Avis du CEPD

Avis sur la communication de la Commission intitulée "Un espace de liberté, de sécurité et de justice au service des citoyens", JO C 276, 17.11.2009, p. 8

The EDPS has adopted an opinion on the European Commission's Communication of 10 June 2009 entitled “An area of freedom, security and justice serving the citizen”. The Communication is the Commission's contribution to the discussions on the new EU programme for the next five years in the area of justice and home affairs, the so called Stockholm programme, which is due to be adopted by the European Council in December 2009.

The EDPS supports the attention that has been devoted in the Communication to the protection of fundamental rights, and in particular the protection of personal data, as one of the key issues of the future framework for EU action on the questions of citizenship, justice, security, asylum and immigration. He fully endorses the Commission's view that more emphasis should be given to data protection in the areas concerned, and calls for the European Council to follow the same approach when adopting the Stockholm multi-annual programme.

Taking the need for protection of fundamental rights as main angle of the analysis, the EDPS opinion focuses on the following issues:

• need for a comprehensive data protection scheme: the EDPS fully supports the call for a comprehensive data protection scheme covering all areas of EU competence, regardless of the entry into force of the Lisbon Treaty;
• data protection principles: the EDPS welcomes the intention of the Commission to reaffirm a number of basic principles of data protection. He emphasises the importance of the purpose limitation principle as a cornerstone of data protection law. Focus should also be given to the possibilities for improving the effectiveness of the application of data protection principles, in particular through instruments than can reinforce the responsibilities of the data controllers;
• Opinion on the Communication from the Commission to the European Parliament and the Council on an Area of freedom, security and justice serving the citizen, OJ C 276, 17.11.2009, p. 8European information model: the EDPS notes the developments towards a European information model and an EU Information Management Strategy with great interest and underlines the attention that should be given in these projects to data protection elements, to be further elaborated in the Stockholm programme. The architecture for information exchange should be based on "privacy by design" and "Best Available Techniques".

Avis sur l'initiative de la République française en vue de l'adoption d'une décision du Conseil sur l'emploi de l'informatique dans le domaine des douanes, JO C 229, 23.09.2009, p. 12

Avis sur les propositions de règelement et de directive en ce qui concerne la pharmacovigilance, JO C 229, 23.09.2009, p. 19

The EDPS takes the view that the lack of a proper assessment of the data protection implications of pharmacovigilance constitutes one of the weaknesses of the current legal framework set out by Regulation (EC) No 726/2004 and Directive 2001/83/EC. The current amendment of Regulation (EC) No 726/2004 and Directive 2001/83/EC should be seen as an opportunity to introduce data protection as a full-fledged and important element of pharmacovigilance.

A general issue to be addressed thereby is the actual necessity of processing personal health data at all stages of the pharmacovigilance process. As explained in this Opinion, the EDPS seriously doubts this need and urges the legislator to reassess it at the different levels of the process. It is clear that the purpose of pharmacovigilance can in many cases be achieved by sharing information on adverse effects which is anonymous in the meaning of the data protection legislation. Duplication of reporting can be avoided through the application of well structured data reporting procedures already at national level.

Avis sur la recommandation pour un règlement du Conseil modifiant le règlement (CE) n° 2533/98 du 23 novembre 1998 concernant la collecte d'informations statistiques par la Banque centrale européenne, JO C 192, 15.08.2009, p. 1

On 23 November 1998, the Council of the European Union adopted Regulation (EC) No 2533/98 concerning the collection of statistical information by the European Central Bank (ECB). In order to maintain this Regulation as an effective instrument to carry out the statistical information collection tasks of the European System of Central Banks, the Governing Council of the European Central Bank adopted a Recommendation for a Council Regulation amending Regulation No 2533/98.

The Opinion analyses the Recommendation and gives some further reflexion on the relation between statistical confidentiality and data protection.

More specifically the EDPS:

• welcomes that the proposed amendments contain a specific reference to the data protection legal framework;
• underlines the need for further clarification of some concepts common to data protection and statistics;
• considers that the purpose limitation principle should be ensured in the widening of scope of the Regulation;
• stresses the need to assess the necessity of processing payment statistics which may contain personal information about natural persons;
• advocates for further collaboration between the European Statistical System and the ECB in view of ensuring the respect of the data quality principle as well as the data minimization principle;
• suggests that access to statistical information for research purposes should be provided in such a way that the reporting agent cannot be identified, either directly or indirectly, when account is taken of all relevant means that might reasonably be used by a third party.

Avis sur la proposition de directive relative aux normes de qualité et de sécurité des organes humains destinés à la transplantation, JO C192, 15.08.2009, p. 6

The proposal provides for national quality programmes to advance organs donation and transplantation, including a traceability mechanism to ensure that all organs can be traced from donation to reception and vice versa. The proposed procedure involves the collection and circulation of health data, which are regarded as sensitive and therefore fall under the stricter rules of EU data protection legislation.

The EDPS welcomes the attention given in the proposal to the data protection needs arising both for the donors and the recipient of organs, especially as concerns the requirement for keeping their identities confidential. He however recommends to further emphasize the need for reinforced protection of the donors' and recipients' personal data throughout the organs traceability chain established within the proposal. This can be achieved with the application of strong organisational and technical security measures, both in the national donors and recipients databases, as well as in the cross-border exchange of organs.

• Basic principles for national security measures may include the following:
• adoption of a specific information security policy;
• definition of a confidentiality and access control policy, together with data confidentiality guarantees for the persons involved in the processing;
• addressing security mechanisms in the national databases, based on the concept of "privacy by design" (i.e. application of data protection requirements as early as possible in the life cycle of new technological developments);
• ensuring regular monitoring and independent audits of the security policies in place.

With regard to the cross-border exchange of organs, the need for harmonizing information security policies among Member States should be further stressed. In addition, special attention should be paid to the possibilities of indirect identification of donors and recipients' data (pseudonymisation). The EDPS also recommends specific consultation with the national data protection authority when organs are exchanged with third countries.