29.12.2010   

EN

Official Journal of the European Union

C 355/1

1.

Increasing efforts to improve judicial cooperation in criminal matters have been made in recent years. This subject, which now occupies a key position in the Stockholm programme (4), is characterised by the particular sensitivity of personal data involved and by the effects that the related data processing may have on data subjects.

2.

For these reasons, the European Data Protection Supervisor (EDPS) has paid particular attention to this subject (5) and intends through this opinion to emphasise once more the need for protection of fundamental rights as a cornerstone of the Area of Freedom, Security and Justice (AFSJ) as laid out in the Stockholm programme.

3.

This opinion reacts on two initiatives for a Directive of a number of Member States, as foreseen by Article 76 TFEU, namely:

4.

Advising on these initiatives falls within the remit of the task entrusted to the EDPS in Article 41 of Regulation (EC) No 45/2001 for advising EU institutions and bodies on all matters concerning the processing of personal data. This opinion, therefore, comments upon the initiatives as far as they relate to the processing of personal data. Since no request for advice has been sent to the EDPS, this opinion is issued on his own initiative (8).

5.

The EDPS recalls that under Article 28(2) of Regulation (EC) No 45/2001 the Commission is obliged to consult the EDPS when it adopts a legislative proposal relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data. In case of an initiative of Member States this obligation does not apply strictu sensu. However, since the entry into force of the Lisbon Treaty the ordinary legislative procedure also applies to the area of police and judicial cooperation, with one specific exception foreseen in Article 76 TFEU, namely that a quarter of the Member States can take the initiative for EU measures. Under the Lisbon Treaty, these initiatives are aligned as much as possible with Commission proposals and procedural guarantees should be used where possible. It is for this reason that the present initiatives are accompanied by an impact assessment.

6.

It is against this background that the EDPS not only regrets that he was not consulted when the initiatives were issued, but also recommends the Council to establish a procedure in which consultation of the EDPS will take place, in case an initiative introduced by Member States is related to the processing of personal data.

7.

Although the two initiatives have different objectives — i.e. improving protection of victims and cross-border cooperation in criminal matters through the collection of evidence cross border — they have important similarities:

For these reasons, the EDPS considers it appropriate to examine them jointly.

8.

In this framework, it should be mentioned that also the European Commission has recently dealt with the issue of collecting evidence with a view to submitting it to the competent authorities in other Member States (which is the specific object of the EIO initiative). Indeed, a Green Paper (11) was published at the end of 2009 — whose consultation phase is now closed (12) — with the Commission's aim (inferred from the ‘Action Plan Implementing the Stockholm programme’ (13)) of submitting a legislative proposal on obtaining a comprehensive regime on evidence in criminal matters based on the principle of mutual recognition and covering all types of evidence in 2011 (14).

9.

The aforementioned initiatives fit within the trend of the actions of the EU in the AFSJ in recent years. Since September 2001, there has been a significant escalation in the collection and sharing of information within the European Union (and with third countries), thanks also to developments in ICT and facilitated by a number of legal instruments of the EU. Also the EPO and EIO initiatives are aimed at improving the exchange of information relating to natural persons in the AFSJ.

10.

The EPO initiative — based on Article 82(1)(d) of the TFEU — focuses on the protection of the victims of criminal acts, particularly women, and aims to guarantee effective protection for them within the European Union. In order to achieve this goal, the EPO initiative permits the extension of protection measures listed in its Article 2(2) and adopted according to the law of one Member State (the issuing State) in another Member State to which the protected person moves (the executing State) without the need for the victim to start new proceedings or to reproduce any evidence in the executing State.

11.

The protection measures imposed (at the request of the victim) on the person causing danger therefore aim to protect life, physical and psychological integrity, freedom, or sexual integrity of the victim within the EU regardless of national boundaries, and attempt to prevent new crimes against the same victim.

12.

The EPO should be issued, at the request of the victim in the ‘issuing (Member) State’, by any judicial (or equivalent) authority. The process consists of the following steps:

13.

For the achievement of this objective, administrative measures have to be put in place. These will in part cover the exchange of personal information between the ‘issuing’ and the ‘executing’ Member States relating to the person concerned (the ‘victim’) and the person causing danger. The exchange of personal data is foreseen in the following provisions:

14.

The information mentioned in the preceding paragraph clearly falls within the scope of personal data, broadly defined in data protection legislation as ‘any information relating to an identified or identifiable natural person’ (15) and further explained by the Article 29 Working Party. The EPO initiative deals with information about an individual (the victim or the person causing danger) or information that is used or is likely to be used to evaluate, treat in a certain way or influence the status of an individual (in particular, the person causing danger) (16).

15.

The EIO initiative — based on Article 82(1)(a) of the TFEU — requires Member States to collect, store and transmit evidence, even if this is not yet available in the national jurisdiction. The initiative therefore goes beyond the principle of availability, presented in the Hague programme of 2004 as an innovative approach to the cross-border exchange of law enforcement information (17). It also goes beyond Council Framework Decision 2008/978/JHA of 18 December 2008 on the European evidence warrant that is only applicable to (given) evidence which already exists (18).

16.

An EIO is to be issued for the purpose of having one or more specific investigative measure(s) carried out in the executing State with a view to gathering evidence (potentially not in existence when the order is released) and transferring it (Article 12). It applies to almost all investigative measures (see Recitals 6 and 7 of the initiative).

17.

The objective of the EIO initiative is to create a single, efficient and flexible instrument for obtaining evidence located in another Member State in the framework of criminal proceedings, instead of the more complex current legal instrument used by judicial authorities (based on mutual legal assistance, on the one hand, and mutual recognition, on the other) (19).

18.

Clearly, evidence collected by way of an EIO (see also Annex A to the initiative) may contain personal data, as in the case of information on bank accounts (Article 23), information on banking transactions (Articles 24) and monitoring of banking transactions (Article 25) or could cover the communication of personal data (as in the case of video or telephone conference, set out in Articles 21 and 22).

19.

For these reasons the EIO initiative has a significant impact on the right to the protection of personal data. Also considering that the date for implementation of Framework Decision 2008/978/JHA has not yet expired (and it is therefore difficult to assess the effectiveness of the instrument and the need for additional legal measures) (20), the EDPS recalls the need of a periodical verification, in light of the data protection principles, of the effectiveness and of the proportionality of the legal measures adopted in the AFSJ (21). The EDPS therefore recommends adding an evaluation clause to the EIO initiative, requiring the Member States to report on a regular basis on the application of the instrument and the Commission to synthesise these reports and, where relevant, issue appropriate proposals for amendments.

20.

As explained above in points 13, 14 and 18, it is clear that under the proposed directives, personal data will be processed and exchanged by the competent authorities of the different Member States. Under those circumstances, the data subject is protected by the fundamental right to data protection, as recognised in Article 16 TFEU and Article 8 of the EU Charter of Fundamental Rights.

21.

Despite this, in the ‘Detailed statement’ accompanying the EPO initiative the estimated ‘Risk of encroaching upon fundamental rights’ is identified as ‘0’ (zero) (22), and in the impact analysis contained in the ‘Detailed statement’ accompanying the EIO initiative data protection issues are not taken into consideration (23).

22.

The EDPS regrets these conclusions and emphasises the importance of data protection in the particular context in which personal data are processed, namely:

23.

This context gives the data processing operations particular impact and may significantly affect the fundamental rights of the data subject, including the right to the protection of personal data.

24.

Due to the above considerations, the EDPS wonders why the initiatives neither address the protection of personal data (apart from making reference to the duties of confidentiality imposed on the actors involved in an investigation by Article 18 of the EIO initiative), nor explicitly refer to Framework Decision 2008/977/JHA. Indeed, this Framework Decision would be applicable to the processing operations envisaged in the two initiatives (see Article 1(2)(a)).

25.

For this reason, the EDPS welcomes that during the preparatory works in Council related to the EPO initiative, a reference to the Framework Decision 2008/977/JHA has been introduced (25) and is confident that the European Parliament will confirm this change to the original initiatives (26).

26.

The EDPS regrets that a similar recital has not yet been introduced in the EIO initiative, which involves a much more intense exchange of personal data. The EDPS welcomes in this context that the European Commission, commenting on the EIO initiative, suggests that a reference (both in the recital and in the body of the proposal) to the applicability of the Framework Decision 2008/977/JHA should be introduced (27).

27.

