23.11.2011   

EN

Official Journal of the European Union

C 343/1

1.

On 8 June 2011, the Commission adopted a proposal for a regulation of the European Parliament and of the Council on European statistics on safety from crime (3) (hereinafter ‘the proposal’). The proposal was sent for consultation to the EDPS on the same day.

2.

The EDPS is pleased that he has been consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and welcomes the reference to this Opinion which has been included in the preamble of the proposal.

3.

The EDPS also welcomes the fact that he was previously given the possibility to provide informal comments on the draft proposal.

4.

The proposal aims at implementing a new survey (4) in the European Union on safety from crime. It will set up a common framework for producing comparable European statistics through the collection, compilation, processing and transfer of harmonised European data.

5.

The categories of data to be processed are detailed in Annex I to the proposal, and include detailed questions on the socio-demographic background of respondents to the survey, possible incidents of sexual and physical violence that they might have suffered, their feelings of safety and their attitudes to law enforcement and security precautions.

6.

The proposal regulates the transmission of confidential data from Member States to the Commission (Eurostat), as well as the dissemination and the access to data for scientific purposes. Practical arrangements for the data coding scheme and for exchanging micro-data will be adopted by means of implementing acts.

7.

The present Opinion will analyse the elements of the proposal which are related to the processing of personal data. It builds on two previous Opinions of the EDPS in this field concerning, respectively, Regulation (EC) No 223/2009 which provides a reference framework for the production of European statistics (5) and Regulation (EC) No 1338/2008 on statistics on health and safety at work (6).

8.

The Opinion also refers to Regulation (EC) No 831/2002 on access to confidential data for scientific purposes (7), which is currently under review. The EDPS would welcome a request for consultation in this respect. References in this Opinion to Regulation (EC) No 831/2002 are without prejudice to the advice that the EDPS might provide in that context.

9.

The EDPS is aware of the importance of the development, production and dissemination of statistical data, as he has stated in previous occasions (8). However, he is concerned about the risk that data subjects may be identified and the fact that sensitive data, such as data relating to health, sex life and offences, are being processed.

10.

The EDPS welcomes the references to the protection of individual's rights and freedoms with regard to the processing of personal data which are made in recitals 6 and 7 of the proposal, but regrets that the potential impact of the proposal on privacy and data protection has not been addressed in the accompanying Impact Assessment.

11.

The present Opinion discusses the possibility of identifying data subjects in the context of statistics and in the proposal (part II.2) and the applicability of the data protection framework (part II.3). Subsequently, part II.4 analyses the processing of sensitive data. In part II.5, the Opinion focuses on security safeguards and anonymisation and it finally addresses the information to be provided to data subjects in part II.6.

12.

Personal data are defined in Article 2(a) of Directive 95/46/EC and Article 2(a) of Regulation (EC) No 45/2001 as any information relating to an identified or identifiable natural person (‘data subject’). This identification might be direct, e.g. by a name, or indirect, e.g. by an identification number or other factors. Therefore, as long as there is a possibility to identify natural persons, the relevant data are considered personal data, and thus data protection legislation is applicable.

13.

In the context of statistics, the possibility of identification of data subjects relates mostly to micro-data (9), which contain information about individual statistical units. While researchers, policy makers and other users might demand access to as much and as detailed micro-data as possible in order to increase the quality and the flexibility of their researches, respondents need guarantees that their personal data will be protected, especially when the surveys deal with sensitive matters, such as the one in the present proposal. The protection of personal data has also raised concerns in the context of the review of Regulation (EC) No 831/2002 (10).

14.

As regards the possibility of identifying data subjects, two different notions are relevant in the EU legislation on statistics: ‘confidential data’ and ‘anonymous data’. According to Regulation (EC) No 223/2009, data which allow statistical units (which might be natural persons, households, economic operators or other undertakings) to be ‘identified, either directly or indirectly’, are considered ‘confidential data’ (11) and are therefore subject to statistical confidentiality (12). However, Regulation (EC) No 831/2002 defines confidential data as data ‘which allow only indirect identification’. As in the proposal, statistical units refer to natural persons (as well as to households) (13), in the present case confidential data include personal data and thus data protection legislation will apply irrespective of whether the data allow direct or indirect identification.

15.

The definition of ‘anonymous data’ is also slightly different in these two Regulations. While ‘anonymised micro-data’ is described in Regulation (EC) No 831/2002 as individual statistical records in which the risk of identification has been ‘minimised’ (14), according to Article 19 of Regulation (EC) No 223/2009, ‘anonymised records’ are those ‘which have been prepared in such a way that the statistical unit cannot be identified, either directly or indirectly, when account is taken of all relevant means that might reasonably be used by a third party’ (15). The latter is comparable to the definition provided in recital 26 of Directive 95/46/EC and recital 8 of Regulation (EC) No 45/2001, according to which personal data are ‘rendered anonymous’ when the data subject is ‘no longer’ identifiable, taking into account ‘all the means likely reasonably to be used either by the controller or by any other person to identify the said person’ (16).

16.

