Accept Refuse

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 52007XX0428(02)

Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council amending Council Regulation (EC) No 515/97 on mutual assistance between administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters (COM(2006) 866 final)

OJ C 94, 28.4.2007, p. 3–11 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, NL, PL, PT, RO, SK, SL, FI, SV)

28.4.2007   

EN

Official Journal of the European Union

C 94/3


Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council amending Council Regulation (EC) No 515/97 on mutual assistance between administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters (COM(2006) 866 final)

(2007/C 94/02)

THE EUROPEAN DATA PROTECTION SUPERVISOR,

Having regard to the Treaty establishing the European Community, and in particular its Article 286,

Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1),

Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (2), and in particular its Article 41,

Having regard to the request for an opinion in accordance with Article 28 (2) of Regulation (EC) No 45/2001 received on 4 January 2007 from the Commission;

HAS ADOPTED THE FOLLOWING OPINION:

INTRODUCTION

1.

The goal of the Proposal for a Regulation of the European Parliament and the Council of 13 March amending Council Regulation (EC) No 515/97 on mutual assistance between administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters (3) (hereinafter ‘the Proposal’) is twofold. On the one hand, the Proposal aims to bring the existing Council Regulation (EC) No 515/97 in line with the new Community powers in the area of Community customs cooperation. On the other hand, the Proposal aims to strengthen the cooperation and information exchanges between Member States and between them and the Commission.

2.

To achieve its two objectives the Proposal inter alia, increases the functionalities of the existing Custom Information System (‘CIS’) and sets up an additional European Data Directory which will reflect the movements of containers and/or means of transport as well as the goods and persons concerned (‘European Data Directory’).

3.

Furthermore, the Proposal brings into Community law the Customs Files Identification Database (‘FIDE’), originally created by Member States pursuant to Title VI of the Treaty on European Union) (4). From now on, FIDE will fall both within the framework of European Community actions and under the third pillar, with the relevant legal instrument governing the functioning of FIDE in each situation. The same situation applies to CIS (5). In practice, this is achieved by setting up two databases, which are made available to different entities in order to ensure their use for different purposes (first and third pillar).

I.   Consultation with the European Data Protection Supervisor

4.

The Proposal was sent by the Commission to the European Data Protection Supervisor (‘EDPS’) for advice as foreseen in Article 28 (2) of Regulation 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (hereinafter ‘Regulation (EC) No 45/2001’). The EDPS received this request on 4 January 2007.

5.

In view of the mandatory character of Article 28 (2) of Regulation (EC) No 45/2001, a reference to this consultation exercise should be mentioned in the preamble of the Proposal, before the recitals. To this end, the EDPS suggests mirroring the language used by other legislative proposals to refer to EDPS Opinions (6), which reads as follows: ‘After consulting the European Data Protection Supervisor’.

II.   Importance of the Proposal from a Data Protection Perspective

6.

The creation and upgrading of the various instruments intended to strengthen Community cooperation, i.e. CIS, FIDES and the European Data Directory, entail an increase in the share of personal information that will be originally collected and further exchanged with Member States' administrative authorities and, in some cases, also with third countries. The personal information processed and further shared may include information relating to individuals' alleged or confirmed involvement in wrongdoing actions in the area of customs or agricultural operations. From this perspective, the Proposal has important effects as far as the protection of personal data is concerned. Furthermore, its importance is enhanced if one considers the type of data collected and shared, notably suspicions of individuals being engaged in wrongdoings, and the overall finality and outcome of the processing.

7.

In the light of the Proposal's effect on the protection of personal data, the EDPS considers relevant to issue the present Opinion analysing the impact of the Proposal on the protection of individuals' rights and freedoms with regard to the processing of personal data.

III.   Main Elements of the Proposal and Initial Comments

8.

The main elements of the Proposal which have significance from a data protection perspective are the following: (i) The creation of an European Data Directory (Articles 18a and 18b); (ii) the provisions updating the rules on CIS (Articles 23 to 37), and (iii) the rules setting forth FIDE as a Community database (Articles 41a to 41d). Also relevant are various provisions, including those dealing with supervision on data protection, which have been amended to take account of the adoption of Regulation (EC) No 45/2001 (Articles 37, 42, and 43).

9.

The EDPS recalls that his previous Opinion on the Proposal for a Regulation on mutual administrative assistance for the protection of the Community administrative against fraud and other illegal activities (7) pointed out the need to adapt some of the provisions of Council Regulation (EC) No 515/97 to bring it in line with the new data protection legislation applicable to EU institutions, namely the Regulation (EC) No 45/2001. The EDPS is therefore pleased by the Proposal's amendments in this direction.

10.

Furthermore, the EDPS is glad to see that the provisions setting forth the European Data Directory and those updating the rules on the CIS contain safeguards intended to ensure the protection of individuals' personal information and privacy. The EDPS also welcomes the decision to bring FIDES within the scope of Community law, hence under the coverage of Regulation (EC) No 45/2001.

11.

The EDPS understands the relevance of the goals pursued by the Proposal, namely to strengthen the cooperation both between Member States and between them and the Commission. He further recognises the need to set up or update existing instruments such as CIS and FIDE in order to meet these goals. Moreover, the EDPS is pleased to see that in carrying out this endeavour, the Proposal has included data protection safeguards that take into account current data protection legislation applying to EU institutions. However, the EDPS considers that there is room for improvement in order to ensure the Proposal's overall compatibility with the existing legal framework on data protection and the effective protection of individuals' personal data. Towards this end, the EDPS makes the comments and suggestions described in the next section.

ANALYSIS OF THE PROPOSAL

I.   Creation of the European Data Directory

12.

Pursuant to Article 18a1 of the Proposal the Commission will create and manage a European Data Directory with the purpose ‘(to) detect movements of goods that are the object of operations in potential breach of customs and agricultural legislation and means of transports’. The Commission will obtain most of the data from public or private service providers active in the international logistical chain or in the carriage of goods. The Directory may be enriched ‘from other data sources’ex Article 18a2 (b). Article 18a.3 lists the data that may be included in the Directory, including the list of personal data that is concerned (8). The Commission will make the data in the Directory available to the relevant authorities in Member States.

13.

The Proposal asserts that the creation of a Directory will be useful towards detecting operations presenting risk of irregularity in relation to customs and agricultural legislation. However, the EDPS considers that, as it should occur each time a central database containing personal data is created, the need for such a database must be properly and carefully assessed and when the database is established, specific safeguards have to be implemented in the light of the data protection principles. The reason being to avoid any developments which would unduly affect the protection of personal data.

14.

The EDPS considers that the Proposal does not provide sufficient arguments supporting the need for the creation of the Directory. In order to ensure that only truly needed databases are created, the EDPS calls upon the Commission to carry out a proper assessment of the necessity of the creation of the Directory and report about the its findings.

15.

As far as data protection safeguards are concerned, the EDPS notes that the Proposal provides for some safeguards, however, he considers that additional measures are necessary.

I.1.   Application of Regulation (EC) No 45/2001

16.

The EDPS notes that taking into account that the Commission will establish and manage the European Data Directory, and that the Directory will contain personal data, Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data certainly applies to the Directory. Hence, the Commission in its role of data controller of the Directory (9) must ensure compliance with all the provisions contained in this Regulation.

17.

Whereas in the light of the above, Regulation (EC) No 45/2001 applies per se to the creation and management of the Directory, for consistency reasons, the EDPS considers that it would be appropriate to include a new paragraph recalling its application. Indeed, the EDPS notes that Article 34 of the Proposal regarding the Custom Information System (CIS) and the Customs Files Identification Database (‘FIDE’) contains a provision recalling the application of Regulation (EC) No 45/2001. To be congruent with this approach, a similar provision should be included regarding the Directory. Accordingly, the EDPS suggests that Article 18.1 includes a new paragraph borrowing from the language used in Article 34 as follows: ‘The Commission shall regard the European Data Directory as a personal data processing system which is subject to Regulation (EC) No 45/2001’.

18.

The EDPS notes that Article18a.2(b) of the Proposal confirms the application of Regulation (EC) No 45/2001 for certain uses of the Directory, in particular when the Commission uses the Directory to ‘compare and contrast data … to index, to enrich …’. Unless there is a general statement confirming the application of Regulation (EC) No 45/2001 to the Directory as a whole, including the processing operations carried out from the establishment to the management of the Directory, any other activity/stage that is not explicitly mentioned by Article 18a.2 (b) may be deemed as not being covered by Regulation (EC) No 45/2001. This is an additional reason that supports the introduction of the language suggested above.

19.

The EDPS recalls that the Commission, in complying with Regulation (EC) No 45/2001, will be under obligation, among others, to inform individuals whose names are included in the Directory of this fact (10). In particular, it should be kept in mind that such a right exists even if the personal information input in the Directory was collected from public sources. Furthermore, taking into account the purpose of the Directory, the Commission will be bound by Article 27 of Regulation 45/2001, according to which the EDPS must prior check the system before it is implemented (11).

I.2.   Application of the national provisions implementing Directive 95/46/EC

20.

Under Article 18a2(c) of the Proposal, the Commission is empowered to make data available to the Member States' relevant authorities. The EDPS notes that whereas such a transfer is governed by Regulation (EC) No 45/2001, subsequent uses of the data by Member States' authorities will be covered by Directive 95/46/EC. Whereas Article 18a2(c) seems to intend to convey this concept, as further described below, its language could be improved to express this notion more clearly.

21.

Article 18a.2(c) states: ‘In clarmanaging that directory, the Commission is empowered: (c) to make the data in this directory available to the relevant authorities referred to in Article 1(1) for the sole purpose of achieving the objectives of this Regulation and in full compliance with national provisions implementing Directive 95/46/EC’. In the EDPS view, Article 18a.2(c) does not properly reflect the notion that further uses of the personal data by Member States' authorities are regulated by national provisions implementing Directive 95/46/EC. To provide more clarity on this point, the EDPS considers that the final part of Article 18a.2(c) should be amended as follows: ‘… for the sole purpose of achieving the objectives of this Regulation. Subsequent uses of the personal data by those authorities are subject to national provisions implementing Directive 95/46/EC’. In any case, such further use at the national level will have to be compatible with the purpose for which the data are made available by the Commission, unless special conditions are fulfilled (see Article 6.1.b and Article 13.1 of Directive 95/46/EC).

I.3.   Additional Comments

22.

The EDPS supports the approach taken in Article 18.4 of the Proposal to restrict within the Commission the departments empowered to process personal data contained in the European Data Directory. This is in line with Article 22 of Regulation (EC) No 45/2001 which requires data controllers, inter alia, to implement technical and organisational measures, such as ensuring that information is available on a ‘need to know ’basis, to ensure an appropriate level of security of the data.

23.

The last paragraph of Article 18.4 establishes that personal data not necessary for the purposes for which it was collected should have identifying factors removed. It goes on to say that in any event data may not be stored for more than one year. The EDPS welcomes the obligation which is in line with Article 4.1.e of the Regulation which specifies that personal data may be kept in a form which permits identification of the data subjects for no longer than is necessary for the purpose for which the data were collected or further processed.

24.

As required under Article 22 of Regulation (EC) No 45/2001, the Directory must be adequately protected. Ensuring that an optimal security level for the Directory is respected constitutes a fundamental requirement for the protection of personal data stored in the database. Whereas the provisions that regulate the Customs Information System foresee the implementation of specific security measures, the Proposal is silent as far as the European Data Directory is concerned. The EDPS considers that security matters regarding this Directory should be subject to complementary administrative rules setting forth specific measures to ensure the confidentiality of the information. In adopting these rules, the EDPS should be consulted.

II.   Amendments to the Provisions on the Customs Information System (CIS)

25.

Articles 23 to 41 of Council Regulation (EC) No 515/97 set forth the provisions establishing the Custom Information System, a database managed by the Commission, available to Member States and to the Commission, intended to assist them in preventing, investigating and prosecuting operations that breach custom or agricultural legislation.

II.1.   Broadening the possible uses of the personal data stored in CIS

26.

The Proposal has amended some of the initial provisions establishing the operation and use of CIS. In particular, Article 25 has enlarged the categories of personal data that may be stored in CIS and Article 27 has broadened the list of possible uses of the personal data stored in CIS to include operational analysis enabling, among others, ‘to evaluate the reliability of the information source and the information itself’, ‘to formulate observations, recommendations (…) to detect operations and or identify natural or legal persons’. Furthermore, Article 35.3 opens the possibility to copy the content of CIS into other data processing systems to engage in ‘systems of risk management used to direct national customs controls or in an operational analysis system used to direct coordination actions at community level’.

27.

According to the Proposal, the additional uses outlined above are necessary to assist the detection and prosecution of operations in breach of customs and agricultural legislation. Although the EDPS does not challenge that such needs exist, he considers that the Commission's Proposal should have given more comprehensive information and sound reasons supporting such a need.

28.

The EDPS is glad to see that the above amendments have been accompanied by data protection safeguards. Indeed, the Proposal has kept a closed list of personal data that may be included in CIS (ex Articles 25.1), which can only be included if there is ‘real evidence’that the person has carried out or is about to carry out the wrongdoings (ex Article 27.2). In addition, ex Article 25.3., no sensitive data (12) can be entered in CIS. Furthermore, Article 35.3 has restricted the individuals empowered to copy the content of CIS for the purposes established in the same article and limited the time to retain data copied from CIS. These measures are in line with the data quality principle set forth in Article 4 of Regulation (EC) No 45/2001.

II.2.   Scope of application of Regulation (EC) No 45/2001

29.

Article 34 of the Proposal has taken into account the adoption of Regulation (EC) No 45/2001 which applies to the processing of personal data by Community institutions and bodies. Accordingly, it requires the Commission to consider that Regulation (EC) No 45/2001 applies to CIS. The EDPS confirms that taking into account that CIS contains personal data and that the Commission has access to the database regarding which it has a role of data controller, Regulation (EC) No 45/2001 certainly applies to it. Accordingly, the EDPS welcomes this amendment which reflects the current legal framework on data protection.

30.

The EDPS reminds that as a result of the application of Article 27 of Regulation (EC) No 45/2001, and taking into account that the purposes of CIS may be deemed to present specific risks to the rights and freedoms of data subject, the EDPS must prior check the system.

31.

In addition to the application of Regulation (EC) No 45/2001, Article 34 the Proposal maintains the simultaneous application of the national provisions implementing Directive 95/46/EC. The EDPS considers this to be the correct approach insofar as Member States' authorities have access to CIS as well as the competence to include and further process the data included in the CIS. In sum, the EDPS considers that control for CIS is shared between the Commission and Member States which act as co-controllers of CIS data.

II.3.   EDPS as supervisor of CIS together with national data protection authorities

32.

As a result of the application of Regulation (EC) No 45/2001, the European Data Protection Supervisor is responsible for ensuring the application of the Regulation as far as CIS is concerned. Whereas some of the Articles of the Proposal reflect the EDPS' competences, some do not. In particular, the EDPS regrets that some of the sections of Article 37 dealing with supervision have not been amended accordingly and calls upon the legislators to introduce the amendments described below.

33.

The EDPS notes that Article 37.1 explicitly recognises Member State authorities' competences for the supervision of CIS. However, Article 37.1 does not mention similar EDPS competences under Regulation (EC) No 45/2001. This problem is further emphasized in Article 37.3 which has not been amended by the Proposal. Article 37.3 says ‘The Commission shall take every step within its departments to ensure personal data protection supervision which offers safeguards of a level equivalent to that resulting from paragraph 1…’. In other words, Article 37.1 entrusts the data protection supervision to ‘the Commission’. Evidently, this Article should have been amended to reflect the new EDPS supervisory role. As it stands now, Article 37.3 does not make any sense. To remedy this problem, Article 37.3 should be amended to state that ‘The European Data Protection Supervisor will supervise CIS compliance with Regulation (EC) No 45/2001’.

34.

Furthermore, since CIS is governed not only by Regulation (EC) No 45/2001 but also by the national provisions implementing Directive 95/46/EC, the supervision of CIS falls upon both the EDPS and national data protection authorities. Finally, the supervision activities of the national supervisory authorities and the EDPS should be coordinated to a certain extent, in order to ensure a sufficient level of consistency and overall effectiveness. As stated in previous opinions of the EDPS regarding databases under the supervision of the EU Member States and the EDPS ‘there is a need for a harmonized implementation of the Regulation and for working towards a common approach of common problems’ (13).

35.

Unfortunately, the Proposal does not provide for a coordination procedure in order to structure and enhance the cooperation between the EDPS and national data protection authorities. To remedy this problem, the EDPS mentions as a first option including a new section in Article 37, which deals with data protection supervision, establishing that ‘The EDPS shall convene a meeting with all national supervisory authorities, at least once a year, to address CIS related supervision issues. The members of national data protection authorities and the EDPS shall be referred to as the supervisory authorities’.

