR, the appropriate reference would be Article 9(2)(g) of the GDPR.

(12)

Article 2(e) of the Proposal defines ‘administrative records’ as ‘data generated by a non-statistical source, usually a public body, the aim of which is not to provide statistics, for its own purposes’. The term, ‘administrative records’ is then used in Article 8 as well as in Recital 4.

(13)

This definition of administrative records appears to be very broad and appear to include, in practice, ‘any other data sources’, which is another term also used in Article 8. The term ‘administrative data’, as defined, can thus include, for example, not only administrative records of public bodies but also sources such as mobile phone location data, which is, in the sense as the term is commonly used in everyday language, not always considered as an ‘administrative record’.

(14)

This in itself does not appear to have a direct impact on the level of protection of personal data, considering that Article 8, in any event, includes ‘any other data sources’. Nevertheless, for the sake of clarity, the legislators could consider revising Article 2(e) and more narrowly defining ‘administrative records’. Alternatively, the legislators could delete Article 2(e) altogether, and instead, in Article 8, refer to ‘administrative records created by an organisation, usually a public body, for other, non-statistical purposes, and any other sources, methods or innovative approaches…’.

(15)

Further, as we noted above, Recital 4 specifically encourages use of administrative sources for statistical purposes. We welcome the fact that the recital highlights the need to ensure ‘quality, accuracy, timeliness and comparability of those statistics’. To further improve this provision, we recommend adding a reference to the protection of personal data. For example, the following text can be added at the end of the paragraph: ‘as well as safeguarding the right to the protection of personal data’.

(16)

In addition to data directly provided by the respondents, Article 8 also refers to ‘administrative records and any other sources, methods or innovative approaches in so far as they allow for the production of data that are comparable and compliant with the applicable specific requirements laid down by this Regulation’.

(17)

Article 8 reflects the intention, set forth on page 13 of the Explanatory Memorandum, to allow and promote ‘the use of new forms of data collection and of alternative data sources, including administrative data and estimates obtained from modelling and big data’. See also Recital 4 of the Proposal, already mentioned above, promoting ‘the use of administrative sources, thanks to technological advances’ and Article 13 on feasibility and pilot studies, which also discusses the use of other data sources.

(18)

In the field of statistics, as in other fields, big data may bring benefits, such as increased efficiency. However, it can also create additional risks. The new data protection framework, and the adoption of the GDPR in particular, aims to address these risks in a way that provides protection but also allows flexibility for further data use, including for statistical purposes.

(19)

Further legislative measures in the field of national or Union law governing statistics, however, will likely to be still required, in order to allow more widespread use of big data in statistics in a way compatible with applicable data protection law.

(20)

The current Proposal should not provide the illusion that Article 8 itself is providing a sufficient legal basis for using big data for the purposes of the Proposal. It is essential that the recitals and Article 8, combined, make it clear that any such use of big data sources is subject to applicable data protection law, including the need for an appropriate legal basis under Article 6 of the GDPR.

(21)

To this effect, we recommend that Article 8 be revised as follows:

Article 8

Data sources and methods

1.   Member States shall provide the data referred to in Article 1 by using one or a combination of the following sources, provided that they meet the quality requirements given in Article 12 and are collected and further processed in accordance with and subject to safeguards provided for in applicable data protection laws:

2.   Member States shall provide the Commission (Eurostat) with detailed information on the sources and methods used.

(22)

Article 11(1) provides that the sampling frames shall also include ‘the information needed to link persons to other administrative records, in so far as is allowed under data protection rules’.

(23)

We recommend that the second part of the sentence be rephrased to read: ‘insofar as linking to such other records is necessary and proportionate, and specifically permitted under applicable Union or Member State law, to which the controller is subject and which also lays down suitable measures to safeguard the data subjects’ rights and freedoms and legitimate interest'.

(24)

The EDPS recommends: