16.10.2010   

EN

Official Journal of the European Union

C 280/1

1.

Information and communication technologies (ICT) are enabling tremendous capabilities in virtually every aspect of our lives — how we work, play, socialize and educate. They are essential for today's information economy and for society in general.

2.

The European Union is a global force in advanced ICT and is determined to remain so. To meet this challenge, the European Commission is soon expected to adopt a new European Digital Agenda which Commissioner Kroes has confirmed as her priority (4).

3.

The EDPS acknowledges the benefits that arise from ICT and agrees that the EU should do its utmost to boost their development and widespread adoption. He also fully endorses the views of Commissioners Kroes and Reding that individuals should be at the core of this new environment (5). Individuals should be able to rely on ICT's ability to keep their information secure and control its use, as well as be confident that their privacy and data protection rights will be honored in the digital space. Respect of those rights is essential in order to generate consumer trust. And such trust is crucial if citizens are to embrace new services (6).

4.

The EU has a strong data protection/privacy legal framework, the principles of which remain completely valid in the digital age. However, one cannot be complacent. In many instances, ICT raise new concerns that are not accounted for within the existing framework. Some action is therefore necessary to ensure that individual rights, as enshrined in EU law, continue to provide effective protection in this new environment.

5.

This Opinion discusses the measures that could be either promoted or undertaken by the European Union in order to guarantee individuals’ privacy and data protection in a globalised world that will remain technologically driven. It discusses legislative and non-legislative instruments.

6.

After providing an overview of ICT as a new development that creates opportunities but also risks, the Opinion discusses the need to integrate, at practical level, data protection and privacy from the very inception of new information and communication technologies (which is referred to as the principle of ‘privacy by design’). In order to compel compliance with this principle, the Opinion discusses the need to provide for the principle of ‘privacy by design’ into the data protection legal framework in at least two different ways. First, by incorporating it as a general, binding principle and, second, by incorporating it in particular ICT areas, presenting specific data protection/privacy risks which may be mitigated through adequate technical architecture and design. These areas are Radio Frequency Identification (RFID), social network applications and browsers applications. Finally, the Opinion makes suggestions regarding other tools and principles aiming at protecting individual's privacy and data protection in the ICT sector.

7.

In addressing the above, the opinion elaborates on some of the points made by the Article 29 Working Party in its contribution to the public consultation on the future of privacy (7). It furthermore builds on earlier opinions of the EDPS, such as the Opinion of 25 July 2007 on the implementation of the Data Protection Directive, the Opinion of 20 December 2007 on RFID and his two opinions on the ePrivacy Directive (8).

8.

ICT have been compared to other important inventions of the past, such as electricity. While it may be too early to assess their real historical impact, the link between ICT and economic growth in developed countries is clear. ICT have created employment, economic benefits and contributed to overall welfare. The impact of ICT goes beyond the purely economic, since it has played an important role in boosting innovation and creativity.

9.

Furthermore, ICT have transformed the way people work, socialise and interact. For example, people increasingly rely on ICT for social and economic interactions. Individuals can make use of a wide range of new ICT applications such as eHealth, eTransport, eGovernment as well as innovative interactive systems for entertainment and learning.

10.

In the light of such benefits, the European Institutions have all expressed their commitment to support ICT as a necessary tool to improve the competitiveness of European industry and to accelerate Europe’s economic recovery. Indeed, in August 2009 the Commission adopted the Europe's Digital Competitiveness Report (9) and launched a public consultation on appropriate future strategies to boost ICT. On 7 December 2009, the Council put forward a contribution to this consultation, entitled ‘Post i2010 Strategy — Towards an open, green and competitive knowledge society’ (10). The European Parliament has just adopted a report intended to provide guidance to the Commission in defining a digital agenda (11).

11.

With the opportunities and benefits that accompany the development of ICT come new risks, particularly for the privacy and protection of personal data of individuals. ICT often lead to a proliferation (quite often in ways that are out of sight to individuals) in the amount of information that is collected, sorted, filtered, transferred or otherwise retained, and the risks to such data therefore multiply.

12.

For example, RFID chips are replacing barcodes on (some) consumer products. By improving the information flow in the supply chain (and thus reducing the need for ‘safety’ stocks, providing more accurate forecasts, etc.) the new system is supposed to benefit business and consumers alike. However, at the same time, this raises the disturbing possibility of being tracked, for different purposes and by different entities, through tagged personal possessions.

13.

Another example is ‘cloud computing’, essentially the delivery of hosted consumer and non-consumer application services over the Internet. These range from photo libraries, calendars, webmail and customer databases to more complex business-related services. The benefits for both businesses and individuals are clear; cost reduction (costs are incremental), location-less (easy access to information anywhere in the world), automation (no need for dedicated IT resources, and to keep software up to date) etc. At the same time, the risks of security glitches and hacking exist and are very real. There is also the concern of losing access to and control over one's own data.

14.

Benefits and risks have been shown to coexist in other areas using ICT applications. Take eHealth, which can enhance effectiveness, reduce costs, increase accessibility and generally improve the quality of healthcare services. However, eHealth often raises the issue of the legitimacy of secondary uses of eHealth information, requiring a careful analysis of the purposes of any potential secondary use (12). Furthermore, as electronic health records have become more widely used, the systems themselves have been dogged by scandals revealing many cases of hacking into electronic health records.

15.

In sum, some degree of residual risk is likely to persist, even after making the right assessments and applying the necessary measures. A situation of zero risk would be unrealistic. However, as further discussed below, measures can and must be implemented to reduce such risk to appropriate levels.

16.

The potential benefits of ICT can only be enjoyed in practice if they are able to generate trust, in other words, if they can secure user willingness to depend on ICT because of their characteristics and benefits. Such trust will only be generated if ICT are reliable, secure, under individuals’ control and if the protection of their personal data and privacy is guaranteed.

17.

Widespread risks and failures such as those illustrated above, particularly when they entail the misuse or breaches of personal data exposing the privacy of individuals, are likely to endanger user trust in the information society. This could seriously jeopardise the development of ICT and the benefits they could bring.

18.

However, the solution to these risks to privacy and data protection cannot be to eliminate, exclude or refuse to use or promote ICT. This would be neither feasible nor realistic; it would prevent individuals from enjoying the benefits of ICT and would seriously limit the overall advantages to be gained.

19.

The EDPS believes that a more positive solution is to design and develop ICT in a way that respects privacy and data protection. It is therefore crucial that privacy and data protection are embedded within the entire life cycle of the technology, from the very early design stage, right through to their ultimate deployment, use and ultimate disposal. This is usually referred to as ‘privacy by design’ (PbD) and is further discussed below.

20.

PbD can entail different actions, depending on the particular case or application. For example, in some cases it may require eliminating/reducing personal data or preventing unnecessary and/or undesired processing. In other cases, PbD may entail offering tools to enhance individuals’ control over their personal data. Such measures should be considered when standards and/or best practices are defined. They can also be incorporated into the architecture of information and communication systems, or in the structural organisations of the entities that process personal data.

