7.10.2006 |
EN |
Official Journal of the European Union |
C 242/20 |
Opinion of the European Data Protection Supervisor on the Proposal for a Council Regulation on jurisdiction, applicable law, recognition and enforcement of decisions and cooperation in matters relating to maintenance obligations (COM(2005) 649 final)
(2006/C 242/14)
THE EUROPEAN DATA PROTECTION SUPERVISOR,
Having regard to the Treaty establishing the European Community, and in particular its Article 286,
Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,
Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular its Article 41,
Having regard to the request for an opinion in accordance with Article 28 (2) of Regulation No 45/2001 received on 29 March 2006 from the Commission;
HAS ADOPTED THE FOLLOWING OPINION:
I. Introduction
Consultation of the EDPS
1. |
The proposal for a Council Regulation on jurisdiction, applicable law, recognition and enforcement of decisions and cooperation in matters relating to maintenance obligations was sent by the Commission to the EDPS by letter dated 29 March 2006. According to the EDPS, the present opinion should be mentioned in the preamble of the Regulation. |
The proposal in its context
2. |
The EDPS welcomes this proposal, to the extent it aims at facilitating the recovery of cross-border maintenance claims within the EU. The proposal has a wide scope, since it addresses matters related to jurisdiction, applicable law, recognition, enforcement and cooperation. This opinion will be limited to the provisions having an impact on personal data protection, in particular those relating to the cooperation and the exchange of information making it possible to locate the debtor and to evaluate his assets and those pertaining to creditor (chapter VIII and Annex V). |
3. |
In particular, the proposal envisages the designation of national central authorities to facilitate the recovery of maintenance claims through the exchange of relevant information. The EDPS agrees that exchange of personal data shall be allowed to the extent it is necessary to locate debtors and evaluate their assets and incomes, while fully respecting the requirements stemming from Directive 95/46/EC, on the protection of individuals with regard to the processing of personal data (Recital 21). Therefore, the EDPS welcomes the reference (Recital 22) to the respect for private and family life, and the protection of personal data, as laid down by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. |
4. |
In particular, the proposal lays down a mechanism of exchange of information about the debtor and the creditor of maintenance obligations, with a view to facilitating the establishment and the recovery of maintenance claims. For this purpose, central national authorities will be designated in order to handle requests of information lodged by national judicial authorities (of other Member States) and collect personal data from different national administrations and authorities in order to fulfil these requests. The usual procedure will be as follows: a creditor will lodge an application through a court; the national central authority, upon request of the Court, will send an application to the central authorities of the requested Member State (through a specific form contained in Annex V); the latter central authorities will gather the requested information and will reply to the requesting central authority, which will then provide the information to the requesting court. |
5. |
The EDPS in this opinion will promote the respect for the fundamental right to protection of personal data, while ensuring efficiency of the proposed mechanisms aimed at facilitating the recovery of cross-border maintenance claims. |
6. |
In this perspective, it is first of all necessary to analyse the context of the proposal, by analysing the relevant specificities of maintenance obligations. Indeed, first of all maintenance obligations are very complex, since they embrace a variety of situations: claims may relate to children, to spouses or divorced spouses, and even to parents or grandparents. Furthermore, maintenance claims are based on ongoing and dynamic situations, and they can be managed both by private and public parties (1). |
7. |
This complexity, which is confirmed by the Commission's Impact Assessment (2), increases if one considers the huge differences in this field between the 25 Member States. Indeed, substantive and procedural laws differ broadly in matters relating to the establishment of maintenance obligations, their assessment and duration, the investigatory powers of the courts, etc. |
8. |
The diversity of maintenance obligations is already reflected in some provisions of the proposal. For instance, Recital 11 and Article 4(4) specifically refer to maintenance obligations in respect of a minor child, while Recital 17 and Article 15 make a difference between obligations in respect of children, vulnerable adults, spouse and ex-spouses and other kinds of maintenance obligations. |
9. |
The aforementioned considerations shall be duly taken into account also when addressing issues relating to protection of personal data, in particular when assessing the proportionality of the exchange of information. Indeed, different kinds of maintenance obligations may entail different powers of national courts to request information, and may also determine which kind of personal data may be processed and exchanged in a specific case. This is even more important if one considers that the present proposal does not aim at harmonizing Member States' national laws on maintenance obligations. |
The choice of a centralised system
10. |
