14.7.2010   

EN

Official Journal of the European Union

C 190/2

1.

On 19 February 2010, the Commission adopted a proposal for a Council Decision on a Union position within the EU-Japan Joint Customs Cooperation Committee concerning the mutual recognition of Authorised Economic Operator programmes in the European Union and in Japan (3).

2.

The EDPS has not been consulted as required by Article 28(2) of Regulation (EC) No 45/2001. The current opinion is therefore based on Article 41(2) of the same Regulation. The EDPS recommends that a reference to this opinion is included in the preamble of the Decision.

3.

The EDPS has identified some shortcomings and lack of clarity as far as the protection of personal data is concerned. After a description of the context and background of the proposal in Chapter III, these comments will be developed in Chapter IV.

4.

The EDPS has issued a policy paper which describes his consultative role: The EDPS as an advisor to the Community Institutions on proposals for legislation and related documents (4). This consultative role is built upon Articles 28.2 and 41 of Regulation (EC) No 45/2001. Furthermore, recital 17 of the Regulation states that ‘The effectiveness of the protection of individuals with regard to the processing of personal data in the Union presupposes the consistency of the relevant rules and procedures applicable to activities pertaining to different legal contexts.’ Indeed, consistency is to be regarded as an indispensable element to achieve a high level of data protection on the European level, which also includes external action of the Union.

5.

This wide responsibility of the EDPS has been acknowledged by the European Commission, and it is standing practice that the EDPS is consulted by the Commission on all relevant proposals, on both legislative and non-legislative instruments. The scope of the advisory task of the EDPS concerns ‘matters concerning the processing of personal data’. This implies that all legislation that includes provisions on the processing of personal data or includes provisions that have an effect (or a potential effect) on such processing should be subject to consultation. The same goes for all instruments falling within the Union's external competences.

6.

The policy paper also describes the timing for consultation. A consultation at an early stage in the legislative process enables the EDPS to act effectively and propose modifications of a text. This informal consultation on the draft text is to be sent to the EDPS by the responsible service of the Commission, where appropriate, before the formal proposal is adopted. After the adoption of the proposal, a second step is the formal consultation. At this stage, the advice of the EDPS is published in the Official Journal (C series).

7.

In the case of the present proposal, as mentioned above, the EDPS has received neither the draft proposal nor the proposal for consultation after its adoption. The EDPS is particularly disappointed by this course of events since, as will be explained below, his involvement would have provided an ideal opportunity to add value to the proposal.

8.

The purpose of the proposal is to mutually recognise the Authorised Economic Operator (AEO) programmes of the Union and Japan to be compatible and equivalent and the corresponding AEO statuses granted to be mutually accepted.

9.

EU-Japan relations in the area of customs are based on the Agreement on Cooperation and Mutual Administrative Assistance in Customs Matters (CCMAAA) (5) that entered into force on 1 February 2008. According to the CCMAAA, customs cooperation covers all matters relating to the application of customs legislation. The CCMAAA also calls for the Union and Japan to make cooperative efforts in order to develop trade facilitation actions in the field of customs in accordance with international standards (6). Mutual recognition of Authorised Economic Operator (AEO) programmes and security measures both enhances end-to-end supply chain security and facilitates trade.

10.

The proposal also stipulates that, among other issues, the customs authorities maintain the compatibility of the systems, and that each customs authority provides comparable benefits to economic operators holding AEO status. It is also stated that customs authorities have to enhance communication as well as exchange information. The proposal lists the details to be exchanged on AEOs.

11.

Article IV of the Annex to the proposal is related to Information Exchange and Communication. It is specified that the information and related data, notably on members of the programmes, are exchanged in a systematic manner by electronic means. The details to be exchanged on economic operators authorised by the AEO programmes are mentioned, including, for instance, the name of the economic operator holding AEO status, the address of the economic operator concerned, etc.

12.

The regime for AEOs is established in Article 5.a of Regulation (EC) No 648/2005 of the European Parliament and of the Council (7). It is specified that ‘1. (…). An authorised economic operator shall benefit from facilitations with regard to customs controls relating to security and safety and/or from simplifications provided for under the customs rules. (…)’.

13.

An ‘economic operator’ is defined in Article 1.12 of Commission Regulation (EC) No 1875/2006 (8) as ‘a person who, in the course of his business, is involved in activities covered by customs legislation’. An economic operator might therefore be a natural or legal person. The notion of ‘economic operator’ includes the AEO, as meant in paragraph 9. Thus, the information on some AEOs, might be considered as ‘personal data’ as defined in Articles 2(a) of Regulation (EC) No 45/2001 and Directive 95/46/EC, at least the information of those AEOs who are natural persons. Even the information on AEOs that are legal persons might in some cases be considered as personal data. In these cases, the determining factor is whether the information ‘relates to’ an ‘identifiable’ natural person (9). As a consequence, there is no doubt that personal data might be exchanged in the context of the proposal in question.

14.

Personal data will be processed by customs authorities. Article I.2 of the Annex to the proposal foresees that ‘The customs authorities defined in Article 1(c) of the CCMAAA (…) are responsible for implementation of this Decision’. The definition of reference is ‘ “customs authority” shall mean, (…), in the Community, the competent services of the Commission of the European Communities responsible for customs matters and the customs authorities of the Member States of the Community’. Therefore, both Regulation (EC) No 45/2001 and Directive 95/46/EC will be applicable in the present framework (10). Regulation (EC) No 45/2001 applies to the processing by the Commission, Directive 95/46/EC to the processing by the national customs authorities.

15.

Both the Directive and the Regulation foresee analogous rules related to transborder flows of personal data, in Articles 25, 26 and 9, respectively. The principle established therein implies that personal data cannot be transferred from a Member State to a third country, unless the third country ensures an adequate level of protection (or unless adequate safeguards are adopted, or one of the exceptions foreseen would be of application).

16.

The Explanatory Memorandum includes a point on data protection (Point 5). Point 5(1) declares that the Japanese data protection regime is adequate in the sense of Article 9 of Regulation (EC) No 45/2001. Article 9 deals with the regime to be respected in the case of transfers of personal data to recipients, other than Community institutions and bodies, which are not subject to Directive 95/46/EC, such as the case of third countries as Japan.

17.

Article 9.1 of the Regulation stipulates that ‘[p]ersonal data shall only be transferred to recipients, other than Community institutions and bodies, which are not subject to national law adopted pursuant to Directive 95/46/EC, if an adequate level of protection is ensured in the country of the recipient or within the recipient international organisation and the data are transferred solely to allow tasks covered by the competence of the controller to be carried out’.

18.

Article 9.2 states that the assessment of the level of protection afforded by a third country or international organisation shall be done in the light of ‘all circumstances surrounding a data transfer operation or set of data transfer operations’. Furthermore, it provides some examples of aspects to be taken into account in the assessment: ‘(…) particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the recipient third country or recipient international organisation, the rules of law, both general and sectoral, in force in the third country or international organisation in question and the professional rules and security measures which are complied with in that third country or international organisation’. This list is not exhaustive; other elements could also be relevant depending on the actual case.

19.

Article 9 of the Regulation has to be interpreted in the light of Articles 25 and 26 of Directive 95/46/EC. Article 25.6 of the Directive establishes that ‘The Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, (…)’. The procedure prescribed in Article 31.2 of the Directive — a comitology procedure — should therefore be respected in order to declare that a third country is ‘adequate’.

20.

In the context of the present proposal, this procedure has not been respected; as a consequence, the declaration made in Point 5(1) as to the adequacy of the Japanese data protection regime is in violation of Article 25.6 of the Directive. The EDPS therefore strongly recommends the deletion of this declaration.

21.

The EDPS acknowledges that Article IV(6) of the Annex to the proposal stipulates that ‘The customs authorities guarantee data protection in accordance with the CCMAAA, in particular Article 16 thereof’. Article 16 deals with ‘Information exchange and confidentiality’, and its paragraph 2 states that ‘Personal data may be exchanged only where the Contracting Party which may receive it undertakes to protect such data in at least an equivalent way to the one applicable to that particular case in the Contracting Party that may supply it. The Contracting Party that may supply the information shall not stipulate any requirements that are more onerous than those applicable to it in its own jurisdiction’.

22.

The EDPS would like to emphasise however, that as described above, the system to analyse a third country's level of protection is the ‘adequacy’ one, and not the ‘equivalence’ one (conf. Union's present international commitments) (11). In any case, Article 16 seems to be of a declarative nature, since no evidence is provided in the CCMAAA of the existence of actual ‘equivalence’. Furthermore, it does not refer to any ‘equivalence’ or even ‘adequacy’ analysis conducted. Hence, this mere declaration in Article 16 cannot be considered as a decisive element in an adequacy assessment, and cannot be the basis for the declaration made in Point 5(1) of the Explanatory Memorandum.

23.