Therefore, and without prejudice to Section III below, both initiatives should include a specific provision clarifying that Framework Decision 2008/977/JHA applies to the data processing foreseen in the initiatives.

28.

Both initiatives once again raise the fundamental issue of the incomplete and inconsistent application of data protection principles in the field of judicial cooperation in criminal matters (28).

29.

The EDPS is aware of the importance of enhancing the effectiveness of judicial cooperation between Member States, also in the fields covered by the EPO and the EIO initiatives (29). The EDPS furthermore sees the advantages and the need to share information, but wishes to underline that the processing of such data must be in conformity — inter alia (30) — with the EU rules on data protection. This is even more evident in light of the Lisbon Treaty introducing Article 16 TFEU and giving binding force to Article 8 Charter of Fundamental Rights of the European Union.

30.

Situations which involve the cross-border exchange of information within the EU deserve special attention since the processing of personal data in more than one jurisdiction increases the risks to the rights and interests of natural persons involved. The personal data will be processed in multiple jurisdictions where the legal requirements as well as the technical framework are not necessarily the same.

31.

It furthermore leads to legal uncertainty for the data subjects: parties from other Member States may be involved, the national laws of various Member States might be applicable and might differ from the laws data subjects are used to, or apply in a legal system which is unfamiliar to the data subject. This requires greater efforts to ensure compliance with the requirements stemming from EU legislation on data protection (31).

32.

In the EDPS’ view, clarifying the applicability of Framework Decision 2008/977/JHA, as proposed in point 27, is only a first step.

33.

The specific challenges for effective protection in the area of judicial cooperation in criminal matters, combined with a not fully satisfactory Framework Decision 2008/977/JHA (see points 52–56) may call for specific provisions on data protection, when specific legal instruments of the EU require the exchange of personal data.

34.

Effective protection of personal data (as highlighted in point 29) is not only important for the data subjects but also contributes to the success of the judicial cooperation itself. In fact, the willingness to exchange these data with authorities of other Member States will increase if an authority is assured of the level of protection, accuracy and reliability of personal data in that other Member State (32). In short, setting a (high) common standard for data protection in this sensitive area will promote mutual confidence and trust between Member States and reinforce the judicial cooperation based on mutual recognition, improving data quality in the exchange of information.

35.

In this specific context, the EDPS recommends including specific safeguards for data protection in the EPO and EIO initiatives, in addition to the general reference to Framework Decision 2008/977/JHA (as proposed in paragraph 27).

36.

Some of these safeguards are of a more general nature and are meant to be included in both initiatives, in particular the safeguards aiming at improving the accuracy of the data, as well as the security and confidentiality. Other safeguards relate to specific provisions in either the EPO or the EIO initiative.

37.

In those situations foreseen by the initiatives where data are exchanged between Member States specific emphasis should be put on ensuring the accuracy of the information. The EDPS welcomes in this respect that the EPO initiative contains in Article 14 clear obligations on the competent authority of the issuing state to inform the competent authority of the executing state of any modification or of the expiry or the revocation of the protection order.

38.

The EDPS also notes that the need for translation might affect the accuracy of the information, especially since the initiatives relate to specific legal instruments which may have a different meaning in different languages and different legal systems. In this context, the EDPS while welcoming the fact that the EPO initiative addresses the issue of translations (Article 16), also suggests including a similar provision in the EIO initiative.

39.

The growth of cross-border cooperation which could result from the adoption of the two initiatives requires a careful consideration of security aspects of cross-border transmission of personal data related to the execution of EPOs or EIOs (33). This is necessary, not only to meet the security standards in the processing of personal data required by Article 22 of Framework Decision 2008/977/JHA, but also to ensure the secrecy of investigations and the confidentiality of the concerned criminal proceedings which is regulated under Article 18 EIO initiative and, as a general rule for personal data resulting from cross-border exchange, under Article 21 of Framework Decision 2008/977/JHA.

40.

The EDPS emphasises the need for secure telecommunication systems in the transmission procedures. He therefore welcomes the provision for use of the European Judicial Network (34) as a tool to ensure that EPO and EIO are correctly addressed to the competent national authorities, in this way preventing or minimising the risk that inappropriate authorities are involved in the exchange of personal data (see Article 7(2) and (3) of the EPO initiative and Article 6(3) and (4) of the EIO initiative).

41.

Therefore, the initiatives should include provisions requiring the Member States to ensure that:

42.

Furthermore, the EDPS recommends the introduction of provisions ensuring that substantive data protection principles are observed when processing personal data, and to have the necessary internal mechanisms in place to demonstrate compliance to external stakeholders. Such provisions would be instruments to make data controllers accountable (according to the ‘accountability principle’ which is discussed in the context of the current review of the data protection framework (35)). It requires them to carry out the necessary measures to ensure compliance. These provisions should include:

43.

Considering the particularly intrusive characteristics of certain investigative measures, the EDPS calls for a thorough reflection on the admissibility of evidence gathered for purposes other than the prevention, investigation, detection or prosecution of crime or the enforcement of criminal sanctions and the exercise of the right of defence. In particular the use of evidence obtained under Article 11(1)(d) of the FD 2008/977/JHA should be carefully considered (36).

44.

An exception to the application of the provision of Article 11(1)(d) should therefore be included in the EIO initiative, stating that evidence gathered under the EIO may not be used for other purposes than the prevention, investigation, detection or prosecution of crime or the enforcement of criminal sanctions and the exercise of the right of defence.

45.

In relation to the EPO initiative, the EDPS recognises that the personal data exchanged between the competent authorities and listed in Annex I to the initiative (relating to both the victim and the person causing danger) are adequate, relevant and not excessive in relation to the purposes for which they are collected and further processed.

46.

However, it is not sufficiently clear from the initiative — especially in Article 8(1)(b) — which personal data relating to the victim will be communicated to the person causing danger by the competent authority of the executing State.

47.

The EDPS believes it is appropriate to consider the circumstances and content of the protection measures issued by the judicial authority in the issuing Member State prior to informing the person causing the danger. The latter should therefore be given only those personal data of the victim (which in some cases may include contact data) strictly relevant for the full execution of the protection measure.

48.

The EDPS is aware that providing contact information (e.g. telephone numbers, address of the victim as well as of other places usually frequented, like workplace or children's school) may actually endanger the physical and psychological well-being of the victim, as well as affect his/her right to privacy and to protection of personal data. On the other hand, an indication of the relevant addresses may in some cases be necessary in order to warn the person causing danger of the places where he/she is forbidden to go. This is to enable compliance with the order and to prevent any potential penalties for its violation. Moreover, depending on the circumstances, the identification of the location(s) where the person causing danger is prohibited may be required in order not to unnecessarily limit his freedom of movement.

49.

In light of these considerations, the EDPS highlights the importance of this topic and recommends that the EPO initiative clearly states that, depending on the circumstances of the case, the person causing the danger should be given only those personal data of the victim (which in some cases may include the contact data) strictly relevant for the full execution of the protection measure (37).

50.

Finally, the EDPS asks for the clarification of the expression ‘electronic means’ contained in Recital 10 of the EPO initiative. In particular, it should be explained if personal data are processed using ‘electronic means’ and, in this case, what guarantees are provided.

51.

Framework Decision 2008/977/JHA applies to all exchange of personal data under the EPO and EIO initiatives.

52.

Although the EDPS has recognised that the Framework Decision 2008/977/JHA — when implemented by the Member States — is an important step forward for data protection in police and judicial cooperation (38), the Framework Decision itself is not fully satisfactory (39). The main unresolved concern relates to its limited scope. The Framework Decision is restricted to exchanges of personal data in the area of police and justice between authorities and systems in different Member States and at EU level (40).

53.

Even if this concern can not be resolved in the context of the EPO and EIO initiatives, the EDPS insists on highlighting that the lack of a (high) common standard of data protection in judicial cooperation could imply that a judicial authority at national or EU level, when dealing with a criminal file comprising information originating from other Member States (including, e.g. evidence collected on the basis of an EIO) would have to apply different data processing rules: autonomous national rules (which must comply with Council of Europe Convention 108) for data originating in the Member State itself and the rules implementing Framework Decision 2008/977/JHA for data originating from other Member States. Different ‘pieces of information’ thus could fall within different legal regimes.

54.

The consequences of applying a ‘double’ data protection standard to each criminal file with cross-border elements are relevant in day to day practice (for instance, retention of the information laid down by applicable laws of each of the transmitting bodies; further processing restrictions requested by each of the transmitting bodies; in case of a request from a third country, each transmitting body would give its consent according to its own evaluation of adequacy and/or international commitments; and differences in the regulation of the right of access by the data subject). In addition, citizens’ protection and rights could vary and be subject to different broad derogations depending on the Member State where processing takes place (41).

55.

The EDPS therefore uses the occasion to reiterate his opinions regarding the need for a comprehensive data protection legal framework covering all areas of EU competence, including police and justice, to be applied to both personal data transmitted or made available by competent authorities of other Member States and to domestic processing in AFSJ (42).

56.

Finally, the EDPS observes that the data protection rules should apply to all sectors and to the use of data for all purposes (43). Of course, duly justified and clearly drafted exceptions should be possible, particularly regarding personal data processed for law enforcement purposes (44). Gaps in the protection of personal data are contrary to the current (renewed) legal framework of the European Union. Article 3(2) of Directive 95/46/EC — excluding from the scope of application of the directive the police and justice area — does not fulfil the philosophy contained in Article 16 TFEU. Moreover, these gaps are not sufficiently covered by Council of Europe Convention No 108 (45), by which all the Member States are bound.

57.

The EDPS recommends with regard to both the EPO and the EIO initiatives:

58.

The EDPS recommends with regard to the EPO initiative:

59.

The EDPS recommends with regard to the EIO initiative:

60.

Moreover, and more in general, the EDPS:

29.12.2010   

EN

Official Journal of the European Union

C 355/10

1.

On 15 June 2010, the Commission adopted a Proposal for a Council Decision on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program (TFTP) (hereinafter ‘the proposal’). The proposal (including the text of a draft agreement with the United States) was sent to the EDPS for consultation. The EDPS welcomes this consultation and recommends that a reference to this opinion is included in the preamble of the Proposal.

2.

The Commission proposal is triggered by the changes in the architecture of SWIFT (3), which as from 1 January 2010 ensures that SWIFT financial transaction messages which are internal to the European Economic Area and Switzerland will remain within the European zone — as different from the transatlantic zone — and will no longer be mirrored in the US operating centre.

3.

With the current proposal the Commission envisages an international agreement between the EU and the US, which, based on Articles 216 (international agreements), 82 (judicial cooperation) and 87 (police cooperation) of the Treaty on the Functioning of the European Union, would require transfer to the United States Department of Treasury of relevant financial messaging data which are necessary for the purpose of the US Treasury Department's Terrorist Finance Tracking Programme.

4.

In particular, further to the decision of the European Parliament of 11 February 2010 to withhold its consent with regard to the interim agreement signed on 30 November 2009, the new draft aims at addressing in particular the concerns with regard to the protection of personal data, a fundamental right which after the entry into force of the Lisbon Treaty has acquired even more relevance in the legal framework of the European Union.

5.

The proposal highlights the relevance of data protection by explicitly referring to relevant articles of the Treaties and of other international instruments and by acknowledging its nature of fundamental right. However, it does not envisage using Article 16 TFEU as a legal basis, despite the fact that Article 1.1 of the proposed agreement underlines a high level of data protection as one of its main purposes. In this regard, the EDPS reiterates that this agreement not only relates to the exchange of personal data, but also to the protection of these data. Article 16 TFEU is therefore not less relevant as legal basis than Articles 82 and 87 TFEU relating to law enforcement cooperation that have been chosen as legal bases.

6.

The proposal is subject to the procedure of Article 218 (6) TFEU. According to this procedure, the Council can only adopt a decision authorising the conclusion of the agreement after obtaining the consent of the European Parliament. This proposal thus represents a crucial ‘test-case’ in applying the new Lisbon procedures to an international agreement on the protection of personal data. Ensuring that data protection principles and safeguards are satisfactorily laid down in this agreement will pave the way to be successful in other negotiations.

7.

In this context, the EDPS underlines the importance of the negotiations for an agreement between the European Union and the United States of America on protection of personal data when transferred and processed for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters. The draft mandate to start these negotiations was adopted by the Commission on 26 May 2010. In the presentation of this draft mandate, the Commission emphasised the need for a solid agreement on personal data protection (4).

8.

Against this background, the EDPS recommends adding to the current proposal a strong link to the negotiations with the US on this general transatlantic data protection framework. It should be ensured that these standards would be applicable also to the TFTP II agreement. The EDPS recommends including this requirement in the current agreement, or at least agreeing with the government of the United States that a possible future agreement on data protection would cover the exchanges foreseen under the present proposal.

9.

Finally, the EDPS is actively contributing to the positions of the Article 29 Data Protection Working Party and of the Working Party on Police and Justice. Besides the points made or to be made in those positions, this opinion analyses the current proposal by building on earlier comments of the EDPS, relating to both the interim agreement and the ongoing negotiations with the United States.

10.

The EDPS acknowledges that this proposal envisages certain substantial improvements with respect to the interim TFTP I agreement, such as:

11.

In addition, further to the requests of the European Parliament and of European data protection authorities, the proposal lays down a series of provisions (Articles 14-18) dealing with data subjects’ rights, such as the right to be informed, the right of access, the right to rectification, erasure or blocking, as well as the right to obtain redress. However, the concrete enforceability of these provisions and the procedures to be followed by non US citizens or residents are still not clear (see below paragraph II.2.3).

12.

The EDPS fully shares the need to ensure, as envisaged by Article 1.1 of the proposal, full respect for the privacy and the protection of personal data. In this perspectives, the EDPS points out that there are still some open questions to address and key elements to improve in order to meet the conditions of the EU legal framework on the protection of personal data.

13.

The EDPS is fully aware that the fight against terrorism and terrorism financing may require restrictions to the right to the protection of personal data as well as to banking secrecy provisions. This is already the case in a series of EU instruments (6) containing a number of measures aimed at combating the misuse of the financial system for the purpose of money laundering and terrorist financing. These instruments also contain specific provisions allowing exchange of information with third countries authorities as well as safeguards for the protection of personal data, in line with Directive 95/46/EC.

14.

Furthermore, the agreement on mutual legal assistance between the EU and the US explicitly allows the exchange between law enforcement authorities of information relating to bank accounts and financial transactions, and it provides conditions and limitations with regard to this exchange. Also at international level, the so-called Egmont Principles (7) set the basis for the international exchange of financial transactions information between Financial Intelligence Units, while establishing limitations and safeguards with regard to the use of exchanged data. In addition, instruments for the exchange of data between the US and Europol and Eurojust are already in place, ensuring at the same time exchange of information and protection of personal data.

15.

Against this background, the Commission proposal highlights the usefulness of the TFTP Programme, as put forward by the US Treasury and by the eminent person's reports. However, the condition laid down by Article 8 ECHR in order to justify interference with private life is ‘necessity’ rather than ‘usefulness’.

16.

According to the EDPS, sufficient evidence is needed of the real added value of this agreement taking into account already existing instruments, or, in other words, to which extent the agreement is really necessary in order to obtain results that could not be obtained by using less privacy-intrusive instruments, such as those already laid down by the existing EU and international framework. According to the EDPS, this added value should be unambiguously established, as a precondition for any agreement with the US on the exchange of financial data, also in view of the intrusive nature of the agreement (see also paragraphs 18-22 on proportionality).

17.

The EDPS is not in a position to judge the necessity of this agreement. However, even if the necessity of the agreement is demonstrated, other points still deserve the attention of the negotiators.

18.

Proportionality is also the main criterion when assessing the amount of personal data transferred and their storage period. Article 4 of the proposal narrows the scope of the US requests. However, the proposal still foresees that personal data will be transferred to the US authorities in bulk and then kept in principle for a period of 5 years irrespective of whether they have extracted or there is a proved link with a specific investigation or prosecution.

19.

The proposal, in spite of the requests of the European Parliament and of the European data protection authorities, is still based on the concept that personal data will be transmitted in bulk to the US Treasury. With regard to this point, it is important to clarify that the fact that the current SWIFT system does not allow a targeted search cannot be considered as a sufficient justification to make bulk data transfers lawful according to EU data protection law.

20.

Therefore, EDPS believes that solutions should be found to ensure that bulk transfers are replaced with mechanisms allowing financial transaction data to be filtered in the EU, and ensuring that only relevant and necessary data are sent to US Authorities. If these solutions could not be found immediately, then the Agreement should in any event strictly define a short transitional period after which bulk transfers are no longer allowed.