36.

A better solution to reflect the layered approach to supervision, as mentioned before, would be to split the provisions on supervision (Article 37) into several provisions, each of them dedicated to a level of supervision, as it has been properly done in the recently adopted legal instruments establishing the Schengen Information System (SIS II). In particular, Articles 44 to 46 of Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (14) provide for a well-balanced system of supervision shared between national and European level, with coordination of the two. The EDPS strongly suggests providing for the same system of supervision (with some slight adjustments) for the CIS. Indeed, CIS and SIS II are to a large extent comparable as far as the structure of supervision is concerned.

37.

Article 43.5 foresees that an ad hoc formation of the committee referred to under Article 43.1 (hereinafter ‘ad hoc formation committee’) will meet periodically to examine CIS related data protection problems. The EDPS considers that this ad hoc formation committee should not be considered as the appropriate body to exercise the supervision of CIS, as this competence lies uniquely on the national Member States authorities and the EDPS. The ad hoc formation set forth under Article 43.5 is in fact a ‘comitology ’committee.

38.

However, EDPS considers that the ad hoc formation committee is an appropriate forum to examine data protection problems connected with the operation of the CIS. To this end, the EDPS suggests rephrasing Article 43.5 in order to reflect the tasks and role of the ad hoc formation committee under Article 43.5 as follows: ‘The committee together with the supervisory group referred to under Article … shall examine all problems with the operation of the CIS which are encountered by the supervisory authorities. The Committee shall meet in its ad hoc formation at least once a year’.

39.

The EDPS also wants to draw the attention of the legislator to another characteristic shared by the CIS and SIS II systems: they operate both under First and Third Pillars, which entails the existence of two distinct legal bases for each system. The Third Pillar CIS is governed by the Convention mentioned under point 3 of this opinion. This has a number of consequences, amongst which the structure of the supervision: the First Pillar part of CIS will be supervised by the EDPS and national data protection authorities, while the Third Pillar part is supervised by a Joint Supervisory Authority (composed by representatives of the same national authorities). This constitutes a rather cumbersome system of supervision, which may lead to inconsistencies and not be very effective. This illustrates the difficulties of a complex legal environment such as this one.

40.

It is worth noting that in the framework of the SIS II, the European legislator has opted for a rationalisation of the supervision model, by applying the same layered model as described above in both the First and Third Pillar environments of the system. This is an approach, certainly worth considering, and the EDPS recommends examining further the opportunities it would present for a better and more consistent supervision.

II.4.   Rights of individuals

41.

The data protection rights of individuals under the Proposal, particularly the right of access, are regulated in Articles 36 and 37 which have been partially modified by the Proposal. The EDPS would like to address the following three issues related to the right of access: (i) The applicable law ex Article 36.1; (ii) the limits to the right of access ex Article 36.2 and, (iii) the procedure for individuals to submit access requests ex Article 37.2 of the Proposal.

42.

The applicable law : Article 36.1 which has been left untouched by the Proposal recognises en passage the application of individuals' data protection rights and provides that the right of access will be governed by Member States' laws or the data protection rules applicable to the Commission depending on whether such rights have been invoked respectively in Member States or within the EU institutions. This criterion reflects what was said above regarding Article 34 of the Proposal, namely, that both the Commission and Member States are co-controllers of CIS. The EDPS agrees with this approach and is glad that the Proposal has maintained the language of Article 36.1. It is clear in any case that this provision implicitly refers to the relevant national law implementing Directive 95/46/EC or Regulation (EC) No 45/2001. The applicable law in each case will depend on where the rights are exercised.

43.

The limits to the right of access: The second paragraph of Article 36.2 establishes that ‘access shall be denied during the period when sighting, reporting operations analysis or investigation is ongoing’. For the reasons outlined below, the EDPS would favour an amendment that reads ‘access may be denied ’(as opposed to ‘access shall be denied’).

44.

