1.4.2011   

EN

Official Journal of the European Union

C 101/1

1.

On 20 September 2010, the European Commission adopted a proposal for a Regulation on the marketing and use of explosives precursors (3) (‘the Proposal’). On 11 November 2010, the Proposal as adopted by the Commission was sent to the EDPS for consultation in accordance with Article 28(2) of Regulation (EC) No 45/2001. The EDPS welcomes the fact that he is consulted by the Commission and that reference to this consultation is made in the recitals of the Proposal.

2.

The main aim of the proposed measures is to reduce the risk of attacks by terrorists or other criminals using home-made explosive devices. To this end, the Regulation limits the access of the general public to certain chemicals, which can be misused as precursors to home-made explosives. In addition, the Proposal places the sales of such chemicals under stricter control by means of reporting suspicious transactions and thefts.

3.

In this opinion, the EDPS calls the legislators’ attention to a number of relevant data protection issues and provides recommendations to ensure the fundamental right to the protection of personal data.

4.

The Proposal addresses the problems of the misuse of certain chemicals, which are widely available to the general public on the market, as precursors to home-made explosives. Articles 4 and 5 of the Proposal deal with the prohibition of sale to the general public, which is combined with a licensing scheme and requirement to record all licensed transactions. Article 6 requires economic operators to report suspicious transactions and thefts. Finally, Article 7 addresses the need for data protection.

5.

The sales of certain chemicals, above specified concentration thresholds, to members of the general public will be prohibited. Sales of higher concentrations would only be allowed to users who can document a legitimate need to use the chemical.

6.

The scope of the prohibition is limited to a short-list of chemical substances and their mixtures (see Annex I to the Proposal), and the sales of these substances to the general public. The restrictions do not apply to professional users or in business-to-business operations. Furthermore, the availability to the general public of the short-listed substances is limited only if they are above certain concentration levels. In addition, substances can still be obtained upon presentation of a license from a public authority (documenting legitimate use). Finally, an exception applies to farmers who are allowed to purchase ammonium nitrate to be used as fertiliser without a license irrespective of concentration thresholds.

7.

Licenses will also be required if a member of the general public intends to import the short-listed substances to the European Union.

8.

An economic operator which makes a substance or mixture available to a licensed member of the general public is required to verify the license presented and keep a record of the transaction.

9.

Each Member State is required to lay down the rules for granting the license. The competent authority in the Member State shall refuse to grant the license to the applicant if there are reasonable grounds for doubting the legitimacy of the intended use. Licenses granted shall be valid in all Member Sates. The Commission may draw up guidelines on the technical details of the licenses to assist their mutual recognition.

10.

The sales of a broader range of chemicals of concern (those listed in Annex II, in addition to all those listed in Annex I, which are already subject to the licensing requirement) will be subject to reporting of suspicious transactions and thefts.

11.

The Proposal requires each Member State to designate a national contact point (with a clearly identified telephone number and e-mail address) for the reporting of suspicious transactions and thefts. Economic operators are required to report any suspicious transactions and thefts without delay, mentioning, if possible, the identity of the client.

12.

The Commission shall draw up and update guidelines to assist the economic operators to recognize and notify suspicious transactions. The guidelines will also include regular updates to a list of additional substances not included in either Annex I or II, for which voluntary reporting of suspicious transactions and thefts is encouraged.

13.

Recital 11 and Article 7 require that the processing of personal data under the Regulation must always be carried out in accordance with EU data protection laws, in particular, Directive 95/46/EC (4) and national data protection laws implementing this Directive. The Proposal contains no further provisions on data protection.

14.

Reporting suspicious transactions and thefts and the licensing and recording scheme foreseen in the Regulation require processing of personal data. They both imply — in any case to some extent — interference with private life and the right to the protection of personal data, and thus require adequate safeguards.

15.

The EDPS welcomes that the Proposal contains a separate provision (Article 7) on data protection. With that said, this single — and very general — provision foreseen in the Proposal is insufficient to adequately address the data protection concerns raised by the proposed measures. In addition, the relevant articles of the Proposal (Articles 4, 5 and 6) also fail to describe in sufficient detail the specificities of the data processing operations foreseen.

16.

To illustrate, with regard to licensing, the Regulation requires that economic operators keep a record of the licensed transactions, without, however, specifying what personal data those records should contain, how long they should be kept, whom they can be disclosed to and under what conditions. Nor is it specified what data will be collected when processing license applications.

17.

As for the requirement to report suspicious transactions and thefts, the Proposal establishes a reporting requirement, without, however, specifying what constitutes a suspicious transaction, what personal data should be reported, how long the information reported should be kept, whom it can be disclosed to and under what conditions. Nor does the Proposal provide further details regarding the ‘national contact points’ to be designated, or any database that these contact points may establish for their Member States, or any eventual database that might be established at EU level.

18.

From a data protection point of view, the collection of data regarding suspicious transactions is the most sensitive subject in the Proposal. The relevant provisions should be clarified so as to ensure that the data processing remains proportionate and abuse is prevented. To achieve this, conditions for processing data should be clearly specified and adequate safeguards should be applied.

19.

Importantly, data should not be used for any other purpose than the fight against terrorism (and other crime involving misuse of chemicals for home-made explosive devices). Data should also not be retained for long periods of time, especially if the number of potential or actual recipients were to be large, and/or if the data were to be used for data mining. This is even more important in those cases where it can be shown that the initial suspicion was unfounded. In those cases there needs to be a specific justification for further retention. By way of illustration, the EDPS mentions in this context the ruling of the European Court of Human Rights in the case of S and Marper v the United Kingdom (2008) (5), according to which the long term retention of the DNA of persons not convicted of a criminal offence was a breach of their right to privacy under Article 8 of the European Convention on Human Rights.

20.

For these reasons, the EDPS recommends that Articles 5, 6 and 7 of the Proposal should contain further and more specific provisions to adequately address these concerns. Some specific recommendations will be made below.

21.

In addition, it should also be considered whether specific and more detailed provisions can be drawn up in an implementing Commission Decision in accordance with Articles 10, 11 and 12 of the Proposal to address additional data protection issues at the practical level.

22.

Finally, the EDPS also recommends that the Commission guidelines on suspicious transactions and on the technical details of the licenses should include further specific provisions on data processing and data protection. Both guidelines, as well as any possible implementing decision in the area of data protection, should be adopted after consulting the EDPS and — where the implementation at the national level is at stake — the Article 29 Data Protection Working Party. The Regulation itself should clearly foresee this and should also specifically list the main issues to be dealt with in the guidelines/implementing decision.

23.

The EDPS recommends that Article 5 of the Regulation should specify a maximum retention period (prima facie, not exceeding two years) as well as the categories of personal data to be recorded (not exceeding name, license number and items purchased). These recommendations flow from the principle of necessity and proportionality: the collection and conservation of personal data should be limited to what is strictly necessary for the purposes pursued (see Article 6(c) and (e) of Directive 95/46/EC). If such specifications are left to national law or practice, this will probably lead to unnecessary uncertainties and unequal treatment of similar situations in practice.

24.

Further, Article 5 of the Regulation should also expressly prohibit — in connection with the licensing procedure — the collection and processing of ‘special categories of data’ (as defined in Article 8 of Directive 95/46/EC) such as, among others, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs.

25.

This should also help ensure that applicants will not be treated in a discriminatory way, for example, on account of their race, nationality or political or religious affiliation. In this context, the EDPS emphasizes that ensuring a high level of data protection is also a means contributing to fighting racism, xenophobia and discrimination, which, in turn, can contribute to preventing radicalisation and recruitment into terrorism.

26.

The Regulation provides that license applications are to be rejected if there are reasonable grounds for doubting the legitimacy of the intended use. In this regard, it would be helpful if the guidelines or implementing decision specified the data that can be collected by the licensing authorities in connection with the license application.

27.

The guidelines or implementing decision should provide that the records should only be disclosed to competent law enforcement authorities investigating terrorist activities or other suspected criminal abuse of explosive precursors. The information should not be used for any additional purposes (see Article 6(b) of Directive 95/46/EC).

28.

The EDPS further recommends that the guidelines or implementing decision should specify that the licensing authority — who is best positioned to provide such a notice directly to the data subjects — should inform license holders about the fact that their purchases will be recorded and may be subject to reporting if found ‘suspicious’ (see Articles 10 and 11 of Directive 95/46/EC).

29.

The EDPS recommends that the role and nature of the national contact points should be clarified in the Proposal. The Impact Assessment, in paragraph 6.33 refers to the possibility that these contact points may not only be ‘law enforcement authorities’ but also ‘associations’. The legislative documents provide no further information in this regard. This should be, in particular, clarified in Article 6.2 of the Proposal. In principle, data should be held by law enforcement authorities — if this will not be the case, the reasons for this should be very clearly justified.

30.

Furthermore, Article 6 of the Regulation should specify the personal data to be recorded (not exceeding name, license number, items purchased, and reasons giving rise to suspicion). These recommendations flow from the principle of necessity and proportionality: the collection of personal data should be limited to what is strictly necessary for the purposes pursued (see Article 6(c) of Directive 95/46/EC). In this context, similar considerations apply as expressed in point 23.

31.

Article 6 of the Regulation should also expressly prohibit — in connection with the reporting procedure — the collection and processing of ‘special categories of data’ (as defined in Article 8 of Directive 95/46/EC) such as, among others, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs (see also points 24-25).

32.

Finally, Article 6 should set a maximum retention period, taking into account the purposes of the data storage. The EDPS recommends that — unless a suspicious transaction or theft has led to a specific investigation and the investigation is still ongoing — all reported suspicious transactions and thefts should be deleted from the database after the lapse of a specified period (prima facie, at the latest two years following the date of report). This should help ensure that in cases where the suspicion has not been confirmed (or even investigated further), innocent individuals would not be kept on a ‘black-list’ and ‘under suspicion’ for an unduly long period of time (see Article 6(e) of Directive 95/46/EC). Too wide divergences on this point at the national level should in any case be avoided.

33.

This limitation is also necessary to ensure the principle of data quality (see Article 6(d) of Directive 95/46/EC) as well as other important legal principles such as the presumption of innocence. This may not only result in a more adequate level of protection for the individuals, but at the same time, should also allow law enforcement to more effectively focus on those more serious cases where the suspicion will likely be ultimately confirmed.

34.

What transaction might be ‘suspicious’ is not defined in the Proposal. However, Article 6(6)(a) of the Proposal foresees that the Commission ‘shall draw up and update guidelines’ and shall provide information on ‘how to recognize and notify suspicious transactions’.

35.

The EDPS welcomes that the Proposal requires the Commission to draw up guidelines. These should be sufficiently clear and concrete and prevent an overbroad interpretation so as to minimize the transmissions of personal data to law enforcement authorities and to prevent any arbitrary or discriminatory practices, for example, on account of race, nationality or political or religious affiliation.

36.

The guidelines/implementing rules should further provide that the information should be kept secure and confidential and should only be disclosed to competent law enforcement authorities investigating terrorist activities or other suspected criminal abuse of explosive precursors. The information should not be used for additional purposes, for instance, to investigate unrelated matters by tax or immigration authorities.

37.

The guidelines/implementing decision should further specify who should have access to the data received (and stored) by the national contact points. Access/disclosures should be limited on a strict need-to-know basis. Publication of a list of possible recipients should also be considered.

38.

The guidelines/implementing decision should provide for rights of access to data subjects, including, when appropriate, correction or deletion of their data (see Articles 12-14 of Directive 95/46/EC). The existence of this right — or any potential exceptions under Article 13 — may have important implications. For example, under the general rules, the data subject has also the right to know if his/her transaction has been reported as suspicious. The (potential) use of this right, however, could prevent the seller of explosives precursors to communicate suspicious transactions of the buyer. Therefore, any exceptions should be clearly justified and specifically set forth, preferably in the Regulation, or in any event, in the guidelines/implementing decision. A redress mechanism should also be foreseen, with the involvement of the national contact points.

39.

The EDPS welcomes that Article 16 of the Proposal provides for a review of the Regulation (five years after adoption). Indeed, the EDPS is of the Opinion that any new instruments should prove in periodic reviews that they continue to constitute effective means of fighting terrorism (and other criminal activity). The EDPS recommends that the Regulation should specifically provide that during such a review, the Regulation's effectiveness, as well as its effects on fundamental rights, including data protection, should also be considered.

40.

The EDPS recommends adding to the Proposal further, more specific provisions to adequately address data protection concerns. In addition, the Commission guidelines on suspicious transactions and on the technical details of the licenses — and an eventual implementing decision on data protection — should also include further specific provisions on data processing and data protection. The guidelines (and the implementing decision, if any) should be adopted after consulting the EDPS and — where appropriate — the Article 29 Working Party with representatives of data protection authorities in the Member States.

41.

Article 5 of the Regulation should specify a maximum retention period (prima facie, not exceeding two years) for the recorded transactions as well as the categories of personal data to be recorded (not exceeding name, license number and items purchased). Processing of special categories of data should be expressly prohibited.

42.

The role and nature of the contact points should be clarified in Article 6 of the Proposal. This provision should also specify a maximum retention period for the data reported on suspicious transactions (prima facie, not exceeding two years) as well as the personal data to be recorded (not exceeding name, license number, items purchased, and reasons giving rise to suspicion). Processing of special categories of data should be expressly prohibited.

43.

Further, the guidelines/implementing decision should specify the data that can be collected by the licensing authorities in connection with the license application. They should also clearly limit the purposes for which data can be used. Similar provisions should also apply to the records of suspicious transactions. The guidelines/implementing decision should specify that the licensing authority should inform license holders about the fact that their purchases will be recorded and may be subject to reporting if found ‘suspicious’. The guidelines/implementing decision should further specify who should have access to the data received (and stored) by the national contact points. Access/disclosures should be limited on a strict need-to-know basis. They should also provide for appropriate rights of access to data subjects and clearly set forth and justify any exceptions.

44.

The effectiveness of the measures foreseen should be periodically reviewed, at the same time also considering their impact on privacy.

1.4.2011   

EN

Official Journal of the European Union

C 101/6

1.

On 22 November 2010, the Commission adopted a Communication entitled ‘EU Internal Security Strategy in Action: Five steps towards a more secure Europe’ (hereinafter the ‘Communication’) (3). The Communication was sent to the EDPS for consultation.

2.

The EDPS welcomes the fact that he was consulted by the Commission. Already before the adoption of the Communication, the EDPS provided informal comments on the draft text, some of which have been taken into account in the final version of the Communication.

3.

The EU Internal Security Strategy (hereinafter the ISS), addressed in the Communication, was adopted on 23 February 2010 under the Spanish Presidency (4). The strategy lays out a European security model, which integrates among others action on law enforcement and judicial cooperation, border management and civil protection, with due respect for shared European values, such as fundamental rights. Its main objectives are to:

4.

The ISS aims to target the most urgent threats and challenges to EU security such as serious and organised crime, terrorism and cybercrime, the management of EU external borders and building resilience to natural and man-made disasters. The strategy provides for general guidelines, principles and directions on how the EU should react to these issues and it calls upon the Commission to propose timed actions to implement the strategy.

5.

Furthermore, it is important to refer in this context to the recent Justice and Home Affairs Council Conclusions on the creation and implementation of an EU policy cycle for organised and serious international crime adopted on 8-9 November 2010 (5) (hereinafter ‘November 2010 Conclusions’). This document follows the Council's Conclusion on the Architecture of Internal Security of 2006 (6), and calls upon the Council and the Commission to define a comprehensive ISS based on the EU common values and principles as reaffirmed in the EU Charter on Fundamental Rights (7).

6.

Amongst the directions and goals that should drive the implementation of the ISS, the November 2010 Conclusions refer to the reflection on a proactive and intelligence-led approach, stringent cooperation between the EU agencies, including further improving their information exchange and the aim of making citizens aware of the importance of the Union's work to protect them. Moreover, the Conclusions call the Commission to develop together with the experts of relevant agencies and Member States a Multi-Annual Strategic Plan (hereinafter MASP) for each priority, defining the most appropriate strategy to tackle the problem. It also calls on the Commission to develop through consultation with the Member States' and EU Agencies' experts an independent mechanism to evaluate the implementation of the MASP. The EDPS will come to these issues later on in this Opinion as they are closely linked or have significant impact on the protection of personal data, privacy and other related fundamental rights and freedoms.

7.

The Communication proposes five strategic objectives, all having links with privacy and data protection:

8.

The ISS in Action as proposed in the Communication, puts forward a shared agenda for Member States, the European Parliament, the Commission, the Council, agencies and others, including civil society and local authorities, and proposes how they all should work together over the next four years to achieve the goals of the ISS.

9.

The Communication builds on the Lisbon Treaty and acknowledges the guidance provided by the Stockholm Programme (and its Action Plan) which highlight in Chapter 4.1 the need for a comprehensive ISS based on respect for fundamental rights, international protection and the rule of law. Moreover, in accordance with the Stockholm Programme, developing, monitoring and implementing the internal security strategy should become one of the priority tasks of the Internal Security Committee (COSI) set up under Article 71 TFEU. In order to ensure the effective enforcement of the ISS, it should also cover security aspects of an integrated border management and, where appropriate, judicial cooperation in criminal matters relevant to operational cooperation in the field of internal security. It is also important to mention in this context that the Stockholm Programme calls for an integrated approach to ISS which should also take into account the external security strategy developed by the EU as well as other EU policies, in particular those concerning the internal market.

10.

The Communication refers to various policy areas which form part of or have impact on a broadly understood concept of ‘internal security’ in the European Union.

11.

The aim of this Opinion is not to analyze all policy areas and specific topics covered by the Communication, but to:

12.

The EDPS will do so by highlighting in particular the links between the ISS and the Information Management Strategy and the work on the comprehensive data protection framework. Moreover, the EDPS will refer to such concepts as: Best Available Techniques and ‘Privacy by design’, privacy and data protection impact assessment, and data subject's rights, which have direct impact on the design and implementation of the ISS. The Opinion will also comment on a number of chosen policy areas such integrated border management, including EUROSUR and the processing of personal data by FRONTEX, as well as other fields such as cyberspace and TFTP.

13.

Various EU strategies based on the Lisbon Treaty and the Stockholm programme and having a direct or indirect impact on data protection, are being currently discussed and proposed at EU level. The ISS is one of them and it is closely linked with other strategies (either addressed in recent Commission's Communications or envisaged for the near future) such as the EU Information Management Strategy and the European Information Exchange Model, the strategy on the implementation of the EU Charter of Fundamental Rights, the comprehensive data protection strategy and the EU Counter-terrorism policy. In this Opinion, the EDPS pays particular attention to the links with the Information Management Strategy and the comprehensive data protection framework based on Article 16 TFEU, which have most evident policy links with the ISS from a data protection perspective.

14.

All these strategies constitute a complex ‘patchwork’ of interrelated policy guidelines, programmes and action plans which call for a comprehensive and integrated approach at EU level.

15.

In more general terms, this approach of ‘linking the strategies’ if taken on board in the future actions would show that there is a vision at EU level when it comes to EU strategies and, that these strategies, and the recently adopted Communications which elaborate on them, are closely interlinked, which is the case, the Stockholm Programme being the common reference point for all of them. It would also result in positive synergies between different policies falling within the area of freedom, security and justice and would avoid any possible duplication of work and efforts in this area. Equally important, this approach would also lead to more effective and coherent application of data protection rules in the context of all interlinked strategies.

16.

The EDPS highlights that one of the pillars of the ISS is an efficient information management in the European Union which should be grounded on the principles of necessity and proportionality in order to justify the need for exchange of information.

17.

Moreover, as mentioned in the EDPS opinion on the Communication on Information Management (8), the EDPS underlines that all new legislative measures which would facilitate the storage and exchange of personal data should only be proposed if they are based on concrete evidence of their need (9). This legal requirement should be transformed into a pro-active policy approach when implementing the ISS. The need of a comprehensive approach to the ISS inevitably also leads to the need for assessment of all instruments and tools existing already in the field of internal security before proposing new ones.

18.

In this context, the EDPS also suggests more frequent use of clauses providing for periodical evaluation of existing instruments, such as included in the Data Retention Directive which is currently being evaluated (10).

19.

The Communication refers to the protection of personal data in the paragraph ‘Security policies based on common values’ where it mentions that the tools and actions to be used to implement the ISS must be based on common values including the rule of law and respect of fundamental rights as laid down in the EU Charter of Fundamental Rights. In this context, it stipulates that ‘Where efficient law enforcement in the EU is facilitated through information exchange, we must also protect the privacy of individuals and their fundamental right to protection of personal data’.

20.

That is a welcome statement. However as such it cannot be considered as sufficiently addressing the issue of data protection in the ISS. The Communication neither elaborates on data protection (11) nor explains how respect for privacy and protection of personal data will be ensured in practice in the actions implementing the ISS.

21.

According to the EDPS ISS in Action should have as one of its objectives a broadly understood protection which would ensure the right balance between on the one hand, the protection of citizens against the existing threats and, on the other hand, the protection of their privacy and the right to the protection of personal data. In other words, security and privacy concerns must be equally taken serious in the development of the ISS which would be in line with the Stockholm Programme and the Council Conclusions.

22.

In short, providing security while fully respecting privacy and data protection should be mentioned as a very objective of the EU Internal Security Strategy. This should be reflected in all actions taken by Member States and EU institutions to implement the strategy.

23.

In this context the EDPS refers to the Communication (2010) 609 on a comprehensive approach on personal data protection in the European Union. (12) The EDPS will soon issue an opinion on this Communication, but emphasises here that efficient ISS can not be put in place without the support of a solid data protection scheme complementing it and providing for mutual trust and better effectiveness.

24.

It is clear that some of the actions that derive from the ISS objectives may increase the risks for individuals’ privacy and data protection. To counterbalance these risks, the EDPS would like to specifically draw attention to such concepts as ‘Privacy by design’, privacy and data protection impact assessment, data subject rights and best available techniques (BATs). All of them should be taken into account in the implementation of the ISS and can usefully contribute to more privacy friendly and data protection oriented policies in this field.

25.

The EDPS has advocated on various occasions and in various opinions the concept of ‘built in’ privacy (‘Privacy by design’ or ‘Privacy by default’). This concept is currently developed both for the private and public sector, and therefore must also play an important role in the context of EU internal security and the area of police and justice (13).

26.

The Communication does not mention this concept. The EDPS suggests that this concept is referred to in the targeted actions to be proposed and undertaken to implement the ISS, in particular in the context of Objective 4 ‘Strengthen security through border management’ where there is clear mention of an enhanced use of new technologies for border checks and border surveillance.

27.

The EDPS encourages the Commission to reflect — as part of the future work on the design and implementation of the ISS based on the Communication — on what should be meant by a real ‘privacy and data protection impact assessment’ (PIA) in the area of freedom, security and justice, and in particular in the ISS.

28.

The Communication refers to threat and risk assessments. This is welcomed. However it does not — in any point — refer to privacy and data protection impact assessments. The EDPS believes that the work on the implementation of the Communication on ISS provides a good opportunity to elaborate such privacy and data protection impact assessments in the context of internal security. The EDPS notes that neither the Communication nor the Commission's Impact Assessment Guidelines (14) specifies this aspect and develops it into a policy requirement.

29.

Therefore, the EDPS recommends that in the implementation of future instruments a more specific and rigorous impact assessment on privacy and data protection is conducted, either as a separate assessment or as part of the general fundamental rights’ impact assessment carried out by the Commission. This impact assessment should not only state general principles or analyze policy options, as it is the case currently, but should also recommend specific and concrete safeguards.

30.

Consequently, specific indicators and features should be developed to ensure that each proposal having impact on privacy and data protection in the field of EU Internal Security is subject to thorough consideration, including such aspects as proportionality, necessity and purpose limitation principle.

31.

Additionally, it could be helpful in this context to refer to Article 4 of the RFID Recommendation (15) in which the Commission called upon the Member States to ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments. Furthermore, the Madrid Resolution, adopted in November 2009 by the International Conference of Privacy and Data Protection Commissioners, encouraged the implementation of PIAs prior to the implementation of new information systems and technologies for the processing of personal data or substantial modifications in existing processing.

32.

The EDPS notes that the Communication does not address specifically the issue of the data subjects' rights which constitute a vital element of data protection and should have impact on the design of ISS. It is essential to ensure that across all different systems and instruments dealing with EU internal security, the persons subject to them enjoy similar rights relating to how their personal data are processed.

33.

Many of the systems referred to in the Communication establish specific rules on data subjects' rights (targeting also such categories of persons as victims, suspected criminals or migrants), but there is a lot of variation between the systems and instruments, without good justification.

34.

Therefore, the EDPS invites the Commission to look more carefully into the issue of the alignment of data subjects' rights in the EU in the context of the ISS and Information Management Strategy in the near future.

35.

Particular attention should be paid to redress mechanisms. The ISS should guarantee that whenever individuals’ rights have not been fully respected, data controllers should provide for complaints procedures which are easily accessible, effective and affordable.

36.

The implementation of the ISS will inevitability build upon the use of an IT infrastructure that will support the actions envisaged in the Communication. Best Available Techniques (BATs) can be seen as enablers of the correct balance between the achievement of the objectives of the ISS and respect of the rights of individuals. In the present context, the EDPS would like to reiterate the recommendation made in previous opinions (16) regarding the need for the Commission to define and promote together with industry stakeholders concrete measures for the application of BATs. Such application means the most effective and advanced stage in the development of activities and their methods of operation, which indicate the practical suitability of particular techniques for providing the results envisioned in an efficient way and in compliance with the privacy and data protection EU framework. This approach is fully in line the ‘privacy by design’ approach, mentioned before.

37.

Where relevant and feasible, reference documents on BATs should be elaborated to provide guidance and greater legal certainty for the actual implementation of the measures framed by the ISS. This could also promote the harmonisation of such measures throughout the different Member States. Last but not least, the definition of privacy and security friendly BATs will facilitate the supervisory role of Data Protection Authorities by providing them with privacy and data protection compliant technical references adopted by data controllers.

38.

The EDPS also notes the importance of a correct alignment of the ISS with the activities already carried out under the seventh Framework Programme for Research and Technological Development and the Security and Safeguarding Liberties Framework Program. A joint vision pursuing to provide BATs will enable the innovation in the knowledge and capabilities required to protect citizens while respecting fundamental rights.

39.

Finally, the EDPS points to the role which European Network and Information Security Agency (ENISA) can play in the elaboration of guidelines and the assessment of the security capabilities required to ensure the integrity and availability of the IT systems, and also in the promotion of these BATs. With regard to this, the EDPS welcomes the inclusion of the Agency as key player in the improvement of capabilities for dealing with cyber attacks and fighting against cybercrime (17).

40.

In this context, more clarification is also needed when it comes to the actors which form part of or contribute to the ISS architecture. The Communication refers to various actors and stakeholders such as citizens, judiciary, EU agencies, national authorities, police, and business. The specific roles and competences of these actors should be better addressed in the specific actions to be proposed in the implementation of the ISS.

41.

The Communication refers to the fact that with the Lisbon Treaty, the EU is better placed to exploit synergies between border management policies on persons and goods. In relation to movement of persons, it mentions that ‘the EU can treat migration management and the fight against crime as twin objectives of the integrated border management strategy’. The document perceives border management as a potentially powerful means of disrupting serious and organised crime (18).

42.

The EDPS also notes that the Communication identifies three strategic strands: 1) an enhanced use of new technology for border checks (the SIS II, VIS, entry/exit system and registered traveller programme); 2) an enhanced use of new technology for border surveillance (European Border Surveillance System, EUROSUR) and 3) an enhanced coordination of Member States through FRONTEX.

43.

The EDPS wishes to use the opportunity of this Opinion to recall his requests made in a number of previous opinions that a clear policy on border management — fully respecting data protection rules — is established at EU level. The EDPS believes that the current work on the ISS and Information Management are very good occasions to take more concrete steps towards a coherent policy approach to these areas.

44.

The EDPS notes that the Communication does not only refer to the existing large scale-systems and those that might be put in operation in the near future (such as SIS, SIS II and VIS), but — in the same lines — also to the systems that might be proposed by the Commission in the future but the decision on which has not been taken yet (i.e. Registered Travellers Programme (RTP) and Entry/exit system). It should be recalled in this context that the objectives and legitimacy of the introduction of these systems still need to be clarified and demonstrated, also in light of the results of specific impact assessments carried out by the Commission. If this does not happen, the Communication can be read as anticipating the decision making process, and consequently not taking into account the fact that the final decision on whether the RTP and the entry/exit system should be introduced in the European Union has not yet been taken.

45.

The EDPS therefore suggests that in the future work on the implementation of the ISS, such anticipations are avoided. As mentioned earlier, any decision on the introduction of new privacy intrusive large-scale systems should only take place after an adequate evaluation of all existing systems has taken place, with due regard to necessity and proportionality.

46.

The Communication mentions that the Commission will present a legislative proposal to set up EUROSUR in 2011 to contribute to internal security and the fight against crime. It is also mentioned that EUROSUR will make use of new technologies developed through EU funded research projects and activities, such as satellite imagery to detect and track targets at the maritime border, e.g. tracing fast vessels transporting drugs to the EU.

47.

In this context, the EDPS notes that it is not clear whether and if so to which extent the legislative proposal on EUROSUR to be presented by the Commission in 2011 will also envisage the processing of personal data in the context of EUROSUR. The Commission has not taken a clear position on this in the Communication. This issue is even more relevant given that the Communication makes clear links between EUROSUR and FRONTEX at tactical, operational and strategic level (see comments below on FRONTEX) and asks for close cooperation between the two.

48.

The EDPS has issued an opinion on the revision of the FRONTEX Regulation on 17 May 2010 (19) in which he called for real debate and in-depth reflection on the issue of data protection in the context of strengthening the existing tasks of FRONTEX and granting it new responsibilities.

49.

The Communication refers to the need to enhance the contribution of FRONTEX at the external borders under Objective 4 Strengthen security through border management. In this context, the Communication mentions that based on experience and in the context of the EU overall approach to information management, the Commission considers that enabling FRONTEX to process and use this information, with a limited scope and in accordance with clearly defined personal data management rules, will make a significant contribution to dismantling criminal organisations. This is a new approach compared to the Commission proposal on the revision of the FRONTEX Regulation, currently subject to discussion in the European Parliament and the Council, which was silent about processing of personal data.

50.

Against this background, the EDPS welcomes the fact that the Communication provides for some indication as to the circumstances when such processing might prove necessary (e.g. risk analysis, better performance of joint operations or exchange of information with Europol). More specifically, the Communication explains that currently the information on criminals involved in trafficking networks — which FRONTEX comes across — cannot be further used for risk analysis or better targeting future joint operations. Moreover, relevant data on suspected criminals do not reach the competent national authorities or Europol for further investigations.

51.

Nevertheless, the EDPS notes that the Communication does not refer to the ongoing discussion on the revision of the FRONTEX legal framework which, as mentioned earlier, tackles this issue in order to provide for legislative solutions. Moreover, the wording of the Communication emphasising the role of FRONTEX in the context of the objective to dismantle criminal organisations, can be read as broadening the mandate of FRONTEX. The EDPS suggests that this point is taken into account both in the revision of the FRONTEX Regulation and in the implementation of ISS.

52.

The EDPS also draws attention to the need to ensure that there is no duplication of tasks between Europol and FRONTEX. In that context, the EDPS welcomes that the Communication mentions that duplication of tasks between FRONTEX and Europol should be avoided. However, this issue should also be more clearly addressed both in the revised FRONTEX Regulation and in the actions implementing the ISS which provide for close cooperation between FRONTEX and EUROPOL. This is of particular importance from the point of view of the principles of purpose limitation and data quality. This remark also applies to the future cooperation with such agencies as the European network and Information Security Agency (ENISA) or the European Asylum Support Office.

53.

The Communication does not address specifically the current phenomenon of the increased use of biometric data in the area of freedom, security and justice, including the EU large-scale IT systems and other border management tools.

54.

The EDPS therefore takes this opportunity to recall his suggestion (20) that this matter of high sensitivity from the perspective of data protection is taken seriously into account in the implementation of the ISS, in particular in the context of border management.

55.

The EDPS also recommends that a clear and strict policy on the use of biometrics in the area of freedom, security and justice based on a serious evaluation and a case-by-case assessment of the need for the use of biometrics in the context of the ISS, with full respect for such fundamental data protection principles as proportionality, necessity and purpose limitation, is developed.

56.

The Communication announces that the Commission will develop in 2011 a policy for the EU to extract and analyse financial messaging data held on its own territory. In this context, the EDPS refers to his Opinion of 22 June 2010 on processing and transfer of Financial Messaging Data from the EU to the US for purposes of the Terrorist Finance Tracking Programe (TFTP II) (21). All critical remarks expressed in that Opinion are equally valid and applicable in the context of the envisaged work on a EU framework on financial messaging data. Therefore, they should be taken into account in the discussions on this issue. Particular attention should be paid to the proportionality of extracting and processing large amounts of data on people who are not suspects, and to the issue of effective oversight by independent authorities and by the judiciary.

57.

The EDPS welcomes the importance attached in the Communication to preventive actions at EU level and is of the view that the strengthening of security in IT networks is an essential factor contributing to a well-functioning information society. Also, the EDPS supports the specific activities improving capacities to deal with cyber attacks, building capacities in law enforcement and judiciary bodies, and creating partnerships with the industry to empower citizens and business. Also, ENISA’s role as facilitator of many of the actions provided in this objective is welcome.

58.

However, the ISS in Action does not elaborate on law enforcement actions envisaged in cyberspace, how these activities could put individual rights at risk and what the required safeguards should be. The EDPS calls for a more ambitious approach on appropriate guarantees; this approach should be set forth to protect the fundamental rights of all individuals, including those who may be affected by actions designed to counter any possible criminal activities in this area.

59.

The EDPS asks for linking various EU strategies and Communications in the process of the implementation of the ISS. This approach should be followed by a concrete action plan supported by a real assessment of needs, the outcome of which should be a comprehensive, integrated and well-structured EU policy on ISS.

60.

The EDPS also takes this opportunity to highlight the importance of the legal requirement of a real assessment of all existing instruments to be used in the context of the ISS and information exchange before proposing new ones. In this context, the inclusion of provisions requiring regular assessments of the efficiency of relevant instruments is highly recommended.

61.

The EDPS suggests that in the preparation of the Multi-Annual Strategic Plan requested by the November 2010 Council Conclusions, account is taken of the ongoing work on the comprehensive data protection framework on the basis of Article 16 TFEU, in particular Communication (2009) 609.

62.

The EDPS makes a number of suggestions on notions and concepts relevant from a data protection perspective which should be taken into account in the field of ISS, such as Privacy by design, Privacy and Data Protection Impact Assessment, Best Available Techniques.

63.

The EDPS recommends that in the implementation of future instruments an impact assessment on privacy and data protection is conducted, either as a separate assessment or as part of the general fundamental rights’ impact assessment carried out by the Commission.

64.

He also invites the Commission to develop a more coherent and consistent policy on the prerequisites for use of biometrics in the field of ISS, and more alignment at EU level in terms of data subjects' rights.

65.

The EDPS finally makes a number of comments on the processing of personal data in the context of border management and in particular by FRONTEX and possibly in the context of EUROSUR.

1.4.2011   

EN

Official Journal of the European Union

C 101/14

1.

On 11 October 2010, the European Commission adopted an Amended proposal for a Regulation of the European Parliament and of the Council on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EC) No (…/…) (establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person) (‘the Proposal’) (3). On the same day, the Proposal as adopted by the Commission was sent to the EDPS for consultation in accordance with Article 28(2) of Regulation (EC) No 45/2001. The EDPS welcomes the fact that he is consulted by the Commission and asks that reference to this consultation is made in the recitals of the Proposal.

2.

Eurodac was established by Regulation (EC) No 2725/2000 concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of the Dublin Convention (4). A recast proposal for the amendment of the Eurodac Regulation was adopted by the Commission in December 2008 (5) (hereafter the December 2008 proposal). The EDPS commented on that proposal in an opinion of February 2009 (6).

3.

The December 2008 proposal was designed to ensure a more efficient support to the application of the Dublin Regulation and to properly address data protection concerns. It also aligned the IT management framework to that of the SIS II and VIS Regulations by providing for the taking over of the tasks of the operational management for Eurodac by the future Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (7) (hereinafter: IT Agency) (8).

4.

The Commission then adopted an amended proposal in September 2009 in which it introduced the possibility for Member States’ law enforcement authorities and Europol to access the Eurodac central database for the purposes of prevention, detection and investigation of terrorist offences and other serious criminal offences.

5.

In particular, that proposal introduced a bridging clause to allow access for law enforcement purposes as well as the necessary accompanying provisions and amended the December 2008 proposal. It was presented at the same time as a Proposal for a Council Decision on requesting comparisons with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes (9) (hereafter: the Council Decision), spelling out the exact modalities of such access. The EDPS issued an opinion on this proposal in December 2009 (10).

6.

With the entry into force of the Lisbon Treaty and the abolition of the pillar system, the proposal for a Council Decision lapsed; it had to be formally withdrawn and replaced with a new proposal to take account of the new framework of the TFEU.

7.

The Explanatory Memorandum to the Proposal states that, with a view to progressing on the negotiations on the asylum package (11) and facilitating the conclusion of an agreement on the Eurodac Regulation, the Commission has found it more appropriate to withdraw from the Eurodac Regulation those provisions referring to the access for law enforcement purposes.

8.

The Commission also considers that withdrawing that (rather controversial) part of the proposal and enabling thereby the swifter adoption of the new Eurodac Regulation will also facilitate the timely set up of the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, since that Agency is planned to be also responsible for the management of Eurodac.

9.

As a consequence, while the present amended proposal introduces two technical provisions, its main purpose is to amend the previous proposal (i.e. from September 2009) by deleting from it the option of access for law enforcement purposes. It was therefore not considered necessary to conduct a new impact assessment specifically for the present proposal.

10.

The EDPS has already contributed several opinions in this area, as mentioned above. The purpose of the present opinion is to recommend improvements to the proposal; these recommendations are either based on new developments or on recommendations previously made and not yet taken on board, in situations where the EDPS finds that his arguments have not been met adequately or that these recommendations are supported by new arguments.

11.

The present opinion will focus on the following points:

12.

The EDPS welcomes the fact that the possibility to give law enforcement an access to Eurodac has been left out of the current proposal. Indeed, while the EDPS does not dispute that governments need appropriate instruments to guarantee the security of the citizen, he had expressed strong doubts as to the legitimacy of this proposal, based on the following considerations.

13.

Measures to combat terrorist offences and other serious offences can be a legitimate ground to allow processing of personal data — even if incompatible with the purposes for which the data were originally collected — provided that the necessity of the intrusion is supported by clear and undeniable elements, and the proportionality of the processing is demonstrated. This is all the more required since the proposals concern a vulnerable group in need of higher protection because they flee from persecution. Their precarious position has to be taken into account in the assessment of the necessity and proportionality of the proposed action. The EDPS emphasised, more concretely, that the necessity should be proven by the demonstration of substantial evidence of a link between asylum applicants and terrorism and/or serious crime. This had not been done in the proposals.

14.

On a more general level, the EDPS has advocated the need for assessment of all existing instruments on information exchange before proposing new ones in numerous opinions and comments, and with particular emphasis in the recent opinions on the ‘Overview of information management in the area of freedom, security and justice’ (12) and on ‘the EU Counter-Terrorism Policy: main achievements and future challenges’ (13).

15.

Indeed, assessing the effectiveness of existing measures while considering the impact on privacy of new envisaged measures is crucial and should vest an important role in European Union's action in this area, in line with the approach put forward by the Stockholm Programme. In this case, special attention should for instance be devoted to the implementation of exchange of data under the Prüm mechanism. Exchange of fingerprints is foreseen in this context, and it should be demonstrated that the system has severe insufficiencies which justifies the access to a database such as Eurodac.

16.

Finally, in these opinions as in many others before, the EDPS recommends that special attention be paid to those proposals resulting in collections of personal data of broad categories of citizens, rather than only suspects. Specific consideration and justification should also be given to those cases where processing of personal data is foreseen for purposes other than those for which they were initially collected, such as in Eurodac.

17.

In conclusion, the EDPS welcomes the deletion of this element from the current proposal.

18.

The collection and further processing of fingerprints obviously occupy a central place in the Eurodac system. It should be emphasized that the processing of biometric data such as fingerprints poses specific challenges and creates risks which have to be addressed. In the context of the Proposal, the EDPS wants to specifically underline the problem of so-called ‘failure to enrol’ — the situation in which a person finds him/herself if for some reason, their fingerprints are not usable.

19.

Failure to enrol may occur when individuals have temporarily or permanently damaged fingertips or hands. This may be due to various factors, such as illness, disability, wounds and burns. It can also in some cases, be linked to ethnicity or occupation. In particular, it seems that a non-trivial number of agricultural and construction workers have fingerprints which are damaged to the point of being unreadable. In other cases, the frequency of which is difficult to evaluate, it may happen that refugees self-mutilate, in order to avoid being fingerprinted.

20.

The EDPS recognises that it can be difficult to distinguish those third country nationals who have voluntarily damaged their fingerprints to frustrate the identification process from those with genuinely unreadable fingerprints.

21.

It is however extremely important to ensure that ‘failure to enrol’ on its own does not lead to a denial of rights for asylum seekers. It would not be acceptable, for instance, that failure to enrol would be construed systematically as an attempt to fraud and would lead to a refusal to examine an asylum application or a withdrawal of assistance to the asylum seeker. If it were the case, it would mean that the possibility to be fingerprinted would be one of the criteria to recognise the status of asylum seeker. The purpose of Eurodac is to facilitate the application of the Dublin Convention, and not to add a criterion (‘having usable fingerprints’) for granting someone the status of asylum seeker. This would be a violation of the purpose limitation principle, and of at least the spirit of the right to asylum.

22.

Finally, the EDPS also insists that the present proposal should be consistent with the other directives relevant in this area. In particular, the ‘Qualification Directive’ insists that each application shall be considered on its own merit, and does certainly not mention the impossibility to enrol as a criterion for examining the asylum application (14).

23.

The current proposal already envisages partly the failure to enrol in its Articles 6.1 and 6.2 (15).

24.

However, these provisions only envisage the hypothesis of temporary failure to enrol, whereas in a significant number of cases this impossibility will be permanent. Article 1 of the Regulation amending the Common Consular Instructions (16) provides for such cases and stipulates that: ‘(…) Member States shall ensure that appropriate procedures guaranteeing the dignity of the applicant are in place in the event of there being difficulties in enrolling. The fact that fingerprinting is physically impossible shall not influence the grant or refusal of a visa’.

25.

In order to cater for these cases in the context of Eurodac, the EDPS recommends adding to Article 6 a provision inspired by this, along the following line: ‘Temporary or permanent impossibility to provide usable fingerprints shall not adversely affect the legal situation of the individual. In any case, it can not represent sufficient grounds to refuse to examine or to reject an asylum application’.

26.

The EDPS notes that effective implementation of the right to information is crucial for the proper functioning of Eurodac. In particular, it is essential to ensure that information is provided in a way that enables the asylum seeker to fully understand his situation as well as the extent of the rights, including the procedural steps he/she can take as follow-up to the administrative decisions taken in his/her case. The EDPS also reminds that the right of access is a cornerstone of data protection, as mentioned in particular in Article 8 of the EU Charter of Fundamental Rights.

27.

The EDPS had already underlined this item in his previous opinion on Eurodac. Since the proposed modification has not been accepted, the EDPS wants to emphasize the importance of this question.

28.

Article 24 of the Proposal reads as follows:

‘A person covered by this Regulation shall be informed by the Member State of origin in writing, and where appropriate, orally, in a language which he or she understands or may reasonably be presumed to understand of the following:

(…)

29.

The EDPS suggests that the wording of Article 24 should be reformulated to clarify the rights to be given to the applicant. The wording as proposed is unclear, as it can be interpreted as considering ‘the right to receive information on the procedures for exercising those rights (…)’ apart from the right of access to data and/or the right to request inaccurate data be corrected (…). Moreover, according to the current wording of the above-mentioned provision, the Member States are to inform the person covered by the Regulation not of the content of the rights but of their ‘existence’. As the latter seems to be only a stylistic issue, the EDPS suggests that Article 24 be redrafted as follows: ‘A person covered by this Regulation shall be informed by the Member State of origin (…) of (…)(g) the right of access to data relating to him/her, and the right to request that inaccurate data relating to him/her be corrected or that unlawfully processed data relating to him/her be deleted’.

30.

Article 4(1) of the Proposal stipulates: ‘After a transitional period, a Management Authority, funded from the general budget of the European Union, shall be responsible for the operational management of Eurodac. The Management Authority shall ensure, in cooperation with the Member States, that at all times the best available technology, subject to a cost-benefit analysis, is used for the Central System’. Although the EDPS welcomes the requirement laid down in Article 4(1), he wishes to note that the expression ‘best available technology’ referred to in the above-mentioned provision, should be replaced with the wording ‘best available techniques’ which includes both the technology used and the way in which the installation is designed, built, maintained and operated.

31.

This is important because the concept of ‘best available techniques’ is broader and covers various aspects contributing to the application of ‘Privacy by Design’ which is considered a key principle in the review of the EU data protection legal framework. It underlines that data protection can be implemented through different means, not all of a technological nature. It is indeed important to examine not only the technology but also the way the technology is used as a tool to achieve the purpose of the data processing at hand. Business processes must be oriented toward the achievement of this purpose which is translated into procedures and organisational structures.

32.

In this regard, and on a more general level, the EDPS would like to reiterate the recommendation made in previous opinions (17) regarding the need for the Commission to define and promote together with industry stakeholders ‘Best Available Techniques’ following the same procedure adopted by the Commission in the environmental field (18). ‘Best Available Techniques’ would mean the most effective and advanced stage in the development of technology and their methods of operation which indicate the practical suitability of particular techniques for providing, in compliance with the privacy and data protection EU framework, a defined detection threshold. These BATs will be designed to prevent and, where that is not practicable, to mitigate to an appropriate level the security risks related to this data processing and minimize as much as possible their impact on privacy.

33.

This process should also provide reference documents on ‘Best Available Techniques’ which may offer very useful guidance for the management of other EU large-scale IT systems. It will also enhance the harmonisation of such measures throughout the EU. Last but not least, the definition of privacy and security friendly BATs will facilitate the supervisory role of Data Protection Authorities by providing them privacy and data protection compliant technical references adopted by data controllers.

34.

The EDPS notes that the Proposal does not address the issue of subcontracting parts of the tasks of the Commission (19) to another organisation or entity (such as a private company). Nevertheless, subcontracting is commonly used by the Commission in the development and management both of the system and the communication infrastructure. While subcontracting of activities does not in itself run contrary to data protection requirements, important safeguards should be put in place to ensure that the applicability of Regulation (EC) No 45/2001, including the data protection supervision by the EDPS, remains entirely unaffected by the subcontracting. Furthermore, additional safeguards of a more technical nature should also be adopted.

35.

In this regard, the EDPS suggests that similar legal safeguards as envisaged in the SIS II legal instruments should be provided mutatis mutandis in the framework of the revision of the Eurodac Regulation, specifying that even when the Commission subcontracts a part of its tasks to another body or organisation, it shall ensure that the EDPS has the right and is able to fully exercise his tasks, including carrying out on-the-spot checks and to exercise any other powers conferred on him by Article 47 of Regulation (EC) No 45/2001.

36.

The EDPS welcomes the fact that he is consulted by the Commission and asks that reference to this consultation is made in the recitals of the Proposal.

37.

The EDPS welcomes the fact that the possibility to give law enforcement an access to Eurodac has been left out of the current proposal.

38.

The collection and further processing of fingerprints occupy a central place in the Eurodac system. The EDPS emphasizes that the processing of biometric data such as fingerprints poses specific challenges and creates risks which have to be addressed. In particular, the EDPS underlines the problem of so-called ‘failure to enrol’ — the situation in which a person finds him/herself if for some reason, their fingerprints are not usable. Failure to enrol on its own should not lead to a denial of rights for asylum seekers.

39.

The EDPS recommends adding to Article 6a of the proposal a provision along the following line: ‘Temporary or permanent impossibility to provide usable fingerprints shall not adversely affect the legal situation of the individual. In any case, it can not represent sufficient grounds to refuse to examine or to reject an asylum application’.

40.

The EDPS notes that effective implementation of the right to information is crucial for the proper functioning of Eurodac, so as to ensure that information is provided in a way that enables the asylum seeker to fully understand his situation, as well as the extent of the rights, including the procedural steps he/she can take as follow-up to the administrative decisions taken in his/her case. The EDPS suggests that the wording of Article 24 of the Proposal should be reformulated to clarify the rights to be given to the asylum applicant.

41.

The EDPS recommends amending Article 4(1) of the Proposal, using the expression ‘Best Available Techniques’ instead of ‘Best Available Technologies’. Best Available Techniques include both the technology used and the way in which the installation is designed, built, maintained and operated.

42.

The EDPS recommends as regards on the issue of subcontracting a part of the Commission tasks to another organisation or entity (such as a private company) that safeguards should be put in place to ensure that the applicability of Regulation (EC) No 45/2001, including the data protection supervision by the EDPS remains entirely unaffected by the subcontracting of activities. Furthermore, additional safeguards of a more technical nature should also be adopted.

1.4.2011   

EN

Official Journal of the European Union

C 101/20

1.

On 30 September 2010, the Commission adopted a proposal for a Regulation of the European Parliament and of the Council concerning ENISA, the European Network and Information Security Agency (3).

2.

ENISA was established in March 2004 for an initial period of five years by Regulation (EC) No 460/2004 (4). In 2008, Regulation (EC) No 1007/2008 (5) extended the mandate until March 2012.

3.

As follows from Article 1(1) of Regulation (EC) No 460/2004, the Agency was established for the purpose of ensuring a high and effective level of network and information security within the Union and for contributing to the smooth functioning of the internal market.

4.

The Commission proposal intends to modernise the Agency, to strengthen its competences, and to establish a new mandate for a five year period that will enable the continuity of the Agency beyond March 2012 (6).

5.

The proposed Regulation finds its legal basis in Article 114 of the TFEU (7), which confers competence on the Union to adopt measures with the aim of establishing or ensuring the functioning of the internal market. Article 114 TFEU is the successor of Article 95 of the former EC Treaty on which the previous regulations on ENISA were based (8).

6.

The Explanatory Memorandum which accompanies the proposal refers to the fact that preventing and combating crime has become a shared competence following the entry into force of the Lisbon Treaty. This has created an opportunity for ENISA to play a role as a platform on Network Information Security (NIS) aspects of the fight against cybercrime and to exchange views and best practices with cyber defence, law enforcement and data protection authorities.

7.

Out of several options the Commission chose to propose an expansion of the tasks of ENISA and to add law enforcement and data protection authorities as fully fledged members of its permanent stakeholders’ group. The new list of tasks does not include operational ones, but updates and reformulates the current tasks.

8.

On 1 October 2010, the proposal was sent to the EDPS for consultation in accordance with Article 28(2) of Regulation (EC) No 45/2001. The EDPS welcomes that he was consulted on this matter and recommends that a reference to this consultation is made in the recitals of the proposal, as is usually done in legislative texts on which the EDPS has been consulted in accordance with Regulation (EC) No 45/2001.

9.

Prior to the adoption of the proposal, the EDPS has been informally consulted and provided several informal comments. However, none of these remarks were taken into account in the final version of the proposal.

10.

The EDPS underlines that security of data processing is a crucial element of data protection (9). In this respect, he welcomes the proposal's objective to strengthen the competences of the Agency so that it can fulfil more effectively its current tasks and responsibilities and at the same time, expand its field of activity. The EDPS furthermore welcomes the inclusion of data protection authorities and law enforcement bodies as fully fledged stakeholders. He considers the extension of ENISA's mandate a way to encourage at European level professional and streamlined management of security measures for information systems.

11.

The overall assessment of the proposal is positive. However, on several points the proposed Regulation is unclear or incomplete which raises concerns from a data protection perspective. These issues will be explained and discussed in the next chapter of this opinion.

12.

The expanded tasks of the Agency which relate to the involvement of law enforcement bodies and data protection authorities are formulated in a very general way in Article 3 of the proposal. The Explanatory Memorandum is more explicit in that respect. It refers to ENISA as interfacing with cybercrime law enforcement bodies and carrying out of non-operational tasks in the fight against cybercrime. However, these tasks have not been included or have only been mentioned in very general terms in Article 3.

13.

In order to avoid any legal uncertainty, the proposed Regulation should be clear and unambiguous about the tasks of ENISA. As stated, security of data processing is a crucial element of data protection. ENISA will play an increasingly important role in that area. It should be clear to citizens, institutions and bodies what kind of activities ENISA could be engaged in. Such dimension is even more important should the expanded tasks of ENISA include the processing of personal data (see pts. 17-20 below).

14.

Article 3(1)(k) of the proposal states that the Agency carries out any other task conferred on the Agency by another Union legislative act. The EDPS has concerns about this open ended clause since it creates a potential loophole that may affect the coherence of the legal instrument and could lead to ‘function creep’ of the Agency.

15.

One of the tasks referred to in Article 3(1)(k) of the proposal is contained in Directive 2002/58/EC (10). It provides that the Commission is required to consult the Agency on any technical implementing measures applicable to notifications in the context of data breaches. The EDPS recommends that this activity of the Agency is described in greater detail while delimiting it to the security area. Given the potential impact ENISA might have on the policy development in this area, this activity should have a clearer and more prominent position within the proposed Regulation.

16.

The EDPS furthermore recommends the inclusion of a reference to Directive 1999/5/EC (11) in Recital 21 given the particular task of ENISA referred in Article 3(1)(c) of the current proposal to assist the Member States and the European institutions and bodies in their efforts to collect, analyse and disseminate network and information security data. This should fuel ENISA promotional exercises in favour of NIS (Network Information Security) best practices and techniques, as it will better illustrate possible constructive interactions between the Agency and the standardisation bodies.

17.

The proposal does not specify whether the tasks attributed to the Agency might include the processing of personal data. Therefore, the proposal does not contain a specific legal basis for the processing of personal data, in the meaning of Article 5 of Regulation (EC) No 45/2001.

18.

However, some of the tasks attributed to the Agency might involve (at least to a certain extent) the processing of personal data. It is, for instance, not excluded that the analysis of security incidents and data breaches or the execution of non-operational functions in the fight against cybercrime might involve the collection and analysis of personal data.

19.

Recital 9 of the proposal refers to the provisions contained in Directive 2002/21/EC (12) which establish that where appropriate, the Agency is notified by the national regulatory authorities in the event of security breaches. The EDPS recommends that the proposal is more detailed about which notifications are meant to be sent to ENISA and about how ENISA should respond to these. Equally, the proposal should address the personal data processing implications that might arise from the analysis of these notifications (if any).

20.

The EDPS invites the legislator to clarify whether, and if so which ENISA activities listed in Article 3 will include the processing of personal data.

21.

Although ENISA plays an important role in the discussion on network and information security in Europe, the proposal is almost silent on the establishment of security measures for the Agency itself (either or not related to the processing of personal data).

22.

The EDPS is of the opinion that the Agency will be in an even better position to promote good practices in relation to security of data processing if such security measures are strongly applied internally by the agency itself. This will foster that the Agency is recognised not only as centre of expertise but also as a point of reference in the practical implementation of Best Available Techniques (BATs) in the field of security. Striving for excellence in security practices implementation should therefore be embedded within the Regulation governing the working procedures of the Agency. The EDPS therefore suggests adding a provision in this sense to the proposal, for instance by requiring that the Agency applies Best Available Techniques which means the most effective and advanced security procedures and their methods of operation.