21.

With regard to the storage period, the EDPS acknowledges that the proposal correctly establishes maximum retention periods as well as mechanisms to ensure that personal data are deleted when they are no longer necessary. However, the provisions of Article 6 of the proposal concerning non-extracted data seem to go in the opposite direction. First of all, the concept of ‘non-extracted data’ is not self-evident and should thus be clarified. Secondly, the reasons for which it is necessary to keep non-extracted data for 5 years are not proved.

22.

The EDPS fully acknowledges the need to ensure that personal data necessary for a specific anti-terrorism investigation or prosecution are accessed, processed and kept for as long as it is necessary, in some cases even beyond 5 years, as it may be the case that personal data are needed for long lasting investigations or judicial procedures. However, assuming that non-extracted data are data which have been transferred in bulk and which have neither been accessed nor used for a specific prosecution or investigation, the storage period allowed to keep these data should be much more limited. In this perspective, it is useful to highlight that the German Federal Constitutional Court has deemed that in the case of retention of telecommunications data, a storage period of 6 months is already very long and accordingly needs an adequate justification (8). The Constitutional Court seemed to consider this 6 months period as a maximum for data that were not related to any specific investigation.

23.

According to the negotiating mandate, a judicial public authority should have the responsibility to receive the requests from the US Treasury, assess their compliance with the agreement and, where appropriate, require the provider to transfer the data on the basis of a ‘push’ system. Both the European Parliament and the EDPS welcomed this approach, which represents a crucial guarantee — in line with national constitutions and legal systems of Member States — to ensure lawful and balanced transfers of data as well as independent oversight.

24.

However, the proposal assigns this task to Europol, which is an EU Agency for the prevention and combat of organised crime, terrorism and other forms of serious crime, affecting two or more Member States (9). It is obvious that Europol is not a judicial authority.

25.

Moreover, Europol has specific interests in the exchange of personal data, on the basis of the proposed agreement. Article 10 of the proposal gives Europol the power to request for relevant information obtained through the TFTP, if it has a reason to believe that a person or an entity has a nexus to terrorism. It is hard to reconcile this power of Europol, which may be important for the fulfilment of Europol's task and which requires good relations with the US Treasury, with the task of Europol to ensure independent oversight.

26.

Furthermore, the EDPS wonders to which extent the current legal framework entrusts Europol — especially without changing its legal basis pursuant to the ordinary procedure established by the Lisbon Treaty — with the tasks and powers to make an administrative request coming from a third country ‘binding’ (Article 4.5) on a private company, which will thus become ‘authorized and required’ to provide data to that third country. In this context it is useful to note that it is under the present state of EU law not evident whether a decision of Europol vis-à-vis a private company would be subject to judicial control by the European Court of Justice.

27.

Against this background, the EDPS reiterates his position that, also with a view to respect the negotiating mandate and the current EU legal framework, the task to assess the requests of US Treasury should be entrusted to a public judicial authority.

28.

As already mentioned in the introductory part of this opinion, the proposal lays down a series of data subjects’ rights, such as the right to be informed, the right of access, the right to rectification, erasure or blocking, as well as the right to obtain redress. However, it is important on the one hand to improve some elements of these provisions, and on the other hand to ensure their effective enforceability.

29.

With regard to the right to have access to one’s own personal data, the agreement lays down a series of limitations. The EDPS acknowledges that, especially in the context of fight to terrorism, limitations to data subjects’ rights may be put in place insofar as they are necessary. However, the proposal should make clear that, while disclosure to a person of his personal data may well be limited in the circumstances mentioned in Article 15.2, disclosure of this information to the European national data protection authorities should in all cases be possible, in order to allow these authorities to effectively fulfil their supervisory task. Of course, data protection authorities will be bound by a duty of confidentiality in performing their tasks and will not disclose the data to the person concerned, as long as the conditions for an exception subsist.

30.

With regard to the right of rectification, Article 17. 2 states that ‘Each Party shall, where feasible, notify the other if it becomes aware that material information it has transmitted to or received from the other Party under this Agreement is inaccurate or unreliable’. The EDPS believes that the obligation to rectify inaccurate or unreliable data is a fundamental guarantee not only for the data subject, but also for the effectiveness of the action of law enforcement authorities. In this perspective, authorities exchanging data should put in place mechanisms to ensure that this rectification is always feasible, and the proposal should thus delete the words ‘where feasible’.

31.

However, the main concern of the EDPS relates to the concrete enforceability of these rights. On the one hand, for reasons of legal certainty and transparency, the proposal should specify in further details which are the concrete procedures that data subjects may use in order to enforce the rights recognised by the agreement, both in the EU and in the US.

32.

On the other hand, Article 20.1 explicitly and clearly states that the agreement ‘shall not create or confer any right or benefit on any person or entity, private or public’. The EDPS notes that this provision seems to annul or at least question the binding effect of those provisions of the agreement providing for data subjects’ rights which are currently yet neither recognised nor enforceable under US law, in particular when data subjects are non US citizens or permanent residents. For example, the US Privacy Act provides a qualified right of access to personal information which is stronger than the general right of access granted to the general public by the US Freedom of Information Act. However, the US Privacy Act clearly states that a request for access to one's own records is only possible for ‘a citizen of the United States or an alien lawfully admitted for permanent residence’ (10).

33.

The EDPS therefore recommends that the current formulation of Article 20.1 should be revised in order to ensure that the rights conferred by the proposal are clearly stated and effectively enforceable also in US territory.

34.

Article 12 of the proposal lays down various levels of monitoring of the conditions and safeguards established by the agreement. ‘Independent overseers’ will monitor in real time and retrospectively the searches put in place by the US Treasury. Furthermore, ‘an independent person appointed by the European Commission’ will carry out an ongoing monitoring of the first level of oversight, including its independence. It should be clarified what the tasks of this independent person will be, how it will be guaranteed that he can actually fulfil his tasks and to whom he reports.

35.

Article 13 also establishes a mechanism for a joint review, to be carried out after 6 months and then at regular intervals. This joint review will be carried out by a joint EU-US delegation, including for the EU delegation representatives of two data protection authorities, and will result in a report that the Commission will present to the European Parliament and the Council.

36.

The EDPS highlights that independent supervision is a key element of the right to the protection of personal data, as confirmed by Article 16 TFEU and Article 8 of the Charter of the Fundamental Rights of the Union. Recently, the Court of Justice established strict criteria for independence in its Judgement of 9 March 2010, Commission v. Germany (11). It is obvious that the same strict criteria can not be imposed on third countries, but it is also clear that there can only be an adequate protection of personal data (12) in so far as there are sufficient guarantees for independent oversight. This is also a condition for international agreements with countries whose legal system does not establish the necessity of control by an independent authority.

37.

Against this background, it is crucial that at least the modalities of the oversight and of the joint review, as well as the powers and the guarantees of independence of the persons involved in the oversight are clearly defined in the agreement rather than being ‘jointly coordinated’ or determined at a later stage by the parties. In particular, it is important to ensure that both the person appointed by the European Commission and the representatives of European data protection authorities are put in a position to act independently and to effectively carry out their supervisory tasks.

38.

Furthermore, the proposal should not only fix the date of the first joint review, to take place after 6 months, but also the timeline of the following review, that may for example take place every year thereafter. The EDPS also recommends to establish a link between the outcome of these joint reviews and the duration of the agreement.

39.

In this context, the EDPS emphasises that a sunset clause is desirable, also in the light of the possible availability of more targeted solutions on the longer term. A sunset clause could also be a good incentive to ensure that the necessary efforts are put in the development of such solutions which would mean that there will be no reason any more for sending bulk data to he US Treasury.

40.

In order to enhance the effectiveness of both the oversight and the joint review, information and relevant data should be available on the number of access and redress requests, possible follow-up (deletion, rectification, etc), as well as the number of decisions limiting rights of data subjects. In the same line, as far as the review is concerned, information should be available and reported on the quantity not only of messages ‘accessed’ by the US Treasury but also of the messages ‘provided’ to the US Treasury. This should be specified in the agreement.

41.