Under Regulation (EC) No 45/2001, as a matter of general principle, individuals are entitled to exercise the right of access to their personal data. However, Article 20 of Regulation (EC) No 45/2001 recognises that such a right can be restricted if one of the specific conditions justifying a restriction applies. In other words, individuals have the right of access in principle, but such access can be restricted. Conversely, the language of Article 36.2 ‘access shall be denied’gives no room for assessment on whether access can be granted or not. It basically means that individuals have no such right for a certain period of time. There is no reason why the general approach of Regulation (EC) No 45/2001 would not work for this situation, particularly if Article 20 would enable restriction of access rights during the period foreseen by Article 36.2. Indeed, if the Commission wished to deny access, it could avail itself of Article 20 according to which access can be denied to safeguard the investigation.

45.

The EDPS considers that the Proposal should be formulated in the same approach as Regulation (EC) No 45/2001. The opposite would be in contradiction with the general framework that foresees the right of access under Regulation (EC) No 45/2001. The problem could be solved simply by replacing the word ‘shall ’by ‘may’.

46.

The procedure for individuals to make access requests : The Proposal has amended the old Article 37.2 of Regulation (EC) No 515/97 which dealt with the procedure to launch access requests to obtain information as to whether CIS contained personal information related to an individual. The new Article 37.2 recognises the possibility for individuals to launch access requests with the European Data Protection Supervisor as well as with the national supervisory authorities, depending on whether the data were included in the CIS by the Commission or a Member State.

47.

The EDPS welcomes that this amendment brings the procedure more in line with the current legal framework on data protection. However, for the following reasons, the EDPS considers that the competence of Member States or the Commission should not be dependent on the entity that has introduced the information in CIS. In the first place, the EDPS notes that individuals will most likely not be aware of the entity that has introduced the information in CIS, whether the Commission or a Member State. Accordingly, they will not know which entity is competent to deal with their access request. The procedure to request access will become cumbersome, if individuals are obliged to first ascertain who introduced the data. In the second place, the EDPS considers that this provision contradicts the criterion chosen by Article 36.1 according to which the right of access will be governed by Member States' laws or the data protection rules applicable to the Commission, depending on whether such rights have been invoked in Member States or within EU institutions respectively. Thus, if only for consistency with Article 36, the competence for access requests should depend on whether such access has been invoked with national supervisory authorities or with the EDPS.

48.

In order to solve this problem, the sentence ‘depending whether the data were included in the CIS by a Member State or the Commission’should be replaced by ‘depending whether the rights have been invoked with the national supervisory authorities or with the EDPS’. Also, if this approach is taken, the sentence of paragraph 37.2 that follows makes full sense: ‘If the data were included by another Member State or by the Commission, they shall be checked in close cooperation with the national supervisory authority of that other Member State or with the European Data Protection Supervisor’.

II.5.   Exchanges of Data

49.

The Proposal does not add new elements as far as exchanges of personal data with third countries' authorities are concerned. This matter is addressed in Article 30.4 of the Proposal. The EDPS considers that this article should have been amended to refer to the need for the Commission (not only Member States) to take special measures to ensure the security of the data when they are transmitted or supplied to departments located in third countries. In addition, Article 30.4 should be amended to ensure compliance with legislation applicable to the transfer of personal data to third countries.

III.   Customs Files Identification Database (‘FIDE’)

50.

Articles 41a, b, c and d of the Proposal set forth the rules for the operation of the Customs Files Identification Database. FIDE enables competent authorities to check whether a person or a business has been the subject of a criminal investigation in any Member State.

51.

FIDE already exists as a tool used by Member States under the third pillar (15). Thus, the purpose of Article 41 is to provide a legal basis for the Community FIDE, which the EDPS welcomes.

52.

Because all the provisions of the Proposal that apply to CIS, also apply to FIDE ex Article 41a, the comments made under section II above apply mutatis mutandis to FIDE.

III.1.   Application of Regulation (EC) No 45/2001

53.

The EDPS notes that taking into account that the Commission is competent to process the data contained in FIDE, it should be clear that Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data applies to FIDES. The EDPS considers that it would be appropriate for Article 41 to recall the application of Regulation (EC) No 45/2001 to FIDE and the EDPS supervisory competences to monitor and ensure compliance with the provisions of the Regulation.

54.

The EDPS reminds that as a result of the application of Article 27 of Regulation EC) No 45/2001, and taking into account the purposes of FIDES and the nature of the data included, it may be deemed to present specific risks to the rights and freedoms of the data subject, and thus, the EDPS must prior check the system.

III.2.   Data retention

55.

