Nos avis portent principalement sur des propositions législatives et sont adressés au législateur de l'UE (le Parlement européen, le Conseil et la Commission européenne), dans le but de signaler les principales préoccupations en matière de protection des données ainsi que nos recommandations.
Ces avis sont rendus en réponse aux demandes de la Commission, qui est légalement tenue de demander notre avis sur toute proposition législative ou projet d'actes d'exécution ou délégués, ainsi que sur les recommandations et propositions au Conseil dans le cadre d'accords internationaux conformément à l'article 42(1) du règlement (UE) 2018/1725 lorsqu'il y a un impact sur la protection des données personnelles.
Nous émettons également des avis d'initiative dans le cadre de notre rôle de conseil sur toutes les questions relatives au traitement de données personnelles.
Deuxième avis relatif au réexamen de la directive 2002/58/CE concernant le traitement des données à caractère personnel et la protection de la vie privée dans le secteur des communications électroniques (directive "vie privée et communications électroniques"), JO C 128, 06.06.2009, p. 28
This Opinion follows upon a first EDPS Opinion, as well as Comments, in which recommendations were made to help ensure that the proposed changes effectively provide for the best possible protection of personal data.
This Second Opinion comes as a response to the Council's Common Position which, on a number of critical points, fails to endorse some of the data protection safeguards proposed by the European Parliament and the European Commission or previously recommended by the EDPS. The recommendations presented in this Opinion aim at streamlining some of the provisions of the Directive, while at the same time ensuring an adequate level of data protection and privacy.
The Opinion particularly focuses on the provisions relating to the setting up of a mandatory security breach notification system for which the Supervisor believes there is still some room for improvement.
Avis sur la communication de la Commission intitulée "Vers une stratégie européenne en matière d'e-Justice", JO C 128, 06.06.2009, p. 13
The Communication aims to propose an e-Justice Strategy that intends to increase citizens' confidence in the European area of Justice. E-Justice's primary objective should be to help justice to be administered more effectively throughout Europe, for the benefit of the citizens. The EU's action should enable citizens to access information without being hindered by the linguistic, cultural and legal barriers stemming from the multiplicity of systems. A draft action plan and timetable for the various projects are annexed to the Communication.
E-Justice has a very wide-ranging scope, including in general the use of ICT in the administration of justice within the European Union. This covers a number of issues like projects providing litigants with information in a more effective way. This includes online information on judicial systems, legislation and case law, electronic communication systems linking litigants and the courts and the establishment of fully electronic procedures. It covers also European projects like the use of electronic tools to record hearings and projects involving information exchange or interconnection.
The EDPS supports the present proposal to establish e-Justice and recommends taking into account the observations made in his opinion, which includes:
Taking into account the recent Framework decision on the protection of personal data in the field of police and judicial cooperation in criminal matters - including its shortcomings - not only when implementing the measures envisaged in the Communication, but also with a view to starting as soon as possible the reflections on further improvements of the legal framework for data protection in law enforcement;
Including administrative procedures in e-Justice. As part of this new element, e-Justice projects should be initiated to enhance the visibility of data protection rules as well as national data protection authorities, in particular in relation to the kinds of data processed in the framework of e-Justice projects;
Maintaining a preference for decentralized architectures;
Ensuring that the interconnection and interoperability of systems duly takes into account the purpose limitation principle;
Allocating clear responsibilities to all actors processing personal data within the envisaged systems and providing mechanisms of effective coordination between data protection authorities;
Ensuring that processing of personal data for purposes other than those for which they were collected should respect the specific conditions laid down by the applicable data protection legislation;
Clearly defining and circumscribing the use of automatic translations, so as to favour mutual understanding of criminal offences without affecting the quality of the information transmitted;
Clarifying Commission responsibility for common infrastructures, such as the s-TESTA;
With regard to the use of new technologies, ensuring that data protection issues are taken into account at the earliest possible stage ("privacy-by-design") as well as fostering technology tools allowing citizens to be in better control of their personal data even when they move between different Member States.
Avis concernant la proposition de directive relative à l'application des droits des patients en matière de soins de santé transfrontaliers, JO C 128, 06.06.2009, p. 20
The proposal aims at establishing a Community framework for the provision of cross-border healthcare within the EU, for those occasions where the care patients seek is provided in another Member State than in their home country. The implementation of such a scheme requires the exchange of personal data relating to the health of patients between authorized organisations and healthcare professionals of different Member States.
The EDPS welcomes the proposal and expresses his support to the initiatives of improving the conditions for cross-border healthcare. He expresses concerns, however, about the fact that EC healthcare related initiatives are not always well co-ordinated with regard to ICT use, privacy and security, thus hampering the adoption of a universal data protection approach towards healthcare. This is also evident in the proposal where references to data protection are mainly of a general nature and do not adequately reflect the specific privacy-related needs of cross-border healthcare.
The EDPS defines two main areas of concern regarding data protection in cross-border healthcare: a) the different security levels which may be applied by the Member States for the protection of personal data, and b) privacy integration in e-health applications. To this end, the EDPS makes the following recommendations:
Provision of a clear definition for 'health data'.
Introduction of a specific Article on data protection, clearly describing the responsibilities of the Member States and identifying areas for further development.
Adoption of a Community mechanism for the definition of a commonly acceptable security level for health data to be applied by the Member States.
Incorporation of the notion of 'privacy by design' already in the proposed Community template for e-Prescription.
Introduction of a more explicit reference to the specific requirements relating to subsequent use of data concerning health as laid down in Article 8 of Directive 95/46.
Avis concernant le rapport final du Groupe de contact à haut niveau UE/Etats-Unis sur le partage d'informations et la protection de la vie privée et des données à caractère personnel, JO C 128, 06.06.2009, p. 1
The opinion relates to the Final Report by the EU-US High Level Contact Group on information sharing and privacy and personal data protection, which was presented by the EU Presidency in June 2008. The Report defines common principles on privacy and data protection as a first step towards the exchange of information between the EU and the US to fight terrorism and serious transnational crime. It also identifies options for a possible instrument that would apply the agreed common principles to data transfers.
The EDPS welcomes the progress achieved by the EU and US authorities to ensure an effective regime for privacy and personal data protection in the exchange of law enforcement information. He however emphasises the need for a careful analysis of the considered ways forward and recommends the development of a road map towards a possible agreement. Such a road map would involve all stakeholders at the different stages of the procedure and contain guidance for the continuation of the work, a timeline, as well as a further elaboration of the data protection principles on the basis of a common understanding on essential issues, such as the scope and nature of an agreement.
The EDPS calls for clarification and concrete provisions regarding the main following aspects:
nature and scope of an instrument on information sharing: for the sake of legal certainty, the EDPS shares the report's preferred option for the adoption of a legally binding instrument. This general instrument would need to be combined with specific agreements on a case by case basis to reflect the many specificities of data processing in the field of security and justice. The scope of application should also be clearly circumscribed and provide for a clear and common definition of law enforcement purposes at stake;
redress mechanisms: as one of the most prominent outstanding issues of the report, the availability of adequate means for redress needs to be properly addressed. Strong redress mechanisms, including administrative and judicial remedies, should be available to all individuals, irrespective of their nationality;
measuresguaranteeing the effective exercise of individuals' rights: further work is needed not only with regard to redress and oversight mechanisms, but also concerning the transparency of data processing and the conditions of access and rectification to personal data.
The EDPS emphasizes that the conclusion of an agreement between the EU and the US should take place under the Lisbon Treaty - depending on its entry into force – to guarantee better legal certainty, full involvement of the European Parliament and judicial control of the European Court of Justice.
Avis sur le Livre vert de la Commission intitulé "Exécution effective des décisions judiciaires dans l'Union européenne: la transparence du patrimoine des débiteurs" - COM(2008) 128 final, JO C 20, 27.01.2009, p 1
On the 22 September, the EDPS adopted an Opinion on the Commission Green paper on the Effective Enforcement of Judgements in the European Union: the Transparency of Debtors' Assets. The Green paper focuses on possible measures at EU level that can be adopted with a view to improve the transparency of the debtor's assets and the right of creditors to obtain information with a view to effectively enforce their rights whilst respecting the principles for the protection of debtor's privacy pursuant to the provisions of Directive 95/46. The Green paper analyzes in detail the current situation as well as a broad range of possible options to reach these objectives.
The EDPS opinion is mainly aimed at providing guidance with regard to data protection issues that may arise in possible legislative initiatives stemming from this Green paper and complements the public consultation launched by the Commission in March. In particular, the EDPS welcomes the Green paper and the broad consultation to which it has been submitted and recommends that:
Possible legislative actions stemming from the Green paper should ensure that the processing of personal data carried out by the whole range of enforcement authorities is clearly based on at least one of the legal grounds laid down by Article 7 of Directive 95/46/EC, and in particular its letter c) and/or e);
The proportionality principle is duly taken into account not only with regard to the data elements to be disclosed by the debtors, but also with regard to other aspects such as the period of time during which the data are stored and disclosed, the entities having access to data, and the modalities of disclosure;
Any measures on transparency of debtors' assets respect the purpose limitation principle and that any necessary exception would comply with the conditions laid down by Article 13 of Directive 95/46;
Aspects concerning the provision of information to the debtors, the rights of data subjects, and the security of processing are duly taken into account.
The EDPS will remain available to provide informal comments on draft proposals arising from this Green paper and expects to be consulted on any adopted legislative proposals pursuant to Article 28(2) of Regulation 45/2001.