Furthermore, the powers and competences of European data protection authorities should not be in any way limited by this proposal. In this perspective, the EDPS notes that the proposal makes a step back with respect to the interim TFTP agreement. Indeed, while the previous agreement stated in its preamble that ‘this Agreement does not derogate from the existing powers of data protection authorities in Member States to protect individuals with regard to the processing of their personal data’, the proposal now refers to ‘the supervision of competent data protection authorities in a manner consistent with the specific provisions of this agreement’. The EDPS therefore recommends that the proposal clearly states that the agreement does not derogate or limit the powers of European data protection authorities.

42.

The EDPS acknowledges that this proposal envisages certain substantial improvements with respect to the interim TFTP I agreement, such as the exclusion of SEPA data, a more limited definition of terrorism, and more detailed provisions on data subjects’ rights.

43.

The EDPS notes however that an essential prerequisite to the assessment of the legitimacy of a new TFTP agreement should be met. The necessity of the scheme must be established in relation to already existing EU and international instruments.

44.

Would this be the case, the EDPS points out that there are still some open questions to address and key elements to improve in order to meet the conditions of the EU legal framework on the protection of personal data, such as:

29.12.2010   

EN

Official Journal of the European Union

C 355/16

1.

On 20 July 2010, the Commission adopted a Communication entitled ‘Overview of information management in the area of freedom, security and justice’ (hereinafter the ‘Communication’) (3). The Communication was sent to the EDPS for consultation.

2.

The EDPS welcomes the fact that he was consulted by the Commission. Already before the adoption of the Communication, the EDPS was given the possibility to give informal comments. Many of these comments have been taken into account in the final version of the document.

3.

The EDPS welcomes the objective of the Communication which is to provide ‘for the first time, a full overview of the EU-level measures in place, under implementation or consideration that regulate the collection, storage or cross-border exchange of personal information for the purpose of law enforcement and migration management’ (4). The aim of the document is also to provide citizens with an overview of what information is collected, stored and exchanged about them, for what purpose and by whom. Moreover, according to the Commission, the Communication should also serve as a transparent reference tool for all stakeholders who wish to take part in a debate about the future direction of the EU policy in this area. Thus it should contribute to an informed policy dialogue with all stakeholders.

4.

In concrete terms, the Communication mentions that it aims to clarify the main purpose of the instruments, their structure, the types of personal data they cover, ‘the list of authorities with access to such data’ (5) and the provisions on data protection and data retention. In addition, Annex I contains a limited number of examples illustrating how these instruments operate in practice.

5.

Furthermore, the document sets out the broad principles (‘Substantive principles’ and ‘Process-oriented principles’) that the Commission intends to follow in the future development of instruments for data collection, storage and exchange. Under ‘Substantive principles’, the Communication lists such principles as safeguarding fundamental rights, in particular the right to privacy and data protection, necessity, subsidiarity and accurate risk management. ‘Process-oriented principles’ include cost-effectiveness, bottom-up policy design, clear allocation of responsibilities, and review and sunset clauses.

6.

These principles, according to the Communication, will be used when evaluating existing instruments. Adopting such a principled approach to policy development and evaluation should, in the Commission's view, enhance the coherence and effectiveness of current and future instruments in a way that fully respects citizens’ fundamental rights.

7.

The EDPS notes that the Communication is an important document that gives a comprehensive overview of the existing and (possible) future instruments for information exchange in the area of freedom, security and justice. It contains an elaboration of the Chapters 4.2.2 (Managing the flow of information) and 5.1 (Integrated management of the external borders) of the Stockholm programme (6). It will play an important role in the future development of this area. It is for this reason that the EDPS deems it useful to comment on the different elements of the Communication, despite the fact that the text of the Communication itself will not be changed.

8.

The EDPS intends to provide a few additional notions that in his view have to be taken into account in the further development of the area of freedom, security and justice. This opinion specifies a number of notions that have been provided earlier in the EDPS Opinion of 10 July 2009 on the Communication on an area of freedom, security and justice serving the citizen (7), and in a number of other opinions and comments. It also elaborates on the views presented on earlier occasions. In this context, reference should also be made to the Report on the Future of Privacy, adopted by the Article 29 Working Party and the Working Party on Police and Justice on 1 December 2009. This report, constituting a joint contribution to the consultation of the European Commission on the legal framework for the fundamental rights to protection of personal data, and supported by the EDPS, gave important directions as to the future of data protection, also applicable to the information exchange in the area of police and judicial cooperation in criminal matters.

9.

The EDPS welcomes the Communication as a reply to the call by the European Council (8) for developing EU-level information management instruments in accordance with an EU Information Management Strategy, and for reflecting on a European Information Exchange Model.

10.

Furthermore, the EDPS notes that the Communication should also be read as a response to the Stockholm programme, mentioned earlier on, which calls for coherence and consolidation in developing the information exchange in the field of EU internal security. More precisely, Chapter 4.2.2 of the Stockholm programme invites the European Commission to assess the need for developing a European Information Exchange Model based on the evaluation of the current instruments, including the Prüm framework and the so-called Swedish Framework Decision. These assessments should help to determine whether these instruments function as originally intended and meet the goals of the Information Management Strategy.

11.

Against this background, it is useful to highlight the fact that the Stockholm programme refers to a strong data protection regime as the main prerequisite for the EU Information Management Strategy. This strong emphasis on data protection is fully in line with the Lisbon Treaty which, as mentioned earlier, contains a general provision on data protection giving everyone — including third-country nationals — a right to data protection enforceable before a judge, and obliges the Council and the European Parliament to establish a comprehensive data protection framework.

12.

The EDPS also supports the requirement of the Information Management Strategy that all new legislative measures which would facilitate the storage and exchange of personal data should only be proposed if they are based on concrete evidence of their need. The EDPS has advocated this approach in various opinions on legislative proposals related to the area of freedom, security and justice, e.g. on the Second Generation SIS (9), on law enforcement access to Eurodac (10), on the revision of Eurodac and Dublin Regulations (11), on the commission the communication on Stockholm programme (12) and on PNR (13).

13.

Indeed, the need for assessment of all existing instruments on information exchange before proposing new ones is of essential importance. This is even more important if one considers the fact that the current framework is a complex patchwork of different instruments and systems of which some have only recently been implemented so that their effectiveness could not yet be assessed, some are in the process of implementation and some new ones are still in the legislative pipeline.

14.

This is why the EDPS notes with satisfaction that the Communication makes a clear link with other exercises launched by the Commission in order to take stock and evaluate this area, as follow-up to the Stockholm programme.

15.

In this context, the EDPS welcomes in particular an ‘information mapping’ exercise initiated by the Commission in January 2010 and conducted in close cooperation with an Information Mapping Project Team made up of representatives of EU and EFTA Member States, Europol, Eurojust, Frontex and the EDPS (14). As mentioned in the Communication, the Commission aims to present to the Council and the European Parliament the results of the ‘information mapping’ exercise still in 2010. As the next step, it also aims at presenting a communication on the European Information Exchange Model.

16.

In the EDPS's view, making a clear link between the Communication and the ‘information mapping’ exercise is most welcome, as both are clearly interlinked. It is obviously still early to assess what the outcome of these exercises and, more generally, of the discussions on the European Information Exchange Model will be (so far the ‘mapping exercise’ has only been presented by the Commission as a ‘stock-taking exercise’). The EDPS will continue to follow this work. Moreover, already at this stage, he draws attention to the need to provide for synergies and avoid diverging conclusions of all the exercises undertaken by the Commission in the context of the discussions on the European Information Exchange Model.

17.

Furthermore, the EDPS wishes to refer to the ongoing review of the data protection framework, and more in particular to the intention of the Commission to come up with a comprehensive framework for data protection, including police and judicial cooperation in criminal matters.

18.

With regard to this, the EDPS notes that the Communication refers — under ‘Safeguarding fundamental rights, in particular the right to privacy and personal data protection’ — to Article 16 of the Treaty on the Functioning of the European Union (TFEU) providing a legal basis for the work on such a comprehensive data protection scheme. He also notes in this context that the Communication mentions that it is not analysing specific data protection provisions of the instruments under discussion given that on the basis of the above mentioned Article 16, the Commission is now working on a new comprehensive framework for the protection of personal data in the EU. He hopes that in that context a good overview will be provided of the existing and possibly diverging data protection schemes and that the Commission will base further decision making on this overview.

19.

Last but not least, although the EDPS welcomes the objectives and the main content of the Communication, he also draws attention to the fact that this document should be only considered as a first step in the evaluation process, and that it should be followed by further concrete measures the outcome of which should be a comprehensive, integrated and well-structured EU policy on information exchange and management.

