9.2.2012   

EN

Official Journal of the European Union

C 35/1


Opinion of the European Data Protection Supervisor on the legal proposals for the common agricultural policy after 2013

2012/C 35/01

THE EUROPEAN DATA PROTECTION SUPERVISOR,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Having regard to the Charter of Fundamental Rights of the European Union, and in particular Articles 7 and 8 thereof,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1),

Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (2),

Having regard to the request for an Opinion in accordance with Article 28(2) of Regulation (EC) No 45/2001,

HAS ADOPTED THE FOLLOWING OPINION:

1.   INTRODUCTION

1.1.   Consultation of the EDPS

1.

On 12 October 2011, the Commission adopted the following proposals (hereinafter: the proposals) on the common agricultural policy (hereinafter: ‘CAP’) after 2013, that were sent to the EDPS for consultation on the same day:

proposal for a Regulation of the European Parliament and of the Council establishing rules for direct payments to farmers under support schemes within the framework of the common agricultural policy (hereinafter: ‘the direct payments regulation’) (3),

proposal for a Regulation of the European Parliament and of the Council establishing a common organisation of the markets in agricultural products (hereinafter: ‘the single CMO regulation’) (4),

proposal for a Regulation of the European Parliament and of the Council on support for rural development by the European Agricultural Fund for Rural Development (EAFRD) (hereinafter: ‘the rural development regulation’) (5),

proposal for a Regulation of the European Parliament and of the Council on the financing, management and monitoring of the common agricultural policy (hereinafter: ‘the horizontal regulation’) (6),

proposal for a Council regulation determining measures on fixing certain aids and refunds related to the common organisation of the markets in agricultural products (7),

proposal for a Regulation of the European Parliament and of the Council amending Council Regulation (EC) No 73/2009 as regards the application of direct payments to farmers in respect of the year 2013 (8),

proposal for a Regulation of the European Parliament and of the Council amending Council Regulation (EC) No 1234/2007 as regards the regime of the single payment scheme and support to vine-growers (9).

2.

The EDPS welcomes the fact that he is formally consulted by the Commission and that a reference to the present Opinion is included in the proposed preambles of the direct payments regulation, the Single CMO regulation, the rural development regulation and the horizontal regulation.

1.2.   Objectives of the proposals and processing of personal data

3.

The Proposals aim at providing a framework for (1) viable food production, (2) sustainable management of natural resources and climate action, and (3) balanced territorial development. To this end, they establish several support schemes for farmers as well as other measures to stimulate agricultural and rural development.

4.

In the course of these programmes, personal data — mainly relating to aid beneficiaries but also to third parties — are processed at various stages (processing of aid applications, ensuring the transparency of payments, control and fight against fraud, etc.) While the bulk of the processing is carried out by and under the responsibility of the Member States, the Commission is able to access most of these data. Beneficiaries and in some instances third parties (-e.g. for the purpose of fraud checks — have to provide information to the designated competent authorities.)

1.3.   Aim of the Opinion of the EDPS

5.

The relevance of data protection in the context of the CAP has been brought to light by the Court of Justice in its Schecke ruling, annulling EU legislation on the publication of names of beneficiaries of agricultural funds (10). The EDPS is aware that in this case, data protection aspects are not at the core of the proposals. However, insofar as the proposals relate to the processing of personal data, there are pertinent comments to be made.

6.

The goal of this Opinion is not to analyse the whole set of proposals, but to offer input and guidance for designing the processing of personal data necessary for the administration of the CAP in a way that respects the fundamental rights to privacy and data protection and, at the same time, ensures an effective administration of aid, the prevention and investigation of fraud and that spending is transparent and accountable.

7.

To this end, the present Opinion is structured in two parts: a first, more general part includes analysis and recommendations relevant for most of the proposals. This mostly refers to comments on delegated and implementing powers for the Commission. A second part then discusses specific provisions contained in several of the proposals (11) and gives recommendations to address the issues identified therein.

2.   ANALYSIS OF THE PROPOSALS

2.1.   General comments

8.

As mentioned, most processing operations are carried out by the Member States. However, the Commission can have access to personal data in many cases. Therefore, the EDPS welcomes that references to the applicability of Directive 95/46/EC and Regulation (EC) No 45/2001 are included in the preambles of the relevant proposals (12).

9.

In general, it is observed that many questions central to data protection are not included in the present proposals, but will be regulated by implementing or delegated acts. This applies, for example, to measures to be adopted regarding the monitoring of aid, the establishment of IT systems, transfers of information to third countries and on-the-spot checks (13).

10.