Therefore, after anonymisation of the micro-data in the sense of Article 19 of Regulation (EC) No 223/2009, which would only apply to the present proposal in case micro-data were publicly released, the data will no longer be considered personal data and the provisions of Directive 95/46/EC and Regulation (EC) No 45/2001 will not apply.

17.

However, data which are considered anonymised in the context of Regulation (EC) No 831/2002 may not be anonymised according to Directive 95/46/EC and Regulation (EC) No 45/2001, as the risk of identification might remain, and will thus be subject to the data protection legislation. This definition of anonymisation will apply in the present proposal to released micro-data sets in case the relevant survey is subsequently included in the list of Article 6 of Regulation (EC) No 831/2002.

18.

The aim of the proposal is to set up a common framework for ‘producing European statistics through the collection, compilation, processing and transmission by the Member States’ (17) of comparable data on crime and safety.

19.

The data will be collected by Member States and transferred to Eurostat, that shall disseminate them and make them available to researchers. Although the proposal does not regulate how the collection is carried out by Member States, it specifies which data have to be transferred to Eurostat. Therefore, the questions that respondents will be asked in the survey will be determined by the categories of data that Member States are required to transfer to Eurostat, which are laid down in Annex I to the proposal.

20.

Annex I explicitly requests in paragraph 6 the ‘identification of respondent’. Similarly, one of the questions to be asked in the survey as regards partner and non-partner physical violence is ‘who did it’ (paragraph 7(1) of Annex I). If these questions are answered by a name, the data will relate to directly identified individuals.

21.

The EDPS is aware that the aim of these questions is not to obtain the names of the respondent and the aggressor, but probably to assign a code to the respondent or to request specific characteristics of the alleged aggressor, such as the existence and degree of family relationship. In addition, the EDPS welcomes the fact that direct identifiers are not to be transmitted to Eurostat, as according to Article 7(1) of the proposal, they have to be removed beforehand. However, the EDPS would recommend that the descriptions of these variables in points 6 and 7(1) of Annex I be modified in order to clarify which specific information is exactly required and to avoid that these direct identifiers are collected unnecessarily by Member States.

22.

Even without direct identifiers, the collected data will possibly still allow indirect identification ‘by reference to an identification number’ or, due to the elaborate number of data fields requested in the survey, by reference ‘to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’ (18). Therefore, the processing of the data by Member States is subject to the national law implementing Directive 95/46/EC.

23.

In this regard, the EDPS would like to underline the phenomenon of unique or rare combinations, where the combination of different pieces of information allows data subjects to be differentiated from others and thus to be identified, as it has been pointed out by the Article 29 Working Party (19).

24.

The possibility of identification will remain at the moment of transmission of the data to Eurostat and when these data are accessed by researchers, as Article 7(1) of the proposal (20) does not require the removal of indirect identifiers, as discussed above. Furthermore, Article 7(1) and 7(2) explicitly require Member States to transfer confidential micro-data to Eurostat. Similarly, according to Article 9(2) of the proposal (21), Eurostat may grant access to confidential data for scientific purposes.

25.

As discussed above, confidential data are data which allow at least indirect identification of statistical units, which in this case include natural persons. Therefore, the processing of data by Eurostat and their access by researchers will constitute a processing of personal data to which the provisions of Regulation (EC) No 45/2001 apply.

26.

As regards dissemination, Article 9(1) states that Eurostat ‘shall disseminate the statistics on safety from crime by 31 December 2014 at the latest’, but does not specify the modalities in which this dissemination has to be done. If the survey that will be set up by this proposal is subsequently included in the list of Article 6 of Regulation (EC) No 831/2002, the risk of identification will only be ‘minimised’ before the release of micro-data. In this case, Regulation (EC) No 45/2001 will apply, as long as identification of data subjects is still possible.

27.

In case micro-data were publicly disseminated, Article 19 of Regulation (EC) No 223/2009, which requires anonymisation in the sense of Directive 95/46/EC and Regulation (EC) No 45/2001 before individual statistical units are disseminated in the form of a public file, would apply. After anonymisation in this sense, the micro-data would no longer be considered personal data and thus Regulation (EC) No 45/2001 would not be applicable any more.

28.

It is important to underline that the personal data in question fall within a special category of data which is subject to stricter rules in Directive 95/46/EC and Regulation (EC) No 45/2001. Article 8(1) of Directive 95/46/EC and Article 10(1) of Regulation (EC) No 45/2001 explicitly prohibit, except under strict conditions, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life, and restrict the processing of personal data relating to offences, criminal convictions or security measures (22).

29.

Member States are required to submit to Eurostat, among other categories, data on current and past relationships; partner and non-partner physical and sexual violence; medical treatments; exposure to drugs; offences and national origin of respondents and their parents. These categories include data concerning health, sex life and offences and could reveal ethnic origin. Below are some examples.

30.