20.

In the text of the Communication, the Commission refers to the purpose limitation principle as ‘a key consideration for most of the instruments covered in this communication’.

21.

The EDPS welcomes the emphasis in the Communication on the purpose limitation principle which requires that the purposes for which personal data are collected should be clearly specified not later than at the time of collection, and that data should not be processed for purposes incompatible with those initial purposes. Any deviation from the purpose limitation principle should constitute an exception and should only be implemented subject to strict conditions and with the necessary safeguards, legal, technical and otherwise.

22.

However, the EDPS regrets that the Communication describes this fundamental data protection principle as a key consideration only ‘for most of the instruments covered in this communication’. Moreover, on page 22 the Communication refers to SIS, SIS II and VIS and mentions ‘that with exception of these centralised information systems, purpose limitation appears to be a core factor in the design of EU-level information management measures’.

23.

This wording might be read as suggesting that this principle has not been a key consideration in all cases and for all systems and instruments related to the exchange of information in the EU. With regard to this, the EDPS notes that exceptions and restrictions to this principle are possible and may be necessary, as is recognised in Article 13 of Directive 95/46/EC and Article 3.2 of Framework Decision 2008/977/JHA (15). However, it is compulsory to ensure that any new instrument relating to information exchange in the EU is proposed and adopted only if the purpose limitation principle has been duly considered and that any possible exceptions and restrictions to this principle are decided on a case-by-case basis and after serious assessment. These considerations are also relevant for SIS, SIS II and VIS.

24.

Any other practice would be contrary to Article 8 of the Charter of Fundamental rights of the Union and to the EU law on data protection (e.g. Directive 95/46/EC, Regulation (EC) No 45/2001 or the Framework Decision 2008/977/JHA) as well as to the jurisprudence of the European Court of Human Rights. Non-respect of the principle of purpose limitation might also lead to so called ‘function creep’ of these systems (16).

25.

The Communication (on page 25) refers to the requirements laid down in the jurisprudence of the European Court of Human Rights relating to the ‘proportionality test’ and it declares that ‘in all future policy proposals, the Commission will assess the initiative's expected impact on individuals’ right to privacy and personal data protection and set out why such an impact is necessary and why the proposed solution is proportionate to the legitimate aim of maintaining internal security within the European Union, preventing crime and managing migration’.

26.

The EDPS welcomes the above cited statements as he has also been insisting on the fact that the respect of proportionality and necessity should be predominant in taking any decisions on the existing and new systems involving collection and exchange of personal data. Looking prospectively, it is also essential for the current reflection on what the EU Information Management Strategy and the European Information Exchange Model should look like.

27.

Against this background, the EDPS welcomes the fact that differently from the wording used by the Commission when referring to the purpose limitation principle (see paras 20-22 of this Opinion), with regard to necessity, the Commission commits itself to assessing all future policy proposals in so far as the impacts on individuals’ right to privacy and personal data are concerned.

28.

Having said that, the EDPS draws attention to the fact that all these requirements regarding proportionality and necessity are derived from the existing EU law (in particular the Charter of Fundamental Rights which is now part of EU primary law) and the well-established jurisprudence of the European Court of Human Rights. In other words, the Communication does not bring in any new elements. Instead, in the EDPS's view, the Communication should not merely repeat these requirements, but should provide for concrete measures and mechanisms which would ensure that both necessity and proportionality are respected and practically implemented in all proposals having impact on individuals’ rights. The Privacy impact assessment, discussed in-paras 38-41 could be a good instrument for this goal. Moreover, this assessment should not only cover the new proposals but also the existing systems and mechanisms.

29.

In addition, the EDPS also takes this opportunity to stress that when considering proportionality and necessity in the EU Information Management Strategy, one should insist on the need for a right balance between data protection, on the one hand, and law enforcement, on the other hand. This balance does not mean that data protection would hamper the use of information necessary to solve a crime. All information that is necessary for this purpose can be used, in accordance with data protection rules (17).

30.

The Stockholm programme requests an objective and comprehensive assessment of all the instruments and systems dealing with the exchange of information in the European Union. Of course, the EDPS fully supports this approach.

31.

The Communication seems, however, not fully balanced. It seems to give priority, at least when it comes to figures and statistics, to those instruments that proved successful over the years and are considered ‘success stories’ (e.g. number of successful hits in SIS and Eurodac). The EDPS does not question the overall success of these systems. However, as an example, he mentions that the activity reports of the Joint Supervisory Authority for SIS (18) reveal that in a non-trivial number of cases, alerts in SIS were outdated, misspelled or wrong, which led (or could have led) to negative consequences for the individuals concerned. Such information is missing in the Communication.

32.

The EDPS would advise the Commission to reconsider the approach taken in the Communication. The EDPS suggests that in the future work on information management also failures and weaknesses of the system are reported — such as, for instance, the number of people wrongly arrested or inconvenienced in any way following a false hit in the system — in order to ensure a fair balance.

33.

For instance, the EDPS suggests that the data on SIS/Sirene hits (Annex 1) are complemented by a reference to the work conducted by the JSA on the reliability and accuracy of the alerts.

34.

Amongst ‘Process-oriented principles’ listed on pages 26-27, the Communication refers to the principle of ‘Clear allocation of responsibilities’, in particular when it comes to the issue of the initial design of governance structures. The Communication refers in this context to the problems with the SIS II project and future responsibilities of the IT Agency.

35.

The EDPS wishes to use this opportunity to stress the importance of the principle of ‘accountability’ which should also be implemented in the field of judicial and police cooperation in criminal matters and play an important role in the conception of the new and more developed EU policy on exchange of data and information management. The principle is currently being discussed in the context of the future of the European data protection framework, as a tool to further induce data controllers to reduce the risk of non-compliance by implementing appropriate mechanisms for effective data protection. Accountability requires that controllers put in place internal mechanisms and control systems that ensure compliance and provide evidence — such as audit reports — to demonstrate compliance to external stakeholders, including supervisory authorities (19). The EDPS has also stressed the need for such measures in his opinions on VIS and SIS II in 2005.

36.

The Commission refers to the concept of ‘Privacy by design’ on page 25 of the Communication (under Substantive principles ‘Safeguarding fundamental rights, in particular the right to privacy and personal data protection’) declaring that ‘when developing new instruments that rely on the use of information technology, the Commission will seek to follow the approach known as “privacy by design”’.

37.

The EDPS welcomes the reference to this concept (20) which is currently developed for both private and public sectors in general, and must also play an important role in the area of police and justice (21).

38.

The EDPS is convinced that this Communication provides a good opportunity to reflect more on what should be meant by a real ‘privacy and data protection impact assessment’ (PIA).

39.

The EDPS notes that neither the general guidelines described in this Communication nor the Commission's Impact Assessment Guidelines (22) specify this aspect and develop it into a policy requirement.

40.

Therefore, the EDPS recommends that for future instruments a more specific and rigorous impact assessment on privacy and data protection is conducted, either as a separate assessment or as part of the general fundamental rights’ impact assessment. Specific indicators and features should be developed to ensure that each proposal having impact on privacy and data protection is subject to thorough consideration. The EDPS also suggests that this issue be part of the ongoing work on the comprehensive data protection framework.

41.

Additionally, it could be helpful in this context to refer to Article 4 of the RFID Recommendation (23) in which the Commission called upon the Member States to ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments. Also the Madrid Resolution, adopted in November 2009 by the International Conference of Privacy and Data Protection Commissioners, encouraged the implementation of PIAs prior to the implementation of new information systems and technologies for the processing of personal data or substantial modifications in existing processing.

42.

The EDPS notes that the Communication does not address specifically the important issue of the data subjects’ rights which constitute a vital element of data protection. It is essential to ensure that across all different systems and instruments dealing with information exchange, the citizens enjoy similar rights relating to how their personal data are processed. Indeed, many of the systems referred to in the Communication establish specific rules on data subjects’ rights, but there is a lot of variation between the systems and instruments, without good justification.

43.

Therefore, the EDPS invites the Commission to look more carefully into the issue of the alignment of data subjects’ rights in the EU in the near future.

44.