Article 290 TFEU sets out the conditions for the exercise of delegated powers by the Commission. It may be given the power ‘to supplement or amend certain non-essential elements of the legislative act.’ Also, the ‘objectives, content, scope and duration of the delegation’ shall be explicitly defined. Regarding implementing powers, Article 291 TFEU establishes that these may be granted to the Commission when ‘uniform conditions for implementing legally binding Union acts are needed’. Appropriate scrutiny by the Member States shall be ensured.

11.

The EDPS considers that the central aspects of the processing envisaged in the proposals and the necessary data protection safeguards cannot be regarded as ‘non-essential elements’. Therefore, at least the following elements should already be regulated in the main legislative texts in order to increase legal certainty (14):

the specific purpose of every processing operation should be explicitly stated; this is especially relevant as regards publication of personal data and transfers to third countries;

the categories of data to be processed should be foreseen and specified because, in many cases, the scope of the processing is currently not clear (15),

access rights should be clarified, in particular as regards access to data by the Commission. In this regard, it should be specified that the Commission may only process personal data where necessary, e.g. for control purposes,

maximum retention periods should be laid down, as in some cases only minimum retention periods are mentioned in the proposals (16),

the rights of data subjects should be specified, especially as regards the right of information; while beneficiaries might be aware of their data being processed, third parties should also be adequately informed that their data could be used for control purposes,

the scope and the purpose of transfers to third countries should also be specified and respect the requirements laid down by Article 25 of Directive 95/46/EC and Article 9(1) of Regulation (EC) No 45/2001.

12.

Once these elements are specified in the main legislative proposals, delegated or implementing acts might be used to implement in more detail these specific safeguards. The EDPS expects to be consulted on the implementing and delegated acts addressing matters of data protection relevance.

13.

In some cases, data relating to (suspected) offences may be processed (e.g. related to fraud). As the applicable legislation on data protection provides for special protection of such data (17), a prior check by the competent national DPAs or the EDPS may be needed (18).

14.

Finally, security measures should be foreseen, especially as regards computerised databases and systems. The principles of accountability and Privacy by Design should also be taken into account.

2.2.   Specific comments

Purpose limitation and scope of the processing

15.

Article 157 of the single CMO regulation empowers the Commission to establish implementing acts regarding communication requirements for different purposes (such as ensuring market transparency, control of CAP measures or implementation of international agreements) (19)‘taking into account data needs and potential synergies between data sources’ (20). The EDPS recommends specifying in this provision which data sources are to be used for which specific purposes. In this regard, the EDPS would like to remind the risk that the interconnection between databases can contradict the principle of purpose limitation (21), according to which personal data must not be further processed in a way incompatible with the original purpose of their collection (22).

16.

Article 77 of the rural development regulation establishes a new Electronic Information System to be ‘drawn up in cooperation between the Commission and the Member States’ for monitoring and evaluation purposes. The system will imply the processing of data on the ‘key characteristics of the beneficiary and the project’ provided by the beneficiaries themselves (Article 78). Insofar as this ‘key information’ includes personal data, this should be specified in the provision. Furthermore, the categories of data to be processed should be defined and the EDPS should be consulted on the implementing acts foreseen in Article 74.

17.

Additionally, Article 92 of the same proposal provides for the establishment of a new information system ‘by the Commission, in collaboration with the Member States’ for the secure exchange of ‘data of common interest’. The definition of the categories of data to be exchanged is too broad and should be narrowed in case personal data are to be transferred using this system. In addition, the relation between Article 77 and Article 92 should also be clarified, as it is not clear whether they have the same purpose and scope.

18.

Recital 40 of the horizontal regulation states that Member States should operate an integrated administration and control system (23) for certain payments and ‘be authorised to make use of it also for other Union support schemes’ in order to ‘improve the effectiveness and monitoring of Union support’. This provision should be clarified, especially if it does not only relate to exploiting synergies in terms of infrastructure, but also to making use of the information stored therein for the purpose of monitoring other support schemes.

19.

According to Article 73(1)(c) of the horizontal regulation, applications for aid shall, besides the parcels and payment entitlements, also include ‘any other information provided for in this Regulation or required with a view to the implementation of the relevant sectoral agricultural legislation or by the Member State concerned’ (24). In case it is expected that this information contains personal data, the categories of data required should be specified.

Access rights

20.

The horizontal regulation sets up a number of bodies for practical implementation of the CAP and allocates their tasks (Articles 7 to 15). For the Commission, the following competences are foreseen (Titles IV-VII):

it shall be able to access data processed by these bodies for control purposes (of specific payments and beneficiaries) (25),

it shall also be able to access most of these data for the general evaluation of the measures (26).

