23.3.2010   

EN

Official Journal of the European Union

C 73/1

1.

On 27 July 2009, the Commission adopted a proposal for a Council Regulation imposing certain specific restrictive measures directed against certain natural and legal persons, entities and bodies in view of the situation in Somalia as well as a proposal for a Council Regulation amending Council Regulation (EC) No 314/2004 concerning certain restrictive measures in respect of Zimbabwe. On 18 September, the Commission also adopted a proposal for a Council Regulation amending Council Regulation (EC) No 329/2007 concerning restrictive measures against the Democratic People's Republic of Korea. Furthermore, on 23 November, the Commission adopted a proposal for a Council Regulation imposing certain specific restrictive measures in respect of Guinea. All these proposals were sent by the Commission to the EDPS for consultation, in accordance with Article 28(2) of Regulation (EC) No 45/2001. The EDPS recalls that he also provided informal comments on the drafts of these proposals, as well as on other draft proposals to amend analogous Council Regulations imposing freeze of funds and other restrictive measures.

2.

The EDPS welcomes that he is consulted and that reference to this consultation is made in the preamble of the proposals, in a similar way as in a number of other legislative texts on which the EDPS has been consulted, in accordance with Regulation (EC) No 45/2001.

3.

All these proposals, by amending current legislation or putting forward new legal instruments, envisage fighting terrorism or human rights abuses by imposing restrictive measures — notably, assets-freezing, travel bans — with regard to natural and legal persons suspected of being associated with terrorist organisations and/or with certain governments. In this perspective, the European Commission publishes and publicises ‘blacklists’ of natural or legal persons concerned by these restrictive measures.

4.

The EDPS already issued on 28 July 2009 an opinion on the proposal for a Council Regulation amending Regulation (EC) No 881/2002 imposing certain specific restrictive measures directed against certain persons and entities associated with Usama bin Laden, the Al-Qaida network and the Taliban (‘Al-Qaida proposal’). That opinion welcomed the intention of the Commission to better ensure the protection of fundamental rights, including the protection of personal data, and recommended to amend and/or clarify certain aspects of the proposal in order to meet essential EU data protection principles. The EDPS has closely followed the developments of the negotiations in the Council on the Al-Qaida proposal (3) and regrets that many of the provisions dealing with the protection of personal data have been deleted or substantially reduced.

5.

The points already made in that opinion still remain valid and most of them apply to a certain extent also to the present proposals, which in many provisions reflect those of that proposal. The present opinion, taking into account all the proposals so far received for consultation by the EDPS as well as the developments of the negotiations in the Council, will address the application of data protection principles in the area of restrictive measures and will put forward recommendations for improvements. These recommendations will also take into account the entry into force of the Lisbon Treaty as well as the important policy guidelines laid down by the recently adopted Stockholm Programme (4). This approach will allow the EDPS to issue further opinions on proposals for legislation in this area only insofar as those new proposals substantially diverge from the provisions of the current proposals.

6.

This opinion focuses on those aspects of restrictive measures that are directly linked to the protection of personal data, and in particular on those aspects that the EDPS recommends being clarified in this area, in order to ensure certainty of law and efficiency of measures. This opinion does not address or affect other substantive questions that may be related to the inclusion in a list under the application of other rules.

7.

The Commission proposals are aimed at addressing the case law of the Court of Justice, which reaffirmed on several occasions that the EU standards for protection of fundamental rights should be respected irrespective of whether restrictive measures are adopted at EU level or stem from international organisations such as the United Nations (5).

8.

EU fundamental rights also include the right to the protection of personal data, which has been recognised by the Court of Justice as one of the principles stemming from Article 6(2) TEU and further confirmed by Article 8 of the EU Charter of Fundamental Rights (6). In the context of restrictive measures, the right to the protection of personal data plays a crucial role, being also instrumental to the effective respect of other fundamental rights, such as the right of defence, the right to be heard and the right to an effective judicial protection.

9.

In this perspective, the EDPS, as already done in his opinion of 28 July 2009 with regard to restrictive measures with regard to Al-Qaida, welcomes the intention of the Commission to improve the current legal framework by enhancing the listing procedure and by taking explicitly into account the right to the protection of personal data. Restrictive measures are based on processing of personal data, which by itself — irrespective of the freezing of assets — is subject to data protection rules and guarantees. Therefore, it is extremely important to provide clarity and legal certainty on the applicable rules for processing of personal data of listed individuals, also with a view to ensuring the lawfulness and legitimacy of the restrictive measures.

