|
11.10.2017 |
EN |
Official Journal of the European Union |
C 340/6 |
Summary of the Opinion on the proposal for a Regulation establishing a single digital gateway and the ‘once-only’ principle
(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)
(2017/C 340/03)
The Proposal is among the first EU instruments that explicitly refer to and implement the principle of ‘once-only’, which is aimed at ensuring that citizens and businesses are requested to supply the same information only once to a public administration, which can then re-use the information they already have. The Proposal foresees that the exchange of evidence for specified cross-border procedures (such as, for example, requesting recognition of a diploma) would be initiated by the explicit request of a user and it would take place in a technical system established by the Commission and Member States, with a built-in preview mechanism ensuring transparency towards the user.
The EDPS welcomes the Commission's proposal to modernise administrative services and appreciates their concerns for the impact this Proposal may have on the protection of personal data. The Opinion is issued upon the specific request of both the Commission and of the Parliament. It is also inspired by the priorities of the Estonian Presidency of the Council, which specifically includes ‘digital Europe and the free movement of data’.
In addition to providing specific recommendations to further improve the quality of legislation, the EDPS also wishes to seize this opportunity to provide an introductory overview of key issues related to the ‘once-only’ principle in general, although many such concerns are not necessarily borne out by the Proposal in its present form. These relate, in particular, to the legal basis of the processing, purpose limitation, and data subject rights. The EDPS stresses that in order to ensure successful implementation of EU-wide ‘once-only’, and enable lawful cross-border exchange of data, ‘once-only’ must be implemented in line with relevant data protection principles.
With regard to the Proposal itself, the EDPS supports the efforts made to ensure that individuals remain in control of their personal data, including by requiring ‘an explicit request of the user’ before any transfer of evidence between competent authorities and by offering the possibility for the user to ‘preview’ the evidence to be exchanged. He also welcomes the amendments to the IMI Regulation that confirm and update the provisions on the coordinated supervision mechanism foreseen for IMI and would also enable the European Data Protection Board (‘EDPB’) to benefit from the technical possibilities offered by IMI for information exchange in the context of the General Data Protection Regulation (GDPR).
The Opinion provides recommendations on a range of issues, focusing on the legal basis for the cross-border exchange of evidence, purpose limitation, and the scope of the ‘once-only principle’ as well as practical concerns surrounding user control. Key recommendations include clarifying that the Proposal does not provide a legal basis for using the technical system for exchanging information for purposes other than those provided for in the four directives listed or otherwise foreseen under applicable EU or national law, and that the Proposal does not aim to provide a restriction on the principle of purpose limitation under the GDPR; as well as clarifying a range of issues relating to the practical implementation of user control. With regard to the amendments to the IMI Regulation, the EDPS recommends adding the GDPR to the Annex of the IMI Regulation to allow the potential use of IMI for the purposes of data protection.
1. INTRODUCTION AND BACKGROUND
On 2 May 2017, the European Commission (‘Commission’) adopted a Proposal for a Regulation of the European Parliament and of the Council on establishing a single digital gateway to provide information, procedures, assistance and problem solving services and amending Regulation (EU) No 1024/2012 (1) (‘Proposal’).
The aim of the Proposal is to facilitate citizens' and businesses' cross-border activities by offering them user-friendly access, through a single digital gateway, to information, procedures and assistance and problem-solving services they need for exercising their internal market rights. In this respect, this Proposal represents an important initiative in the Commission's journey to develop a deeper and fairer internal market as well as a Digital Single Market (2).
Articles 4 to 6 of the Proposal outline the ‘gateway services’ offered by the single digital gateway. These closely mirror the title of the Proposal itself and include:
|
— |
access to information, |
|
— |
access to procedures and |
|
— |
access to assistance and problem solving services. |
It is also notable that the Proposal, in its Article 36, seeks to amend several provisions of Regulation (EU) No 1024/2012 (the ‘IMI Regulation’) (3), which establishes the legal basis for the operation of the Internal Market Information System (‘IMI’) (4).
The Proposal is among the first EU instruments that explicitly refer to and implement the principle of ‘once-only’ (5). The Proposal refers to the notion of once-only and its benefits by explaining that ‘citizens and businesses should not have to supply the same information to public authorities more than once for the cross-border exchange of evidence’ (6). The Proposal foresees that the exchange of evidence for specified procedures would be initiated by the request of a user and it would take place in the technical system established by the Commission and Member States (7) (for further details, see Section 3 below).
This Opinion is in response to a request of the Commission and a subsequent separate request of the European Parliament (‘Parliament’) to the European Data Protection Supervisor (‘EDPS’), as an independent supervisory authority, to provide an opinion on the Proposal. The EDPS welcomes that he has been consulted by both institutions. The Opinion follows an informal consultation by the Commission of the EDPS prior to the adoption of the Proposal.
The EDPS takes note and welcomes the Commission's proposal to modernise administrative services by facilitating the availability, quality and accessibility of information across the European Union. He also highlights, in particular, that the ‘once-only’ principle could contribute towards these goals, subject to compliance with applicable data protection law and respect for the fundamental rights of individuals.
The EDPS appreciates the Commission's and Parliament's concerns for the impact this Proposal may have on the protection of personal data. He welcomes that many of his informal comments have been taken into account. In particular, he supports:
|
— |
the efforts made to ensure that individuals remain in control of their personal data, including by requiring ‘an explicit request of the user’ before any transfer of evidence between competent authorities (Article 12(4)), and by offering the possibility for the user to ‘preview’ the evidence to be exchanged (Article 12(2)(e)); |
|
— |
the efforts made to define the material scope of application for the principle of ‘once-only’ (Article 12(1)); and |
|
— |
the explicit requirement of using anonymous and/or aggregate data for collection of relevant user feedback and statistics (Articles 21-23); |
|
— |
moreover, he welcomes the proposed amendment of the IMI Regulation which confirms and updates the provisions on coordinated supervision mechanism foreseen for IMI in order to ensure a consistent and coherent approach (Article 36(6)(b); |
|
— |
finally, more general provisions showing commitment to ensuring the respect for the fundamental rights of individuals, including the right to protection of personal data, such as those in recitals 43 and 44 and Article 29 are also welcome. |
The purpose of this Opinion is to provide specific recommendations to address remaining data protection concerns and thereby further improve the quality of legislation (see Section 3 below). Of the three gateway services listed above, this Opinion will focus on ‘access to procedures’ (Article 5) and in particular, the provisions relating to the ‘cross-border exchange of evidence between competent authorities’ under Article 12, as these are most relevant for the protection of personal data. The remainder of the Proposal (including its provisions on access to information and access to assistance and problem-solving services) raises fewer relevant concerns. Further, the EDPS also briefly comments on selected amendments to the IMI Regulation.
In addition, the EDPS wishes to seize this opportunity to provide an introductory overview of key issues related to the ‘once-only’ principle in general, although many such concerns are not necessarily borne out by the Proposal in its present form (see Section 2 below).
4. CONCLUSIONS
The EDPS welcomes the Commission's proposal to modernise administrative services by facilitating the availability, quality and accessibility of information across the European Union and appreciates the Commission's and Parliament's consultation and concerns for the impact this Proposal may have on the protection of personal data.
In addition to providing specific recommendations to further improve the quality of legislation, he also wishes to seize this opportunity to provide an introductory overview of key issues related to the ‘once-only’ principle in general, although many such concerns are not necessarily borne out by the Proposal in its present form. These relate, in particular to:
|
— |
the legal basis for the processing, |
|
— |
purpose limitation |
|
— |
and data subject rights. |
The EDPS stresses that in order to ensure successful implementation of EU-wide ‘once-only’, and enable lawful cross-border exchange of data, once-only must be implemented in line with relevant data protection principles.
With regard to the Proposal itself, the EDPS supports:
|
— |
the efforts made to ensure that individuals remain in control of their personal data, including by requiring ‘an explicit request of the user’ before any transfer of evidence between competent authorities (Article 12(4)), and by offering the possibility for the user to ‘preview’ the evidence to be exchanged (Article 12(2)(e)); and |
|
— |
the efforts made to define the material scope of application for the principle of ‘once-only’ (Article 12(1)); |
|
— |
moreover, he welcomes the proposed amendment of the IMI Regulation which confirms and updates the provisions on coordinated supervision mechanism foreseen for IMI in order to ensure a consistent and coherent approach (Article 36(6)(b); |
|
— |
he also welcomes the inclusion of EU bodies in the definition of IMI actors in the Proposal, which may help enable the European Data Protection Board (‘EDPB’) to benefit from the technical possibilities offered by IMI for information exchange. |
With regard to the legal basis of the processing, the EDPS recommends that one or more recitals be added to clarify that:
|
— |
the Proposal itself does not provide a legal basis for exchanging evidence, and that any exchange of evidence under Article 12(1) must have an appropriate legal basis elsewhere, such as in the four directives listed in Article 12(1) or under applicable EU or national law; |
|
— |
the legal basis for the use of the technical system specified in Article 12 for the exchange of evidence is performance of a task in the public interest under Article 6(1)(e) of the GDPR; and that |
|
— |
users have the right to object to the processing of their personal data in the technical system pursuant to Article 21(1) of the GDPR. |
With regard to purpose limitation, the EDPS recommends that one or more recitals be added to clarify that:
|
— |
the Proposal does not provide a legal basis for using the technical system for exchanging information for purposes other than those provided for in the four directives listed or otherwise foreseen under applicable EU or national law; |
|
— |
and that the Proposal does not in any way aim to provide a restriction on the principle of purpose limitation pursuant to Articles 6(4) and 23(1) of the GDPR. |
On the notion of ‘explicit request’, the EDPS recommends that the Proposal clarify (preferably in a substantive provision):
|
— |
what makes the request ‘explicit’ and how specific the request must be; |
|
— |
whether the request can be submitted via the technical system referred to in Article 12(1); |
|
— |
what are the consequences if the user chooses not to make an ‘explicit request’, and |
|
— |
whether such request can be withdrawn. (For specific recommendations, see Section 3.3 above). |
In relation to the issue of ‘preview’, the EDPS recommends that:
|
— |
the Proposal clarify what are the choices for the user who avails herself of the possibility to ‘preview’ the data to be exchanged; |
|
— |
in particular, Article 12(2)(e) should clarify that the user is offered a possibility of preview in a timely manner before the evidence is made accessible to the recipient; and can withdraw the request for the exchange of the evidence (see also our related recommendations on ‘explicit requests’); |
|
— |
this can be done, for example, by inserting the words at the end of the sentence in Article 12(2)(e): ‘before it is made accessible to the requesting authority, and may withdraw the request at any time’). |
With regard to the definition of evidence and the range of online procedures covered, the EDPS recommends:
|
— |
replacing the reference to Article 2(2)(b) in Article 3(4) by reference to Article 12(1) or providing another legislative solution that would result in a similar effect; |
|
— |
the EDPS also emphasises that he welcomes the efforts made in the Proposal to limit the information exchange to the online procedures listed in Annex II and the four specifically listed directives; |
|
— |
therefore, he recommends that the scope of the Proposal remain clearly defined and continue to include Annex II and the references to the four specifically listed directives. |
Finally, the EDPS recommends:
|
— |
adding the GDPR to the Annex of the IMI Regulation to allow the potential use of IMI for the purposes of data protection; and |
|
— |
adding data protection supervisory authorities to the list of assistance and problem solving services listed in Annex III. |
Done at Brussels, 1 August 2017.
Giovanni BUTTARELLI
European Data Protection Supervisor
(1) Proposal for a Regulation of the European Parliament and of the Council on establishing a single digital gateway to provide information, procedures, assistance and problem solving services and amending Regulation (EU) No 1024/2012, COM(2017) 256 final, 2017/0086 (COD) (henceforth, the Proposal).
(2) Explanatory memorandum to the Proposal, p. 2.
(3) Regulation (EU) No 1024/2012 of the European Parliament and of the Council of 25 October 2012 on administrative cooperation through the Internal Market Information System and repealing Commission Decision 2008/49/EC (the ‘IMI Regulation’) (OJ L 316, 14.11.2012, p. 1).
(4) See also EDPS Opinion of 22 November 2011 on the Commission Proposal for a Regulation of the European Parliament and of the Council on administrative cooperation through the Internal Market Information System
(‘IMI’) available at https://edps.europa.eu/sites/edp/files/publication/11-11-22_imi_opinion_en.pdf
(5) See also Article 14 of the Proposal for a Directive of the European Parliament and Council on the legal and operational framework of the European services e-card introduced by Regulation… [ESC Regulation], COM(2016) 823 final, 2016/0402(COD).
(6) Recital 28 of the Proposal.
(7) Article 12(1) and (4) of the Proposal.