21.

The first task mentioned in the preceding paragraph will involve the processing of personal data, while for the second task, there is prima facie no need for personal data to be processed: a general evaluation of the measures can be carried out on the basis of aggregated or anonymised data as well. Unless the Commission provides adequate justification for the need to process personal data in this context, it should be clarified that no personal data should be supplied to the Commission for the purpose of the general evaluation of the measures.

22.

Articles 49 to 52 and 61 to 63 of the horizontal regulation establish the rules for on-the-spot-checks (27). The proposal states that these shall mainly be carried out by the competent authorities in the Member States, especially as regards home visits or formal questioning of persons, but that the Commission shall have access to information thus obtained. Here, the legislator should specify that the Commission shall only access these data where necessary for control purposes. The categories of personal data to be accessed by the Commission should also be specified.

23.

For the purpose of monitoring the aid, the horizontal regulation sets up an Administration and Control System (28) (Articles 68-78) consisting of a number of databases:

computerised database (Article 70),

identification system of agricultural parcels (Article 71),

system for the identification and registration of payment entitlements (Article 72),

Aid applications (Article 73).

24.

The computerised database shall consist of one database per Member State (and, optionally, decentralised databases within them). It records data obtained from each beneficiary through aid applications and payment claims. Given that not all the data collected through aid applications may be necessary for control purposes, consideration should be given to possibilities of minimising the processing of personal data in this regard.

25.

Access to the administration and control system is not explicitly regulated. Similar to what has been stated regarding on-the-spot checks, the EDPS recommends the legislator to establish clearly circumscribed rules for access to this system.

26.

As regards checks, the horizontal regulation foresees the scrutiny of commercial documents, including those of third parties (Articles 79-88) (29). These documents may include personal data on third parties. The conditions under which third parties are required to disclose their commercial documents should be specified in the instrument (30).

27.

Article 87 of the same proposal establishes that Commission officials shall have access to all documents ‘prepared either with a view to or following the scrutiny’‘in accordance with the relevant national laws’. This applies both to cases in which they may participate in the scrutiny (paragraph 2) and those in which certain acts are reserved to officials designated by law of the Member State in which the scrutiny takes place (paragraph 4). In both cases, it should be ensured that Commission officials only access these data when necessary (i.e. for control purposes), also in cases where the national law might allow access for other purposes. The EDPS encourages the legislator to insert precisions to this effect in the text.

28.

According to Article 102 of the horizontal regulation, Member States shall communicate certain categories of information, declarations and documents to the Commission. This shall also include ‘a summary of the results of all available audits and checks carried out’ (Article 102(1)(c)(v)). For this case, it should either be specified that no personal data will be included in these summaries or, if personal data are necessary, the purpose for which they need to be communicated should be specified.

Retention periods

29.

Article 70(1) of the horizontal regulation states that the computerised database shall allow consultation ‘through the competent authority of the Member State’ of data from 2000 onwards and allow ‘direct and immediate consultation’ of data relating to ‘at least’ the previous five consecutive calendar years (31).

30.

The system for the identification and registration of payment entitlements allows for ‘verification of the entitlements and for cross-checks with the aid applications and the identification system for agricultural parcels’. Article 72(2) of the horizontal regulation establishes that data shall be available for a period of ‘at least’ four years (32).

31.

In relation to these two systems, the EDPS recalls Article 6(1)(e) of Directive 95/46/EC and Article 4(1)(e) of Regulation (EC) No 45/2001, which establish that data must not be stored in an identifiable way longer than is necessary for the purpose it was collected for. This implies that maximum retention periods have to be defined, not merely minimum retention periods.

International transfers

32.

Article 157(1), second subparagraph of the single CMO regulation states that data may be transferred to third countries and international organisations. The EDPS would like to remind that the transfer of personal data to countries which do not provide for adequate protection could only be justified on a case by case basis if any of the exceptions of Article 26 of Directive 95/46/EC or Article 9(6) of Regulation (EC) No 45/2001 apply (for example, if the transfer is necessary or legally required on important public interest grounds).

33.

In this case, the specific purpose of the transfer (e.g. related to the implementation of international agreements) should be specified (33). The relevant international agreements should include specific safeguards as regards the protection of privacy and personal data and the exercise of these rights by data subjects. In addition, in case data are to be transferred by the Commission, the transfer should be subject to authorisation by the EDPS (34).

Publication of information

34.

Recital 70 of the horizontal regulation states that new rules on the publication of information on beneficiaries ‘taking account of the objections expressed by the Court of Justice’ in the Schecke (35) case are under preparation.

35.