Article 41d sets forth specific data retention periods. The EDPS considers that the time limits foreseen by Article 41d are reasonable.

56.

It is uncertain how this provision relates to Article 33, regarding CIS. Supposedly, 41d takes priority over the provision on the same subject that deals with CIS, but this is not explicitly mentioned in the Proposal. A provision clarifying this point would be useful.

III.3.   Update of information registered in FIDE

57.

The data quality principle ex Article 4 of Regulation (EC) No 45/2001 requires personal data to be adequate, relevant and not excessive in relation to the purpose for which they are collected. It is clear that the quality of the personal data can only be ensured if its accuracy is regularly and properly checked. The EDPS also welcomes the provision of Article 41d requiring files to be immediately deleted as soon as a person is cleared of suspicion under the laws, regulations and procedures of the supplier Member State.

58.

On the other hand, in order to ensure that data not needed does not remain in FIDE, the EDPS suggest applying to FIDE some of the data retention rules defined for CIS under Article 33. Particularly, the EDPS suggests applying to FIDE the provisions of Article 33.1 according to which the need for the retention of data should be reviewed annually by the supplying partner. To this end, the EDPS suggests the following language to be inserted after Article 41d.2: ‘The need for the retention of data shall be reviewed at least annually by the supplying Member State’.

CONCLUSIONS

59.

The EDPS welcomes being consulted on the Proposal, which foresees the creation or updating of various systems containing personal data: European Data Directory, Custom Information System (CIS) and Customs Files Identification Database (FIDE) in order to strengthen the cooperation and information exchanges both between Member States and between them and the Commission.

60.

On the substance , the EDPS concludes:

The Proposal does not provide sufficient arguments supporting the need for the creation of the European Data Directory. The EDPS calls upon the Commission to carry out a proper assessment of the necessity of the creation of the Directory and report about its findings.

A new paragraph should be inserted in Article 18a.1 recalling the application of Regulation (EC) No 45/2001 to the European Data Directory, along the following lines: ‘The Commission shall regard the European Data Directory as a personal data processing system which is subject to Regulation (EC) No 45/2001’.

It should be clarified that national provisions implementing Directive 95/46/EC apply to uses of the European Data Directory carried out by Member States, the EDPS suggests a modification of Article 18a2(c) as follows: ‘In managing that directory, the Commission is empowered: (c) to make the data in this directory available to the relevant authorities referred to in Article 1(1) for the sole purpose of achieving the objectives of this Regulation. Subsequent uses of the personal data by those authorities are subject to national provisions implementing Directive 95/46/EC’.

The Proposal is silent as far as security measures of the European Data Directory are concerned. The EDPS considers that it would be appropriate to add a new paragraph to Article 18a2 providing for the adoption of complementary administrative rules setting forth specific measures to ensure the confidentiality of the information. In adopting these rules, the EDPS should be consulted.

The Proposal fails to completely recognise the EDPS supervisory role as to the Custom Information System (CIS). To solve this problem, Article 37.3 should be amended to state that ‘The European Data Protection Supervisor will supervise CIS compliance with Regulation (EC) No 45/2001’.

The supervision activities of the national supervisory authorities and the EDPS should be coordinated to a certain extent, in order to ensure a sufficient level of consistency and overall effectiveness in CIS supervision. To this end, the EDPS suggests as a first option including a new section in Article 37, establishing that ‘The EDPS shall convene a meeting with all national supervisory authorities, at least once a year, to address CIS related supervision issues. The members of national data protection authorities and EDPS shall be referred to as supervisory authorities’. However, a better solution would be to follow the more developed model recently adopted for the second generation Schengen Information System (SIS II). In line with this approach in each case, Article 43.5 should also be amended as follows: ‘The committee together with the supervisory group referred to in Article … shall examine all problems with the operation of the CIS which are encountered by the supervisory authorities referred to in Article 37. The Committee shall meet in its ad hoc formation at least once a year’.

Under Article 36.2, second paragraph concerning access to personal data stored in CIS, ‘access shall be denied during the period when sighting, reporting operations analysis or investigation is ongoing’. To ensure consistency with Regulation (EC) No 45/2001 the EDPS would favour an amendment which would read ‘access may be denied’.

