Avis du CEPD

Avis sur la proposition de directive facilitant l'application transfrontière de la législation dans le domaine de la sécurité routière, JO C 310, 5.12.2008, p. 1

The EDPS issued an opinion on the proposal for a Directive facilitating cross-border enforcement in the field of road safety.

The proposal aims at reducing fatalities, injuries and material damage resulting from traffic accidents. In this context, the proposal intends to establish a system to facilitate the cross-border enforcement of sanctions for specified road traffic offences.

In order to contribute to a non discriminatory and more effective enforcement towards traffic offenders, the proposal foresees the establishment of a system of cross-border exchange of information between Member States.

The EDPS considers that the proposal provides for sufficient justification for the establishment of the system for the cross-border exchange of information, and that it limits the quality of data to be collected and transferred adequately.

He also welcomes the redress procedure foreseen in the proposal and, in particular, the fact that access to personal data will be possible in the country of residence of the data subject.

The EDPS also made the following recommendations:

• on the information of data subjects: the way data subjects will be informed of the fact they have specific rights of access to their data and possible correction of these data will depend on the format of the offence notification. It is therefore important that the proposal lists all information relevant for the data subject, in a language that he/she understands.
• on the security of the system: the EDPS has noted that it is foreseen to make use of an already existing infrastructure to exchange the information. The EDPS has no objection to this objective as far as it limits financial or administrative burdens. He insists however on the fact that this should not lead to interoperability with other databanks. The EDPS welcomes the proposed limit on the possibilities of use of the data by Member States other that the one where the offence was committed.

Avis sur l'initiative en vue de l'adoption d'une décision du Conseil sur le renforcement d'Eurojust et modifiant la décision 2002/187/JAI, JO C 310, 5.12.2008, p.1

On 25 April 2008, the EDPS adopted an opinion on the Initiative of 14 Member States with a view to adopting a Council Decision concerning the strengthening of Eurojust. The initiative aims at further enhancing the operational effectiveness of Eurojust. The EDPS was not asked for advice on this initiative, although a significant part of the initiative deals with the - conditions for - processing of personal data by Eurojust. The opinion was therefore issued on his own initiative.

In his opinion, the EDPS emphasises that he understands the need to improve the legal framework of Eurojust. However, he regrets that the initiative was not accompanied by an impact assessment, together with an analysis of the shortcomings of the existing rules and the expected effectiveness of the new provisions.

Furthermore, the opinion highlights the various arguments in favour of waiting for the entry into force of the Lisbon Treaty. Other issues addressed in the opinion are the provisions on data protection, the relations with third parties and the supervision.

Avis sur la proposition de règlement instaurant un code de conduite pour l'utilisation de systèmes informatisés de réservation, JO C 233, 11.09.2008, p. 1

The EDPS issued an opinion on the proposal for a Regulation on a Code of conduct for computerised reservation systems (CRSs).

The objective of the proposal is to update the provisions of the Code of Conduct for Computerized Reservation Systems that was established in 1989 by Regulation 2299/89. The Code would need simplification in order to reinforce competition - while maintaining basic safeguards, and ensuring the provision of neutral information to consumers.
A specific article on data protection has been developed in the proposal with a view to complementing the provisions of Directive 95/46/EC which continues to apply as a lex generalis.

The EDPS welcomes the inclusion of such principles in the proposal. He stresses that these provisions could nevertheless be usefully complemented by additional safeguards on three points:

• ensuring the fully informed consent of data subjects for the processing of sensitive data;
• providing for security measures taking into account the different services offered by CRSs;
• protecting marketing information relating to individuals from access by third parties.

With regard to the scope of application of the proposal, the criteria that make the proposal applicable to CRSs established in third countries raise the question of its practical enforcement, taking into account the complexity of the CRS network.

It is deemed as essential to put the CRS question in this global context and to be aware of the implications of having a large amount of personal data, some of them sensitive, processed in a global network practically accessible to third state authorities.

The EDPS considers it as decisive that effective compliance is ensured by competent authorities for enforcement (i.e. the Commission), as foreseen in the proposal, as well as data protection authorities.

Avis sur la proposition de directive modifiant, entre autres, la directive 2002/58/CE concernant le traitement des données à caractère personnel et la protection de la vie privée dans le secteur des communications électroniques (directive "vie privée et communications électroniques"), JO C 181, 18.07.2008, p. 1

The EDPS adopted an opinion on the European Commission's proposal amending, among others, the Directive on Privacy and electronic communications (usually referred to as the ePrivacy Directive).

On the whole, the EDPS supports the Commission's drive to enhance the protection of individuals' privacy and personal data in the electronic communications sector. He particularly welcomes the proposed creation of a mandatory security breach notification system and the possibility for legal persons (e.g. consumer associations and Internet service providers) to take legal action against spammers. The clarification regarding the inclusion of a number of RFID applications in the scope of application of the Directive also represents a significant progress.

The EDPS however feels that the opportunity of this review should be used to its full potential so as to ensure that the proposed changes provide for a proper protection of personal data and privacy. He calls for further improvements to the Directive that should include the following:

• security breach notification: the obligation to notify any breach of security should not only apply to providers of public electronic communication services in public networks but also to other actors, especially to providers of information society services which process sensitive personal data (e.g. online banks and insurers, on-line providers on health services, etc.);
• scope of the Directive: the Directive should broaden its scope of application to include providers of electronic communication services also in mixed (private/public) and private networks;
• right of action against spammers: the new possibility given to legal persons to take action against those who infringe spam provisions should be extended to cover infringement to any provision of the ePrivacy Directive.

Avis concernant la proposition de règlement modifiant le règlement (CE) n° 2252/2004 du Conseil établissant des normes pour les éléments de sécurité et les éléments biométriques intégrés dans les passeports et les documents de voyage délivrés par les Etats membres, JO C 200, 06.08.2008, p. 1

On 26 March 2008, the EDPS adopted an opinion on the Commission's proposal aiming at revising the 2004 Council Regulation that sets out minimum standards for security features and biometrics in passports and travel documents.

The EDPS welcomes the introduction of exemptions from giving fingerprints based on the age of the person or his/her inability to provide fingerprints. However, he still considers these exemptions as insufficient to remedy the imperfections of biometrics, such as the impact of misidentification or failure to enrol.
The EDPS' opinion includes the following recommendations:

• fingerprints from children: the proposed six-year age limit should be considered as a provisional one, or brought in line with international practice (14 years). After three years, the age limit should be reviewed and defined by an in-depth study which is to identify the accuracy of the systems obtained under real conditions;
• fingerprints from the elderly: an age limit for elderly, based on similar experiences already in place (79 years), should be introduced as an additional exemption;
• principle of "one person-one passport": this principle should be applied only to children above the relevant age limit;
• "breeder" documents: additional measures should be proposed to harmonise the production and the use of documents required in Member States to issue passports (“breeder” documents).

The EDPS recalls that exemptions should in no way stigmatize or discriminate individuals who will be exempt, because of their age as a precautionary principle or because they present obviously unreadable fingerprints