The EDPS would like to remind everyone that the rules on the publication of information related to beneficiaries should respect the principle of proportionality. As confirmed by the Court of Justice (36), a proper balance needs to be struck between the beneficiaries’ fundamental rights to privacy and data protection and the European Union’s interest in guaranteeing transparency and ensuring a sound management of public funds.

36.

This is also relevant as regards Article 157(1), second subparagraph of the single CMO regulation, according to which data may ‘be made public subject to the protection of personal data and the legitimate interest of undertakings in the protection of their business secrets’. Articles 157(2)(d) and 157(3)(c) empower the Commission to adopt delegated acts on ‘the conditions and means of publication of the information’ and implementing acts on the arrangements for making information and documents available to the public.

37.

The EDPS welcomes the fact that the publication of information and documents will be subject to the protection of personal data. However, essential elements such as the purpose of the publication as well as the categories of data to be published should be specified in the proposals, rather than by implementing or delegated acts.

Rights of data subjects

38.

The rights of data subjects should be specified, especially as regards the right of information and the right of access. This is especially relevant as regards Article 81 of the horizontal regulation, according to which commercial documents of beneficiaries, but also of suppliers, customers, carriers and other third parties can be checked. While beneficiaries might be aware of their data being processed, third parties should also be adequately informed that their data could be used for control purposes (e.g. by a privacy notice to be given at the moment of collection and information provided on all relevant websites and documents). The obligation to inform data subjects, including third parties, should be included in the proposals.

Security measures

39.

Security measures should be foreseen, especially as regards computerised databases and systems. The principles of accountability and Privacy by Design should be taken into account. A list of security measures to be adopted regarding these computerised databases and systems could be introduced at least by delegated or implementing acts. This is all the more important as the personal data processed in the context of checks and scrutiny might include data on suspected offences.

40.

The EDPS welcomes the requirements laid down by Article 103 of the horizontal regulation regarding confidentiality and professional secrecy for scrutiny in the sense of Articles 79-88 of the same regulation.

3.   CONCLUSIONS

41.

The EDPS considers that the central aspects of the processing operations envisaged in the proposals and the necessary data protection safeguards should be regulated in the main legislative texts rather than in delegated or implementing acts, in order to increase legal certainty:

the specific purpose of every processing operation should be explicitly stated in the proposals, especially as regards publication of personal data and international transfers;

the categories of data to be processed should be specified,

personal data should only be processed if necessary,

access rights should be clarified; in particular, it should be specified that the Commission should only process personal data where necessary, for example, for control purposes,

maximum retention periods should be laid down in the proposals,

the rights of data subjects should be specified, especially as regards the right of information; it should be ensured that not only beneficiaries but also third parties are informed of their data being processed,

the specific purpose(s) and the scope of international transfers should be limited to the extent that is necessary and should be adequately laid down in the proposals.

42.

These elements may be further elaborated in delegated or implementing acts. The EDPS expects to be consulted in this regard.

43.

In addition, security measures should be foreseen at least by implementing or delegated acts, especially as regards computerised databases and systems. The principles of accountability and Privacy by Design should also be taken into account.

44.

Finally, taking into account that in some cases data relating to (suspected) offences may be processed (e.g. related to fraud), a prior check by the competent national DPAs or the EDPS may be needed.

Done at Brussels, 14 December 2011.

Giovanni BUTTARELLI

Assistant European Data Protection Supervisor


(1)  OJ L 281, 23.11.1995, p. 31.

(2)  OJ L 8, 12.1.2001, p. 1.

(3)  COM(2011) 625 final.

(4)  COM(2011) 626 final.

(5)  COM(2011) 627 final.

(6)  COM(2011) 628 final.

(7)  COM(2011) 629 final.

(8)  COM(2011) 630 final.

(9)  COM(2011) 631 final.

(10)  ECJ, 9 November 2010, Volker und Markus Schecke, C-92/09 and C-93/09.

(11)  Many of these provisions are already included in the current legislative framework.

(12)  COM(2011) 625 final: recital 42; COM(2011) 626 final: recital 137; COM(2011) 627 final: recital 67; COM(2011) 628 final: recital 69.

(13)  See, among others, Article 157 of the single CMO regulation; Title VII (Monitoring and evaluation) and Articles 78 and 92 of the rural development regulation; as well as Articles 21-23, 49-52, and Title V, Chapters II and III of the horizontal regulation.