Although the Commission refers to the use of biometrics (24), it does not address specifically the current phenomenon of the increased use of biometric data in the area of the exchange of information in the EU, including in the EU large-scale IT systems and other border management tools. The Communication also does not provide any concrete indication as to how the Commission intends to deal in the future with this issue and whether it is working on a comprehensive policy with regard to this growing tendency. This is regrettable given that this matter is of high importance and sensitivity from the perspective of data protection.

45.

Against this background, the EDPS wishes to mention that he has, on many occasions, in various fora and in different opinions (25) emphasised the possible risks linked to the major impacts of the use of biometrics on individuals’ rights. On these occasions, he also suggested the insertion of stringent safeguards for the use of biometrics in particular instruments and systems. The EDPS also drew attention to a problem related to inherent inaccuracies in the collection and comparison of biometric data.

46.

For these reasons, the EDPS takes this opportunity to ask the Commission to develop a clear and strict policy on the use of biometrics in the area of freedom, security and justice based on a serious evaluation and a case-by-case assessment of the need for the use of biometrics, with full respect for such fundamental data protection principles as proportionality, necessity and purpose limitation.

47.

On an earlier occasion (26), the EDPS raised a number of concerns regarding the concept of interoperability. One of the consequences of interoperability of systems is that it could be an incentive to propose new objectives for large scale IT systems which go beyond their original purpose and/or for the use of biometrics as primary key in this field. Specific safeguards and conditions are needed for different kinds of interoperability. The EDPS also stressed in this context that interoperability of the systems must be implemented with due respect for data protection principles and in particular the purpose limitation principle.

48.

Against this background, the EDPS notes that the Communication does not refer specifically to the issue of interoperability of the systems. The EDPS therefore calls on the Commission to develop a policy on this essential aspect of the EU information exchange, which should be part of the evaluation exercise.

49.

The Communication contains a chapter on legislative proposals to be presented by the Commission in the future. Amongst others the document refers to a proposal on a Registered Travellers Programme (RTP) and a proposal relating to an Entry/Exit System (EES). The EDPS would like to make a few remarks on both above mentioned proposals, on which, as the Communication suggests, the Commission has already taken a decision.

50.

As highlighted in point 4 of this Opinion, the Communication aims at presenting ‘a full overview of the EU-level measures (…) that regulate the collection, storage and cross-border exchange of personal information for the purpose of law enforcement and migration management’.

51.

In that context, the EDPS wonders what the final objective of the Registered Travellers Programme will be and how this proposal, currently under consideration by the Commission, will be covered by the purposes of law enforcement and migration management. The Communication states on page 20 that ‘this programme would allow certain groups of frequent travellers from third countries to enter the EU (…) using simplified border checks at automated gates’. Thus, the purpose of the instruments seems to be facilitation of travelling of frequent travellers. These instruments would therefore have no (direct or clear) link with law enforcement and migration management purposes.

52.

When referring to the future EU Entry/Exit System, the Communication (page 20) mentions the problem of ‘overstayers’ and states that this category of people ‘constituted the largest group of irregular migrants in the EU’. The latter argument is presented as the reason why the Commission decided to propose the introduction of an entry/exit system for third-country nationals entering the EU for short stays of up to three months.

53.

In addition, the Communication mentions that ‘the system would record the time and place of entry and length of authorised stay and would transmit automated alerts to the competent authorities identifying individuals as “overstayers”. Based on biometric data verification, it would deploy the same biometric matching system and operational equipment as that used by SIS II and VIS’.

54.

The EDPS considers that it is essential to specify the target group of overstayers with reference to an existing legal definition or supporting it with any reliable figures or statistics. This is even more important given that all calculations regarding the number of ‘overstayers’ within the EU are currently based only on pure estimations. It should also be clarified what measures would be taken towards ‘overstayers’ once they have been identified by the system, given that the EU lacks a clear and comprehensive policy on people who ‘overstay’ on the EU territory.

55.

Moreover, the wording of the Communication suggests that the decision to introduce the system has already been taken by the Commission, whereas at the same time the Communication mentions that the Commission is currently conducting an impact assessment. The EDPS emphasises that a decision to introduce such a complex and privacy-intrusive system should only be taken on the basis of a specific impact assessment providing concrete evidence and information on why such a system is necessary and why alternative solutions based on the existing systems could not be envisaged.

56.

Lastly, the Commission seems to link this future system with the biometric matching system and operational equipment of the SIS II and VIS. However, this is done without referring to the fact that neither SIS II nor VIS have gone live yet and that the exact dates of their entry into operation are unknown at this stage. In other words, the entry/exit system would heavily depend on biometric and operational systems which are not in operation yet, as a result of which their performance and functionalities could not possibly have been subjected to an adequate assessment.

57.

In the context of the initiatives to be studied by the Commission — thus on which the Commission has not taken a final decision — the Communication, based on the requests made in the Stockholm programme, refers to three initiatives: an EU terrorist finance tracking system (equivalent to the US TFTP), an Electronic System of Travel Authorisation (ESTA) and a European Police Records Index System (EPRIS).

58.

The EDPS will follow closely all the developments related to these initiatives and will make comments and suggestions when appropriate.

59.

The EDPS fully supports the Communication which provides for a full overview of the EU information exchange systems both in place and planned in the future. The EDPS has advocated the need for assessment of all existing instruments on information exchange before proposing new ones in numerous opinions and comments.

60.

The EDPS also welcomes the reference in the Communication to the ongoing work on the comprehensive data protection framework on the basis of Article 16 TFEU, which should be taken into account also in the context of the work on the overview of the EU information management.

61.

The EDPS considers this Communication as a first step in the evaluation process. It should be followed by a real assessment the outcome of which should be a comprehensive, integrated and well-structured EU policy on information exchange and management. In that context, the EDPS is happy to see the link made with other exercises launched by the Commission as a reaction to the Stockholm programme, in particular the ‘information mapping’ exercise conducted by the Commission in close cooperation with an Information Mapping Project Team.

62.

The EDPS suggests that in the future, work on information management also deficiencies and weaknesses of the systems are reported and taken into consideration, such as for instance the number of people wrongly arrested or inconvenienced in any way following a false hit in the system.

63.

The purpose limitation principle should be considered a key consideration for all instruments dealing with information exchange in the EU, and new instruments can only be proposed if the purpose limitation principle has been duly considered and respected during their elaboration. This continues to be the case during their implementation.

64.

The EDPS also encourages the Commission to ensure by developing concrete measures and mechanisms, that the principles of necessity and proportionality are respected and practically implemented in all new proposals having impact on individuals’ rights. There is also a need for evaluation of the already existing systems with regard to this matter.

65.

The EDPS is also convinced that this Communication provides an excellent opportunity to launch a discussion on and better specify what is really meant by a ‘privacy and data protection impact assessment’.

66.

He also invites the Commission to develop a more coherent and consistent policy on the prerequisites for use of biometrics, a policy on systems operability and more alignment at the EU level in terms of data subjects rights.

67.

The EDPS also welcomes the reference to the concept of ‘privacy by design’ which is currently developed for both private and public sectors in general, and must therefore also play an important role in the area of police and justice.

68.

Last but not least, the EDPS draws attention to his remarks and concerns about the chapter titled ‘Legislative proposals to be presented by the Commission’ regarding the Entry/Exit System and the Registered Travellers Programme.

29.12.2010   

EN

Official Journal of the European Union

C 355/24

—

in the merger section of the Competition website of the Commission (http://ec.europa.eu/competition/mergers/cases/). This website provides various facilities to help locate individual merger decisions, including company, case number, date and sectoral indexes,

—

in electronic form on the EUR-Lex website (http://eur-lex.europa.eu/en/index.htm) under document number 32010M5952. EUR-Lex is the on-line access to the European law.

29.12.2010   

EN

Official Journal of the European Union

C 355/24

—

in the merger section of the Competition website of the Commission (http://ec.europa.eu/competition/mergers/cases/). This website provides various facilities to help locate individual merger decisions, including company, case number, date and sectoral indexes,

—

in electronic form on the EUR-Lex website (http://eur-lex.europa.eu/en/index.htm) under document number 32010M6040. EUR-Lex is the on-line access to the European law.

29.12.2010   

EN

Official Journal of the European Union

C 355/25

—

in the merger section of the Competition website of the Commission (http://ec.europa.eu/competition/mergers/cases/). This website provides various facilities to help locate individual merger decisions, including company, case number, date and sectoral indexes,

—

in electronic form on the EUR-Lex website (http://eur-lex.europa.eu/en/index.htm) under document number 32010M6072. EUR-Lex is the on-line access to the European law.