As already mentioned, the proposal envisages a system whereby information is exchanged indirectly through the national central authorities rather than directly by the courts. This choice is not neutral from a data protection point of view and should be adequately justified. Indeed, the additional transfers of information between courts and central authorities, as well as the temporary storage of information by the latter authorities will increase the risks for the protection of personal data. |
11. |
The EDPS considers that the Commission, when assessing the various policy options, should consider specifically and in greater detail — both in its preliminary impact assessment study and in the development of the proposal — the impact on the protection of personal data of each of the possible options and the possible safeguards. In particular, with regard to this proposal, it is essential that the provisions regulating the activity of the central authorities precisely circumscribe their tasks and clearly define the functioning of the system. |
II. The relations with current data protection legal framework
12. |
The EDPS notes that the current proposal should not only take into account the complexity of national provisions on maintenance obligations, but should also ensure full compliance with existing national legislation on protection of personal data, adopted pursuant to Directive 95/46/EC. |
13. |
Indeed, the proposal lays down the access by national central authorities to personal data held by different national administrations and authorities. These personal data — that have been collected by different authorities for purposes other than the recovery of maintenance claims — will be gathered by national central authorities and then transmitted to the requesting judicial authority of a Member State through the designated central authority of the latter. From a data protection point of view, this raises different kinds of issues: the change in the purpose of processing, the legal grounds for processing by national central authorities, and the definition of the data protection rules applicable to further processing by judicial authorities. |
Change in the purpose of processing
14. |
One of the basic principles of the protection of personal data is the purpose limitation principle. Indeed, according to this principle personal data must be ‘collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes’ (Article 6(1) of Directive 95/46/EC). |
15. |
However, the change in the purpose for which personal data are processed could be justified by virtue of Article 13 of Directive 95/46/EC, which lays down some exemptions to this general principle. In particular, Article 13(1), letter f) — exercise of official authority — or letter g) — the protection of the data subjects or of the rights and freedoms of others — could justify in this case an exception to the purpose limitation principle and could allow these national administrations and authorities to transmit the requested personal data to the national central authority. |
16. |
Nonetheless, Article 13 of the aforementioned directive requires that these exceptions shall be necessary and based on legislative measures. This means that either the proposed regulation — by virtue of its direct applicability — shall be considered to be sufficient to meet the requirements of Article 13, or Member States will have to adopt specific legislation. In any case, the EDPS strongly recommends that the proposal lays down an explicit and clear obligation for relevant national administrations and authorities to provide national central authorities with requested information. This would ensure that the transmission of personal data by national administrations to national central authorities would be clearly necessary for compliance with a legal obligation to which relevant national administrations are subject, and thus based on Article 7(c) of Directive 95/46/EC. |
Legal grounds for processing of personal data by national central authorities
17. |
Similar considerations shall be made in relation to the legal grounds on which the processing of personal data by national central authorities is based. Indeed, designating or setting up these authorities according to the proposal will entail that they will collect, organize and further transmit personal data. |
18. |
The processing of personal data by national central authorities could be based on Article 7(c) or (e) of Directive 95/46/EC, since this processing would be necessary for compliance with the legal obligations (laid down by the proposal) to which national central authorities are subject or the performance of a public task entrusted to them. |
Processing by judicial authorities and applicability of Directive 95/46/EC
19. |
As far as further processing by judicial authorities is concerned, the legal basis of the regulation shall be taken into account. Indeed, Articles 61 and 67 TEC have been brought within the scope of the EC Treaty by the Treaty of Amsterdam. This means that the scope of application of Directive 95/46/EC, which excludes activities falling outside Community law, covers this area only since the Treaty of Amsterdam entered into force. Therefore, since this area was not covered by the directive when it was adopted, it is likely that not all Member States have fully implemented data protection rules with regard to the activities of civil judicial authorities: harmonisation of national DP law, in particular in this field, is far from being complete. Meanwhile, the Court of Justice confirmed in the Österreichischer Rundfunk case (3), that Directive 95/46/EC has a wide scope and that only specific exceptions to its basic principles can be accepted. Furthermore, the Court laid down a list of criteria that are relevant also with regard to this proposal. In particular, the Court ruled that interference with private life, such as those exceptions to data protection principles that are based on a public interest objective, should be proportionate, necessary, laid down by law and foreseeable. |
20. |
The EDPS notes that it would be highly desirable to explicitly clarify the full applicability of data protection rules stemming from Directive 95/46/EC. This could be done by adding a specific paragraph to Article 48, which currently addresses the relations and possible conflicts with other community instruments, but does not mention Directive 95/46/EC. |
The legal basis of the proposal
21. |
The proposed legal basis gives the occasion to reiterate some remarks already made in previous opinions (4). |
22. |
Firstly, the legal basis allows the Council to decide to transfer this area from unanimity to the co-decision procedure. Here again, the EDPS expresses his preference for the latter procedure, which can better guarantee a full involvement of all institutions and that the fundamental right to personal data protection is fully taken into account. |
23. |
Secondly, in this area the Court of Justice, according to Article 68 TEU, still has limited powers, especially with regard to preliminary rulings. This requires even more clarity in the drafting of the provisions of this proposal, also in relation to issues concerning the protection of personal data, with a view to ensuring a uniform application of the proposed regulation. |
Possible future exchanges of personal data with third countries
24. |
The current proposal does not provide for exchanges of personal data with third countries, but international cooperation is explicitly envisaged in the explanatory memorandum. In this context, it is noteworthy to mention the ongoing negotiations for a new comprehensive Convention of the Hague Conference on Private International Law concerning international recovery of maintenance. |
25. |
It goes without saying that this international cooperation is likely to lay down mechanisms for exchanges of personal data with third countries. In this regard, the EDPS would like to stress again that these exchanges should be allowed only if the third country ensures an adequate level of protection of personal data or if the transfer falls within the scope of one of the derogations laid down by Directive 95/46/EC. |
III. Purpose limitation
26. |
In the context of this proposal, specific attention shall be paid to the basic principle of purpose limitation. |
27. |
Indeed, while central national authorities and national courts shall be allowed to carry out their tasks properly, by processing relevant information for the purpose of facilitating the enforcement of maintenance claims, this information shall not be used for incompatible purposes. |
28. |
In the current text, the definition and limitation of purposes is dealt with by Articles 44 and 46. |
29. |
Article 44 lays down the specific purposes for which information shall be provided by national administrations and authorities to the relevant central authorities: to locate the debtor; to evaluate the debtor's assets; to identify the debtor's employer and to identify the bank accounts of the debtor. |
30. |
The EDPS stresses that a complete and precise definition of the purposes for which personal data are processed is essential. In this perspective, the purpose of ‘locating the debtor’ shall be better defined. Indeed, for the purpose of maintenance obligations, locating the debtor shall be construed as referring to a location with a certain degree of stability (i.e., residence, centre of interests, domicile, place of work) — as specified in Annex V, which refers to debtor's address — rather than the location of the debtor in a specific moment in time (such as, for example, temporary location obtained through geolocalisation or GPRS data). The use of the latter data shall be excluded. In addition, a clarification in the concept of location would also help circumscribing the kinds of personal data that might be processed according to this proposal (see further, points 35-37). |
31. |
Furthermore, the EDPS underlines that the proposal also lays down the possibility of exchanging personal data relating to the creditor (see Article 41(1)(a)(i)). The EDPS assumes that this kind of information is collected and processed with a view to assess the financial capacity of the creditor, which may in certain cases be relevant for the evaluation of a maintenance claim. In any event, it is essential that also the purposes for which data on creditor are processed are precisely and explicitly defined in the proposal. |
32. |
EDPS welcomes Article 46, and in particular its paragraph 2, relating to the further use of information collected by the national central authorities. Indeed, the provision makes clear that information transmitted by central authorities to courts may be used only by a court and only to facilitate the recovery of maintenance claims. The possibility to send this information to the authorities in charge of the service of documents or to the competent authorities in charge of the enforcement of a decision is also proportionate. |
IV. Necessity and proportionality of personal data processed
33. |
According to Directive 95/46/EC, personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected or further processed (Article 6(1)(c)). Furthermore, their processing shall be necessary, inter alia, for compliance with a legal obligation or for the performance of a task carried out in the public interests or in the exercise of official authority (Article 7, letters c) and e)). |
34. |
On the contrary, the current proposal defines a minimum amount of information to which central authorities shall be given access, through a non exhaustive list of national administration and authorities. Indeed, Article 44(2) states that information shall include ‘at least’ information held by the administrations and authorities which are responsible in Member States for: taxes and duties; social security; population registers; land registers, registration of motor vehicles and central banks. |
35. |
The EDPS stresses the need to define more precisely both the nature of personal data which can be processed according to this regulation, as well as the authorities whose databases can be accessed. |
36. |
First of all, the kinds of personal data that can be accessed according to the proposed regulation should be limited. Article 44(2) should provide for a well-defined maximum — rather than just minimum — limit to the amount of information that can be accessed. Therefore, the EDPS recommends modifying Article 44(2) accordingly, either by deleting the words ‘at least’ or by providing other limitations to the information that can be transmitted according to the proposed regulation. |
37. |
A limitation should relate not only to the authorities, but also to the kinds of data that can be processed. Indeed, personal data held by the authorities listed in the current proposal may broadly differ depending on the Member State. In some Member states, for instance, population registers may even contain fingerprints. Furthermore, by virtue of the growing interlinking of databases, public authorities may be considered to ‘hold’ an ever increasing amount of personal data which are sometimes extracted from databases controlled by other public authorities or private parties (5). |
38. |
Another important concern relates to special categories of data. Indeed, the current proposal might lead to collection of sensitive data. For instance, information provided by social security institutions may in some cases reveal trade union affiliation or health conditions. These personal data are not only sensitive, but are in most cases unnecessary to facilitate the enforcement of maintenance claims. Therefore, processing of sensitive data should be in principle excluded, pursuant to Article 8 of Directive 95/46/EC. However, in those cases where the processing of relevant sensitive data is necessary for reasons of substantial public interest, exemptions from the general prohibition may be laid down by national law or by decision of the competent supervisory authority, subject to the provision of suitable safeguards (Article 8(4) of Directive 95/46/EC). |
39. |
The current definition of the kinds of personal data that can be accessed by central authorities is so generic that it would leave room even for processing of biometrics data, such as fingerprints or DNA data, in those cases where these data are held by the national administrations listed in Article 44(2). As the EDPS has already pointed out in other opinions (6), processing of these kinds of data, which may well be used to locate/identify a person, may entail specific risks and in certain cases may also reveal sensitive information about the data subject. Therefore, the EDPS considers that processing of biometrics data, which for instance might be considered acceptable for the establishment of a parental relationship, would be disproportionate for the enforcement of maintenance obligations and therefore should not be allowed. |
40. |
Secondly, the principle of proportionality should determine on a case-by-case basis which personal data should be concretely processed within the scope of the potentially available information. Indeed, national central authorities and courts should be allowed to process personal data only to the extent that this is necessary in the specific case to facilitate the enforcement of maintenance obligations (7). |
41. |
Therefore, the EDPS would recommend stressing this proportionality test by substituting in Article 44(1) the words ‘information that can facilitate’ with ‘information necessary to facilitate in a specific case’. |
42. |
In other provisions, the principle of proportionality is already duly taken into account. An example is given by Article 45, according to which a court may at any moment request information to locate the debtor, i.e. information which is strictly necessary to start a judicial procedure, while other personal data can be requested only on the basis of a decision given in matters relating to maintenance obligations. |
43. |
The EDPS would also like to draw the attention of the legislator to the fact that, as already mentioned, the proposed regulation is not confined to recovery of maintenance claims for children, but extends also to maintenance claims by spouses or divorced spouses, and to maintenance of parents or grandparents. |
44. |
With regard to this, the EDPS underlines that each kind of maintenance obligation may require a different balance of interests and thus determine to what extent processing of personal data is proportionate in a specific case. |
V. Proportionality in storage periods
45. |
According to Article 6(e) of Directive 95/46/EC, personal data shall be kept for no longer than it is necessary for the purposes for which they were collected or further processed. Therefore, proportionality is the basic principle also when it comes to assess the period of time during which personal data are stored. |
46. |
As far as storage by central authorities is concerned, the EDPS welcomes Article 46(1), according to which information is deleted after having forwarded it to the court. |
47. |
With regard to storage by competent authorities in charge of the service of documents or the enforcement of a decision (Article 46(2)), the EDPS suggests that the words ‘made use of it’ be substituted with a reference to the time necessary for relevant authorities to fulfil the tasks connected to the purposes for which information was collected. |
48. |