(14)  See also EDPS Opinion on the proposal for a Directive of the European Parliament and of the Council amending Directives 89/666/EEC, 2005/56/EC and 2009/101/EC as regards the interconnection of central, commercial and companies registers (OJ C 220, 26.7.2011, p. 1), Section 3.2; EDPS Opinion of on the proposal for a Regulation of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories (OJ C 216, 22.7.2011, p. 9), pts. 13, 28 and 30; EDPS Opinion on the proposal for a Directive of the European Parliament and of the Council on credit agreements relating to residential property, pts. 7, 12 and 13; all available on http://www.edps.europa.eu

(15)  See, among other, Articles 77 and 92 of the rural development regulation.

(16)  See Articles 70(1) and 72(2) of the horizontal regulation.

(17)  Article 10(5) of Regulation (EC) No 45/2001 and Article 8(5) of Directive 95/46/EC.

(18)  Article 27(2) of Regulation (EC) No 45/2001 and Article 20 of Directive 95/46/EC.

(19)  The purposes of these communication requirements are: ‘implementing this Regulation, monitoring, analysing and managing the market in agricultural products, ensuring market transparency, the proper functioning of CAP measures, of checking, controlling, monitoring, evaluating and auditing CAP measures, implementing international agreements, including notification requirements under those agreements’ (see Article 157(1), first subparagraph).

(20)  The exchange of information for similar purposes is already foreseen in the current legislation (see, for example, Article 36 of Council Regulation (EC) No 1290/2005 of 21 June 2005 on the financing of the common agricultural policy (hereinafter: ‘the regulation on the financing of the CAP’) (OJ L 209, 11.8.2005, p. 1); and Article 192 of Council Regulation (EC) No 1234/2007 of 22 October 2007 establishing a common organisation of agricultural markets and on specific provisions for certain agricultural products (OJ L 299, 16.11.2007, p. 1)).

(21)  See also EDPS Opinion on the proposal for a Council Decision on the establishment, operation and use of the Parliament and of the Council on the establishment, operation and use of the Second Generation Schengen Information System (SIS II) (COM(2005) 236 final), and the proposal for a Regulation of the European Parliament and of the Council regarding access to the Second Generation Schengen Information System (SIS II) by the services in the Member States responsible for issuing vehicle registration certificates (COM(2005) 237 final) (OJ C 91, 19.4.2006, p. 38), especially point 10; EDPS Opinion on the communication from the Commission to the European Parliament and the Council — ‘Overview of information management in the area of freedom, security and justice’, especially paragraphs 47-48; and EDPS comments on the communication of the Commission on interoperability of European databases of 10 March 2006; all available on http://www.edps.europa.eu

(22)  See Article 4(1)(b) of Regulation (EC) No 45/2001 as well as the national provisions implementing Article 6(1)(a) of Directive 95/46/EC.

(23)  Already established by Article 14 of the Council Regulation (EC) No 73/2009 of 19 January 2009 establishing common rules for direct support schemes for farmers under the common agricultural policy and establishing certain support schemes for farmers, amending Regulations (EC) No 1290/2005, (EC) No 247/2006, (EC) No 378/2007 and repealing Regulation (EC) No 1782/2003 (OJ L 30, 31.1.2009, p. 16) (hereinafter: ‘the direct payments regulation’).

(24)  Article 19(1)(c) of the direct payments regulation contains similar wording.

(25)  Article 36 of the regulation on the financing of the CAP, already foresees the exchange of data for similar purposes.

(26)  See Article 110.

(27)  On-the-spot-checks are already established by the current legislation (see Articles 36 and 37 of the Regulation on the financing of the CAP).

(28)  Similar to the system already established by Article 14 of the direct payments regulation.

(29)  Scrutiny of commercial documents, including those of third parties, and access to them by the Commission is already laid down in the current legislation (see, for example, Article 15 of Council Regulation (EC) No 485/2008 of 26 May 2008 on scrutiny by Member States of transactions forming part of the system of financing by the European Agricultural Guarantee Fund (Codified version) (OJ L 143, 3.6.2008, p. 1)).

(30)  See also Opinion of the European Data Protection Supervisor of 19 April 2011 for a Regulation of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories (OJ C 216, 22.7.2011, p. 9), especially paragraph 32, available on http://www.edps.europa.eu

(31)  As already stated in Article 16 of the direct payments regulation.

(32)  Article 18 of the direct payments regulation contains a very similar wording.

(33)  Article 157(1), first subparagraph of the single CMO regulation includes a list of purposes for the communication of information to the Commission, but does not specify for which of these purposes data may be transferred to third countries or international organisations.

(34)  Article 9(7) of Regulation (EC) No 45/2001.

(35)  ECJ, 9 November 2010, Volker und Markus Schecke and Eifert, joined Cases C-92/09 and C-93/09.

(36)  ECJ, Schecke, para. 77-88.