Avis du CEPD

Avis concernant la communication de la Commission sur le plan d'action pour le déploiement de systèmes de transport intelligents en Europe et la proposition de directive du Parlement européen et du Conseil établissant le cadre pour le déploiement de systèmes de transport intelligents dans le domaine du transport routier et d'interfaces avec d'autres modes de transport, JO C 47, 25.02.2009, p. 6

The EDPS has adopted an opinion on the European Commission's proposed deployment plan for intelligent transport systems (ITS) in Europe that was adopted in December 2008 to accelerate and coordinate their deployment in road transport and their connection with other modes of transport. The deployment of ITS  has considerable privacy implications, for instance because these systems make it possible to track a vehicle and to collect a wide variety of data relating to European road users' driving habits.

The EDPS notes that data protection has been taken into consideration in the proposed legal framework and that it is also put forward as a general condition for the proper deployment of ITS. He however underlines that the Commission's proposal is too broad and too general to adequately address the privacy and data protection concerns raised by ITS deployment in the Member States. In particular, it is not clear when the performance of ITS services will lead to the collection and processing of personal data, what are the purposes and modalities for which data processing may take place, or who will be responsible for compliance with data protection obligations.

The EDPS opinion includes the following main recommendations:

• clarification of responsibilities: it is crucial to clarify the roles of the different actors involved in ITS in order to identify who will bear the responsibility of ensuring that systems work properly from a data protection perspective (who is the data controller?);
• safeguards for the use of location technologies: appropriate safeguards should be implemented by data controllers providing ITS services so that the use of location technologies is not intrusive from a privacy viewpoint. This should notably require further clarification as to the specific circumstances in which a vehicle will be tracked, strictly limiting the use of location devices to what is necessary for that purpose, and ensuring  that location data are not disclosed to unauthorized recipients;
• "privacy by design" approach: the EDPS recommends to consider privacy and data protection from an early stage of the design of ITS to define the architecture, operation and management of the systems. Privacy and security requirements should be incorporated within standards, best practices, technical specifications and systems.

Background information
ITS apply information and communication technologies (satellite, computer, telephone, etc.) to transport infrastructure and vehicles with the intention to make transport safer and cleaner and to reduce traffic congestion. ITS applications and services are based on the collection, processing and exchange of a wide variety of data, both from public and private sources, including information on traffic and accidents but also personal data, such as the driving habits and journey patterns of citizens. Their deployment will also rely to a large extent on the use of geolocalisation technologies, such as satellite-positioning and RFID tags. As such, ITS constitute a "data-intensive area" and raise a number of privacy and data protection issues that should be carefully addressed in order to ensure the workability of ITS across Europe.

Avis sur la communication de la Commission intitulée "Un espace de liberté, de sécurité et de justice au service des citoyens", JO C 276, 17.11.2009, p. 8

The EDPS has adopted an opinion on the European Commission's Communication of 10 June 2009 entitled “An area of freedom, security and justice serving the citizen”. The Communication is the Commission's contribution to the discussions on the new EU programme for the next five years in the area of justice and home affairs, the so called Stockholm programme, which is due to be adopted by the European Council in December 2009.

The EDPS supports the attention that has been devoted in the Communication to the protection of fundamental rights, and in particular the protection of personal data, as one of the key issues of the future framework for EU action on the questions of citizenship, justice, security, asylum and immigration. He fully endorses the Commission's view that more emphasis should be given to data protection in the areas concerned, and calls for the European Council to follow the same approach when adopting the Stockholm multi-annual programme.

Taking the need for protection of fundamental rights as main angle of the analysis, the EDPS opinion focuses on the following issues:

• need for a comprehensive data protection scheme: the EDPS fully supports the call for a comprehensive data protection scheme covering all areas of EU competence, regardless of the entry into force of the Lisbon Treaty;
• data protection principles: the EDPS welcomes the intention of the Commission to reaffirm a number of basic principles of data protection. He emphasises the importance of the purpose limitation principle as a cornerstone of data protection law. Focus should also be given to the possibilities for improving the effectiveness of the application of data protection principles, in particular through instruments than can reinforce the responsibilities of the data controllers;
• Opinion on the Communication from the Commission to the European Parliament and the Council on an Area of freedom, security and justice serving the citizen, OJ C 276, 17.11.2009, p. 8European information model: the EDPS notes the developments towards a European information model and an EU Information Management Strategy with great interest and underlines the attention that should be given in these projects to data protection elements, to be further elaborated in the Stockholm programme. The architecture for information exchange should be based on "privacy by design" and "Best Available Techniques".

Avis sur l'initiative de la République française en vue de l'adoption d'une décision du Conseil sur l'emploi de l'informatique dans le domaine des douanes, JO C 229, 23.09.2009, p. 12

Avis sur les propositions de règelement et de directive en ce qui concerne la pharmacovigilance, JO C 229, 23.09.2009, p. 19

The EDPS takes the view that the lack of a proper assessment of the data protection implications of pharmacovigilance constitutes one of the weaknesses of the current legal framework set out by Regulation (EC) No 726/2004 and Directive 2001/83/EC. The current amendment of Regulation (EC) No 726/2004 and Directive 2001/83/EC should be seen as an opportunity to introduce data protection as a full-fledged and important element of pharmacovigilance.

A general issue to be addressed thereby is the actual necessity of processing personal health data at all stages of the pharmacovigilance process. As explained in this Opinion, the EDPS seriously doubts this need and urges the legislator to reassess it at the different levels of the process. It is clear that the purpose of pharmacovigilance can in many cases be achieved by sharing information on adverse effects which is anonymous in the meaning of the data protection legislation. Duplication of reporting can be avoided through the application of well structured data reporting procedures already at national level.

Avis sur la recommandation pour un règlement du Conseil modifiant le règlement (CE) n° 2533/98 du 23 novembre 1998 concernant la collecte d'informations statistiques par la Banque centrale européenne, JO C 192, 15.08.2009, p. 1

On 23 November 1998, the Council of the European Union adopted Regulation (EC) No 2533/98 concerning the collection of statistical information by the European Central Bank (ECB). In order to maintain this Regulation as an effective instrument to carry out the statistical information collection tasks of the European System of Central Banks, the Governing Council of the European Central Bank adopted a Recommendation for a Council Regulation amending Regulation No 2533/98.

The Opinion analyses the Recommendation and gives some further reflexion on the relation between statistical confidentiality and data protection.

More specifically the EDPS:

• welcomes that the proposed amendments contain a specific reference to the data protection legal framework;
• underlines the need for further clarification of some concepts common to data protection and statistics;
• considers that the purpose limitation principle should be ensured in the widening of scope of the Regulation;
• stresses the need to assess the necessity of processing payment statistics which may contain personal information about natural persons;
• advocates for further collaboration between the European Statistical System and the ECB in view of ensuring the respect of the data quality principle as well as the data minimization principle;
• suggests that access to statistical information for research purposes should be provided in such a way that the reporting agent cannot be identified, either directly or indirectly, when account is taken of all relevant means that might reasonably be used by a third party.