Regarding the procedure to request access, whether access must be requested with the EDPS or with national supervisory authorities, the EDPS considers that the proposed system ex Article 37.2 whereby the competent authority depends on whether the data were included in the CIS by a Member State or the Commission, to be very cumbersome. It would also contradict other articles of the Proposal. In order to solve this problem, the sentence ‘depending whether the data were included in the CIS by a Member State or the Commission’of Article 37.2 should be replaced by ‘depending whether the rights have been invoked with the national supervisory authorities or with the EDPS’.

The EDPS considers that it would be appropriate for Article 41a to recall the application of Regulation (EC) No 45/2001 to the Customs Files Identification Directory (FIDE) and the EDPS supervisory competences to monitor and ensure compliance with the provisions of the Regulation.

61.

To ensure that personal data not needed is purged from FIDE, the EDPS suggest the following language to be inserted after Article 41d.2: ‘The need for the retention of data shall be reviewed at least annually by the supplying Member State’.

62.

As to procedure , the EDPS:

recommends that an explicit reference to this Opinion is made in the preamble of the Proposal as follows: ‘After consulting the European Data Protection Supervisor’.

reminds that, as the processing operations of the European Data Directory, CIS, and FIDE present specific risks to the rights and freedoms of data subject, because of the purpose of the database and the nature of the data, in accordance with Article 27 of Regulation EC) No 45/2001, the EDPS must prior check the three systems.

Done at Brussels on 22 February 2007

Peter HUSTINX

European Data Protection Supervisor


(1)  OJ L 281, 23.11.1995, p. 31.

(2)  OJ L 8, 12.1.2001, p. 1.

(3)  OJ L 82, 22.3.1997, p. 1.

(4)  Protocol established in accordance with Article 34 of the Treaty on European Union, amending, as regards the creation of a customs files identification database, the Convention on the use of information technology for customs purposes, CIS Convention The Protocol was adopted by Council Act of 8 May 2003 (OJ C 139, 13.6.2003, p. 2).

(5)  The legal bases for the inter-governmental database is the CIS Convention, Convention drawn up on the basis of Article K.3 of the Treat of the European Union, on the use of information technology for customs purposes, OJ C 316, 27.11.1995, p. 34.

(6)  See Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 1073/1999 concerning investigations conducted by the European Anti Fraud Office (OLAF) {SEC(2006) 638 } /* COM/2006/0244 final — COD 2006/0084.

(7)  Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council on mutual administrative assistance for the protection of the financial interest o the Community against fraud and any other illegal activities (COM (2004) 509 final of 20 July 2004), (OJ C 301, 7.12.2004, p.4).

(8)  Article 18.3. (c) Limits the data to no more than ‘the name, maiden name, forenames, aliases, data and place of birth, nationality, sex and address of the owners, shippers, consignees, transit agents, carriers and other intermediaries or persons involved in the international logistical chain and carriage of goods’.

(9)  Data controllers are the people or bodies which determine the purposes and the means of the data processing, both in the public and in the private sector.

(10)  Unless the service providers that transfer the information to the Commission have already informed individuals thereto, in accordance with the national provisions implementing Directive 95/46/EC of 24 October 1995.

(11)  Data processing operations that are subject to prior check by the EDPS include those listed under Article 27 of Regulation 45/2001, including processing of data relating to health and to suspected offences, offences, criminal convictions or security measures; (b) processing operations intended to evaluate personal aspects relating to the data subject, including his or her ability, efficiency and conduct; (c) processing operations allowing linkages not provided for pursuant to national or Community legislation between data processed for different purposes; (d) processing operations for the purpose of excluding individuals from a right, benefit or contract.

(12)  Data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs trade union membership, data concerning health or sexual preference.

(13)  Opinion of 19 October 2005 on three Proposals regarding the Second Generation Schengen Information System (SIS II) (COM (2005)230 final, COM (2005)236 final and COM (2005)237 final), OJ C 91, 19.04.2006, p. 38; Opinion of 23 March 2005 on the Proposal for a Regulation of the European Parliament and of the Council concerning the Visa Information System (VIS) and the exchange of data between Member States on short stay-visas, OJ C 181, 23.7.2005, p. 13

(14)  OJ L 381, 28.12.2006, p. 4–23

(15)  Created by the Council Act of 8 May 2003 drawing up the Protocol amending the Convention on the use of information technology for customs purposes


Top