10.

The Stockholm Programme makes it clear that ‘when it comes to assessing the individual's privacy in the area of freedom, security and justice, the right to freedom is overarching’ and that the EU should promote the application of data protection principles within the EU and in its relations with other countries.

11.

The entry into force of the Lisbon Treaty strengthens the legal framework in this area. On the one hand, it establishes two new legal bases (Articles 75 and 215 TFEU) allowing the EU to adopt restrictive measures against natural or legal persons and groups or non-State entities. On the other hand, Articles 16 TFEU and 39 TEU reaffirm the right to data protection and the need for data protection rules and guarantees in all fields of activity of the European Union, and the EU Charter of Fundamental Rights acquires a binding value, which, as the Stockholm Programme explicitly recognises, ‘will reinforce the obligation of the Union, including its institutions, to ensure that in all its areas of activity, fundamental rights are actively promoted’ (7).

12.

In particular, with regard to the processing of personal data carried out by EU institutions Article 16 TFEU applies to all activities of the EU, including the Common Foreign and Security Policy, while Article 39 TEU foresees a different decision-making procedure with regard to processing of personal data carried out by Member States within the scope of the Common Foreign and Security Policy. Furthermore, the Court of Justice becomes fully competent, even in the area of the Common Foreign and Security Policy, to assess the legality — and in particular the respect of fundamental rights — of decisions providing for restrictive measures against natural or legal persons (Article 275 TFEU).

13.

Furthermore, the EU accession to the European Convention of Human Rights, foreseen by the Lisbon Treaty, will make the positions taken by the Council of Europe with regard to blacklisting (8) and the case law of the European Court of Human Rights even more relevant for the EU legal framework.

14.

Against this background, Article 8 of the Charter of Fundamental Rights has a special importance, especially where it spells out that personal data shall be processed on a legitimate basis laid down by law and that ‘everyone has the right of access to data which have been collected concerning him or her’. These essential elements of data protection must be respected by all EU measures and individuals may even be in a position to claim the direct effect — irrespective of any explicit recognition in secondary EU legislation — of the rights conferred by this Article.

15.

The new legal framework brought by the entry into force of the Lisbon Treaty provide the legislator with the tools and the obligation to lay down comprehensive and consistent rules for the protection of personal data, also in the area of restrictive measures. This obligation is even more important in the light of the proliferation and of the increasing duration of this kind of measures, which have far-reaching consequences for the individuals concerned.

16.

In this perspective, the EDPS highly recommends the Commission to abandon the current piecemeal approach — whereby specific, and sometimes different, rules on the processing of personal data are adopted for each country or organisation — and to propose a general and consistent framework for all targeted sanctions implemented by the EU against natural or legal persons, entities or bodies, which ensures the respect of fundamental rights of individuals concerned, and in particular the respect of the fundamental right to the protection of personal data. Necessary restrictions to these rights should be clearly laid down by law, be proportionate and in any case respect the essence of these rights.

17.

According to the EDPS, this effort should be carried out in parallel with the objective laid down by the European Council in the Stockholm Programme to ‘work towards enhancing the design, implementation and effectiveness of sanctions by the UN Security Council with a view to safeguarding fundamental rights and ensuring fair and clear procedures’ (9).

18.

The following paragraphs, on the analysis of the current proposals, will not only provide recommendations for improving the provisions of these proposals but will also highlight those data protection aspects which are currently not addressed and which the EDPS recommends to clarify either in these legal instruments or in a more general framework.

19.

As already stated in the EDPS opinion of 28 July 2009, data protection rules laid down by Regulation (EC) No 45/2001 are applicable to the processing of personal data carried out by EU institutions in the area of restrictive measures, even if these measures originate from international organisations or Common Positions adopted in the framework of the Common Foreign and Security Policy.

20.

In this perspective, the EDPS welcomes the references in the current proposals to the applicability of Regulation (EC) No 45/2001, as well as to the data subjects’ rights stemming from it. However, the EDPS regrets that the developments of the negotiations relating to the restrictive measures in respect of Al-Qaida have resulted in the deletion of some of these references.