21.

The need for the principle of PbD can be found in many different ICT environments. For example, the healthcare sector increasingly relies on ICT infrastructures which often entail centralised storage of patients’ health related information. The application of the PbD principle in the health sector would require assessing the suitability of different measures such as the possibility of minimising data stored centrally or limiting it to an index, using encryption tools, assigning access rights strictly on ‘a need to know basis’, anonymising data once they are no longer required, etc.

22.

Similarly, transport systems are increasingly provided by default with advanced ICT applications that interact with the vehicle and its environment for different purposes and functions. For example, cars are increasingly equipped with new ICT functionality (GPS, GSM, network of sensors, etc.) providing not only their location but also their technical conditions in real time. This information could be used, for example, to replace the existing road tax system by a usage-dependent road charge. The application of PbD to the design of the architecture of such systems should support the processing and onward transfer of as little personal data as possible (13). In keeping with this principle, decentralised or semi-decentralised architectures limiting the disclosure of location data to a central point would be preferable to centralised ones.

23.

The above examples show that when information and communication technologies are built according to the principle of PbD, the risks to privacy and data protection may be significantly minimised.

24.

An important question is whether economic operators, ICT manufacturers/providers and data controllers are interested in marketing and implementing the PbD principle in ICT. In this context, it is also important to assess user demand for PbD.

25.

In 2007, the Commission issued a communication calling upon businesses to use their power of innovation to create and implement PETs as a way to improve the protection of privacy and personal data from the very beginning of the development cycle (14).

26.

To date however, the available evidence shows that neither ICT manufacturers nor data controllers (in either the private or public sector) have managed to consistently implement or market PbD. Different motivations have been adduced, including lack of economic incentives or institutional support, insufficient demand, etc. (15).

27.

At the same time, user demand for PbD has been rather low. Users’ of ICT products and services may rightly assume that their privacy and personal data are de facto protected, when in many cases, they are not. In some cases, they are simply not in a position to take the security measures necessary to protect either their own personal data or those of others. In many instances this is because they lack the full or even partial knowledge of the risks. For example, generally speaking young people disregard the privacy risks associated with displaying personal information on social networks and often ignore privacy settings. Still other users are aware of the risks but may not have the necessary technical expertise to implement safeguarding technologies, such as those that protect their Internet connection or how to amend browser settings to minimise profiling based on the monitoring of their websurfing activities.

28.

Yet, the risks to the protection of privacy and data protection are very real. If privacy and data protection are not taken into account from the start, it is often too late and economically too cumbersome to fix the systems, and too late to repair the harm already done. The increasing number of data breaches in recent years perfectly illustrates this problem and reinforces the need for privacy by design.

29.

The above clearly suggests that manufacturers and providers of ICT technologies designed to process personal data should have, together with data controllers, a responsibility to design them with inbuilt data protection and privacy safeguards. In many instances this would mean that they should be designed with privacy by default settings.

30.

Against this backdrop, we need to consider what steps should be taken by policy makers to promote PbD in the development of ICT. A first question is whether the existing legal data protection framework contains adequate provisions to ensure the implementation of the principle of PbD by both data controllers and manufacturers/developers. A second question is what should be done in the context of the European Digital Agenda to ensure that the ICT sector generates consumer trust.

31.

The EU has a robust data protection and privacy framework enshrined in Directive 95/46/EC (16), Directive 2002/58/EC (17) and the jurisprudence of the European Court of Human Rights (18) and the Court of Justice.

32.

The Data Protection Directive applies to ‘any operation or set of operations which is performed upon personal data’ (collection, storage, disclosure, etc.). It imposes compliance with certain principles and obligations upon those who process personal data (‘data controllers’). It sets forth individual rights, such as the right to access personal information. The ePrivacy Directive deals specifically with the protection of privacy in the electronic communication sector (19).

33.

The current Data Protection Directive does not contain an explicit requirement for PbD. However, it includes provisions which indirectly, in different situations, may well demand the implementation of the principle of PbD. In particular, Article 17 requires that data controllers implement appropriate technical and organisation measures to prevent unlawful data processing (20). PbD is therefore covered in a very generic way. Furthermore, the provisions of the Directive are mainly addressed to data controllers and their processing of personal information. They do not explicitly require that information and communications technologies are privacy and data protection compliant, which requires also addressing designers and manufacturers of ICT, including the activities carried out at the stage of standardisation.

34.

The ePrivacy Directive is more explicit. Article 14.3 provides that ‘Where required, measures may be adopted to ensure that terminal equipment is constructed in a way that is compatible with the right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC and Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and communications)’. However, this provision has never been used (21).

35.

Whereas the above provisions of the two Directives are helpful towards the promotion of privacy by design, in practice they have not been sufficient in ensuring that privacy is embedded in ICT.

36.

As a result of the above situation, the law does not in a sufficiently precise way require that ICT is designed in accordance with the principle of PbD. Also, data protection authorities do not have enough powers to ensure imbedding PbD. This results in ineffectiveness. For example, data protection authorities may be able to impose sanctions for failure to answer to access requests made by individuals and they will have the competences to require the implementation of certain measures to prevent unlawful data processing. Yet it is not always sufficiently clear whether their powers extend to requiring a system to be designed in a way that facilitates individuals’ data protection rights (22). For example, on the basis of the existing legal provisions it is unclear whether it could be required that the architecture of an information system is designed in a way that facilitates the companies’ response to access requests made by individuals so that such requests can be handled automatically and quicker. Furthermore, later attempts to alter the technology once it has been developed or deployed may result in a patchwork of solutions that do not fully work, besides being economically onerous.

37.

In the EDPS’ view, which is shared with the Article 29 Working Party (23), the current legal framework leaves room for a more explicit endorsement of the principle of PbD.

38.

In the light of the above, the EDPS recommends the Commission to follow four courses of action:

39.

The EDPS proposes to include unequivocally and explicitly the principle of privacy by design into the existing data protection regulatory framework. This would make the principle of PbD stronger, more explicit, and it will compel its effective implementation, in addition to giving more legitimacy to enforcement authorities to require its de facto application in practice. This is particularly necessary in the light of the facts outlined above, not only the importance of the principle itself as a tool to foster trust, but also as an incentive to stakeholders to implement PbD and enhance the guarantees that are provided for in the existing legal framework.

40.

This proposal builds on the Article 29 Working Party's recommendation to introduce the principle of ‘privacy by design’ as a general principle in the data protection legal framework, in particular, in the Data Protection Directive. According to the Article 29 Working Party: ‘This principle should be binding for technology designers and producers as well as for data controllers who have to decide on the acquisition and use of ICT. They should be obliged to take technological data protection into account already at the planning stage of information-technological procedures and systems. Providers of such systems or services as well as controllers should demonstrate that they have taken all measures required to comply with these requirements’.

41.

The EDPS also welcomes Commissioner Viviane Reding's endorsement of the privacy by design principle made in the context of announcing the review of the Data Protection Directive (24).

42.

This leads to the content of such regulation. First and most important, a general privacy by design principle should be technologically neutral. The principle should not intend to regulate technology, i.e. it should not prescribe specific technical solutions. Instead, it should mandate that existing privacy and data protection principles be integrated into information and communication systems and solutions. This would allow stakeholders, manufacturers, data controllers and DPAs, to interpret the meaning of the principle in each individual case. Second, compliance with the principle should be mandatory at different stages, from the creation of standards and the design of the architecture to their implementation by the data controller.

43.

Current and forthcoming legislative instruments must integrate the principle of PbD on the basis of the current legal framework, and, after the adoption of the general provision proposed above, on the basis of the latter provision. For example, according to the current initiatives related to intelligent transport systems the Commission will bear specific initial responsibility in the definition of measures, standardisation initiatives, procedures and best practices. In carrying out these tasks, the PbD should be a guiding principle.

44.

The EDPS further notes that the privacy by design principle is also of specific importance in the area of freedom, security and justice, in particular in relation to the goals of the Information Management Strategy, as foreseen in the Stockholm Programme (25). In his opinion relating to the Stockholm Programme the EDPS emphasised that the architecture for information exchange should be based on ‘privacy by design’ (26): ‘This means, more concretely, that information systems which are designed for purposes of public security should always be built in accordance with the principle of “privacy by design”’.

45.

The Article 29 Working Party's Opinion on the future of privacy (27) insists in even more precise terms that in the area of freedom, security and justice — where public authorities are the main actors and where measures increasing surveillance directly impact on the fundamental rights to privacy and data protection — requirements of privacy by design should be made compulsory. By introducing these requirements in information systems, governments would also stimulate privacy by design in their capacities as launching customers.

46.

Information and communication technologies are increasingly complex and entail greater privacy and data protection risks. In general, digitised information, which is easier to access, copy and transmit is exposed to much higher risks than paper-based information. As we move towards networks of interconnected objects, the risks will increase. The greater privacy/data protection risks are, the greater will be the demand for enhanced data protection/privacy safeguards. Therefore, the justifications for the need to implement PbD are more compelling in the ICT sector. In addition, as discussed above, individuals’ trust in ICT is fundamental if citizens are to embrace these new services, and privacy and data protection are key elements of such trust.

47.

The above underlines that a strategy for the development of ICT must confirm the need for them to be designed with an inherent element of privacy and data protection, i.e. taking into consideration the principle of privacy by design.

48.

Therefore, the European Digital Agenda should explicitly endorse the principle of privacy by design as a necessary element to ensure citizen trust in ICT and online services. It should recognise that privacy and trust go hand in hand, and that privacy by design should be a guiding factor in the development of a trustworthy ICT sector.

49.

The Commission should have privacy by design as a guiding principle in implementing policies, activities and initiatives in specific ICT sectors, including eHealth, eProcurement, eSocial Security, eLearning, etc. Many of these initiatives will be action items in the European Digital Agenda.

50.

This means, for example, that initiatives to ensure that government applications are more efficient and modern so that individuals can interact with administrations, should include the need for them to be designed and operated in accordance with the principle of privacy by design. The same applies to Commission policies and activities that cater for a faster Internet, digital content, or overall encouragement of fixed and wireless communications and data transmission.

51.

The above also includes areas where the Commission is responsible for the large scale IT systems, like SIS and VIS, as well as for those cases whereby the Commission's responsibility is limited to the development and maintenance of the common infrastructure of such a system, such as the European Criminal Records Information System (ECRIS).

52.

How exactly the PbD principle will be developed will depend on each particular sector and situation. For example, when Commission initiatives are accompanied by legislative proposals on a specific ICT sector, in many cases it will be appropriate to include an explicit reference to the notion of PbD applicable to the design of the particular ICT application/system. If action plans for a specific area are designed, they should systematically ensure the application of the legal framework and more specifically guarantee that the relevant ICT technology is built with privacy by design in mind.

53.

As far as research is concerned, the Seventh Framework Programme and the following ones should be used as a tool to support projects that aim at analysing standards, ICT technologies and architecture that better serve privacy and more particularly the principle of privacy by design. In addition, PbD should also be a necessary element to be considered in broader ICT projects that aim at processing personal data of individuals.

54.

In some cases, because of the particular risks for individuals’ privacy and data protection or due to other factors (industry resistance to provide PbD products, consumer demand, etc.) it may be necessary to define more explicit and specific privacy by design measures that must be incorporated into a given type of information and communication product/technology, either or not in legislative instruments.

55.

The EDPS has identified various areas (RFID, social networking and browser applications) that deserve, in his opinion, at this stage careful consideration by the Commission and the more hands-on intervention advocated above. These three areas are discussed further below.

56.

RFID tags can be integrated into objects, animals and people. They can be used to collect and store personal data such as medical records, to trace people's movements or to profile their behaviour for different purposes. This can be done without the individual being aware of it (28).

57.

Effective guarantees regarding data protection, privacy and all associated ethical dimensions are crucial for public trust in RFID and a future Internet of Things. Only then can the technology deliver its numerous economic and societal benefits.

58.

The Data Protection Directive and the ePrivacy Directive apply to the collection of data carried out through RFID applications (29). They require, among others, that adequate privacy safeguards are put in place to operate RFID applications (30).

59.

However, this legal framework does not fully address all the data protection and privacy concerns raised by this technology. This is because the Directives are not sufficiently detailed as to the type of safeguards that should be implemented in RFID applications. The existing rules need to be complemented with additional ones imposing specific safeguards, particularly making mandatory to embed technical solutions (privacy by design) in RFID technology. This is true for tags that store personal information, which should have kill commands and the use of cryptography in tags storing certain types of personal information.

60.

In March 2007, the Commission adopted a Communication (31) recognising, among others, the need for detailed guidance on practical implementation of RFID and the desirability of adopting design criteria to avoid risks to privacy and security.

61.

To achieve these goals, in May 2009, the Commission adopted a recommendation on the implementation of privacy and data protection principles in RFID applications (32). In retail RFID applications, it requires tag deactivation at the point of sale unless individuals have consented. This applies unless a privacy and data protection impact assessment demonstrates that tags do not represent a likely threat to privacy or the protection of personal data, in which case they would remain operational after the point of sale unless the individuals opt-out, free of charge.

62.

The EDPS agrees with the Commission's approach to use self-regulatory instruments. However, as further described below, it is conceivable that self-regulation will not deliver the expected results; therefore he calls upon the Commission to be ready to adopt alternative measures.

63.

The EDPS is concerned that organisations operating RFID applications in the retail sector may overlook the possibility for RFID tags to be monitored by unwanted third parties. Such monitoring might reveal personal data stored in the tag (if any), but might also enable a third party to follow or recognize a person through time by simply using the unique identifiers contained in one or several tags carried by the individual, in an environment that may even be outside of the operational perimeter of the RFID application. He is further concerned that operators of RFID applications may be tempted to unduly rely on the exception, and thus, leave the tag operational after the point of sale.

64.

If the above occurs, it may be too late to mitigate the risks to individuals’ data protection and privacy, which may have already been affected. Further, given the nature of self-regulation, national enforcement authorities may have a weaker position when requiring organisations operating RFID applications to apply specific privacy by design measures.

65.

In the light of the above, the EDPS calls upon the Commission to be ready to propose legislative instruments regulating the main issues of RFID usage in case the effective implementation of the existing legal framework fails. The Commission's assessment should not be unduly postponed; postponing would put individuals at risk and it would also be counterproductive for industry as the legal uncertainties are too high and entrenched problems are likely to be more difficult and expensive to correct.

66.

Within the measures that may need to be proposed, the EDPS recommends providing for the opt-in principle at the point of sale pursuant to which all RFID tags attached to consumer products would be deactivated by default at the point of sale. It may not be necessary or appropriate for the Commission to specify the concrete technology to be used. Instead, Union law must establish he legal obligation to obtain opt-in consent, leaving room for operators to decide the ways to meet the requirement.

67.

Information produced by RFID tags — for example, product information — may eventually be interconnected into a global network of communication infrastructure. This is usually referred to as the ‘Internet of Things’. The data protection/privacy questions arise because real world objects may be identified by RFID tags that in addition to product information may include personal data.

68.

There are many open questions about who will manage the storage of information related to tagged items. How will it be organised? Who will have access to it? In June 2009, the Commission adopted a Communication on the Internet of Things (33) which has explicitly identified the potential data protection and privacy problems of this phenomenon.

69.

The EDPS would like to stress some of the issues raised by the Communication which, in his view, deserve close attention as the Internet of Things develops. First, the need for a decentralised architecture may facilitate accountability and enforceability of the EU legal framework. Second, the individuals’ right to not be tracked should be preserved, to the extent possible. In other words, there should be very limited cases where individuals’ are tracked through RFID tags without their consent. Such consent should be explicit. This is usually referred to as the ‘silence of chips’ and the right to be left alone. Finally, in designing the Internet of things, the principle of privacy by design should be a guiding principle. For example, this would require that concrete RFID applications which have inbuilt mechanisms to give control to users are designed with privacy by default settings.

70.

The EDPS expects to be consulted as the Commission puts in place the actions envisaged in the Communication, particularly the drafting of the Communication on privacy and trust in the ubiquitous information society.

71.

Social networks are the ‘flavour of the month’. They appear to have surpassed email in popularity. They connect people with others who share similar interests and/or activities. People can have their profiles online and share media files such as videos, photos, music as well as their career profiles.

72.

Young people have rapidly adopted social networking and this trend is continuing. The average age of Internet users in Europe has decreased in the past few years: 9-10 year olds now connect several times a week; 12-14 year olds go online daily, often for one to three hours.

73.

The development of social networks has enabled users to upload onto the Internet information about themselves and third parties. In doing so, according to Article 29 Working Party (34), Internet users act as data controllers ex Article 2(d) of the Data Protection Directive for the data that they upload (35). However, in most cases such processing falls within the household exception ex Article 3.2 of the Directive. At the same time, social networking services are considered data controllers insofar as they provide the means for the processing of user data and provide all the basic services related to user management (e.g. registration and deletion of accounts).

74.

In legal terms this means that Internet users and social networking services share joint responsibility for the processing of personal data as ‘data controllers’ within the meaning of Article 2(d) of the Directive, albeit to different degrees and with different sets of obligations.

75.

Accordingly, users should know and understand that by processing their personal information and that of others, they fall under the provisions of the EU legislation on data protection that requires, among other things, obtaining the informed consent of those whose information is uploaded and granting those concerned with the right of rectification, object, etc. Similarly, social networking services must, among other things, implement appropriate technical and organisational measures to prevent unauthorised processing, taking into account the risks represented by the processing and the nature of the data. This in turn means that social networking services should ensure privacy-friendly default settings, including settings that restrict profile access to the user's own, self-selected contacts. Settings should also require user's affirmative consent before any profile becomes accessible to other third parties, and restricted access profiles should not be discoverable by internal search engines.

76.

Unfortunately, there is a gap between legal requirements and actual compliance. Whereas legally speaking Internet users are considered data controllers and are bound by the EU data protection and privacy legal framework, in reality, they are often unaware of this role. Generally speaking they have a poor understanding that they are processing personal data and that there are privacy and data protection risks involved in publishing such information. Young people in particular post content online underestimating the consequences for them and others, for example, in the context of subsequent enrolment in educational institutions or applications for jobs.

77.

At the same time, social network providers often preselect default settings based on opt-outs, thus facilitating the disclosure of personal information. Some enable profiles to be available to common search engines by default. This raises questions as to whether individuals have actually consented to disclosure, as well as whether social networks have complied with Article 17 of the Directive (described above) requiring them to implement appropriate technical and organisational measures to prevent unauthorised processing.

78.

The above results in an increased risk to individual's privacy and data protection. It exposes Internet users and those whose data has been uploaded to blatant violations of their privacy and data protection.

79.

Against this background, the question that the Commission should address is what should and could be done to address this situation. This Opinion does not provide a comprehensive answer to the question, but instead puts forward a number of suggestions for further consideration.

80.

The first suggestion is to invest in user education. In this regard, the EU institutions and national authorities should invest in educating and raising awareness of the threats posed by social networking websites. For example, Information Society DG has been running the Safer Internet Programme, which aims at empowering and protecting children and young people by, for instance, awareness raising activities (36). Recently the EU institutions launched the ‘Think before you post’ campaign to raise awareness of the risks of sharing personal information with strangers.

81.

The EDPS encourages the Commission to continue to support this type of activity. However, social network providers themselves should also play an active role, as they have a legal and social responsibility to educate users in how to use their services in a safe and privacy-friendly manner.

82.

As described above, when posting information on social networks, the information may be made available by default in a number of different ways. For example, information may be available to the public in general, including search engines, which may index it and thus provide direct links to it. On the other hand, information may be limited to ‘selected friends’ or may be kept completely private. Obviously, the profile permissions and the terminology used vary from site to site.

83.

However, as outlined above, very few users of social networking services know how to control access to the information they post, never mind how to change the default privacy settings. Privacy settings usually remain unchanged because users are unaware of the implications of not changing them or do not know how to do it. More often than not therefore, not changing the privacy settings does not mean that individuals have made an informed decision to accept sharing information. In this context, it is particularly important that third parties such as search engines do not link to individual profiles, on the assumption that users have consented by default (by not changing the privacy settings) to make the information available without restrictions.

84.

Whilst user education may help to address this situation, it will not work on its own. As recommended by the Article 29 Working Party in its Opinion on social networks, social network providers should offer privacy-friendly, free-of-charge default privacy settings. This would make users more aware of their actions, and enable them to make better choices as to whether they want to share information and with whom.

85.

The Commission has entered into an agreement with 20 social network providers known as the ‘Safer Social Networking Principles for the EU’ (37). The aim of the agreement is to improve the safety of minors when using social networking sites in Europe. Such principles include many of the requirements derived from the application of the data protection legal framework described above. They include, for example, the requirement to empower users through tools and technology, to ensure that they can control the use and dissemination of their personal information. It also includes the need to provide privacy settings by default.

86.

Early January 2010, the Commission made available the findings of a report evaluating the implementation of the principles (38). The EDPS is concerned that this report shows that while some steps have been taken, many others have not. For example, the report found problems regarding the communication of the safety measures and tools available on the sites. It also found that less than half of the signatories of the agreement restrict access to the profiles of minors to only their friends.

87.

In this context, the key question is whether additional policy measures are necessary to ensure that social networks set up their services with privacy by default settings. This issue was raised by the former Information Society Commissioner Viviane Reding, who pointed out that legislation may be necessary (39). Along the same lines, the European Economic and Social Committee stated that alongside self-regulation minimum protection standards should be imposed by law (40).

88.

As noted above, the obligation for social network providers to implement by default privacy settings can be deduced indirectly from Article 17 of the Data Protection Directive (41) which obliges data controllers to take appropriate technical and organisational measures (‘both at the time of the design of the processing system and at the time of the processing itself’) to maintain security and prevent unauthorised processing, taking into account the risks represented by the processing and the nature of the data.

89.

However, this Article is far too general and lacks specificity, also in this context. It does not state clearly what is meant by appropriate technical and organisational measures in the context of social networks. Thus, the current situation is one of legal uncertainty, which causes problems for both regulators and individuals whose privacy and personal data are not fully protected.

90.

In light of the above, the EDPS urges the Commission to prepare legislation which would include, at a minimum, an overarching obligation requiring mandatory privacy settings, coupled with more precise requirements:

91.

In addition to providing for mandatory privacy by default settings, a question remains as to whether additional, specific data protection and other measures (for example, regarding protection of minors) may also be appropriate. This raises the broader issue of whether it would be suitable to create a specific framework for these types of services that, in addition to providing for mandatory privacy settings, would regulate other aspects. The EDPS asks the Commission to take this issue into consideration.

92.

Ad network providers use cookies and other devices to monitor the behaviour of individual users when they surf the Internet in order to catalogue their interests and build profiles. This information is then used to send them targeted advertisements (42).

93.

This processing is covered by the Data Protection Directive (when personal data is concerned) and also by Article 5.3 of the ePrivacy Directive. This Article specifically requires that the user is informed and given the opportunity to react by way of consenting to or rejecting the storage of devices such as cookies etc. on his computer or other device (43).

94.

To the present, ad network providers have relied on browser settings and privacy policies to inform users and enable them to consent or reject cookies. They have explained in publishers privacy policies how to opt-out from receiving cookies altogether or to accept them on a case-by-case basis. In doing so, they intended to comply with their obligation to offer users the right to refuse cookies.

95.

Whereas theoretically this method (via the browser) could indeed effectively provide meaningful informed consent, the reality is very different. In general, users lack the basic understanding of the collection of any data, much less from third parties, of the value of such data, its uses, how the technology works and more particularly how and where to opt-out. The steps that users must take to opt-out seem not only complicated but also excessive (first he must set his browser to accept cookies, then exercise the opt-out option).

96.

As a result, in practice very few people exercise the opt-out option, not because they have made an informed decision to accept behavioural advertisement, but rather because they do not realise that by not using the opt out, they are in fact accepting.

97.

Therefore, while legally speaking, Article 5(3) of the ePrivacy Directive provides for effective legal protection, in practice, Internet users are deemed to consent to be monitored for the purposes of sending behavioural advertisement when in fact, in many, if not most cases, they are fully unaware that the monitoring takes place.

98.

The Article 29 Working Party is preparing an opinion that aims to clarify the legal requirements to engage in behavioural advertisement, which is welcome. However, interpretation may not, in itself, be sufficient to solve this situation and it may be necessary for the European Union to take additional actions.

99.

As described above, web browsers commonly allow a level of control over certain kinds of cookies. Currently, the default settings of most web browsers are accepting all cookies. In other words, by default, the browsers are set to accept all cookies, independently of the purpose of the cookie. Only if the user changes the settings of his/her browser application to deny cookies, which as described above, very few users do, he/she will not receive cookies. Furthermore, there is no privacy wizard on the first install or update of browser applications.

100.

A way to mitigate the above problem would be if browsers would be provided with by default privacy settings. In other words, if they would be provided with the setting of ‘not acceptance of third party cookies’. To complement this and to make it more effective, the browsers should require users to go through a privacy wizard when they first install or update the browser. There is a need for more granularity and clear information on the types of cookies and the usefulness of some of them. Users willing to be monitored for the purposes of receiving advertisement will be duly informed and they would need to change the browser settings. This would give them an enhanced control over their personal data and privacy. This would be, in the EDPS’ view, an effective way to respect and preserve users’ consent (44).

101.

Taking into account, on the one hand, the widespread nature of the problem, in other words, the number of Internet users that are currently monitored on the basis of a consent that is illusory and, on the other, the scale of interest at stake, the need for additional safeguards becomes more acute. The implementation of the PbD principle in web browser applications could make a dramatic difference towards giving individuals control over the data collection practices used for advertising purposes.

102.

For these reasons, the EDPS urges the Commission to consider legislative measures requiring mandatory privacy by default settings in browsers and the provision of the relevant information.

103.

While the PbD principle has a great potential to improve the protection of individuals’ personal data and privacy, the design and implementation in law of complementary principles to ensure consumer trust in ICT are necessary. Against this background, the EDPS addresses the accountability principle and the completion of a mandatory security breach framework applicable across sectors.

104.

The Article 29 Working Party paper entitled ‘Future of Privacy’ (45) recommended including the accountability principle into the Data Protection Directive. This principle, which is recognised in some multinational data protection instruments (46), requires organisations to implement processes to comply with existing laws and to set up methods of assessing and demonstrating compliance with the law and other binding instruments.

105.

The EDPS fully supports the Article 29 Working Party recommendation. He considers that this principle will be highly relevant to foster the effective application of data protection principles and obligations. Accountability will require data controllers to demonstrate that they have put in place the mechanism necessary to comply with applicable data protection legislation. This is likely to contribute to the effective implementation of privacy by design in ICT technologies as a particularly well-suited element to show accountability.

106.

To measure and demonstrate accountability data controllers could use internal procedures and third parties who may perform audits or other types of checks and verifications, which as a result, may award seals or awards. In this context, the EDPS urges the Commission to consider whether, in addition to a general accountability principle, it may be helpful to require by law specific accountability measures such as the need to produce privacy and data protection impact assessments and under which circumstances.

107.

