Comments by Statewatch on Proposed Regulation on Data Protection in EU Institutions for House of Lords Select Committee on the European Union
The broad thrust of the proposed Regulation and its underlying principles is to be welcomed. The Commission has acted promptly to implement its obligations under Article 286 EC and has seriously attempted to address a number of important issues. The decision to base the provisions of this proposal on the 1995 data protection Directive of the European Parliament and the Council, but with a number of detailed changes to the provisions of that Directive is a step in the right direction.
However, the proposal could be improved or clarified in a number of key respects.
1) Chapter 1
a) Article 1
It would be useful, to avoid any confusion, if the Regulation expressly spelled out the principle (mentioned in the explanatory memorandum) that it is without prejudice to rights in other EC measures. b) Article 3
It would similarly be useful, to avoid any confusion, if the Regulation expressly spelled out that it applied to acts of the Community institutions falling within Title VI (and indeed Title V) of the EU Treaty. This extension of scope is particularly welcome and important, because it will be a first step in coordinating and streamlining the data protection provisions applying to Title VI measures, in accordance with the recent report of this Committee.
2) Chapter 2
a) Article 5
It would be preferable to keep 'consent of the data subject' at the top of the list of the criteria for making processing legitimate. This would take account of the principle that the interest of the data subject is paramount.
b) Article 8
The Commission has not considered what rules should apply where a Member State has completely or partly failed to implement the Directive. In such a case, there should be rules allowing for a Community body to withhold a transfer of data to the Member State in question.
c) Article 10(4)
The broad scope of this derogating provision should be questioned, given the cardinal importance of the rule in Article 10. In our view, Article 10(4) should either be abolished altogether or replaced by an exhaustive list or a more precise definition of possible additional exemptions. The Commission gives the example of unauthorized use of computer networks. If this is a risk, Article 10(4) could simply provide for a specific exemption addressed to this issue, rather than a very broad general exemption. In any event, to a large extent, processing for such purposes may fall under Article 10(5). Exemptions from Article 10 are of great importance to human rights protection, and so should only be adopted after a full EC legislative procedure, including the opportunity for national parliaments to examine the proposal.
d) Articles 11 and 12
The detail of these provisions compared to the Directive is positive. However, the proviso inserted at the end of Articles 11(1)(f) and 12(1)(f) should be questioned. Such information should always be provided. In addition, persons should be informed of their ability to bring a legal action pursuant to Article 29 of the Regulation. The necessity for the inclusion of Article 11(2) is open to question, which does not transpose any provision of the Directive.
e) Section 5
Articles 13-17 are an improvement upon the relevant provisions of the Directive. However, it could be suggested that a general provision imposing time-limits for storing of personal data could be included. Such a provision appears in most Title VI measures. Given the wide variety of circumstances to which the Regulation would apply, this provision would necessarily have to be fairly general. For example, it could require deletion of data two years after storage by an EC institution, unless specific legal provisions in an EC measure authorize storage for specified longer periods. In any event, the provision should require review of the necessity of holding information at a specified interval.
f) Article 18
There are a number of defects with this Article, although it is an improvement upon the text of the Directive. First, the Commission does not explain why there needs to be a derogation from the data quality rules in Article 4(1) of the proposed Regulation. As for the specific exclusions, Article 18(1)(a) should either be amended or subjected to rules agreed with the Data Protection Supervisor. The relevance of Article 18(1)(b) is questionable, at least in such a broad form, to information held by the Community institutions. Article 18(1)(c) is also over-broad, given the effect of the derogation on the core of the protection provided for the Regulation. Article 18(1)(d) should be limited to cases where monitoring is inextricably connected with criminal offences.
Article 18(3) is welcome, but should be amended to make clear when the relevant information has to be disclosed. In addition, persons should be informed of their ability to bring a legal action pursuant to Article 29 of the Regulation. Article 18(4) should make clear that the normal rules of the Regulation shall apply as regards past situations (as suggested in the memorandum), not just future processing after the specific reasons for the derogation have ended.
g) Article 21
It would be preferable to provide for a stronger sanction: any such decision taken after a breach of the Regulation must be considered void. Furthermore, this provision should be extended to any decisions taken by the Community institutions.
3) Chapter III
Article 29 should make clear that complaints to the European Data Protection Supervisor (EDPS) are without prejudice to legal actions before the EC courts.
4) Chapter V
a) Appointment of EDPS
The text of Article 39 clearly provides for joint agreement of the Commission, Council and EP on appointment of the EDPS. This contradicts the text of the explanatory memorandum, which states that the EP has powers to appoint, with the Council and Commission merely consulted. The text of the proposed Regulation should be amended to reflect the interpretation in the memorandum. The EDPS will be more independent if appointed solely by the EP with mere consultation of the other institutions, who will be the subject of many complaints and therefore potentially interested in appointing a 'paper tiger' to the post.
b) Powers of and control of EDPS
The broad powers granted to the European Data Protection Supervisor (EDPS), along with the necessary judicial control (Article 46(7)) are a necessary improvement. It would be preferable if Article 46 also listed the important specific powers granted to the EDPS by the Regulation (in Articles 10(2)(b), 10(4) to (6) and 28).
A number of amendments to assist complainants could be made, to bolster the role of the EDPS, and to ensure public supervision of its activities:
i) Article 41(2)(f) should extend to appeals before the Court of Justice;
ii) the Regulation should specify that the European Ombudsman may investigate complaints against the EDPS;
iii) Article 47 should allow the EDPS to publish special reports on particular matters;
iv) the EDPS should be required to establish and publish rules relating to his or her treatment of complaints, including time limits and other rules for administrative protection;
v) Article 46(5) should also apply upon receipt of a complaint, and during its consideration;
vi) Article 46 should require the EDPS to publish its binding decisions of general application in the Official Journal, particularly those taken pursuant to Articles 10 and 28; and
vii) similarly, the Regulation should provide that the EDPS must publish such decisions in draft form and allow a specific period for comment by the EP, national parliaments, and civil society before adopting such decisions.
It should be recalled that such general decisions by the EDPS cannot be challenged before the Court of Justice by individuals, despite their huge effects on individual human rights. Nor can they be challenged indirectly before the national courts, since they only produce effects at Community level. This is obviously highly objectionable. The Select Committee should take this opportunity to reiterate its support for amending the EC Treaty to relax the excessively strict standing rules of the EC Treaty , at least where the EC institutions have allegedly breached human rights.
Statewatch submission prepared by Steve Peers, Reader in Law, Human Rights Centre, University of Essex, 19 January 2000.
© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.