21.

In this respect, the EDPS would like to stress that these deletions do not exclude or limit the applicability of those obligations and data subjects’ rights that are no longer explicitly mentioned in the legal instruments. However, the EDPS considers that explicitly mentioning and addressing the data protection aspects in the legal instruments on restrictive measures not only enhances the protection of fundamental rights, but also avoids that delicate issues remain unclear and are therefore brought before the Courts.

22.

In a more general perspective, the EDPS stresses that, pursuant to Article 8 of the EU Charter of Fundamental Rights, ‘everyone has the right to the protection of personal data’. This fundamental right should thus be guaranteed in the European Union, irrespective of the nationality, the place of residence or the professional activities of the persons concerned. This means that, while restrictions of this right may well be necessary in the framework of restrictive measures, no in-principle or blanket exclusion of this right can be made with regard to categories of individuals, such as those having links with a third country government.

23.

According to applicable data protection rules (Article 4 of Regulation (EC) No 45/2001), personal data must be: processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. Personal data must also be accurate and kept up to date: every reasonable step must be taken to ensure that data which are inaccurate or incomplete are erased or rectified. Furthermore, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they were collected or are further processed.

24.

The EDPS welcomes that all Commission proposals (10) explicitly define the categories of personal data that will be processed in the framework of restrictive measures and explicitly regulate the processing of personal data relating to criminal offences, convictions and security measures.

25.

Against this background, the EDPS welcomes the principle laid down in paragraph 3, according to which the name and surname of the natural person's parents may be included in the Annex only when they are necessary in a specific case for the sole purpose of verification of the identity of the listed natural person in question. This provision well reflects also the data protection principle of purpose limitation, which lays down that personal data shall be collected for specified purposes and not further processed in a way incompatible with those purposes.

26.

In order to ensure that this principle is adequately specified and applied with regard to all processing of personal data in this area, the EDPS recommends explicitly applying this principle to all categories of data, by amending relevant articles in such a way that the Annex with the listed persons ‘shall only include the information necessary for the purpose of verification of the identity of the listed natural persons and in any case no more than the following information’. This amendment would allow avoiding the collection and the publication of unnecessary information about listed natural persons and about their families.

27.

Furthermore, the EDPS suggests that the proposals explicitly state that personal data will be deleted or made anonymous as soon as they are no longer necessary in each case for the implementation of the restrictive measures or for ongoing litigation before the Court of Justice.

28.

With regard to the obligation to keep personal data accurate and up to date, the current proposals take different approaches. The proposal on Somalia, mirroring the one on Al-Qaida, establishes that when the UN decides to de-list a person, the Commission should modify the EU list accordingly (Article 11.4). The proposal on the Democratic People's Republic of Korea instead establishes an obligation to review the EU list at regular intervals and at least every 12 months (Article 6.2). The other proposals do not refer to any of these mechanisms.

29.

Nonetheless, all the EU lists, irrespective of the country they target and of whether they are adopted directly at EU level or implement UN decisions, have to comply with the principle of data quality, which in the area of restrictive measures has a crucial importance. Indeed, as the Court of First Instance recently pointed out (11), when the restrictive measures are based on police and security enquiries, the developments in these enquiries — such as the closing of an investigation, the abandoning of prosecution or the acquittal in the criminal proceedings — should be duly taken into account when reviewing the lists, so as to avoid that a person's funds are frozen indefinitely, beyond review by any court and whatever the results of any judicial proceedings taken.

30.

Against this background, the EDPS recommends that effective mechanisms to de-list natural persons as well as to review EU lists at regular intervals, are implemented with regard to all current and future proposals in this area.

31.

In his opinion of 28 July 2009, the EDPS welcomed the intention of the Commission to enhance the respect of fundamental rights by providing the persons concerned with means to be informed about the reasons for inclusion in the lists as well as with an opportunity to express his or her views on the matter. The same kind of provision is now proposed with regard to Somalia (12) and Guinea (13), while with regard to Zimbabwe (14) the right to be informed about the reasons for inclusion and to state one's views is limited to those persons not linked with the government. The proposal on the Democratic Republic of Korea does not even mention this possibility.

32.

