The European Data Protection Supervisor (EDPS) says he supports the EU’s efforts to manage migration and reinforce internal security and offers his advice on the data protection implications of the EU’s recent proposal regarding the management of its external borders. In his Opinion on the proposed European Border and Coast Guard Regulation, he outlines his recommendations to make the proposal clearer and more workable.
Giovanni Buttarelli, EDPS, said: "I fully understand that Europe must urgently put in place meaningful measures to deal with migration and to combat cross-border crime. The legislative proposal aims to serve these two purposes but in the rush to elaborate the text, they have not been treated separately, thus diluting their justification. The ‘mixing’ of objectives may have legal and practical consequences so we urge the EU legislator to deal with the two purposes more clearly and specifically. "
Migration and security are two complex matters for the EU and the proposal reflects this complexity. The EDPS regrets that, despite the pressing political agenda of the European Commission, he was not consulted at an earlier stage of the legislative process since this proposal has clear data protection implications. His recommendations address his main data protection concerns and can help make the proposal more robust to withstand legal scrutiny.
The EDPS recommends that the proposal’s two aims need to be approached separately since different areas of data protection law apply; a distinct assessment of the necessity and proportionality of proposed actions is essential. Clear compliance with data protection principles will make the proposed Regulation more robust and efficient.
The scale and scope of personal data collection must be clarified since the current proposal implies that the new European Border and Coast Guard Agency will turn into a personal data hub where massive amounts of personal information is to be processed for border management.
While the EDPS understands that personal data processing is required to manage migration and combat cross-border crime, this proposal could be a serious intrusion into the rights of migrants and refugees, a vulnerable group of people in need of protection. The EDPS is pleased that several safeguards for fundamental rights have been included in the proposal. In the interests of clarity and transparency, the EDPS recommends that the extent of the processing be outlined in the proposal.
The EDPS also recommends that the division of responsibilities between the new Agency and the EU Member States is made clearer so that there is no diffusion of accountability in the data protection obligations of each.
Privacy and data protection are fundamental rights in the EU. Data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.
More specifically, the rules for data protection in the EU institutions - as well as the duties of the European Data Protection Supervisor (EDPS) - are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.
Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8)
Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.