Opinions 2011

In this Opinion the European Data Protection Supervisor (EDPS) provides a series of recommendations to further strengthen the data protection framework for the Internal Market Information System ('IMI'). The EDPS supports a consistent approach to data protection in establishing an electronic system for the exchange of information, including relevant personal data.

The EDPS welcomes the fact that the Commission has proposed a horizontal legal instrument for IMI in the form of a Parliament and Council Regulation (*), which aims at comprehensively highlighting the most relevant data protection issues for IMI. The EDPS cautions that establishment of a single centralized electronic system for multiple areas of administrative cooperation also creates risks. With regard to the legal framework for IMI to be established in the proposed Regulation, the EDPS calls attention to two key challenges: the need to ensure consistency, while respecting diversity, and the need to balance flexibility and legal certainty.

The EDPS acknowledges the need for flexibility to cover administrative cooperation in different policy areas but insists that this flexibility should be accompanied by legal certainty. Against this background, the EDPS recommends that functionalities of IMI that are already foreseeable should be further clarified and that the inclusion of new functionalities should require appropriate procedural safeguards, such as preparation of a data protection impact assessment and consultation of the EDPS and national data protection authorities.

The Opinion also calls for further strengthening of data subjects´ rights and for reconsideration of the extension of the currently applicable 6-months retention period unless adequate justifications are provided.

Finally, the EDPS welcomes the provisions on coordinated supervision and recommends that these should be further strengthened in order to guarantee effective and active cooperation among the data protection authorities involved.

Background information

IMI is an online application that allows national, regional and local authorities in European Union Member States to communicate quickly and easily with their counterparts in other European countries. IMI helps users find the right authority to contact in another country and communicate with them using pre-translated sets of standard questions and answers. IMI is designed as a flexible system that can be used for many pieces of single market legislation. Currently, it covers the following instruments: the Professional Qualifications Directive (2005/36/EC) and the Services Directive (2006/123/EC).

The main aim of the Proposal is to prevent market manipulation and insider trading on wholesale energy (gas and electricity) markets. The Proposal contains several provisions relevant to the protection of personal data, including those on market monitoring and reporting and investigation and enforcement. The EDPS recommendations included the following:

The Proposal should clarify whether any personal data may be processed in the context of market monitoring and reporting and which safeguards will apply. If, in contrast, no processing of personal data is expected (or such processing would only be exceptional and would be restricted to rare cases, where a wholesale energy trader might be an individual rather than a legal entity), this should be clearly set forth in the Proposal, at least in a recital.

Provisions on data protection, data security and accountability should be clarified and further strengthened, especially if the processing of personal data would play a more structural role. The Commission should ensure that adequate controls are in place to ensure data protection compliance and provide evidence thereof ("accountability").

The Proposal should clarify whether on-site inspections would be limited to a business property (premises and vehicles) of a market participant or also apply to private properties (premises or vehicles) of individuals. In the latter case, the necessity and proportionality of this power should be clearly justified and a judicial warrant and additional safeguards should be required. This should be clearly foreseen in the proposed Regulation.

The scope of the powers to require "existing telephone and existing data traffic records" should be clarified. The Proposal should unambiguously specify what records can be required and from whom. The fact that no data can be required from providers of publicly available electronic communications services should be explicitly mentioned in the text of the proposed Regulation, at least in a recital. The Proposal should also clarify whether the authorities may also require private records of individuals, such as employees or executives of the market participant under investigation (e.g. text messages sent from personal mobile devices or browsing history of home internet use). If this would be the case, the necessity and proportionality of this power should be clearly justified and the Proposal should also require a warrant from a judicial authority.

With regard to reporting of suspected market abuse, the Proposal should explicitly provide that any personal data contained in these reports should only be used for purposes of investigating the suspected market abuse reported. Unless a suspected market abuse has led to a specific investigation and the investigation is still on-going (or a suspicion has proved to be well-founded and has led to a successful investigation), all personal data related to the reported suspected market abuse should be deleted from the records of all recipients after the lapse of a specified period (unless otherwise justified, at the latest two years following the date of report). In addition, parties to an information exchange should also send each other an update in case a suspicion proves to be unfounded and/or an investigation has been closed without taking further action.

The EDPS has adopted an opinion on a proposal for a Regulation which is intended to modify the current rules concerning investigations conducted by OLAF. The stated aim of the proposal is to increase the efficiency, effectiveness and accountability of OLAF, while safeguarding its investigative independence.

The EDPS supports the objectives of the proposed amendments and, in this respect, welcomes the proposal. However, despite the overall positive impression, the EDPS considers that from the point of view of the protection of personal data, the proposal could be further improved without jeopardising the objectives that it pursues.

Therefore the EDPS makes a number of recommendations that should be addressed by the modification of the text, and most importantly:

• the proposal should clearly mention the right to information of the different categories of data subjects, as well as the right of access and rectification in relation to all the phases of the investigations carried out by OLAF;
• the proposal should clarify the relationship between the need for confidentiality of the investigations and the data protection regime applicable during the investigations;
• the proposal should clarify the general data protection principles on the basis of which OLAF can transmit and receive information, including personal data, with other EU bodies and agencies, third countries and international organisations;
• the provisions of the proposal should give the Director General the task of ensuring that a strategic and comprehensive overview of the different processing operations of OLAF is carried out, kept up to date and made transparent, or at least that the need for this should be explained in a recital.