The EDPS recalls the obligation to provide information to the data subject pursuant to Article 11 and in particular Article 12 of Regulation (EC) No 45/2001, dealing with information to be supplied when the data have not been obtained from the data subject. These provisions have to be respected with regard to all individuals, irrespective of their nationality or their link with the government of a certain country. Of course, different modalities of providing information to the listed persons are available and may be adapted to the specific political context of the restrictive measures. Furthermore, restrictions or exceptions can be enacted pursuant to Article 20 of Regulation (EC) No 45/2001 (15) to the extent in which they are necessary in specific circumstances, but a blanket and unlimited exclusion of the obligation to provide information is not possible.

33.

Against this background, the EDPS recommends to address more explicitly in all current and future proposals in this area the right of information of the listed persons, as well as the conditions and the modalities of the restrictions which may be necessary.

34.

Article 8.2 of the EU Charter of Fundamental Rights states that ‘[e]veryone has the right of access to data which has been collected concerning him or her, and the right to have it rectified’, making the right of access one of the core elements of the fundamental right to the protection of personal data. In the same line, Article 13 of Regulation (EC) No 45/2001 grants the data subject the right to obtain, without constraint, at any time within three months from the receipt of the request and free of charge from the controller, inter alia, communication in an intelligible form of the data undergoing processing (see subparagraph (c)).

35.

In the area of restrictive measures, personal data concerning listed individuals, and notably those data relating to the reasons on the basis of which individuals are listed, are often contained in classified documents. With regard to these documents, all Commission proposals put forward identical provisions: firstly, it is stated that if the UN or a State submits classified information, the Commission must treat such information in accordance with the internal Commission provisions on security (Decision 2001/844/EC, ECSC, Euratom (16)) and, where relevant, agreements on the security of classified information concluded between the EU and the submitting State; secondly, it is specified that documents classified at a level corresponding to ‘EU Top Secret’, ‘EU Secret’ or ‘EU Confidential’ will not be released without the consent of the originator (17).

36.

The EDPS already analysed in details these provisions in his opinion of 28 July 2009 (18), and noted that neither the internal Commission rules on security nor the agreements with individual Member States or UN address the issue of the access by data subjects to personal data concerning them. Furthermore, even if restrictions of the right of access may well be envisaged in the area of restrictive measures, the current provisions do not ensure that a restriction only takes place when it is necessary and do not provide substantive criteria to assess its necessity. Indeed, according to the proposals, the right of access would be subject to an unconditional obligation to obtain the consent of the originator, which would leave a full discretion to the originator of the information, which includes parties which are not subject to EU law and EU standards of protection of fundamental rights.

37.

The negotiations in the Council have led to the deletion of this provision in the proposal on Al-Qaida.

38.

Against this background, the EDPS strongly recommends the legislator to address in the current and future proposals the essential issue of the right of listed individuals to have access — directly or indirectly through other authorities (19) — to the personal data concerning them contained in classified documents, subject to the proportionate restrictions that may be necessary in certain circumstances.

39.

The EDPS would also like to recall that Regulation (EC) No 45/2001 lays down other data subjects’ rights which the legislator may consider addressing in these or future proposals. In particular, Article 14 of Regulation (EC) No 45/2001 establishes an obligation for the controller to rectify without delay inaccurate or incomplete personal data, while Article 17 obliges to notify rectification or erasure of data — as in the case of de-listing — to third parties to whom data have been disclosed, unless this proves impossible or involves a disproportionate effort.

40.

Furthermore, the EDPS welcomes that all proposals envisage the explicit appointment of a unit of the European Commission as controller, thus enhancing the visibility of the controller and facilitating the exercise of data subjects’ rights as well as the allocation of responsibilities under Regulation (EC) No 45/2001.

41.

An important question, which is currently not explicitly addressed by the proposals but is implicit in the listing procedure, is ensuring that personal data are adequately protected when they are exchanged by the EU with third countries and international organisations, such as the United Nations.

42.

In this regard, the EDPS would like to draw attention to Article 9 of Regulation (EC) No 45/2001, which lays down the conditions for transfer of personal data to recipients, other than Community bodies, which are not subject to Directive 95/46/EC. A broad gamut of solutions is available, ranging from the consent of the data subject (paragraph 6(a)) and the exercise of legal claims (paragraph 6(d)) — which could be useful in case the information has been provided by the listed person with a view to trigger a review of the listing — to the existence within the UN or the relevant third country of mechanisms to ensure an adequate protection for personal data transmitted from the EU.