29.12.2010   

EN

Official Journal of the European Union

C 355/26

29.12.2010   

EN

Official Journal of the European Union

C 355/27

Občina Benedikt

Čolnikov trg 5

SI-2234 Benedikt

SLOVENIJA

1.

Investment in agricultural holdings for primary production:

2.

Aid for investment to conserve traditional landscapes and buildings:

3.

Aid for land re-parcelling:

4.

Aid to encourage the production of quality agricultural products:

5.

Aid for providing technical support in the agricultural sector:

Občina Piran

Tartinijev trg 2

SI-6330 Piran

SLOVENIJA

Regione del Veneto

Palazzo Balbi

Dorsoduro 3901

30123 Venezia VE

ITALIA

Tel. +39 412795030

Fax +39 412795085

E-mail: dir.formazione@regione.veneto.it

Provincie Utrecht

Postbus 80300

3508 TH Utrecht

NEDERLAND

1.

Up to 100 % reimbursement of the costs of removal and destruction of fallen stock where there is an obligation to perform TSE tests on the fallen stock;

2.

Up to 100 % reimbursement of the costs of removal and up to 75 % of the costs of destruction of fallen stock:

3.

Up to 61 % reimbursement of the costs of removal and up to 59 % reimbursement of the costs of destruction:

Lietuvos Respublikos žemės ūkio ministerija

Gedimino pr. 19

LT-01103 Vilnius

LIETUVA/LITHUANIA

Department of Agriculture, Fisheries and Food

Agriculture House

Kildare Street

Dublin 2

IRELAND

29.12.2010   

EN

Official Journal of the European Union

C 355/34

1.

Malta Freeport

2.

Mġarr Yacht Marina

3.

Msida Yacht Marina

4.

Valletta’ Seaport

1.

Malta International Airport, Luqa

29.12.2010   

EN

Official Journal of the European Union

C 355/35

1.

A tendering procedure is opened for the reduction in the import duty on sorghum falling within CN code 1007 00 90 originating in third countries.

2.

The tendering procedure shall be conducted in accordance with Commission Regulation (EU) No 1262/2010 (1).

1.

The deadline for the submission of tenders for the first partial invitation to tender shall be 10:00 (Brussels time) on 13 January 2011.

The deadline for the submission of tenders under subsequent partial invitations to tender shall be on the following days at 10:00 (Brussels time):

2.

This notice is published for the purposes of the present invitation to tender only. Until such time as it is amended or replaced, its terms shall apply to each partial award held during the period of validity of this invitation.

1.

Tenders must be submitted in writing and delivered no later than the dates and times indicated in Title II, either by personal delivery against a receipt or by electronic means, to one of the following addresses:

Delivery address:

Tenders not submitted by electronic means must be enclosed in two sealed envelopes, one inside the other. The inner envelope must be marked ‘Tender under invitation to tender for the reduction in the import duty on sorghum — Regulation (EU) No 1262/2010’.

Once submitted, no tender may be withdrawn before the Member State concerned has informed the successful bidder of the result of the tender.

2.

The tender, as well as the proof and statement referred to in Article 7(3) of Commission Regulation (EC) No 1296/2008 (2), must be worded in the official language or one of the official languages of the Member State to whose competent authority the tender is addressed.

(a)

the right to the issue in the Member State in which the tender is submitted of an import licence specifying the reduction in the import duty referred to in the tender, for the quantity offered;

(b)

the obligation to apply in the Member State referred to in point (a) for an import licence for that quantity.

29.12.2010   

EN

Official Journal of the European Union

C 355/37

1.

A tendering procedure is opened for the reduction in the import duty on maize falling within CN code 1005 90 00 originating in third countries.

2.

The tendering procedure shall be conducted in accordance with Commission Regulation (EU) No 1262/2010 (1).

1.

The deadline for the submission of tenders for the first partial invitation to tender shall be 10:00 (Brussels time) on 13 January 2011.

The deadline for the submission of tenders under subsequent partial invitations to tender shall be on the following days at 10:00 (Brussels time):

2.

This notice is published for the purposes of the present invitation to tender only. Until such time as it is amended or replaced, its terms shall apply to each partial award held during the period of validity of this invitation.

1.

Tenders must be submitted in writing and delivered no later than the dates and times indicated in Title II, either by personal delivery against a receipt or by electronic means, to one of the following addresses:

Delivery address:

Tenders not submitted by electronic means must be enclosed in two sealed envelopes, one inside the other. The inner envelope must be marked ‘Tender under invitation to tender for the reduction in the import duty on maize — Regulation (EU) No 1262/2010’.

Once submitted, no tender may be withdrawn before the Member State concerned has informed the successful bidder of the result of the tender.

2.

The tender, as well as the proof and statement referred to in Article 7(3) of Commission Regulation (EC) No 1296/2008 (2), must be worded in the official language or one of the official languages of the Member State to whose competent authority the tender is addressed.

(a)

the right to the issue in the Member State in which the tender is submitted of an import licence specifying the reduction in the import duty referred to in the tender, for the quantity offered;

(b)

the obligation to apply in the Member State referred to in point (a) for an import licence for that quantity.

29.12.2010   

EN

Official Journal of the European Union

C 355/39

1.

A tendering procedure is opened for the reduction in the import duty on maize falling within CN code 1005 90 00 originating in third countries.

2.

The tendering procedure shall be conducted in accordance with Commission Regulation (EU) No 1262/2010 (1).

1.

The deadline for the submission of tenders for the first partial invitation to tender shall be 10:00 (Brussels time) on 13 January 2011.

The deadline for the submission of tenders under subsequent partial invitations to tender shall be on the following days at 10:00 (Brussels time):

2.

This notice is published for the purposes of the present invitation to tender only. Until such time as it is amended or replaced, its terms shall apply to each partial award held during the period of validity of this invitation.

1.

Tenders must be submitted in writing and delivered no later than the dates and times indicated in Title II, either by personal delivery against a receipt or by electronic means, to one of the following addresses:

Delivery address:

Tenders not submitted by electronic means must be enclosed in two sealed envelopes, one inside the other. The inner envelope must be marked ‘Tender under invitation to tender for the reduction in the import duty on maize — Regulation (EU) No 1262/2010’.

Once submitted, no tender may be withdrawn before the Member State concerned has informed the successful bidder of the result of the tender.

2.

The tender, as well as the proof and statement referred to in Article 7(3) of Commission Regulation (EC) No 1296/2008 (2), must be worded in the official language or one of the official languages of the Member State to whose competent authority the tender is addressed.

(a)

the right to the issue in the Member State in which the tender is submitted of an import licence specifying the reduction in the import duty referred to in the tender, for the quantity offered;

(b)

the obligation to apply in the Member State referred to in point (a) for an import licence for that quantity.

29.12.2010   

EN

Official Journal of the European Union

C 355/41

1.

On 17 December 2010, the Commission received a notification of a proposed concentration pursuant to Article 4 of Council Regulation (EC) No 139/2004 (1) by which Veolia Eau — Compagnie Génerale des Eaux SCA (‘Veolia Eau’, France), belonging to the group Veolia Environnement, and Electricité de France International SA (‘EDFI’, France), belonging to the group Electricité de France (‘EDF’), acquire within the meaning of Article 3(1)(b) of the Merger Regulation joint-control of Société d'Energie et d'Eau du Gabon (‘SEEG’, Gabon), by way of a purchase of shares of SEEG's holding company, Veolia Water India Africa SA (‘VWIA’, France) currently solely controlled by Veolia Eau.

2.

The business activities of the undertakings concerned are:

3.

On preliminary examination, the Commission finds that the notified transaction could fall within the scope of the EC Merger Regulation. However, the final decision on this point is reserved. Pursuant to the Commission Notice on a simplified procedure for treatment of certain concentrations under the EC Merger Regulation (2) it should be noted that this case is a candidate for treatment under the procedure set out in the Notice.

4.

The Commission invites interested third parties to submit their possible observations on the proposed operation to the Commission.

Observations must reach the Commission not later than 10 days following the date of this publication. Observations can be sent to the Commission by fax (+32 22964301), by email to COMP-MERGER-REGISTRY@ec.europa.eu or by post, under reference number COMP/M.6105 — Veolia/EDF/Société d'Energie et d'Eau du Gabon, to the following address: