20.4.2010 |
EN |
Official Journal of the European Union |
C 101/1 |
Opinion of the European Data Protection Supervisor on the proposal for a Council Directive on administrative cooperation in the field of taxation
2010/C 101/01
THE EUROPEAN DATA PROTECTION SUPERVISOR,
Having regard to the Treaty on the Functioning of the European Union, and in particular its Article 16,
Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1),
Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular its Article 41 (2),
HAS ADOPTED THE FOLLOWING OPINION:
I. INTRODUCTION
1. |
On 2 February 2009, the Commission adopted a proposal for a Council Directive on administrative cooperation in the field of taxation (3). The proposed Council Directive is intended to replace Council Directive 77/799/EEC concerning mutual assistance by the competent authorities of the Member States in the field of direct taxation. (4) |
2. |
After the entry into force of the Treaty of Lisbon on 1 December 2009, the legal bases of the proposal are Articles 113 and 115 of the TFEU (5). Decisions on these legal bases are adopted in accordance with a special legislative procedure. This implies that the Council decides by unanimity on a proposal of the Commission and after the European Parliament and the European Economic and Social Committee have been consulted. |
3. |
The EDPS has not been consulted as required by Article 28(2) of Regulation (EC) No 45/2001. The current opinion is therefore based on Article 41(2) of the same Regulation. The EDPS recommends that a reference to this opinion is included in the preamble of the proposal. |
4. |
Improving the exchange of information, which in most cases constitutes information (also) relating to natural persons, is one of the main purposes of the proposal. The EDPS is aware of the importance of enhancing the effectiveness of administrative cooperation between Member States in the field of taxation. The EDPS furthermore sees the advantages and need to share information, but wishes to underline that the processing of such data must be in conformity with the EU rules on data protection. |
5. |
Situations which involve the trans-border exchange of personal data within the EU deserve special attention since they imply an increase in scale of the data processing which necessarily leads to bigger risks for the rights and interests of natural persons involved, since — in any event — the same personal data are processed in more than one jurisdiction. It implies greater efforts to ensure compliance with the requirements stemming from EU legislation on data protection. It furthermore leads to legal uncertainty for the data subjects: actors from all other Member States may be involved, national laws of these other Member States might be applicable and might differ slightly from the laws data subjects are used to, or apply in a legal system which is unfamiliar to the data subject. In a cross border context, the responsibilities of the different actors must be clearly addressed, also to facilitate supervision by the competent authorities, as well as judicial control, in different contexts. |
6. |
Unfortunately, the EDPS has only recently become aware of the current proposal. This can be explained by the fact that awareness of data protection requirements in relation to taxation matters is still in its initial phase. The EDPS sees signs that this awareness is increasing, but emphasises that much more can and must be achieved in this respect. |
7. |
The current proposal is a clear example of a lack of data protection awareness since the issue of data protection has almost completely been ignored. Consequently, the proposal contains several elements which do not comply with the applicable data protection requirements. |
8. |
The EDPS is aware of the fact that the procedure in the European Parliament has nearly reached its final stage at Committee level. However, because of the failure to properly address the data protection impact of the proposed cooperation, the EDPS still considers it necessary to present his view on the matter. The EDPS expresses the wish that the comments set out in this opinion will still be taken into account and will foster the system of administrative cooperation to be developed in a way which respects the right to data protection of the European citizens (6). |
II. EU COOPERATION IN THE FIELD OF TAXATION
II.1. Context and scope of the proposal
9. |
As said, the current proposal intends to replace Directive 77/799/EEC. This Directive, adopted on 19 December 1977, deals with exchange of information about taxes on income and capital. |
10. |
Initially, administrative cooperation relating to VAT and excise duties were part of the scope of Directive 77/799/EEC. However, since 7 October 2003 and 16 November 2004 respectively, these subjects are dealt with in separate legal instruments, namely Regulation (EC) No 1798/2003 and Regulation (EC) No 2073/2004 (7). A proposal to recast Regulation (EC) No 1798/2003 was published by the Commission on 18 August 2009 (8). The EDPS presented an opinion on this proposal on 30 October 2009 (9). |
11. |