43.

The EDPS, recalling that the various processing activities envisaged should be in line with this system, recommends the legislator to ensure that adequate mechanisms and safeguards — such as specifications in the proposals as well as arrangements with the UN or other relevant third countries — are put in place with a view to ensure an adequate protection of personal data exchanged with third countries and international organisations.

44.

The EDPS considers that the issue of restrictions and limitations to certain fundamental rights, such as the protection of personal data, plays a crucial role in the area of restrictive measures, since they may be necessary in order to ensure the effective and proper enforcement of the restrictive measures.

45.

The European Convention of Human Rights, the EU Charter of Fundamental Rights as well as the specific legal instruments on data protection, including Article 20 of Regulation (EC) No 45/2001, allow this possibility, subject to certain conditions which have been reaffirmed and clarified both by the European Court of Human Rights and the European Court of Justice (20). In a nutshell, these restrictions to the fundamental right to data protection should be based on legislative measures and shall comply with a strict proportionality test, i.e. should be limited — both in their substance and in their application in time — to what is necessary to pursue the public interest at stake, as confirmed by the extensive case law of the Court of Justice, also in the area of restrictive measures. General, disproportionate or unforeseeable restrictions would not meet this test.

46.

For example, information to the persons concerned will need to be delayed, insofar as it is needed to preserve the ‘surprise effect’ of the decision to list this person and to freeze his or her assets. However, as the CFI pointed out in its case law (21), further refusing or delaying this information, even after the freezing, would be unnecessary and thus disproportionate. Proportionate and temporary restrictions to the right of access by listed persons to personal data concerning them — including information on the decisions on which the listing is based — may also be envisaged, but a blanket and permanent exclusion of this right would not respect the essence of the fundamental right to the protection of personal data.

47.

Regulation (EC) No 45/2001 already offers a legal framework allowing for both restrictions and safeguards. Paragraphs 3 and 4 of Article 20 contain rules relating to the application of a restriction. According to paragraph 3, the institution involved should inform the data subject of the principal reasons on which the restriction is based and of his or her right to have recourse to the EDPS. Paragraph 4 contains a further rule which relates specifically to a restriction of the right of access. It states that the EDPS, when investigating a complaint on the basis of the previous paragraph, shall only inform the data subject of whether the data have been processed correctly and if not, whether any necessary corrections have been made (22).

48.

All the current proposals address the issue of the restrictions to data protection rights only partly or implicitly, thus leaving room for conflicting norms and different possible interpretations that are likely to end up before the courts. The negotiations on the proposal on Al-Qaida seem to go in the direction of reducing the references to data protection rights and necessary restrictions.

49.

Against this background, the EDPS recommends the legislator to address this delicate issue, by clarifying in the current proposals or in another legal instrument the restrictions to data protection principles as well as the safeguards that may be necessary in the area of restrictive measures. This would make restrictions foreseeable and proportionate, thus ensuring at the same time the effectiveness of the restrictive measures, the respect of fundamental rights and the reduction of the litigation before the courts. Furthermore, this reflects the Stockholm Programme where it clearly states that the EU shall foresee and regulate the circumstances in which interference by public authorities with the exercise of data protection rights is justified (23).

50.

Pursuant to Article 32(4) of Regulation (EC) No 45/2001, as well as Article 23 of Directive 95/46/EC, any person who has suffered damage as a result of unlawful processing of data is entitled to receive compensation from the controller for the damage suffered, unless the controller proves that he is not responsible for the event giving rise to the damage. It is a specification of the general legal notion of liability, by a reversal of the burden of proof.

51.

In this perspective, restrictive measures are based on processing and publication of personal data, which in case of unlawfulness may by itself — irrespective of the restrictive measures taken — give rise to non-material damage, as already recognised by the CFI (24).

52.

The EDPS points out that this non-contractual liability for a processing of personal data in breach of applicable data protection law remains valid and cannot be deprived of its essential content, even if some of the current proposals (25) exclude liability, except in case of negligence, for those natural and legal persons implementing restrictive measures.

53.

Listed individuals have the right to judicial remedy as well as to administrative remedies before competent data protection supervisory authorities. The latter remedies include hearing complaints lodged by data subjects, pursuant to Article 32 of Regulation (EC) No 45/2001, and rely on the power of the EDPS to obtain from a controller or Community institution or body access to all personal data and to all information necessary for his enquiries (see Article 47(2)(b) of Regulation (EC) No 45/2001).

54.

Independent supervision of compliance with data protection rules is a cornerstone principle of data protection, now explicitly reaffirmed, with regard to processing of personal data carried out in all EU activities, not only by Article 8 of the EU Charter of Fundamental Rights, but also by Article 16 TFEU and Article 39 TEU.

55.

As already mentioned in his opinion of 28 July 2009 (26), the EDPS is concerned that the condition contained in the current proposals that classified information shall only be released with the consent of the originator may not only impinge on the supervisory powers of the EDPS in this area, but may also affect the effectiveness of the judicial review, by impinging on the ability of the ECJ to review whether a fair balance is struck between the need to combat international terrorism and the protection of fundamental rights. As stated by the CFI in its judgment of 4 December 2008, access to classified information can be necessary to enable the Court to do so (27).

56.

Against this background, the EDPS recommends that the current proposals ensure that the existing judicial remedies and independent supervision by data protection supervisory authorities are fully applicable and that their effectiveness is not prejudiced by the conditions imposed on the access to classified documents. In this respect, a first step would be replacing in relevant Articles of current proposals (28) the word ‘released’ with ‘publicly disclosed’.

57.

The EDPS firmly believes that fighting those who undermine the respect of fundamental rights shall be done through the respect of fundamental rights.

58.

In this perspective, as already done in his opinion of 28 July 2009 with regard to restrictive measures with regard to Al-Qaida, the EDPS welcomes the intention of the Commission to improve the current legal framework by enhancing the listing procedure and by taking explicitly into account the right to the protection of personal data.

59.

In the light of the tools offered by the Lisbon Treaty as well as of the long-term vision put forward by the Stockholm Programme, the EDPS highly recommends the Commission to abandon the current piecemeal approach — whereby specific, and sometimes different, rules on the processing of personal data are adopted for each country or organisation — and to propose a general and consistent framework for all targeted sanctions implemented by the EU against natural or legal persons, entities or bodies, which ensures the respect of fundamental rights of individuals concerned, and in particular the respect of the fundamental right to the protection of personal data. Necessary restrictions to these rights should be clearly laid down by law, be proportionate and in any case respect the essence of these rights.

60.

The EDPS welcomes the references in the current proposals to the applicability of Regulation (EC) No 45/2001, as well as to the data subjects’ rights stemming from it.

61.

With regard to data quality and purpose limitation, the EDPS recommends some amendments in order to ensure that only necessary data are processed, that these data are kept up to date and for no longer than necessary. In particular, the EDPS recommends that effective mechanisms to de-list natural persons as well as to review EU lists at regular intervals, are implemented with regard to all current and future proposals in this area.

62.

The EDPS recommends addressing more explicitly, in all current and future proposals in this area, the right of information of the listed persons, as well as the conditions and the modalities of the restrictions which may be necessary.

63.

The EDPS strongly recommends the legislator to address in the current and future proposals the essential issue of the right of listed individuals to have access to the personal data concerning them contained in classified documents, subject to the proportionate restrictions that may be necessary in certain circumstances.

64.

The EDPS recommends the legislator to ensure that adequate mechanisms and safeguards — such as specifications in the proposals, as well as arrangements with the UN or other relevant third countries — are put in place with a view to ensure an adequate protection of personal data exchanged with third countries and international organisations.

65.

The EDPS recommends the legislator to clarify in the current proposals or in another legal instrument the restrictions to data protection principles as well as the safeguards that may be necessary in the area of restrictive measures, with a view to making restrictions foreseeable and proportionate.

66.

The EDPS notes that the principle of liability for unlawful processing of personal data remains valid and cannot be deprived of its essential content.

67.

The EDPS recommends ensuring that the existing judicial remedies and independent supervision by data protection supervisory authorities are fully applicable and that their effectiveness is not prejudiced by the conditions imposed on the access to classified documents.