Article 8(2) to (4) of Directive 95/46/EC and Article 10(2) to (4) of Regulation (EC) No 45/2001 contain exceptions to the prohibition of processing these categories of data. In the present case, Article 8(4) of Directive 95/46/EC and Article 10(4) of Regulation (EC) No 45/2001, which allow the processing of such data for reasons of ‘substantial public interest’, could apply. This exception is however subject to the provision of ‘appropriate safeguards’ and must be ‘laid down by law’ (23).

31.

As regards this last requirement, the EDPS believes that a regulation, which will be adopted by the ordinary legislative procedure as required by Article 338 of the Treaty on the Functioning of the European Union, will provide an adequate legal basis for the processing.

32.

However, the relevant ‘substantial public interest’ justifying the collection, transmission and dissemination of such detailed and sensitive data is not sufficiently stated in the proposal. According to its Article 1, the proposal aims at establishing ‘a framework for the development, production and dissemination of comparable statistics on safety from crime’. Yet although the explanatory memorandum and the preamble provide explanations on the relevant political context, they do not make explicit the specific purposes or policy objectives pursued by these statistics. These are only partly mentioned in the Legislative Financial Statement attached to the proposal (24).

33.

The EDPS would therefore recommend to clearly state in the preamble of the proposal the substantial public interest justifying the processing, as it has been done in other regulations requiring the processing of health data (25) and setting up European statistics (26). This is also important for assessing the necessity of the processing of such detailed categories of sensitive data, as they might be excessive and cannot be considered relevant if the purpose is not clearly specified.

34.

As regards the need for ‘appropriate safeguards’, the EDPS notes the references to Regulation (EC) No 223/2009, Regulation (EC) No 831/2002 and the European Statistics Code of Practice (27), which require the protection of confidential data. But, as already pointed out by the EDPS (28), the fact that data relating directly or indirectly to identifiable natural persons are considered confidential data and treated as such, does not, in itself, ensure that the processing of these data will fully comply with data protection legislation. In this sense, the EDPS welcomes the references to Directive 95/46/EC and Regulation (EC) No 45/2001 which are made in the preamble of the proposal.

35.

However, taking into account the sensitive nature of the data to be processed and the fact that statistical purposes might be fulfilled by anonymised micro-data (29), the EDPS emphasises that data should be anonymised as soon as possible in the sense of Directive 95/46/EC and Regulation (EC) No 45/2001 (30). In case that, due to the level of detail that is necessary for the survey, complete anonymisation of the micro-data cannot be guaranteed before transmission to Eurostat or before granting access to researchers, and if this is clearly justified, the proposal should at least strive for anonymisation in the sense of Regulation (EC) No 831/2002 (minimisation of the risks of identification).

36.

Confidential data, which in this case would be sensitive data, should only be processed if it is necessary, i.e., if the same scientific purposes cannot be achieved with micro-data which has been anonymised in the sense of Directive 95/46/EC and Regulation (EC) No 45/2001 or in which the risks of identification have been minimised in the sense of Regulation (EC) No 831/2002. Data released to the public should in any case be anonymised in the sense of Directive 95/46/EC, Regulation (EC) No 45/2001 and Article 19 of Regulation (EC) No 223/2009.

37.

Until their anonymisation in the sense of Directive 95/46/EC and Regulation (EC) No 45/2001, the data will need to be subject to adequate technical and organisational measures to ensure their confidentiality and security, as required by Articles 16 and 17 of Directive 95/46/EC, and Articles 21 and 22 of Regulation (EC) No 45/2001. These measures should take into account the risks represented by the processing and the sensitive nature of the data to be protected.

38.

In addition, Article 27(1) of Regulation (EC) No 45/2001 provides that ‘processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes shall be subject to prior checking by the European Data Protection Supervisor’. Article 27(2) specifies that processing of data relating to ‘health’, ‘suspected offences’, ‘offences’ and ‘criminal convictions’ presents such risks, and thus requires prior checking.

39.

As the processing by Eurostat will involve personal data relating to these categories, it will be subject to prior checking (31). Therefore, in the framework of a prior checking procedure, the EDPS may provide further guidance and specific recommendations with regard to compliance with data protection rules.

40.

Finally, Article 8(2) of the proposal states that practical arrangements for the data coding scheme and for exchanging micro-data will be adopted by means of implementing acts. The EDPS would welcome a request for consultation as regards these practical arrangements.

41.

The EDPS reminds that, as the data will be directly collected by Member States from respondents, Article 10 of Directive 95/46/EC will be applicable. Therefore, data subjects will have to be informed, at least, on the voluntary nature of the survey and the possibility to refuse to reply to one or more questions; the purposes of the processing operation for which the data are intended; the identity of the controller; the fact that the data will be transmitted to Eurostat, who might grant access to researchers; and the existence of the rights of access to, rectification, blocking and erasure of the data; unless the processing falls within the exceptions to these rights provided by national data protection laws.

42.

The importance of the development, production and dissemination of statistical data has been repeatedly acknowledged by the EDPS. Nevertheless, the EDPS is concerned about the processing of sensitive data in this specific survey and the possibility of identifying victims and aggressors of physical and sexual violence. Therefore, he recommends, in particular, the following: