
EDPS Opinions

 

Our opinions relate mainly to legislative proposals and are addressed to the EU legislator (the European Parliament, the Council and the European Commission), with the aim of highlighting the main data protection concerns as well as our recommendations.

These opinions are issued in response to requests from the Commission, which is legally required to seek our opinion on any legislative proposal or draft implementing or delegated act, as well as on recommendations and proposals to the Council in the context of international agreements, in accordance with Article 42(1) of Regulation (EU) 2018/1725, where there is an impact on the protection of personal data.

We also issue own-initiative opinions as part of our advisory role on all matters relating to the processing of personal data.

 

25 Apr 2008

Eurojust

Opinion on the initiative with a view to adopting a Council Decision on the strengthening of Eurojust and amending Decision 2002/187/JHA, OJ C 310, 5.12.2008, p. 1

On 25 April 2008, the EDPS adopted an opinion on the Initiative of 14 Member States with a view to adopting a Council Decision concerning the strengthening of Eurojust. The initiative aims at further enhancing the operational effectiveness of Eurojust. The EDPS was not asked for advice on this initiative, although a significant part of the initiative deals with the (conditions for) processing of personal data by Eurojust. The opinion was therefore issued on his own initiative.

In his opinion, the EDPS emphasises that he understands the need to improve the legal framework of Eurojust. However, he regrets that the initiative was not accompanied by an impact assessment, together with an analysis of the shortcomings of the existing rules and the expected effectiveness of the new provisions.

Furthermore, the opinion highlights the various arguments in favour of waiting for the entry into force of the Lisbon Treaty. Other issues addressed in the opinion are the provisions on data protection, the relations with third parties and the supervision.

Available languages: Bulgarian, Czech, Danish, German, Estonian, Greek, English, Spanish, French, Italian, Latvian, Lithuanian, Hungarian, Maltese, Dutch, Polish, Portuguese, Romanian, Slovak, Slovenian, Finnish, Swedish
Initiative published in OJ C 54 of 27.02.2008, p. 4
Available languages: English, French

11 Apr 2008

Computerised reservation systems

Opinion on the proposal for a Regulation on a Code of Conduct for the use of computerised reservation systems, OJ C 233, 11.09.2008, p. 1

The EDPS issued an opinion on the proposal for a Regulation on a Code of conduct for computerised reservation systems (CRSs).

The objective of the proposal is to update the provisions of the Code of Conduct for Computerized Reservation Systems that was established in 1989 by Regulation 2299/89. The Code would need simplification in order to reinforce competition, while maintaining basic safeguards and ensuring the provision of neutral information to consumers.
A specific article on data protection has been developed in the proposal with a view to complementing the provisions of Directive 95/46/EC, which continues to apply as a lex generalis.

The EDPS welcomes the inclusion of such principles in the proposal. He stresses that these provisions could nevertheless be usefully complemented by additional safeguards on three points:

  • ensuring the fully informed consent of data subjects for the processing of sensitive data;
  • providing for security measures taking into account the different services offered by CRSs;
  • protecting marketing information relating to individuals from access by third parties.

With regard to the scope of application of the proposal, the criteria that make the proposal applicable to CRSs established in third countries raise the question of its practical enforcement, taking into account the complexity of the CRS network.

It is deemed essential to put the CRS question in this global context and to be aware of the implications of having a large amount of personal data, some of it sensitive, processed in a global network practically accessible to third state authorities.

The EDPS considers it decisive that effective compliance is ensured by the competent authorities for enforcement (i.e. the Commission), as foreseen in the proposal, as well as by data protection authorities.

Available languages: Bulgarian, Czech, Danish, German, Estonian, Greek, English, Spanish, French, Italian, Latvian, Lithuanian, Hungarian, Maltese, Dutch, Polish, Portuguese, Romanian, Slovak, Slovenian, Finnish, Swedish
COM(2007) 709 final of 15.11.2007
Available languages: English, French

10 Apr 2008

Privacy and electronic communications

Opinion on the proposal for a Directive amending, among others, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ C 181, 18.07.2008, p. 1

The EDPS adopted an opinion on the European Commission's proposal amending, among others, the Directive on Privacy and electronic communications (usually referred to as the ePrivacy Directive).

On the whole, the EDPS supports the Commission's drive to enhance the protection of individuals' privacy and personal data in the electronic communications sector. He particularly welcomes the proposed creation of a mandatory security breach notification system and the possibility for legal persons (e.g. consumer associations and Internet service providers) to take legal action against spammers. The clarification regarding the inclusion of a number of RFID applications in the scope of application of the Directive also represents significant progress.

