30.1.2013   

EN

Official Journal of the European Union

C 28/1

30.1.2013   

EN

Official Journal of the European Union

C 28/2

European Court of Auditors

Unit ‘Audit: Production of Reports’

12, rue Alcide de Gasperi

1615 Luxembourg

LUXEMBOURG

Tel. +352 4398-1

E-mail: eca-info@eca.europa.eu

30.1.2013   

EN

Official Journal of the European Union

C 28/3

1.

On 30 May 2012, the Commission adopted a proposal concerning a recast for a Regulation of the European Parliament and of the Council on the establishment of ‘EURODAC’ for the comparison of fingerprints for the effective application of Regulation (EU) No […/…] (establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person) and to request comparisons with EURODAC data by Member States' law enforcement authorities and Europol for law enforcement purposes and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the Area of Freedom, Security and Justice (hereinafter: ‘the Proposal’) (1).

2.

The Proposal was sent by the Commission to the EDPS for consultation on 5 June 2012, pursuant to Article 28(2) of Regulation (EC) No 45/2001. The EDPS recommends that reference to the present consultation be made in the preamble of the Proposal.

3.

The EDPS regrets that the Commission services did not ask the EDPS to provide informal comments to the Commission before the adoption of the Proposal, according to the agreed procedure in relation to Commission documents relating to the processing of personal data (2).

4.

The Proposal was presented to the Home Affairs Ministers at the Justice and Home Affairs Council on 7-8 June 2012 and is currently under discussion within Council and the European Parliament with a view to adopt a regulation under the ordinary legislative procedure by the end of 2012. The present opinion of the EDPS intends to give input to this procedure.

87.

The EDPS notes that over recent years the need of accessing EURODAC data for law enforcement purposes was extensively debated within the Commission, the Council and the European Parliament. He also understands that the availability of a data base with fingerprints can be a useful additional instrument in the combat of crime. However, the EDPS also recalls that this access to EURODAC has a serious impact on the protection of personal data of the persons whose data are stored in the EURODAC system. To be valid, the necessity of such access must be supported by clear and undeniable elements, and the proportionality of the processing must be demonstrated. This is all the more required in case of an intrusion in the rights of individuals constituting a vulnerable group in need of protection, as foreseen in the proposal.

88.

Evidence provided until now — also taking into account the specific context described above — is according to the EDPS not sufficient and up to date to demonstrate the necessity and proportionality of granting access to EURODAC for law enforcement purposes. There are already a number of legal instruments which permit that one Member State consults fingerprints and other law enforcement data held by another Member State. A much better justification, as a precondition for law enforcement access is necessary.

89.

In this context the EDPS recommends that the Commission provides a new impact assessment in which all relevant policy options are considered, in which solid evidence and reliable statistics are provided and which includes an assessment in a fundamental rights perspective.

90.

The EDPS has identified several additional issues which are:

91.

The EDPS stresses the need for clarity on how the provisions of the Proposal specifying certain data protection rights and obligations relate to Council Framework Decision 2008/977/JHA as well as Council Decision 2009/371/JHA (see section 4).

92.

The EDPS recommends:

93.

The EDPS recommends:

30.1.2013   

EN

Official Journal of the European Union

C 28/6

1.

On 4 June 2012, the Commission adopted a proposal for a regulation of the European Parliament and of the Council amending Directive 1999/93/EC of the European Parliament and of the Council as regards electronic identification and trust services for electronic transactions in the internal market (‘the proposal’) (1).

2.

The proposal is part of the measures put forward by the Commission to strengthen the deployment of electronic transactions in the European Union. It follows up on the actions foreseen in the Digital Agenda for Europe (2) relating to improving the legislation on e-signatures (Key Action 3) and providing a coherent framework for the mutual recognition of e-identification and authentication (Key Action 16).

3.

The proposal is expected to enhance trust in pan-European electronic transactions and to ensure cross-border legal recognition of electronic identification, authentication, signature and related trust services in the internal market while guaranteeing a high level of data protection and user empowerment.

4.

A high level of data protection is essential for the use of electronic identification schemes and trust services. The development and use of such electronic means must rely upon the adequate processing of personal data by trust service providers and electronic identity issuers. This is all the more important as such processing will be relied upon, amongst other things, for identifying and authenticating natural (or legal) persons in the most reliable manner.

5.

Before the adoption of the proposal, the EDPS was given the possibility to provide informal comments. Many of these comments have been taken into account in the proposal. As a result, the data protections safeguards in the proposal have been strengthened.

6.

The EDPS welcomes the fact that he is also formally consulted by the Commission in accordance with Article 28(2) of Regulation (EC) No 45/2001.

7.

The proposal is based on Article 114 of the Treaty on the Functioning of the European Union and sets forth the conditions and mechanisms for mutual recognition and acceptance of electronic identification and trust services among Member States. In particular, it lays down the principles relating to the provision of identification and trusted electronic services, including the rules applicable to recognition and acceptance. It also provides the requirements for the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication and electronic certificates.

8.

In addition, the proposed regulation lays down the rules for the supervision of the provision of trust services and obliges Member States to establish supervisory bodies for this purpose. These bodies will, amongst other tasks, assess the compliance of the technical and organisational measures implemented by the providers of electronic trust services.

9.

Chapter II deals with electronic identification services while Chapter III is dedicated to other electronic trust services such as electronic signatures, seals, time stamps, documents, delivery services, certificates and website authentication. Electronic identification services are related to national identification cards and can be used in the access to digital services and in particular to e-government services; this means that an entity issuing electronic identification is acting on behalf of a Member State and that Member State is responsible for correctly establishing the correlation between a concrete individual and his/her electronic identification means. With regard to other electronic trust services, the provider/issuer is a natural or legal person which is responsible for the correct and safe provision of these services.

10.

The processing of personal data is inherent in the use of identification schemes and to some degree also in the provision of other trust services (for instance in case of electronic signatures). Processing of personal data will be required in order to establish a trustable link between the electronic identification and authentication means used by a natural (or legal) person and that person, in order to certify that the person behind the electronic certificate is truly who he/she claims to be. For instance, electronic identifications or electronic certificates refer to natural persons and will include a set of data unambiguously representing those individuals. In other words, the creation, verification, validation and handling of the electronic means referred to in Article 3(12) of the proposal will, in many cases, involve the processing of personal data and therefore data protection becomes relevant.

11.

It is, therefore, essential that the processing of data in the context of the provision of electronic identification schemes or electronic trust services is done in accordance with the EU data protection framework, in particular with national provisions implementing Directive 95/46/EC.

12.

In this Opinion, the EDPS will focus his analysis on three main issues:

50.

The EDPS welcomes the proposal as it can contribute to mutual recognition (and acceptance) of electronic trust services and identification schemes at European level. He also welcomes the establishment of a common set of requirements that must be fulfilled by the issuers of electronic identification means and by trust service providers. Notwithstanding his general support for the proposal, the EDPS wishes to provide the following general recommendations:

51.

Some specific provisions concerning the mutual recognition of electronic identification schemes should also be improved:

52.

Finally, the EDPS also makes the following recommendations in relation to the requirements for the provision and recognition of electronic trust services:

30.1.2013   

EN

Official Journal of the European Union

C 28/9

1.

On 16 August 2012, the Commission adopted a proposal for a Council regulation amending Regulation (EEC, Euratom) No 354/83, as regards the deposit of the historical archives of the institutions at the European University Institute in Florence (‘the proposal’) (1). The proposal was sent to the EDPS for consultation on the same day.

2.

Before the adoption of the proposal, the EDPS was given the possibility to provide informal comments. Many of these comments have been taken into account in the proposal. As a result, the data protections safeguards in the proposal have been strengthened. The EDPS welcomes the fact that the Commission also consulted him formally after the proposal was adopted and that this Opinion is referred to in the preamble of the proposal.

3.

Council Regulation (EEC, Euratom) No 354/83 of 1 February 1983 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (2) (‘the Archives Regulation’) requires EU institutions and bodies to establish historical archives and to open them to the public once they are 30 years old. The Archives Regulation allows each institution and body to hold its historical archives in whatever place it considers most appropriate.

4.

The objective of the proposal is to amend the Archives Regulation and to make the deposit of paper archives at the European University Institute in Florence (‘EUI’) mandatory for all EU institutions and bodies (with the exception of the Court of Justice and the European Central Bank). In fact, the European Commission, the Council of the European Union and the European Parliament are already depositing their paper archives at the EUI on the basis of contractual arrangements. Thus, as the explanatory memorandum explains, the proposal does not change the status quo but rather ‘aims to confirm the role of the EUI in managing the historical archives of the institutions. It will create a sound legal and financial basis for the partnership between the EU and the EUI.’

5.

The proposal will also not change the existing rules and procedures by which the EU institutions and bodies open their historical archives to the public after 30 years. The proposal will furthermore not change the ownership of the historical archives, which will remain with the depositing institutions/bodies. In short: the proposal contains limited and targeted amendments to the Archives Regulation, rather than proposing a comprehensive modernisation and overhaul.

6.

In order to carry out their tasks, the European institutions and bodies process vast amounts of data, including personal data. Some of the personal data processed may be particularly sensitive from a data protection point of view (3) and/or may have been given to the institutions or bodies concerned in confidence, without the expectation that they will one day become publicly available: for example, personal data contained in medical or personnel files of staff members, or personal data processed in connection with disciplinary and harassment procedures, internal audits, various types of complaints or petitions, and trade, competition, anti-fraud, or other investigations.

7.

Some of these personal data, including some of those posing prima facie the greatest risks to the individuals concerned, are destroyed after a specified period of time, once they are no longer in use for the initial purposes for which they were collected (or for other compatible ‘administrative’ purposes).

8.

However, a significant portion of the documents held by the European institutions and bodies, including, possibly, the personal data in them, will not be destroyed but rather will ultimately be transferred to the historical archives of the European Union, and will be made publicly available for historical, statistical and scientific purposes (4).

9.

It is important that European institutions and bodies have clear policies of what personal data should or should not go to the historical archives, and how to safeguard those personal data that will be preserved and made publicly available via the historical archives. These policies need to ensure protection of privacy and the personal data of the individuals concerned, and to balance the protection of these fundamental rights with the right of access to documents and the legitimate interests in historical research.

10.

For the moment, although document management, data retention and archiving policies exist at many European institutions and bodies (see, for example, the Common Conservation List (‘CCL’), an internal administrative document issued by the Commission (5)), these policies provide only limited guidance on data protection. The CCL and similar documents should be further developed or complemented with more specific and more nuanced guidance on data protection.

11.

In addition, it is to be noted that the existing policies are formulated in internal documents, rather than in a legislative instrument adopted by Council and Parliament. Indeed, beyond a brief reference in its Article 2(1) to ‘documents covered by the exception relating to privacy and integrity of the individual, as defined in Article 4(1)(b) of Regulation (EC) No 1049/2001’ (6), the current text of the Archives Regulation does not specify what personal data may be transferred to the historical archives, and thus, ultimately disclosed publicly.

12.

The referred Article 4(1)(b) of Regulation (EC) No 1049/2001, in turn, must be interpreted in accordance with applicable data protection laws, including Regulation (EC) No 45/2001, and in accordance with the jurisprudence of the Court of Justice of the European Union. To decide what personal data should be placed in the historical archives, thus, requires a complex case-by-case analysis.

13.

The revisions of Directive 95/46/EC (7) and Regulation (EC) No 1049/2001 are currently both underway, and the revision of Regulation (EC) No 45/2001 should also follow in due course. While it is hoped that these legislative changes will contribute to clarity, due to their general nature, it is unlikely that they will provide sufficiently specific guidance to European institutions and bodies with regard to their archiving practices. As for the Archives Regulation itself, the Commission has proposed limited amendments only, not affecting Article 2(1) and other substantive provisions.

14.

The EDPS, in this Opinion, will suggest a few targeted changes that can be included on the occasion of the current, more limited review of the Archives Regulation. Additionally, he will highlight the need for adoption of specific measures, including adequate implementing rules, to ensure that data protection concerns are effectively addressed in the context of legitimate record keeping for historical purposes.

15.

To provide context, Section 2 will briefly discuss some general data protection issues and current trends related to the opening up and digitalisation of EU historical archives, anonymisation and de-anonymisation, as well as the Commission's open data initiatives.

65.

The EDPS welcomes that the proposal addresses data protection concerns, involving in particular:

66.

To address remaining data protection concerns, the EDPS recommends that the proposed amendment to the Archives Regulation:

30.1.2013   

EN

Official Journal of the European Union

C 28/12

30.1.2013   

EN

Official Journal of the European Union

C 28/13

1.

On 18 January 2013, the Commission received a notification of a proposed concentration pursuant to Article 4 of Council Regulation (EC) No 139/2004 (1) by which the Belgian state investment fund Société Fédérale de Participations et d'Investissement/Federale Participatie- en Investeringsmaatschappij (‘SFPI’, Belgium) acquires within the meaning of Article 3(1)(b) of the Merger Regulation sole control of the whole of the undertaking Dexia SA/NV (‘Dexia’, Belgium) by way of purchase of shares.

2.

The business activities of the undertakings concerned are:

3.

On preliminary examination, the Commission finds that the notified transaction could fall within the scope the EC Merger Regulation. However, the final decision on this point is reserved.

4.

The Commission invites interested third parties to submit their possible observations on the proposed operation to the Commission.

Observations must reach the Commission not later than 10 days following the date of this publication. Observations can be sent to the Commission by fax (+32 22964301), by e-mail to COMP-MERGER-REGISTRY@ec.europa.eu or by post, under reference number COMP/M.6812 — SFPI/Dexia, to the following address:

30.1.2013   

EN

Official Journal of the European Union

C 28/14