It should be noted that the assessment of the level of protection in a certain country may be carried out at different levels and with different legal effects by the European Commission, by data protection authorities and by data controllers. A determination of adequacy by the European Commission on the basis of Article 25.6 of Directive 95/46/EC is binding on the Member States. This also applies to European Union institutions and bodies under Article 9.5 of the Regulation. In the absence of such a decision, the assessment of adequacy is entrusted to data protection authorities in many Member States, and in others to data controllers, under the supervision of data protection authorities. Article 9 of the Regulation clearly follows this latter model.

24.

This means that even if a country, as a whole, has not been declared ‘adequate’ following the procedure mentioned in Article 25.6 of the Directive, the legal data protection regime applicable to a specific transfer or specific set of transfers can be considered ‘adequate’ by the controller (in the context explained below).

25.

In the light of Article 9.2 of the Regulation (as well as Article 25.2 of the Directive), the controller should assess all the circumstances surrounding a data transfer or set of data transfer operations. The analysis has to be conducted in concreto, taking into account the specific characteristics (guarantees and/or risks) of the transfer or set of transfers in question. This assessment would come to a conclusion as to the existing level of protection regarding a specific transfer or set of transfers, and would be limited to the purposes taken into account by the data controller and the recipients in the country of destination. In that case, the controller would assume the responsibility of verifying whether the conditions for adequacy are present. When the analysis is done by the data controller, the conclusion would be subject to the supervision of the data protection authority.

26.

Point 5(1) of the Explanatory Memorandum mentions that the Japanese regime considered is the Japanese Customs Law (Article 108-2), the Law for International Assistance in Investigation and other related matters (Articles 1 and 3), the National Public Service Law (Article 100), the Act on the Protection of Personal Information Held by Administrative Organs (Article 8) and the Act on Access to Information Held by Administrative Organs (Article 5).

27.

The EDPS has no evidence that this regime has been evaluated in the light of the Article 29 Working Party Working Document (WP12) on ‘Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU Data Protection Directive’, and in a way respectful of the principles established therein (12).

28.

It should also be borne in mind that the adequacy method implies that both the letter and the practice of the law should be taken into account (objective and functional approach). Hence, the consideration of this legal regime by itself is not sufficient evidence of the implementation of their rules in practice.

29.

This means that some verification of the effective implementation and application of these rules in practice has to be conducted, before it is possible to determine whether an adequate level of protection is effectively ensured for the data transfer operation or set of data transfer operations in question; in this case, for the exchange of information in the context of the AEO programmes.

30.

In light of this, the controllers (in this case, the competent services of the European Commission responsible for customs matters and the customs authorities of the Member States of the Union) must carry out an assessment in order to verify whether a destination country (in this case Japan) effectively provides an adequate level of protection for the specific transfers in question and limited to the specific purposes and recipients in that country (13) (that is the exchange of data for the implementation of the AEO programmes). However, such an assessment was not carried out.

31.

The proposal could have followed this approach, as an alternative to the procedure for ‘adequacy’ of Japan as described above.

32.

The proposal could have also explored whether the controllers could adduce other types of ‘adequate safeguards’, as per Articles 9.7 of the Regulation and 26.2 of the Directive, or whether any of the exceptions mentioned in Articles 9.6 of the Regulation or 26.1 of the Directive was applicable (14).

33.

The data quality principle is described in Article 4 of the Regulation. It defines, among other requisites that ‘[p]ersonal data must be: (…) (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (…)’. The categories of data mentioned in Article IV(4) seem to respect this principle.

34.

Furthermore, Article 4 of the Regulation says: ‘[p]ersonal data must be: (…) (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. (…)’. Therefore, a conservation period for the personal data to be processed will have to be defined.

35.

The Commission will have to provide for mechanisms to guarantee the exercise of the rights of the data subject, such as the right of access and rectification (Articles 13 and 14 of the Regulation).

36.

Articles 11 and 12 of the Regulation provide for information to be supplied to the person concerned and specify the timing of this information. The Commission will have to establish the procedure to follow determining, for instance, whether the information will be provided at the moment of collection of the data (by the third country) or by the Commission itself.

37.

The EDPS is disappointed that the consultation procedure as described in Chapter II was not respected.

38.

The EDPS recommends deleting the declaration of adequacy of the Japanese regime included in Point 5(1) of the Explanatory Memorandum, since this declaration is not compliant with the requirements of Regulation (EC) No 45/2001 and Directive 95/46/EC. He further recommends exploring the different possibilities offered by the Regulation and the Directive in order to ensure the respect of the rules on international transfers.

39.

The EDPS also recommends that the Commission: