3.7.2009   

EN

Official Journal of the European Union

C 151/11


Opinion of the European Data Protection Supervisor on the Proposal for a Council Regulation establishing a Community control system for ensuring compliance with the rules of the Common Fisheries Policy

2009/C 151/03

THE EUROPEAN DATA PROTECTION SUPERVISOR,

Having regard to the Treaty establishing the European Community, and in particular its Article 286,

Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,

Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular its Article 41,

Having regard to the request for an opinion in accordance with Article 28(2) of Regulation (EC) No 45/2001 sent to the EDPS on 14 November 2008,

HAS ADOPTED THE FOLLOWING OPINION:

I.   INTRODUCTORY OBSERVATIONS

1.

On 14 November 2008, the Commission adopted a Proposal for a Council Regulation establishing a Community control system for ensuring compliance with the rules of the Common Fisheries Policy (hereinafter: ‘the proposal’). The proposal was sent by the Commission to the EDPS for consultation, in accordance with Article 28(2) of Regulation (EC) No 45/2001 (1).

2.

On the same day, the Commission adopted two other instruments as part of the fisheries package. First, the Commission adopted a Communication on the proposal for a Council Regulation establishing a Community control system for ensuring compliance with the rules of the Common Fisheries Policy. Second, it also adopted a Commission staff working document (Impact Assessment) accompanying the Proposal for a Council Regulation establishing a Community control system for ensuring compliance with the rules of the Common Fisheries Policy. Those two documents formed, together with the proposal, the package sent to the EDPS for consultation.

3.

The objective of the Common Fisheries Policy, as set out in Council Regulation (EC) No 2371/2002 of 20 December 2002 on the conservation and sustainable exploitation of resources under the Common Fisheries Policy (2), is to ensure exploitation of living aquatic resources in such a way that ensures sustainable economic, environmental and social conditions.

4.

The proposal establishes a Community system for control, monitoring, surveillance, inspection and enforcement of the rules of the Common Fisheries Policy.

5.

The EDPS welcomes the fact that he is consulted on this issue and that reference to this consultation is made in the preamble of the proposal, in a similar way to a number of other legislative texts on which the EDPS has been consulted, in accordance with Regulation (EC) No 45/2001.

6.

The EDPS recalls that he provided informal comments on 3 October 2008 on a draft proposal. In these comments, he underlined that the data protection legal framework has to be considered not only in respect of the transfer and exchange of personal data but also in respect of the collection of these data.

7.

Finally, the EDPS emphasises that this opinion addresses only a few provisions of the proposal, namely Recitals 36 to 38 and Articles 102 to 108.

II.   BACKGROUND AND CONTEXT

8.

There are different reasons why data protection provisions in the context of this proposal are relevant. First, the proposal foresees the processing of various data, which in certain cases, can be considered as personal data. For instance, when a vessel's identification is required, it will normally contain a reference to the master of the vessel or his representative. In certain provisions, the proposal also clearly underlines the need to communicate the name of the vessel's owner or master. In such cases, the data not only relate to the vessel, but also to identifiable individuals who play a role in the way in which that vessel is used and compliance with the rules of the Common Fisheries Policy is ensured. Moreover, the proposal also foresees transfers of these data and exchanges of information, both between Member States and with the Commission or the Community Fisheries Control Agency. The EDPS also notes that the proposal foresees the use of aggregated data in certain circumstances. All these aspects require respecting the data protection legal framework.

9.

The EDPS is glad to see that the proposal clearly specifies that the European legal framework relating to the protection of personal data (Directive 95/46/EC (3) and Regulation (EC) No 45/2001) shall apply to the processing of personal data carried out in the application of the Regulation, whether by Member States or by the Commission. These principles are contained both in Recitals 36 to 38 and in Articles 104 and 105.

10.

Without doubt, and as specified in the recitals, clear rules for the processing of personal data are needed for reasons of legal certainty and transparency, and to ensure the protection of fundamental rights, and in particular, the right to the protection of the private life and the personal data of individuals.

III.   PROTECTION OF PERSONAL DATA AND CONFIDENTIALITY OF DATA

11.

Article 104 of the proposal concerns specifically the protection of personal data, while Article 105 deals with confidentiality, professional and commercial secrecy. The former Article deals with the general principles established in Directive 95/46/EC and Regulation (EC) No 45/2001, while the latter further develops specific aspects relating to the confidentiality of the processed data.

12.

The EDPS welcomes the limitations and references made in both Articles as to the use and transmission of the data of natural persons with respect for Directive 95/46/EC and Regulation (EC) No 45/2001.

13.

The EDPS would like to comment on Article 104, paragraph 2, further to which ‘the names of natural persons shall not be communicated to the Commission or to another Member State except in the case where such communication is expressly provided for in this Regulation or if it is necessary for the purposes of preventing or pursuing infringements or the verification of apparent infringements. The data referred to in paragraph 1 shall not be transmitted unless they are aggregated with other data in a form, which does not permit the direct or indirect identification of natural persons’. First, the EDPS considers that the current drafting of Article 104, paragraph 2, unduly restricts the scope of the protection. The text should make clear that the protection does not cover only the transfer of the names of natural persons but also other personal data (4). He therefore asks for a revision of the wording so as to reflect this aspect. Moreover, the EDPS would also suggest amending the second sentence of the paragraph, so that it reads: ‘The data referred to in this Article…’ to be more consistent, as paragraph 1 is mainly a reference to the Community legal framework for the protection of personal data.

14.

Article 105 deals with confidentiality and professional and commercial secrecy. This provision applies, regardless of whether data can be considered as personal data or not. Paragraphs 1 to 3 apparently aim to set out the general principles of confidentiality, whereas paragraph 4 is designed to give additional protection in certain cases, although the object of this paragraph is not entirely clear. The EDPS found a great similarity between Article 105, paragraph 4(a) of the proposal and Article 4, paragraph 1(b) of Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and Commission documents, which the EDPS has thoroughly analysed (5). Article 4(1)(b) of this Regulation was widely criticized as being ambiguous about the precise relation between access to documents and the rights to privacy and the protection of personal data. The Article was also disputed before the Court of First Instance (6). An appeal on grounds of law is now pending before the Court of Justice (7). The EDPS invites the Community legislator to clarify Article 105, paragraph 4 of the proposal as to the harms envisaged, which would undermine the protection of personal data in the context of the Common Fisheries Policy and on the consequences in terms of public access or other relevant situations covered by this provision.

15.

The EDPS suggests that the Community legislator also clarifies the relations between Article 105, paragraph 4 and Article 105, paragraph 6. Although one seems to relate to public access and its possible limitations and the other relates to further legal actions and proceedings, the distinction is not clear from the wording used. Further clarification should be made.

16.

Without prejudice to the applicability of Directive 95/46/EC and Regulation (EC) No 45/2001, the EDPS acknowledges that exemptions and restrictions to the protection of personal data may be applied in line with Article 13 of Directive 95/46/EC (8). However, the EDPS would like the Community legislator to mention the specific cases in which such exemptions may take place and to clarify the situations in which such use of data may take place, if this could be relevant in the present context.

IV.   NATIONAL ELECTRONIC DATABASE

17.

Article 102, paragraph 3 of the proposal states: ‘Member States shall set up a computerized database for the purpose of the validation system referred to in paragraph 1, having regard to the data quality principle applicable to computerized databases’ (9). The EDPS is pleased to see that Article 102 of the proposal implements the data quality principle (10) when Member States shall set up a computerised database which allows the identification of fishing vessels or operators for which inconsistencies of data were repeatedly found, and permits the correction of incorrect data entries.

18.

A first example of the implementation of the data quality principle consists of the necessary features of the computerised system. According to Article 102, paragraph 1, the computerised system shall include: procedures for checking the quality of all data recorded in accordance with the Regulation; cross-checks, analysis and verification of all data recorded in accordance with the Regulation; procedures for checking compliance with deadlines for the submission of all data recorded in accordance with the Regulation. As another example of the implementation of the data quality principle, Article 102, paragraph 2, specifies that the validation system shall allow the immediate identification of inconsistencies of related data and their consequent follow-up. The EDPS considers that a consequent follow-up would consist of the deletion of inconsistencies and outdated data. Therefore, some automated check of the duration of storage of the data should be implemented to ensure that inconsistencies do not remain in the system.

19.

Another reason to insist on the respect of the data quality principle can be found in Article 103, which deals with the communication of the data from the computerised database. This article foresees that the Commission has direct real time access at any time without prior notice, to the computerised database of each Member State. The purpose of Commission access is precisely to enable the Commission to control the quality of the data.

20.

However, Article 103 also states that the Commission shall be given the possibility to download these data for any period or number of vessels. In this respect, the EDPS invites the Community legislator to consider introducing additional rules regarding the control over the information downloaded by Commission officials, which will be in compliance with the specified purpose of the Regulation. Such access to the information should respect the limitations of the Regulation itself.

21.

One additional element which should be taken into consideration in this context relates to the fact that there is currently no mention of a specific storage period of the data contained in the computerised database. However, Article 108 of the proposal foresees that the computerised database is part of the databases which are accessible in the secure part of national websites. For this secure part, a retention period is foreseen (minimum three years). Taking into consideration the comments made below about the retention period of data on the secure part of national websites (chapter V below), the Community legislator should also foresee rules regarding the time of storage of data at the national level which should only be stored as long as necessary for the purpose of this Regulation and then deleted. This provision would be compliant with Article 6(e) of Directive 95/46/EC and Article 4(e) of Regulation (EC) No 45/2001.

22.

Moreover, in cases like the present one, the Commission would be processing data (and sometimes personal data) which would trigger the applicability of Regulation (EC) No 45/2001 to such processing operations. The control of the Commission on the use of these data by its services may lead to the need of prior-checking by the EDPS on the basis of Article 27 of Regulation (EC) No 45/2001. (11) The EDPS invites the Commission to consider the possible need for notification of the system for prior checking.

V.   NATIONAL WEBSITES

23.

Article 106 deals with the setting up by each Member State of an official website accessible via Internet and composed of a publicly accessible part and a secure part. Regarding the secure part of the website, Article 108 of the proposal establishes the principles relating to: the lists and databases it contains (paragraph 1); the direct exchange of information with other Member States, the Commission or the body designated by it (paragraph 2); the remote access which is provided to the Commission or body designated by it (paragraph 3); the recipients in the Member States or in the Commission or the body designated by it to which the data are made available (paragraph 4) and the storage period (minimum of three years) of the data (paragraph 5).

24.

The EDPS would like to draw the attention of the Community legislator to Articles 25 and 26 of Directive 95/46/EC which concern the transfer of personal data to third countries' authorities. Paragraph 2 of Article 108 of the proposal foresees that each Member State shall establish, on the secure part of its website, a national fisheries related information system, which allows for the direct electronic exchange of information with other Member States, the Commission or the body designated by it as referred to in Article 109. However, Article 109 does not refer to a list of designated recipients but stresses that the authorities responsible for the implementation of this Regulation in the Member States shall cooperate with each other, with authorities of third countries, with the Commission and the body designated by it in order to ensure compliance with this Regulation.

25.

The EDPS considers that there is some discrepancy between the content of Article 108, paragraph 2, and Article 109, as regards third countries' authorities. First, authorities of third countries are said to cooperate with Member States, but no reference in Article 108 is made to them. Second, the EDPS would like to underline that if transfers to third countries are envisaged through this cooperation, Articles 25 and 26 of Directive 95/46/EC will have to be respected, especially the requirement that the third country ensures an adequate level of protection.

26.

As regards the remote access (paragraph 3) provided by the Member State to Commission officials, the EDPS welcomes that it is based on electronic certificates generated by the Commission or the body designated by it.

27.

The EDPS welcomes that paragraph 4 specifies that the recipients of the data shall be bound by the purpose limitation principle and the rules of confidentiality. This is done by allowing access to the data only for specific users authorised to that effect and by limiting access to the data they need in order to carry out their tasks and activities of ensuring compliance with the rules of the Common Fisheries Policy.

28.

The EDPS considers that the storage period (paragraph 5) should be established more precisely by setting a maximum period of retention (instead of only a minimum). Moreover, the Community legislator could also consider establishing a minimum set of rules in view of ensuring the interoperability and other security aspects of the system, possibly under the mechanisms provided by the proposal (Article 111). This comment is also linked to point 21 of this Opinion, regarding the storage within the computerised database (see above).

VI.   COMITOLOGY PROCEDURE

29.

Several Articles of the proposal refer to its Article 111, which implements a Committee procedure (through the Committee for fisheries and aquaculture - comitology procedure). Although several of the references to Article 111 made throughout the proposal refer to technical aspects, some refer to data protection aspects. For instance:

Article 103 on the communication of data foresees that Member States shall ensure that the Commission has direct real time access at any time without prior notice, to the computerised database referred to in Article 102. The Commission shall be given the possibility to download these data for any period or for any number of vessels. The detailed rules for the application of these articles, in particular for establishing a standardised format for the download of data referred to in Article 102, shall be adopted in accordance with the comitology procedure,

Article 109 foresees that administrative cooperation of Member States (among them and in relation with the Commission) shall be adopted following this comitology procedure,

Another reference to the comitology procedure is found in Article 70 dealing with the list of Community inspectors which shall be established by the Commission.

30.

The EDPS understands that the implementation of these Articles will depend on the adoption of specific rules following the procedure foreseen in Article 111 of the proposal. Given the impact that these detailed rules may have on data protection, the EDPS expects to be consulted before these detailed rules are adopted.

VII.   CONCLUSIONS

31.

The EDPS has noted the initiative of establishing a Community system for control, monitoring, surveillance, inspection, and enforcement of the rules of the Common Fisheries Policy.

32.

The EDPS welcomes that reference to privacy and data protection is made within the current proposal. However, some amendments are needed, as explained above, in order to provide clear requirements, both for the Member States and for the Commission to address the data protection aspects of the system.

33.

The observations of this opinion, which should be taken into account, include:

the review of Article 104, paragraph 2, in order to cover any personal data and not only names of natural persons,

the review of Article 105, paragraphs 4 and 6, on confidentiality, professional and commercial secrecy, so as to clarify the specific cases in which these paragraphs shall apply,

the introduction in Article 103 of additional rules regarding the control over the information downloaded by Commission officials,

the establishment of a specific storage period of data on national electronic databases and on national websites,

the respect of procedures on transfers of personal data to third countries,

the consultation of the EDPS when the procedure of Article 111 is used.

Done in Brussels, 4 March 2009.

Peter HUSTINX

European Data Protection Supervisor


(1)  Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(2)  OJ L 358, 31.12.2002, p. 59.

(3)  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

(4)  In Article 2(a) of Directive 95/46/EC defined as ‘any information relating to an identified or identifiable natural person’. This also includes e.g. information on an individual's behaviour and any measures taken in relation to an individual.

(5)  See for instance Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council regarding public access to European Parliament, Council and Commission documents, 30 June 2008, available on the EDPS website.

(6)  Judgement of 8 November 2007, Bavarian Lager v Commission, T-194/04. Two other still pending cases concern the same issue.

(7)  Pending Case C-28/08 P, Commission v Bavarian Lager, OJ C 79, 29.3.2008, p. 21.

(8)  See also Article 20 of Regulation (EC) No 45/2001.

(9)  Text corrected for an apparent mistake (‘… is applicable’).

(10)  See more in general Article 6 of Directive 95/46/EC.

(11)  Article 27(1) of Regulation (EC) No 45/2001 provides for prior checking of ‘processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purpose’. Article 27(2) specifies a number of situations, including (a) processing of data relating to suspected offences, and (b) processing operations intended to evaluate personal conduct.