Also with regard to storage by judicial authorities, the EDPS argues that information shall be available for as long as it is necessary for the purpose for which it was collected or it is further processed. Indeed, in the case of maintenance obligations, information in some cases is likely to be needed for quite a long period of time, in order for the judge to be able to periodically reassess both the subsistence of the legal grounds for granting the maintenance obligations and properly quantify these obligations. Indeed, according to the information provided by the Commission, in the EU a maintenance claim is paid for 8 years on average (8). |
49. |
For these reasons, the EDPS prefers a flexible but proportionate storage period rather than a rigid a priori limitation of the storage period to one year (as currently proposed by Article 46(3)), which can prove in certain cases too short for the envisaged purposes of the processing. Therefore, the EDPS proposes to delete the maximum storage period of one year: judicial authorities should be allowed to process personal data for as long as it is necessary in order to facilitate the recovery of the relevant maintenance claim. |
VI. Information to debtor and creditor
50. |
The obligation to provide information to the data subject reflects one of the basic principles of data protection, enshrined in Articles 10 and 11 of Directive 95/46/EC. Furthermore, in this case information to data subjects is even more important since the proposal establishes a mechanism whereby personal data are collected and used for different purposes, and are further transferred and processed through a network that includes national administrations, different national central authorities and national courts. Therefore, the EDPS stresses the needs for a timely, comprehensive and detailed information notice, which would properly inform the data subject about all the various transfers and processing operations to which his/her personal data are subject. |
51. |
In this perspective, the EDPS welcomes the obligation to provide information to the debtor laid down by Article 47 of the proposal. However, a timeframe to provide information should be added to Article 47. Furthermore, the EDPS notes that it is essential that adequate information is also provided to the creditor, in case personal data concerning him/her are exchanged. |
52. |
The exception, according to which the notification to the debtor might be postponed when it might prejudice the effective recovery of a maintenance claim, is proportionate, also in consideration of the maximum length of postponement (no more than 60 days) laid down by Article 47. |
53. |
A last remark concerns Annex V, which contains the application form for the transmission of information. This form currently presents the provision of information to debtor as a choice to be made by ticking the appropriate box. On the contrary, the provision of information shall be presented as a default option and a specific action (i.e. ticking the ‘do not inform’ box) should be required only in those exceptional cases in which information cannot be temporarily provided. |
VII. Conclusions
54. |
The EDPS welcomes this proposal, to the extent it aims at facilitating the recovery of cross-border maintenance claims within the EU. The proposal has a wide scope and shall be considered in its specific context. In particular, the EDPS recommends duly taking into account the complexity and variety of maintenance obligations, the broad differences in Member States laws in this domain, and the obligations on protection of personal data stemming from Directive 95/46/EC. |
55. |
Furthermore, the EDPS considers essential to clarify some aspects of the functioning of the system, such as the change in the purpose for which personal data are processed, the legal grounds for processing by national central authorities, and the definition of the data protection rules applicable to further processing by judicial authorities. In particular, the proposal should ensure that transfers of personal data from national administrations to national central authorities and processing by the latter authorities and national courts are carried out only when they are necessary, clearly defined, and based on legislative measures, according to the criteria laid down by data protection rules and complemented by the case law of the Court of Justice. |
56. |
The EDPS also invites the legislator to specifically address the following substantive points:
|
Done at Brussels on 15 May 2006
Peter HUSTINX
European Data Protection Supervisor
(1) A reference to maintenance obligations paid by public authorities can be found in Article 16 of the proposal.
(2) Commission Staff Working Document — Impact Assessment, of 15 December 2005, pages 4-5.
(3) Judgement of 20 May 2003 in Joined Cases C-465/00, C-138/01 and C-139/01.
(4) Opinion on data retention of 26 September 2005, point 42; Opinion on Data Protection in Third Pillar of 19 December 2005, point 11; Opinion on Schengen Information System II of 19 October 2005, paragraph 9.
(5) See EDPS Opinion on Exchange of information under the principle of availability of 28 February 2006, points 23-27.
(6) Opinion on Schengen Information System II of 19 October 2005, paragraph 4.1; Opinion on Visa Information System of 23 March 2005, paragraph 3.4.
(7) This is also the case of personal data provided by the requesting court with a view to identifying the debtor concerned, as laid down at point 4.1 of Annex V. For example, the provision of address of debtor's family members shall be strictly limited, on a case by case basis and depending on the kind of maintenance obligation concerned.
(8) See Commission Staff Working Document — Impact Assessment, of 15 December 2005, p. 10.