Avis du CEPD

Avis sur la recommandation pour un règlement du Conseil modifiant le règlement (CE) n° 2533/98 du 23 novembre 1998 concernant la collecte d'informations statistiques par la Banque centrale européenne, JO C 192, 15.08.2009, p. 1

On 23 November 1998, the Council of the European Union adopted Regulation (EC) No 2533/98 concerning the collection of statistical information by the European Central Bank (ECB). In order to maintain this Regulation as an effective instrument to carry out the statistical information collection tasks of the European System of Central Banks, the Governing Council of the European Central Bank adopted a Recommendation for a Council Regulation amending Regulation No 2533/98.

The Opinion analyses the Recommendation and gives some further reflexion on the relation between statistical confidentiality and data protection.

More specifically the EDPS:

• welcomes that the proposed amendments contain a specific reference to the data protection legal framework;
• underlines the need for further clarification of some concepts common to data protection and statistics;
• considers that the purpose limitation principle should be ensured in the widening of scope of the Regulation;
• stresses the need to assess the necessity of processing payment statistics which may contain personal information about natural persons;
• advocates for further collaboration between the European Statistical System and the ECB in view of ensuring the respect of the data quality principle as well as the data minimization principle;
• suggests that access to statistical information for research purposes should be provided in such a way that the reporting agent cannot be identified, either directly or indirectly, when account is taken of all relevant means that might reasonably be used by a third party.

Avis sur la proposition de directive relative aux normes de qualité et de sécurité des organes humains destinés à la transplantation, JO C192, 15.08.2009, p. 6

The proposal provides for national quality programmes to advance organs donation and transplantation, including a traceability mechanism to ensure that all organs can be traced from donation to reception and vice versa. The proposed procedure involves the collection and circulation of health data, which are regarded as sensitive and therefore fall under the stricter rules of EU data protection legislation.

The EDPS welcomes the attention given in the proposal to the data protection needs arising both for the donors and the recipient of organs, especially as concerns the requirement for keeping their identities confidential. He however recommends to further emphasize the need for reinforced protection of the donors' and recipients' personal data throughout the organs traceability chain established within the proposal. This can be achieved with the application of strong organisational and technical security measures, both in the national donors and recipients databases, as well as in the cross-border exchange of organs.

• Basic principles for national security measures may include the following:
• adoption of a specific information security policy;
• definition of a confidentiality and access control policy, together with data confidentiality guarantees for the persons involved in the processing;
• addressing security mechanisms in the national databases, based on the concept of "privacy by design" (i.e. application of data protection requirements as early as possible in the life cycle of new technological developments);
• ensuring regular monitoring and independent audits of the security policies in place.

With regard to the cross-border exchange of organs, the need for harmonizing information security policies among Member States should be further stressed. In addition, special attention should be paid to the possibilities of indirect identification of donors and recipients' data (pseudonymisation). The EDPS also recommends specific consultation with the national data protection authority when organs are exchanged with third countries.

Avis sur la proposition de règlement du Conseil instituant un régime communautaire de contrôle afin d'assurer le respect des règles de la politique commune de la pêche, JO C 151, 03.07.2009, p. 11

There are different reasons why data protection provisions in the context of this proposal are relevant. First, the proposal foresees the processing of various data, which in certain cases, can be considered as personal data. Moreover, the proposal also foresees transfers of these data and exchanges of information, both between Member States and with the Commission or the Community Fisheries Control Agency. The EDPS also notes that the proposal foresees the use of aggregated data in certain circumstances. All these aspects require respecting the data protection legal framework.

The EDPS welcomes that reference to privacy and data protection is made within the current proposal. However, some amendments are needed in order to provide clear requirements, both for the Member States and for the Commission to address the data protection aspects of the system.

Avis sur la proposition de règlement concernant la création du système "Eurodac" pour la comparaison des empreintes digitales aux fins de l'application efficace du règlement (CE) n° [.../...] (établissant les critère et mécanismes de détermination de l'Etat membre responsable de l'examen d'une demande de protection internationale présentée dans l'un des Etats membres par un ressortissant de pays tiers ou un apatride) [COM(2008) 825], JO C 229, 23.09.2009, p. 6

The Proposal is a revision of the EURODAC Regulation and its implementing regulation, Council Regulation No 407/2002/EC, and it aims at inter alia:

• improving the efficiency of the implementation of the EURODAC Regulation,
• ensuring consistency with the asylum acquis evolved since the adoption of the above-mentioned Regulation,
• updating a number of provisions taking account of factual developments since the adoption of the Regulation,
• establishing a new management framework.

The EDPS supports this Proposal and draws attention to the need to ensure full consistency between the EURODAC and Dublin Regulations. The EDPS sees the need for a better coordination and harmonization at EU level of the procedures for fingerprinting, whether they concern asylum seekers or any other persons subject to the EURODAC procedure. He draws special attention to the question of the age limits for fingerprinting, and in particular the difficulties occurring in several Member States to determine the age of young asylum seekers. The EDPS insists on a clarification of the provisions regarding the rights of the data subjects, and in particular he underlines that the national data controllers are primarily responsible to ensure the application of these rights.

Avis sur la proposition de règlement établissant les critères et mécanismes de détermination de l'Etat membre responsable de l'examen d'une demande de protection internationale présentée dans l'un des Etats membres par un ressortissant de pays tiers ou un apatride [COM(2008) 820 final)], JO 229, 23.09.2009, p. 1

The primary aim of the Proposal is to increase the efficiency of the Dublin system and to ensure higher standards of protection afforded to applicants for international protection subject to the Dublin procedure. Furthermore, it aims to reinforce the solidarity towards those Member States which are faced with situations of particular migratory pressures.

The EDPS supports the Commission's Proposal for a Regulation and shares the understanding of the reasons to revise the existing system. The EDPS considers that some of the observations made in this opinion can be further developed when seeing the practical implementation of the revised system. In particular, he intends to contribute to the definition of implementing measures concerning the exchange of information through the DubliNet.