The Commission proposes to broaden the scope of the new Directive from taxes on income and capital to all indirect taxes. VAT and excise duties remain excluded from the scope. The proposal yet intends to align cooperation on the basis of the new Directive with the cooperation in these two specific areas. Part of the comments set out in part III of this opinion will therefore resemble the ones made in the opinion of 30 October 2009. |
II.2. Substance of the proposal
12. |
After a first chapter containing several general provisions, Chapter II of the proposal deals with the exchange of information between Member States. This is done through liaison offices of competent authorities which are designated by each Member State for the application of the Directive. Information can be exchanged upon request, automatically or spontaneously. |
13. |
Chapter III of the proposal contains provisions on other forms of administrative cooperation than exchange of information, such as simultaneous controls, administrative notification and sharing of best practices and experience. Chapter IV sets out the conditions which govern administrative cooperation. It contains provisions on disclosure of information and documents to other authorities, on requirements for good cooperation, on standard forms and computerised formats and on the use of the common communication network/common system interface (CCN network). |
14. |
Chapter V contains a provision on the evaluation of the administrative cooperation and Chapter VI deals with the exchange of information with third countries. The final Chapter VII introduces a Comitology procedure for the adoption of more detailed rules. |
III. DETAILED ANALYSIS OF THE PROPOSAL
III.1. Applicable data protection rules
15. |
In the data protection legislation, ‘personal data’ is broadly defined as ‘any information relating to an identified or identifiable natural person’ (10). It is clear that under the proposed Directive personal data will be processed and exchanged by the competent authorities of the different Member States. In such a situation, the national rules implementing Directive 95/46/EC are applicable and should be complied with. Although this goes without saying, for the sake of clarity, the EDPS urges the legislator to include a reference to Directive 95/46/EC at least in the recitals of the current proposal and preferably in a substantive provision as well, stating that the provisions of the Directive are without prejudice to the national rules which implement Directive 95/46/EC. |
16. |
Although the Commission is not directly involved in the data exchange between the competent authorities, the proposed Directive shows that the Commission will in certain circumstances process personal data on the basis of the Directive. According to Article 20(2) of the proposal, the Commission is responsible for ‘whatever development of the CCN network necessary to permit the exchange of this information between Member States’. As becomes clear from Article 20(3) this responsibility may under certain conditions involve access to the information which is exchanged through the system. |
17. |
It is not excluded that other provisions imply the processing of personal data by the Commission as well. Article 22, for instance, states that the Commission will receive ‘any relevant information’ necessary for the evaluation of the effectiveness of administrative cooperation in accordance with the Directive. The Commission will furthermore receive ‘statistical data’, a list of which shall be adopted following the comitology procedure laid down in Article 24 of the proposal. |
18. |
In case the Commission is processing personal data, it is bound by the data protection rules applicable to EU institutions and bodies which are laid down in Regulation (EC) No 45/2001 and subject to the supervision of the EDPS (11). For the sake of clarity and in order to prevent any doubt on the applicability of Regulation (EC) No 45/2001, the EDPS urges the legislator to include a reference to the Regulation at least in the recitals of the proposed Directive and preferably in a substantive provision as well stating that the Commission, when it processes personal data on the basis of the Directive, is bound by the provisions of Regulation (EC) No 45/2001. |
19. |
If personal data are processed, Article 16 and 17 of Directive 95/46/EC and Article 21 and 22 of Regulation (EC) No 45/2001 require that the confidentiality and security of the data processing is ensured. It is not stated in so many words in the just cited Article 20 whether the Commission is responsible for the maintenance and security of the CCN network (12). In order to avoid doubts about the responsibility for ensuring such confidentiality and security, the EDPS urges the legislator to define more clearly the responsibility of the Commission in this respect, to emphasise the obligations of the Member States and to put this all in the light of requirements stemming from Directive 95/46/EC and Regulation (EC) No 45/2001. |
III.2. Purpose limitation, necessity and data quality
20. |