The EDPS however feels that the opportunity of this review should be used to its full potential so as to ensure that the proposed changes provide for a proper protection of personal data and privacy. He calls for further improvements to the Directive that should include the following:

  • security breach notification: the obligation to notify any breach of security should not only apply to providers of public electronic communication services in public networks but also to other actors, especially to providers of information society services which process sensitive personal data (e.g. online banks and insurers, online providers of health services, etc.);
  • scope of the Directive: the Directive should broaden its scope of application to include providers of electronic communication services also in mixed (private/public) and private networks;
  • right of action against spammers: the new possibility given to legal persons to take action against those who infringe spam provisions should be extended to cover infringement of any provision of the ePrivacy Directive.

Available languages: Bulgarian, Czech, Danish, German, Estonian, Greek, English, Spanish, French, Italian, Latvian, Lithuanian, Hungarian, Maltese, Dutch, Polish, Portuguese, Romanian, Slovak, Slovenian, Finnish, Swedish
COM(2007) 698 final of 13.11.2007
Available languages: English, French

26 Mar 2008

Security features and biometrics in passports

Opinion on the proposal for a Regulation amending Council Regulation (EC) No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States, OJ C 200, 06.08.2008, p. 1

On 26 March 2008, the EDPS adopted an opinion on the Commission's proposal aiming at revising the 2004 Council Regulation that sets out minimum standards for security features and biometrics in passports and travel documents.

The EDPS welcomes the introduction of exemptions from giving fingerprints based on the age of the person or his/her inability to provide fingerprints. However, he still considers these exemptions insufficient to remedy the imperfections of biometrics, such as the impact of misidentification or failure to enrol.
The EDPS' opinion includes the following recommendations:

  • fingerprints from children: the proposed six-year age limit should be considered as a provisional one, or brought in line with international practice (14 years). After three years, the age limit should be reviewed and defined by an in-depth study which is to identify the accuracy of the systems obtained under real conditions;
  • fingerprints from the elderly: an age limit for the elderly, based on similar experiences already in place (79 years), should be introduced as an additional exemption;
  • principle of "one person-one passport": this principle should be applied only to children above the relevant age limit;
  • "breeder" documents: additional measures should be proposed to harmonise the production and the use of documents required in Member States to issue passports (“breeder” documents).

The EDPS recalls that exemptions should in no way stigmatize or discriminate against individuals who will be exempt, whether because of their age as a precautionary principle or because they present obviously unreadable fingerprints.

COM(2007) 619 final of 18.10.2007
Available languages: English, French

22 Feb 2008

Internal Market Information System (IMI)

Opinion on the Commission Decision of 12 December 2007 concerning the protection of personal data in the implementation of the Internal Market Information System (IMI) (2008/49/EC), OJ C 270, 25.10.2008, p. 1

This Opinion is part of the broader EDPS efforts to improve the data protection safeguards for this large-scale IT system operated by the European Commission to facilitate information exchanges between competent authorities in Member States in the area of internal market legislation.
 
The EDPS supports the establishment of this electronic system for the exchange of information. Nevertheless, establishment of a centralized electronic system also creates certain risks. These include, most importantly, that more data might be shared and more broadly than strictly necessary for the purposes of efficient cooperation, and that data, including potentially outdated and inaccurate data, might remain in the electronic system longer than is necessary. The security of a database accessible in 27 Member States is also a sensitive issue, as the system is only as safe as the weakest link in the network permits it to be.
 
In the Opinion, the EDPS questions the adequacy of the legal basis chosen for the adoption of the IMI Decision. The EDPS recommends that the Commission replace the IMI Decision by a legal instrument that fulfils the requirement of legal certainty. As the ultimately soundest solution, the EDPS suggests adopting a separate legal instrument for the IMI system, at the level of the Council and the European Parliament, similar to the Schengen Information System, Visa Information System and other large-scale IT databases.

Additionally, the Opinion provides for a number of suggestions on the provisions regulating the data protection aspects of IMI. These recommendations relate to transparency and proportionality, joint control and allocation of responsibilities, notice to data subjects, rights of access, objection, and rectification, data retention, security measures and joint supervision.

Available languages: Bulgarian, Czech, Danish, German, Estonian, Greek, English, Spanish, French, Italian, Latvian, Lithuanian, Hungarian, Maltese, Dutch, Polish, Portuguese, Romanian, Slovak, Slovenian, Finnish, Swedish
Commission Decision, published in OJ L 13, 16.01.2008, p. 18
Available languages: English, French