23.

This approach will allow the Agency to advise on the practical suitability of particular techniques for providing the required security safeguards. Furthermore, the implementation of these BATs should prioritise those ones that allow ensuring the security while at the same time minimising as much as possible the impact on privacy. Techniques which are better in line with the ‘privacy by design’ concept should be selected.

24.

Even with a less ambitious approach, the EDPS recommends, at a minimum, that the Regulation contains the following requirements: (i) the creation of an internal security policy following a comprehensive risk assessment and taking into account international standards and best practices in Member States, (ii) the appointment of a security officer in charge of implementing the policy with the adequate resources and authority, (iii) the approval of this policy after a close examination of the residual risk and the controls proposed by the Management Board, and (iv) a periodic review of the policy with a clear statement of the periodicity timeframe chosen and the objectives of the review.

25.

As already stated, the EDPS welcomes the extension of the Agency's mandate and believes that data protection authorities can greatly benefit from the existence of the Agency (and the Agency from the expertise of these authorities). Given the natural and logical convergence between security and data protection, the Agency and data protection authorities are indeed called to collaborate closely.

26.

Recitals 24 and 25 contain a reference to the proposed EU Directive on cybercrime and mention that the Agency should liaise with law enforcement bodies and also data protection authorities with respect to the information security aspects of the fight against cybercrime (13).

27.

The proposal should also provide concrete channels and collaboration mechanisms that will (i) ensure the consistency of the activities of the Agency with those of the data protection authorities and (ii) enable close cooperation between the Agency and the data protection authorities.

28.

With regards to consistency, recital 27 explicitly refers to the fact that Agency tasks should not enter into conflict with Member States’ data protection authorities. The EDPS welcomes this reference, but notes that no reference is made to the EDPS and the Article 29 Working Party. The EDPS recommends the legislator to also include a similar non-interference provision in the proposal with regard to these two entities. This will create a clearer working environment for all the parties and should frame the collaboration channels and mechanisms that will enable the Agency to assist the different data protection authorities and the Article 29 Working Party.

29.

Accordingly, with regard to close cooperation, the EDPS welcomes the inclusion of a representation of data protection authorities in the Permanent Stakeholders’ group that will advise the Agency in the performance of its activities. He recommends that it is explicitly mentioned that such representation from national data protection authorities should be appointed by the Agency on the basis of a proposal from the Article 29 Working Party. Also, it would be appreciated if a reference were included that provides for the attendance of the EDPS, as such, to those meetings where issues, which are relevant for the cooperation with the EDPS, are meant to be discussed. Moreover, the EDPS recommends that the Agency (advised by the Permanent Stakeholders’ group and with the approval of the Management Board) establishes ad hoc working groups for the different topics where data protection and security overlap to frame this close cooperation effort.

30.

Finally, in order to avoid any possible misunderstanding, the EDPS recommends using ‘data protection authorities’ instead of ‘privacy protection authorities’ and clarify who those authorities are by including a reference to Article 28 of Directive 95/46/EC and the EDPS as provided in Chapter V of Regulation (EC) No 45/2001.

31.

The EDPS notes an inconsistency in the proposed Regulation with regard to who can request assistance from ENISA. From recitals 7, 15, 16, 18 and 36 of the proposal, it follows that ENISA has the capacity to assist Member States bodies and the Union as a whole. However, Article 2(1) only refers to the Commission and the Member States, whereas Article 14 restricts the capacity to make requests for assistance to: (i) the European Parliament, (ii) the Council, (iii) the Commission and (iv) any competent body appointed by a Member State leaving out some of the institutions, bodies, agencies and offices of the Union.

32.

Article 3 of the proposal is more specific and envisages different types of assistance depending on the type of beneficiaries: (i) collection and analysis information security data (in the case of Member States and the European institutions and bodies), (ii) analysis of the state of network and information security in Europe (in the case of Member States and the European institutions), (iii) promotion of the use of risk management and security good practices (across the Union and the Member States), (iv) develop network and information security detection (in the European institutions and bodies) and (v) collaboration in the dialogue and cooperation with third countries (in the case of the Union).

33.

The EDPS invites the legislator to remedy this inconsistency and align the aforementioned provisions. In this respect, the EDPS recommends that Article 14 is amended in a way that it indeed includes all institutions, bodies, offices and agencies of the Union and that it is clear as to the type of assistance that can be required by the different entities within the Union (in case this differentiation is envisaged by the legislator). In the same direction, it is recommended that certain public and private entities could request assistance from the Agency if the support demanded shows a clear potential from an European perspective, and it is aligned with the objectives of the Agency.

34.

The Explanatory Memorandum provides for enhanced competences of the Management Board as regards its supervisory role. The EDPS welcomes this increased role and recommends that several aspects concerning data protection are included among the functions of the Management Board. Additionally, the EDPS recommends that the Regulation specifies unambiguously who is entitled to: (i) establish measures for the application of Regulation (EC) No 45/2001 by the Agency, including those concerning the appointment of a Data Protection Officer, (ii) approve the security policy and the subsequent periodic revisions, and (iii) set the cooperation protocol with data protection authorities and law enforcement bodies.

35.

Although this is already required by Regulation (EC) No 45/2001, the EDPS suggests to include in Article 27 the appointment of the Data Protection Officer since this is of particular importance and should be accompanied by the prompt establishment of the implementing rules regarding the scope of powers and tasks to be entrusted to the Data Protection Officer in accordance with Article 24(8) of Regulation (EC) No 45/2001. More concretely, Article 27 could read as follows:

36.

In case a specific legal basis for the processing of personal data is required, as discussed in pts. 17-20 above, it should also provide for specification as to the necessary and appropriate safeguards, limitations and conditions under which such a processing would take place.

37.

The overall assessment of the proposal is positive and the EDPS welcomes the extension of the Agency’s mandate and the expansion of its tasks by the inclusion of data protection authorities and law enforcement bodies as fully fledged stakeholders. The EDPS considers that the continuity of the Agency will encourage at European level professional and streamlined management of security measures for information systems.

38.

The EDPS recommends that in order to avoid any legal uncertainty, the proposal should be clarified with regard to the expansion of the Agency’s tasks and in particular those that relate to the involvement of law enforcement bodies and data protection authorities. Also, the EDPS draws the attention to the potential loophole created by the inclusion of a provision in the proposal that allows the addition of new tasks to the Agency by any other Union legislative Act without any additional restriction.

39.

The EDPS invites the legislator to clarify whether, and if so which of ENISA’s activities will include the processing of personal data.

40.

The EDPS recommends including provisions on the establishment of a security policy for the Agency itself, in order to reinforce the role of the Agency as enabler of excellence in security practices, and as promoter of privacy by design by integrating the use of best available techniques in security with the respect to personal data protection rights.

41.

The cooperation channels with data protection authorities, including the EDPS and the Article 29 Working Party, should be better defined with the aim of ensuring consistency and close cooperation.

42.

The EDPS invites the legislator to solve some inconsistencies with regard to the restrictions expressed on Article 14 concerning the capacity to request the assistance of the Agency. In particular, the EDPS recommends that these restrictions are waived and all institutions, bodies, agencies and offices of the Union are empowered to request assistance from the Agency.

43.

Finally, the EDPS recommends that the extended capacities of the Management Board include some concrete aspects that could enhance the assurance that good practices are followed within the Agency with regard to security and data protection. Among others, it is proposed to include the appointment of a data protection officer and the approval of the measures aimed at the correct application of Regulation (EC) No 45/2001.

1.4.2011   

EN

Official Journal of the European Union

C 101/25

—

in the merger section of the Competition website of the Commission (http://ec.europa.eu/competition/mergers/cases/). This website provides various facilities to help locate individual merger decisions, including company, case number, date and sectoral indexes,

—

in electronic form on the EUR-Lex website (http://eur-lex.europa.eu/en/index.htm) under document number 32011M6076. EUR-Lex is the on-line access to the European law.

1.4.2011   

EN

Official Journal of the European Union

C 101/26

1.4.2011   

EN

Official Journal of the European Union

C 101/27

European Court of Auditors

Communication and Reports Unit

12, rue Alcide De Gasperi

1615 Luxembourg

LUXEMBOURG

Tel. +352 4398-1

E-mail: euraud@eca.europa.eu

1.4.2011   

EN

Official Journal of the European Union

C 101/28

1.

‘Community air carrier’ means any air carrier with a valid operating licence issued in accordance with Regulation (EC) No 1008/2008 of the European Parliament and of the Council of 24 September 2008 on common rules for the operation of air services in the Community;

2.

‘traffic right’ means the right for an air carrier, in return for payment, to carry passengers, freight and/or mail on a given air link;

3.

‘Director-General’ means the Director-General of the Directorate-General for Air Transport;

4.

‘Directorate-General for Air Transport’ means the directorate responsible for air transport within the Federal Public Service for Mobility and Transport;

5.

‘scheduled air services’ means a series of flights accessible to the public and intended to ensure, either combined or individually, the transportation of passengers, mail and/or freight in return for payment. This series of flights is operated:

6.

‘bilateral aviation agreement’ means an aviation agreement concluded between Belgium and a non-Community country and any other aviation agreement between the European Union and a non-Community country;

7.

‘designation’ means the right granted to an air carrier to operate scheduled air services in the framework of a bilateral aviation agreement. Such designation may be granted to a single air carrier (single designation) or to several air carriers (multiple designation) in accordance with the provisions of the bilateral aviation agreement concerned;

8.

‘accessibility’ means the possibility, under a bilateral aviation agreement, to be designated and/or to operate the desired number of flights on a given route;

9.

‘Minister’ means the Minister responsible for aviation;

10.

‘IATA season’ means the summer or winter season as defined by the International Air Transport Association (IATA).

1.

the operating licence and the air operator certificate (AOC), unless those documents were issued by Belgium;

2.

the insurance certificate;

3.

evidence that the Community air carrier is established in Belgium in conformity with Community law;

4.

proof of operational capacity and financial fitness within the meaning of Regulation (EC) No 1008/2008 of the European Parliament and of the Council of 24 September 2008 on common rules for the operation of air services in the Community;

5.

the following information on the scheduled air services proposed:

6.

whether the applicant agrees to make available any necessary capacity to meet Belgium's national or international needs in exceptional circumstances.

1.

ask the Community air carrier for additional information; and/or

2.

hold hearings to which all applicants will be called.

1.

the number of Community air carriers that may be designated; or

2.

the number of flights which may be operated on specific routes.

1.

the number of Community air carriers which may be designated; or

2.

the frequency of operations on specific routes,

1.

if comments are expressed, the Minister will take a final decision on the allocation of traffic rights and/or designation within 15 working days following the receipt of such comments; that decision will be notified to applicants by registered letter and published on the website of the Federal Public Service for Mobility and Transport;

2.

if no comments are expressed, the draft decision will become the Minister’s final decision on the allocation of traffic rights and/or designation; that decision will be notified to the applicant(s) by registered letter and published on the website of the Federal Public Service for Mobility and Transport.

1.

the information referred to in Article 4 as submitted by the Community air carrier;

2.

the guarantees provided as regards operational continuity and its inclusion in a coherent business plan;

3.

whether optimum use is made of the limited traffic rights;

4.

the priority nature of the operations performed by a Community air carrier using its own (owned or leased) aircraft as compared with operations where the Community air carrier is satisfied to market flights operated by another air carrier by means of code-sharing arrangements;

5.

the interests of all categories of users;

6.

the ease of access to new routes, markets and regions, whether by means of new links or departures from or arrivals at different Belgian airports;

7.

the contribution towards ensuring a satisfactory level of competition;

8.

any effects of the operation on the creation of jobs, either directly or indirectly, in the air transport sector;

9.

as a secondary consideration, how long the Community air carrier has been actively and repeatedly expressing the desire to obtain the traffic rights which are the subject of its application.

1.

to start operating the air services concerned at the latest at the end of the IATA season following that during which the decision granting designation and/or allocating traffic rights was notified;

2.

to operate the air services concerned in accordance with the file referred to in Article 4. The difference between the original project and actual operations must not be so great that it might have led to another air carrier being chosen when designation was originally granted;

3.

to comply with any conditions laid down by the Director-General, the decisions made by the aviation authorities of the non-Community countries affected by the operation of the air services concerned and the permits issued by them as well as with all relevant international regulations;

4.

to notify the Director-General immediately of the cessation of, or any interruption in, the operation of the air services concerned. If any such interruption continues for more than two seasons, the decision to allocate traffic rights and/or grant designation will be automatically withdrawn at the end of the second season unless the Community air carrier can claim there were exceptional circumstances beyond its control.

1.

either to take no further action on the application;

2.

or to launch a new allocation procedure.

1.4.2011   

EN

Official Journal of the European Union

C 101/34

1.4.2011   

EN

Official Journal of the European Union

C 101/36

1.

On 23 March 2011, the Commission received notification of a proposed concentration pursuant to Article 4 of Council Regulation (EC) No 139/2004 (1) by which the undertakings Giesecke & Devrient GmbH (‘G&D’, Germany) and BEB Industrie-Elektronik AG (‘BEB’, Switzerland), which is controlled by Wincor Nixdorf International GmbH (‘WNI’, Germany), belonging to the Wincor Nixdorf Aktiengesellschaft group (Germany), acquire within the meaning of Article 3(1)(b) of the Merger Regulation joint control of the undertaking CI Tech Components AG (Switzerland) by way of transfer of assets and purchase of shares in a newly created company constituting a joint venture.

2.

The business activities of the undertakings concerned are:

3.

On preliminary examination, the Commission finds that the notified transaction could fall within the scope of the EC Merger Regulation. However, the final decision on this point is reserved. Pursuant to the Commission Notice on a simplified procedure for treatment of certain concentrations under the EC Merger Regulation (2) it should be noted that this case is a candidate for treatment under the procedure set out in the Notice.

4.

The Commission invites interested third parties to submit their possible observations on the proposed operation to the Commission.

Observations must reach the Commission not later than 10 days following the date of this publication. Observations can be sent to the Commission by fax (+32 22964301), by email to COMP-MERGER-REGISTRY@ec.europa.eu or by post, under reference number COMP/M.6144 — Giesecke & Devrient/Wincor Nixdorf International/BEB Industrie-Elektronik, to the following address:

1.4.2011   

EN

Official Journal of the European Union

C 101/38

1.

On 21 March 2011, the Commission received a notification of a proposed concentration pursuant to Article 4 of Council Regulation (EC) No 139/2004 (1) by which the undertaking MAN Truck & Bus AG (‘MAN Truck & Bus’, Germany), controlled by MAN SE (‘MAN’, Germany) acquires within the meaning of Article 3(1)(b) of the Merger Regulation sole control of the whole of MAN Camions et Bus S.A.S. (‘MAN Camions et Bus’, France) and MAN Truck and Bus N.V./S.A. (‘MAN Truck and Bus Belgium’, Belgium) by way of purchase of shares.

2.

The business activities of the undertakings concerned are:

3.

On preliminary examination, the Commission finds that the notified transaction could fall within the scope of the EC Merger Regulation. However, the final decision on this point is reserved. Pursuant to the Commission Notice on a simplified procedure for treatment of certain concentrations under the EC Merger Regulation (2) it should be noted that this case is a candidate for treatment under the procedure set out in the Notice.

4.

The Commission invites interested third parties to submit their possible observations on the proposed operation to the Commission.

Observations must reach the Commission not later than 10 days following the date of this publication. Observations can be sent to the Commission by fax (+32 22964301), by email to COMP-MERGER-REGISTRY@ec.europa.eu or by post, under reference number COMP/M.6182 — MAN/MAN Camions et Bus/MAN Truck & Bus Belgium, to the following address:

1.4.2011   

EN

Official Journal of the European Union

C 101/39

1.

Common Position 2002/402/CFSP (1) calls upon the Union to freeze the funds and economic resources of Usama bin Laden, members of the Al-Qaida organisation and the Taliban and other individuals, groups, undertakings and entities associated with them, as referred to in the list drawn up pursuant to UNSCR 1267(1999) and 1333(2000) to be updated regularly by the UN Committee established pursuant to UNSCR 1267(1999).

The list drawn up by this UN Committee comprises:

Acts or activities indicating that an individual, group, undertaking, or entity is ‘associated with’ Al-Qaida, Usama bin Laden or the Taliban include:

2.

The UN Committee decided on 23 March 2011 to add Ibrahim Hassan Tali Al-Asiri to the relevant list. He may submit at any time a request to the UN Ombudsperson, together with any supporting documentation, for the decision to include him in the UN list referred to above, to be reconsidered. Such request should be sent to the following address:

See for more information at http://www.un.org/sc/committees/1267/delisting.shtml

3.

Further to the UN decision referred to in paragraph 2, the Commission has adopted Regulation (EU) No 317/2011 (2), which amends Annex I to Council Regulation (EC) No 881/2002 imposing certain specific restrictive measures directed against certain persons and entities associated with Usama bin Laden, the Al-Qaida network and the Taliban (3). The amendment, made pursuant to Articles 7(1)(a) and 7a(1) of Regulation (EC) No 881/2002, adds Ibrahim Hassan Tali Al-Asiri to the list in Annex I of that Regulation (‘Annex I’).

The following measures of Regulation (EC) No 881/2002 apply to the individuals and entities included in Annex I:

4.

Article 7a of Regulation (EC) No 881/2002 (5) provides for a review process where observations on the grounds for listing are submitted by those listed. Individuals and entities added to Annex I by Regulation (EU) No 317/2011 may make a request for the grounds for their listing to the Commission. This request should be sent to:

5.

The attention of the individuals and entities concerned is also drawn to the possibility of challenging Regulation (EU) No 317/2011 before the General Court of the European Union, in accordance with the conditions laid down in the fourth and sixth paragraphs of Article 263 of the Treaty on the Functioning of the European Union.

6.

Personal data of the individuals concerned will be handled in accordance with the rules of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community (now Union) institutions and bodies and on the free movement of such data (6). Any request, e.g. for further information or in order to exercise the rights under Regulation (EC) No 45/2001 (e.g. access or rectification of personal data), should be sent to the Commission, at the address mentioned under point 4 above.

7.

For good order, the attention of the individuals and entities included in Annex I is drawn to the possibility of making an application to the competent authorities in the relevant Member State(s), as listed in Annex II to Regulation (EC) No 881/2002, in order to obtain an authorisation to use frozen funds and economic resources for essential needs or specific payments in accordance with Article 2a of that Regulation.