Last year's amendments to the ePrivacy Directive introduced a requirement to notify data breaches to affected individuals and also to the relevant authorities. A data breach is broadly defined as any breach leading to the destruction, loss, disclosure etc. of personal data transmitted, stored or otherwise processed in connection with the service. Notification to individuals will be required if the data breach is likely to adversely affect their personal data or privacy. This may be the case where the breach could lead to identity theft or significant humiliation or reputational damage. Notification to the relevant authorities will be required for every data breach, regardless of whether there is a risk to individuals.

108.

Unfortunately this obligation applies only to providers of publicly available electronic communications services, such as telephone companies, Internet Access Providers, webmail providers, etc. The EDPS urges the Commission to put forward proposals on security breach applying across sectors. As to the content of such framework, the EDPS considers that the security breach legal framework adopted in the ePrivacy Directive strikes an appropriate balance between the protection of individuals’ rights, including their rights to personal data and privacy, and the obligations imposed on covered entities. At the same time, this is a framework with real ‘teeth’, as it is backed by meaningful enforcement provisions, which provide authorities with sufficient powers of investigation and sanction in the event of non-compliance.

109.

Accordingly, the EDPS urges the Commission to adopt a legislative proposal applying this framework across sectors, if necessary with the appropriate adjustments. In addition this would ensure that the same standards and procedures are applied across sectors.

110.

The revised ePrivacy Directive empowers the Commission to adopt technical implementing measures, i.e. detailed measures on security breach notification, through a comitology procedure (47). This empowerment is justified in order to ensure consistent implementation and application of the security breach legal framework. Consistent implementation works towards ensuring that individuals across the Community enjoy an equally high level of protection and that covered entities are not burdened with diverging notification requirements.

111.

The ePrivacy Directive was adopted in November 2009. There does not appear to be any reason justifying postponing the starting of the work towards adopting the technical implementing measures. The EDPS organised two seminars which aimed at sharing and gathering experience on data breach notification. He would be happy to share the results of this exercise and is looking forward to working with the Commission and other stakeholders in fine-tuning the overall data breach legal framework.

112.

The EDPS urges the Commission to take the necessary steps, within a short time-frame. Before adopting technical implementing measures, the Commission must engage in a broad consultation, in which ENISA, the EDPS and Article 29 Working Party must be consulted. Furthermore, the consultation must also include other ‘relevant stakeholders’, particularly in order to inform of the best available technical and economic means of implementation.

113.

Trust, or rather its absence, has been identified as a core issue in the emergence and successful deployment of information and communications technologies. If people do not trust ICT, these technologies are likely to fail. Trust in ICT depends on different factors; ensuring that such technologies do not erode individuals’ fundamental rights to privacy and to the protection of personal data is a key one.

114.

In order to further strengthen the data protection/privacy legal framework, the principles of which remain completely valid in the information society, the EDPS proposes the Commission to embed privacy by design on different levels of law and policy making.

115.

He recommends the Commission to follow four courses of action:

116.

In three designated ICT areas, the EDPS recommends the Commission to evaluate the need to put forward proposals implementing the principle of privacy by design in specific ways:

117.

Finally, the EDPS suggests the Commission to:

16.10.2010   

EN

Official Journal of the European Union

C 280/16

1.

On 3 December 2008 the Commission adopted a Proposal for a Directive of the European Parliament and of the Council on waste electrical and electronic equipment (WEEE) (hereinafter ‘the Proposal’) (1). The Proposal aims to recast Directive 2002/96/EC on waste electrical and electronic equipment (WEEE) adopted on 27 January 2003 (hereinafter ‘the Directive’) (2) without changing either the drivers or the rationale for collecting and recycling WEEE.

2.

The EDPS has not been consulted as required by Article 28(2) of Regulation (EC) No 45/2001 (3). Acting on his own initiative, the EDPS has therefore adopted the current opinion based on Article 41(2) of the same Regulation. The EDPS recommends that a reference to this opinion is included in the preamble of the Proposal.

3.

The EDPS is aware that this advice comes at a late stage in the legislative process but nevertheless considers it appropriate and useful to issue this opinion, since the Proposal raises significant data protection issues not addressed in the text. This opinion is not meant to modify the main and predominant purpose and content of the Proposal, whose ‘centre of gravity’ (4) remains in the protection of the environment, but only to bring an additional dimension which is becoming increasingly important to our information society (5).

4.

The EDPS, also aware of the limited scope of the recasting procedure, nevertheless urges the legislator to take these recommendations into account in accordance with Article 8 of the Interinstitutional Agreement on the recasting procedure (which provides for the possibility of amending unchanged provisions) (6).

5.

The purpose of the Proposal is to update the existing Directive relating to the disposal, reuse and recycling of WEEE. Technical, legal and administrative problems in the first years of implementation of the Directive have led to the Proposal, as was foreseen under Article 17(5) of the Directive.

6.

Electric and electronic equipment (EEE) is a wide product group that includes a diverse set of media capable to store personal data — such as IT and telecommunications equipment (e.g. personal computers, laptops, electronic communication terminals) — characterised in the present techno-economic context by increasingly fast innovation cycles and, due to technological convergence, by the availability of multi-purpose devices. Developments in electronic storage media are accelerating rapidly, particularly in relation to storage capacity and size, and therefore market forces cause the turnover of EEE (containing large amounts of, often sensitive, personal data) to accelerate similarly. The results being not only that the WEEE ‘is considered the fastest growing waste stream in the EU’ (7), but also, in the case of inappropriate disposal, that there is an obvious increased risk of loss and dispersion of personal data stored within this type of EEE.

7.

For a long time the European Union's policies on the environment and sustainable development have been aimed at reducing waste of natural resources and introducing measures to prevent pollution.

8.

The disposal, reuse and recycling of WEEE are included within this framework. These measures seek to prevent the disposal of electrical and electronic equipment along with mixed waste, placing an obligation on producers to provide disposal in the manner prescribed by the Directive.

9.

In particular, among the various measures envisaged by the Directive, it is worth highlighting those designed to reuse (i.e. any operation by which WEEE or components thereof are used for the same purpose for which they were conceived, including the continued use of the equipment or components thereof which are returned to collection points, distributors, recyclers or manufacturers), recycle (i.e. the reprocessing in a production process of the waste materials for the original purpose or for other purposes) and find other forms of recovery of WEEE so as to reduce the disposal of waste (see Articles 1 and 3(d) and (e) of the Directive).

10.

These operations, in particular the reuse and recycling of the WEEE, especially IT and telecommunications equipment, may present a risk, greater than in the past, that those collecting the WEEE or selling and purchasing the used or recycled devices might become aware of any personal data stored within. Such data can often be sensitive or refer to large numbers of individuals.

11.

For all these reasons, the EDPS considers it urgent for all stakeholders (users and producers of EEE) to be made aware of the risks to personal data, especially in the final stage of the EEE life-cycle. At this stage, although the EEE are economically less valuable, they are likely to contain a large amount of personal data and therefore likely to have a high ‘intrinsic’ value for the data subject and/or others.

12.

The EDPS has no observations on the general objective of the Proposal and fully supports the initiative taken, which is intended to improve environmental-friendly policies in the area of WEEE.

13.

However, the Proposal, as well as the Directive, focuses solely on the environmental risks related to the disposal of WEEE. It does not take into account other additional risks to individuals and/or organisations that may arise from the operations of disposal, reuse or recycling of WEEE, in particular those related to the likelihood of improper acquisition, disclosure or dissemination of personal data stored in the WEEE.

14.

It is important to note that Directive 95/46/EC (8) applies to ‘any operation or set of operations which is performed upon personal data’, including their ‘erasure or destruction’ (Article 2(b)). Disposal of EEE can involve data processing operations. For this reason there is an overlap between the Proposal and the just mentioned Directive, and as such data protection rules could apply to activities covered by the Proposal.

15.

The EDPS intends to highlight the significant risks that may affect individuals and/or organisations acting as ‘data controllers’ (9) where the WEEE, particularly IT and telecommunications equipments, contain personal data relating to the users of those devices and/or third parties at the time of disposal. The unlawful access to or disclosure of such personal information, sometimes consisting of special categories of data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life (so called ‘sensitive data’) (10), are indeed capable of affecting the privacy and dignity of the persons to whom the information relates, as well as other legitimate interests of those individuals/organisations (e.g. economic ones).

16.

In general terms, the EDPS considers it necessary to emphasise the importance of the adoption of appropriate security measures at every stage (from beginning to end) of the processing of personal data, as repeatedly stated in other opinions (11). This applies a fortiori in the delicate phase in which the data controller intends to dispose of devices containing personal data.

17.

Indeed, the respect of security measures is often a pre-condition in order to effectively guarantee the right to the protection of personal data.

18.

It would therefore be inconsistent to introduce the duty to put in place (sometimes costly) security measures in the ordinary course of processing operations of personal data (as envisaged by Article 17 of Directive 95/46/EC, when applicable (12)) and then simply omit to consider the introduction of adequate safeguards regarding the disposal of the WEEE.

19.

It would be similarly inconsistent to give importance to the issue of data security to the extent that data breach notification had to be introduced via Article 3 of Directive 2009/136/EC (13) and then not provide any guarantee or safeguard during the disposal of WEEE as well as in the event of WEEE reuse or recycling.

20.

The EDPS regrets that the Proposal does not take into account the potentially damaging effects of the WEEE disposal on the protection of personal data stored in ‘used’ equipment.

21.

This aspect was also not considered in the impact assessment made by the Commission (14) although experience has shown that failing to take appropriate security measures in case of WEEE disposal could jeopardise the protection of personal data (15). Due to the complexity of the issues involved (for example the multitude of legitimate methods, technologies and stakeholders in the disposal cycle of the WEEE), the EDPS considers that it would have been appropriate to carry out a ‘privacy and data protection impact assessment’ on the processes related to WEEE disposal.

22.

Nevertheless, the EDPS strongly advises that ‘Best Available Techniques’ for privacy, data protection and security in this area should be developed.

23.

As further evidence, during the public consultation prior to the recast of the Directive, issues relating to the security and protection of personal data have sometimes been raised by stakeholders, particularly IT and electronic communications companies (16).

24.

Finally, it is worth highlighting that some national data protection authorities have published guidelines to minimise the risks which may result from failure to take the necessary security measures, particularly at the disposal of materials subject to the application of the Directive (17).

25.

The EDPS reiterates that Directive 95/46/EC is applicable at the disposal stage of the WEEE containing personal data. Data controllers — in particular those using IT and communications devices — are therefore required to comply with their security obligations to prevent the improper disclosure or dissemination of personal data. To this end and in order not to be held liable for the breach of security measures, the data controller in the public or private sector, with the cooperation of the data protection officers (where present), should adopt appropriate policies for disposal of WEEE containing personal data.

26.

Where data controllers disposing of EEE do not have the required skills and/or technical know-how to erase the personal data concerned, they could entrust this task to qualified processors (e.g. assistance centres, equipment manufacturers and distributors) under the conditions provided in Article 17(2), (3) and (4) of Directive 95/46/EC. These processors will in turn certify the performance of the operations in question and/or undertake them.

27.

Due to these considerations, the EDPS comes to the conclusion that the recast of the Directive should add data protection principles to the provisions dedicated to the protection of the environment.

28.

The EDPS therefore recommends the Council and the European Parliament to include a specific provision in the current Proposal stating that the Directive applies to the disposal of WEEE without prejudice to Directive 95/46/EC.

29.

Being in a situation allowing autonomous decisions regarding the data held on the EEE, those in charge of disposal operations could be considered as ‘data controllers’ (18). They must therefore adopt internal procedures to avoid unnecessary processing operations on any personal data stored in the WEEE, namely other operations than those strictly necessary to verify the effective elimination of the data contained therein.

30.

Moreover, they must not allow unauthorised individuals to gain knowledge of or process data stored on EEE. In particular, when storage media are recycled or reused, and thus re-enter the market, there is an increased risk of improper disclosure or dissemination of personal data, as well as a need to prevent unauthorised access to personal data.

31.

The EDPS therefore recommends that the Council and the European Parliament include a specific provision in the current Proposal to prohibit the marketing of used devices which have not previously undergone appropriate security measures, in compliance with state-of-the-art technical standards (for example multi-pass overwriting), in order to erase any personal data they may contain.

32.

The forthcoming legal framework on e-waste should not only include a specific provision regarding the wider ‘eco-design principle’ of the equipment (see Article 4 of the Proposal regarding ‘Product design’) but also — as previously stated in other EDPS’ opinions (19) — one regarding the principle of ‘Privacy by design’ (20) or, more precisely in this area, ‘security by design’ (21). As far as possible, privacy and data protection should be integrated into the design of electrical and electronic equipment ‘by default’, in order to allow users to delete — using a simple means and free of charge — personal data that may be present on devices in the event of their disposal (22).

33.

This approach is clearly supported by Article 3.3(c) of Directive 1999/5/EC (23) concerning the design of radio and telecommunications terminal equipment and by Article 14(3) of the Directive 2002/58/EC (24).

34.

Therefore, producers should ‘build in’ privacy and security safeguards via technological solutions (25). In this framework, initiatives aimed at advising those concerned of the need to erase any personal data before the disposal of WEEE (including producers making free software available for this purpose) should also be fostered and supported (26).

35.

In consideration of the above, the EDPS recommends that data protection authorities, in particular through the Article 29 Working Party, and the EDPS are closely involved in initiatives related to the disposal of WEEE, through consultation at a sufficiently early stage before the development of relevant measures.

36.

Considering the context in which personal data are processed, the EDPS advises that the Proposal should include specific provisions:

37.

The EDPS strongly recommends, therefore, that the Proposal is amended, in line with Directive 95/46/EC, as follows:

—   recital 11:

—   Article 2(3):

38.

In addition, the EDPS considers it appropriate that the following amendments should be taken into consideration:

—   Article 4(2):

—   Article 8(7):

—   Article 14(6):

16.10.2010   

EN

Official Journal of the European Union

C 280/22

16.10.2010   

EN

Official Journal of the European Union

C 280/26

16.10.2010   

EN

Official Journal of the European Union

C 280/29

16.10.2010   

EN

Official Journal of the European Union

C 280/30

16.10.2010   

EN

Official Journal of the European Union

C 280/31

16.10.2010   

EN

Official Journal of the European Union

C 280/32

(1)

Article 173 of the Treaty assigned the European Union and the Member States the task of ensuring that the conditions necessary for the competitiveness of the Union’s industry exist. Article 191 of the TFEU provides that the Union policy on the environment shall contribute to promoting measures preserving, protecting and improving the quality of the environment and combating climate change.

(2)

As part of the Commission's industrial policy, the CARS 21 process (‘Competitive Automotive Regulatory System for the 21st century’), which was originally launched in 2005, made recommendations for the short-, medium and long-term public policy in the regulatory framework for the European Union automotive industry that enhances global competitiveness and employment while sustaining further progress in safety and environmental performance at a price affordable to the consumer.

(3)

In its Communication ‘EUROPE 2020 — a European strategy for smart, sustainable and inclusive growth’ (1) the Commission presents proposals to modernise and to decarbonise the transport sector and to promote new technologies including electric cars. The Flagship Initiative ‘An industrial policy for the globalisation era’ aims to establish an industrial policy creating the best environment to maintain and develop a strong, competitive and diversified industrial base in Europe as well as promoting sustainability by supporting the transition of manufacturing sectors to greater energy and resource efficiency. The Flagship Initiative ‘Resource Efficient Europe’ will encourage wide-ranging infrastructure measures such as the deployment of grid infrastructures of electrical mobility, intelligent traffic management and above all promoting new technologies including electric and hybrid cars.

(4)

The Communication of the Commission ‘A European strategy on clean and energy efficient vehicles’ (2) defines short- to long-term goals to support research and innovation, to seek solutions of power generation and distribution, to stimulate employment and to encourage market uptake of green vehicles by consumers.

(5)

It is therefore necessary to set up a group of experts in the field of competitiveness and sustainable growth of the European Union automotive industry, building on the CARS 21 process, and to define its tasks and structure.

(6)

The group should help to identify policies and measures at European Union level, national level and by other stakeholders fostering the competitiveness and sustainable growth of the European Union automotive industry.

(7)

The group should be composed of representatives of the European Parliament, the Commission, the Member States and relevant stakeholders of industry and civil society, in particular representatives of consumers, trade unions and non-governmental organisations.

(8)

Rules on disclosure of information by members of the group should be provided for, without prejudice to the Commission's rules on security as set out in the Annex to Commission Decision 2001/844/EC, ECSC, Euratom of 29 November 2001 amending its internal Rules of Procedure (3).

(9)

Personal data should be processed in accordance with Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (4).

(10)

It is appropriate to fix a period for the application of this Decision. The Commission will in due time consider the advisability of an extension,

1.

to assist the Commission in questions related to the competitiveness and sustainable growth of the automotive industry;

2.

to conduct economic and statistical analysis of the factors driving the structural changes in the automotive industry as well as other factors that influence the competitive position of the European Union automotive industry;

3.

to assist the Commission in implementing the policy set out by the EUROPE 2020 strategy, its flagship initiative on a resource efficient Europe, its flagship initiative on an industrial policy for the globalisation era and the Communication on clean and energy efficient vehicles COM(2010) 186 as to achieve the goal of maintaining a competitive and sustainable European Union automotive industry;

4.

to contribute to ensuring a smooth and balanced economic and social transition, through a pro-active anticipation and management of restructuring processes, skills needs and the related qualification needs, taking into account the results of the ‘European Partnership for the Anticipation of Change in the Automotive sector’;

5.

to formulate a set of sector-specific policy recommendations addressed to policy makers at the European Union and national level, as well as to the industry and civil society organisations;

6.

to develop principles of good conduct in order to promote transparency in commercial and contractual relations between the parties to vertical agreements in the motor vehicle sector;

7.

to advise on specific aspects of the implementation of the Commission's 2020 Strategy for smart, sustainable and inclusive growth.

16.10.2010   

EN

Official Journal of the European Union

C 280/35

1.

On 8 October 2010, the Commission received a notification of a proposed concentration pursuant to Article 4 of Council Regulation (EC) No 139/2004 (1) by which BASF SE (‘BASF’, Germany) acquires within the meaning of Article 3(1)(b) of the Merger Regulation sole control of Cognis GmbH (‘Cognis’, Germany), by way of purchase of shares.

2.

The business activities of the undertakings concerned are:

3.

On preliminary examination, the Commission finds that the notified transaction could fall within the scope the EC Merger Regulation. However, the final decision on this point is reserved.

4.

The Commission invites interested third parties to submit their possible observations on the proposed operation to the Commission.

Observations must reach the Commission not later than 10 days following the date of this publication. Observations can be sent to the Commission by fax (+32 22964301), by e-mail to COMP-MERGER-REGISTRY@ec.europa.eu or by post, under reference number COMP/M.5927 — BASF/Cognis, to the following address:

16.10.2010   

EN

Official Journal of the European Union

C 280/36

1.

On 8 October 2010, the Commission received a notification of a proposed concentration pursuant to Article 4 and following a referral pursuant to Article 4(5) of Council Regulation (EC) No 139/2004 (1) by which the undertakings Citigroup Venture Capital International Investment G.P. Limited (‘CVCII’, Jersey), controlled by Citigroup, Inc. (USA), and Advance Properties OOD (‘Advance Properties’, Bulgaria) acquire within the meaning of Article 3(1)(b) of the Merger Regulation joint control of Huvepharma AD (‘Huvepharma’, Bulgaria), currently under sole control of Advance Properties, by way of purchase of shares.

2.

The business activities of the undertakings concerned are:

3.

On preliminary examination, the Commission finds that the notified transaction could fall within the scope of the EC Merger Regulation. However, the final decision on this point is reserved. Pursuant to the Commission Notice on a simplified procedure for treatment of certain concentrations under the EC Merger Regulation (2) it should be noted that this case is a candidate for treatment under the procedure set out in the Notice.

4.

The Commission invites interested third parties to submit their possible observations on the proposed operation to the Commission.

Observations must reach the Commission not later than 10 days following the date of this publication. Observations can be sent to the Commission by fax (+32 22964301), by email to COMP-MERGER-REGISTRY@ec.europa.eu or by post, under reference number COMP/M.5982 — CVCII/Advance Properties/Huvepharma, to the following address:

16.10.2010   

EN

Official Journal of the European Union

C 280/37

The Minister for Economic Affairs

For the attention of J. C. De Groot, Director for the Energy Market

ALP/562

Bezuidenhoutseweg 30

Postbus 20101

2500 EJ Den Haag

NEDERLAND

16.10.2010   

EN

Official Journal of the European Union

C 280/39