A basic requirement of data protection law is that information must be processed for specified, explicit and legitimate purposes and that it may not be further processed in a way incompatible with those purposes (13). The data used to achieve the purposes should furthermore be necessary and should be adequate, relevant and not excessive in relation to the purpose (14). After an analysis of the proposed Directive, the EDPS draws the conclusion that the system of exchange of information set out in the Directive, taken as a whole, does not meet these requirements. |
21. |
As regards the purpose limitation, Article 5(1) of the proposal, which deals with the exchange of information upon request, refers to exchange of information which may be relevant for the ‘correct assessment of taxes’ referred to in Article 2. Article 2 sets out the scope of the Directive by stating to which taxes the Directive applies. The EDPS takes the view that the correct assessment of the taxes referred to is not sufficiently precise. On top of that, the Article does not indicate the need to assess the necessity of the exchange of information. |
22. |
Article 5(1) furthermore fails to specify or put a limit to the kind of data that can be exchanged. It refers, as just quoted, to ‘information which may be relevant’ for the correct assessment of the taxes mentioned. According to Article 5(1), this information includes ‘any information relating to a specific case or cases’. Article 17(1) of the proposal emphasises that such information also includes information the requested Member State does not need for its own tax purposes. Article 5(2) furthermore obliges the requested authority to communicate to the requesting authority any relevant information it has in its possession or it obtains as a result of administrative enquiries. Also Article 9 of the proposal, which deals with the spontaneous exchange of information, speaks about the exchange of ‘any information’ to which is added ‘as referred to in Article 1’. Article 1, however, does not provide any relevant clarification. The use of broad notions in Articles 5, 9 and 17 seems to encourage an exchange of data which is excessive in relation to the purposes and therefore contrary to the data quality principle. |
23. |
Article 8 of the proposal makes it possible to fulfil the standards set out in point 20 above but only with regard to the automatic obligatory exchange of information without a previous request. The Article states that the type of information to be exchanged will be determined through the comitology procedure. This enables the Commission to limit and specify the data to be exchanged, which should indeed be done in accordance with data protection requirements. The Article furthermore makes reference to the necessity of the exchange of information for the correct assessment of taxes referred to in Article 2 and lists several specific situations. However, as said, Article 8 only concerns the obligatory automatic exchange of information, and does not put limitations to the exchange of information upon request or spontaneously. The criticism expressed above with regard to Articles 5, 9 and 17 of the proposal is therefore still valid. |
24. |
On the basis of the foregoing, the EDPS urges the legislator, as regards the data exchange between competent authorities upon request or spontaneously, to specify the kind of personal information that can be exchanged, to better define the purposes for which personal data can be exchanged and assess the necessity of the transfer, or at least assure that the necessity principle is respected. |
25. |
The purpose limitation principle is further put under pressure in Article 15(1) of the proposal. According to this Article, information and documents obtained by a competent authority pursuant to the Directive may be disclosed to other authorities within the same Member State, in so far as this is allowed under the legislation of that Member State, ‘even if that information could be used for other purposes than those referred to in Article 2’. The EDPS wishes to underline that the last part of that provision is completely opposite to the purpose limitation principle. Processing of personal information for other purposes than the original one is only allowed under strict conditions. The purpose limitation principle can be set aside only when it is laid down by law and when it is necessary for important reasons which are exhaustively listed in Article 13 of Directive 95/46/EC. The reference to the legislation of the Member State involved in Article 15(1) could imply such a requirement but is not sufficiently clear. The EDPS therefore urges the legislator to add to Article 15(1) of the proposal that processing of the information for other purposes than those referred to in Article 2 ‘is subject to the conditions set out in Article 13 of Directive 95/46/EC’. |
III.3. Transparency and rights of the data subject
26. |
Articles 10 and 11 of Directive 95/46/EC contain the obligation for the person or entity responsible for the data processing — in data protection terminology referred to as the ‘controller’ (15) — to inform the data subject before the data are collected or, in case the data are not obtained from the data subject, at the time of undertaking the recording of the data. The data subject has to be informed about the identity of the controller, the purpose of the data processing and further information such as the recipients of the data and the existence of the right of access to and the right to rectify the data concerning her or him. Articles 10 and 11 of Directive 95/46/EC can be considered as elaborations of the general principle of transparency which is part of the fairness of processing as required in Article 6(1)(a) of Directive 95/46/EC. |
27. |
The EDPS has noted that the proposal contains no provisions which deal with the transparency principle, for instance on how the exchange of information is communicated to the public at large or how data subjects will be informed about the data processing. The EDPS therefore urges the legislator to adopt a provision in which the transparency of the information exchange is addressed. |
III.4. Transfer of information to a third country
28. |
Article 23 foresees the possibility of information exchange with third countries. It states that ‘competent authorities may communicate, in accordance with their domestic provisions on the communication of personal data to third countries, information obtained in accordance with this Directive’. The EDPS is pleased to see that the Commission has been aware of the specific data protection rules which apply to the exchange of personal data to countries outside the EU. The EDPS wishes to emphasise, however, that such information must, in the first place, be exchanged between the Member States in conformity with data protection rules, before a data protection analysis can take place whether such data can be transferred to a third country. |
29. |
For the sake of clarity, an explicit reference to Directive 95/46/EC could be included in the text, stating that such a transfer should be in conformity with the domestic rules implementing the provisions of Chapter IV of Directive 95/46/EC which deals with the transfer of personal data to third countries. |
III.5. Comitology
30. |
There are several issues with data protection relevance which will be further elaborated in rules adopted following the Comitology procedure as laid down in Article 24 of the proposal. Although the EDPS understands the practical need for using such a procedure, he wishes to underline that the main data protection rules and guarantees should be laid down in the basic law. |
31. |
The EDPS wishes to emphasise that if further rules are discussed through Comitology, this should be done with the data protection requirements stemming from Directive 95/46/EC and Regulation (EC) No 45/2001 in mind. The EDPS furthermore urges the Commission to involve the EDPS and request his advice if further rules with data protection relevance are indeed discussed. |
32. |
In order to ensure the involvement of the EDPS when further rules are adopted on the basis of the Comitology procedure which have data protection relevance, the EDPS recommends the legislator to include in Article 24 a fourth paragraph stating that ‘where implementing measures relate to the processing of personal data, the European Data Protection Supervisor shall be consulted’. |
IV. CONCLUSION AND RECOMMENDATIONS
33. |
In the current Opinion the EDPS has advised the legislator:
|
Done at Brussels, 6 January 2010.
Peter HUSTINX
European Data Protection Supervisor
(1) OJ L 281, 23.11.1995, p. 31.
(3) COM(2009) 29 final of 2 February 2009.
(4) Council Directive 77/799/EEC of 19 December 1977 (OJ L 336, 27.12.1977, p. 15).
(5) See COM(2009) 665 final of 11 December 2009, Annex IV, p. 45.
(6) See also Article 8 of the EU Charter of Fundamental Rights and Article 16(1) TFEU, both of which are binding for the EU institutions and for the Member States when they are implementing Union law.
(7) See Council Regulation (EC) No 1798/2003 of 7 October 2003 (OJ L 264, 15.10.2003, p. 1) and Council Regulation (EC) No 2073/2004 of 16 November 2004 (OJ L 359, 4.12.2004, p. 1).
(8) COM(2009) 427 final of 18 August 2009.
(9) See the EDPS opinion of 30 October 2009, which is available at: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2009/09-10-30_tax_fraud_EN.pdf
(10) See Article 2(a) of Directive 95/46/EC and Article 2(a) of Regulation (EC) No 45/2001. See Opinion 4/2007 of 20 June 2007 of the Article 29 Working Party for an explanation of the concept of ‘personal data’ (available at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf).
(11) See with regard to the processing of statistical data the EDPS opinion of 20 May 2008 (OJ C 308, 3.12.2008, p. 1).
(12) See for relevant comments also the EDPS opinion of 16 September 2008 on the proposal for a Council Decision on the establishment of the European Criminal Records Information System (ECRIS) (OJ C 42, 20.2.2009, p. 1), point 23 and further.
(13) See Article 6(b) of Directive 95/46/EC and Article 4(1)(b) of Regulation (EC) No 45/2001.
(14) The notion of ‘necessity’ can be found throughout Directive 95/46/EC and Regulation (EC) No 45/2001. See notably Article 7 of Directive 95/46/EC and Article 5 of Regulation (EC) No 45/2001. The data quality requirements are contained in Article 6(d) of Directive 95/46/EC and Article 4(c) of Regulation (EC) No 45/2001.
(15) See Article 2(d) of Directive 95/46/EC and Article 2(d) of Regulation (EC) No 45/2001. Both provisions envisage the possibility of single and joint control (‘… alone or jointly with others …’).