The EU Data Protection Reform

Transcription

1 Background paper N 2 January 2015 The EU Data Protection Reform Clearswift The European Commission has published in 2012 a proposal for a new legal framework for the protection of personal data in the EU. The European Parliament and the Council of the EU are now working on the proposal, composed of a Regulation and a Directive. The reform could have important consequences for sport organisations, especially with regard to the fight against doping and match-fixing, which requires the collection and transfer of sensitive data. 1. The EU Data Protection Reform general state of play 2. Impact on sport 3. Analysis of most relevant topics for sport and recommendations

2 The European Commission has published in 2012 a proposal for a new legal framework for the protection of personal data in the EU (the existing Directive 95/46/EC dates back to 1995). The proposed framework consists of two legislative proposals: a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. However, the specificity of sport, in particular its voluntary nature and its contribution to the public interest, has not been sufficiently taken into account in the Commission s proposal. The reform could therefore jeopardise the capacity of sport organisations to effectively fight against doping and match-fixing if adequate provisions are not included. 1. The EU Data Protection Reform general state of play January 2012 Legislative proposals published by the European Commission October 2012 Debate starts in Council October 2013 Vote in LIBE committee (European Parliament) March st reading position adopted by European Parliament December 2014 Council has reached partial general approach on public sector provisions, rules on territorial scope, chapter IV, chapter V. However, the rule is nothing is agreed until everything is agreed. Spring Trilogues are expected to start EP Rapporteurs General Data Protection Regulation LIBE Jan Philipp ALBRECHT (Greens, DE) Directive LIBE Marju LAURISTIN (S&D, EST) Shadows: EPP Axel VOSS (DE) EPP Axel VOSS (DE) S&D Marju LAURISTIN (EST) Greens Jan Philipp ALBRECHT (DE) ALDE Sophia IN T VELD (NL) ALDE Sophia IN T VELD (NL) ECR Timothy KIRKHOPE (UK) ECR Timothy KIRKHOPE (UK) GUE/NGL Cornelia ERNST (DE) GUE/NGL Cornelia ERNST (DE) 2

3 Opinion rapporteurs: EMPL Nadja HIRSCH (ALDE, DE) ITRE Sean KELLY (EPP, IRL) IMCO Lara COMI (EPP, IT) JURI Marielle GALLO (EPP, FR) JURI Axel VOSS (EPP, DE) 2. Impact on sport Council configuration : Justice and Home Affairs (JHA) Sport organisations have implemented methods to fight against doping and match-fixing which require the transfer of sensitive data. The reform of personal data protection could make it more difficult to collect and transfer these sensitive data. Such a situation is highly paradoxical since European institutions repeatedly called upon sport organisations to take up their responsibility in fighting doping and match-fixing and in preserving the integrity of sport Calls on sport organisations to fight against doping and match-fixing The European institutions and the Council of Europe have repeatedly emphasized the need to fight more efficiently against doping and match-fixing, including through the exchange of information: - Council of Europe Convention on the Manipulation of Sports Competitions (CETS No. 215), July 2014, signed by 8 EU Member States already Recital: Emphasizing that sports organisations bear the responsibility to detect and sanction the manipulation of sports competitions committed by persons under their authority Article 7.1: Each Party shall encourage sports organisations and competition organisers to adopt and implement rules to combat the manipulation of sports competitions ( ). Article 12.1: Without prejudice to Article 14, each Party shall facilitate, at national and international levels and in accordance with its domestic law, exchanges of information between the relevant public authorities, sports organisations, competition organisers, sports betting operators and national platforms. In particular, each Party shall undertake to set up mechanisms for sharing relevant information when such information might assist in the carrying out of the risk assessment referred to in Article 5 and namely the advanced provision of information about the types and object of the betting products to the competition organisers, and in initiating or carrying out investigations or proceedings concerning the manipulation of sports competitions. Article 14.1: Each Party shall adopt such legislative and other measures as may be necessary to ensure that all actions against the manipulation of sports competitions comply with relevant 3

4 national and international personal data protection laws and standards, particularly in the exchange of information covered by this Convention. - European Commission s Communication on the European dimension in sport, 18 January 2011 EU action can help address transnational challenges encountered by sport in Europe such as a coordinated approach to the challenge of doping, fraud and match-fixing. - European Commission s Communication Towards a comprehensive European framework for online gambling, 23 October 2012 Match fixing runs contrary to the principle of fairness in sporting competitions, which is one of the objectives of EU action in the field of sport (Article 165 TFEU). Addressing the issue requires concerted and coordinated efforts from public authorities, sport organisations and gambling operators. - European Parliament s resolution on the European dimension in sport, 2 February 2012 Article 30: Is in favour of greater harmonisation of legislation in order to achieve effective cooperation on the part of the police and the judiciary in the fight against doping and other kinds of manipulation of sports events Article 86: Calls on the European Commissions to tackle the opacity of transfers and matchfixing ( ). - Council Conclusions on combating match-fixing, November 2011 Article 2.1: Match-fixing is besides doping one of the most significant threat to contemporary sport and damages the image of sport by jeopardizing the integrity and unpredictability of sporting competition. Article 3.1: Encourage close cooperation and information sharing between all interested stakeholders in order to combat match-fixing in an effective way ( ) 4

5 - Council Expert Group on good governance : deliverable on principles of good governance in sport, September 2013 In the areas such as match fixing and doping, sporting bodies should continue to develop and apply relevant rules, codes of conduct and educational programmes for its participants and take other steps to minimise the prospect of misconduct by adopting sound financial management principles whilst governments should ensure that relevant laws are fit for purpose and the resources exist that enable law enforcement bodies to take appropriate action when required The potential consequences of the reform on the fight against doping and match-fixing Certain elements in the current proposals create the risk of hindering the hosting of sports events in Europe, penalising European athletes wishing to participate in international competitions and jeopardising joint efforts to effectively fight doping and match-fixing. Furthermore, the current reform could have a negative impact on the fight against organised crime, particular linked to sport. Besides the organisation of sports events, the Olympic Sports Movement is responsible for the development of sport, from grassroots participation to elite competitions, and for the protection of the integrity of competitions against doping and match-fixing. These different activities may require the IOC, the EOC and other sports organisations to process personal data of athletes and other participants, for instance in the following cases: a) investigation of match-fixing cases linked to betting and or other breaches of the IOC Code of Ethics; b) anti-doping controls and investigations; c) accreditation of athletes and other participants to sport events such as the Olympic Games, European Games and Youth Olympic Games; d) sale of tickets to sport events of such as Olympic Games and European Games; e) management and transfer of competitions results; f) communication of athletes biographies to media organisations; g) coordination of various projects for the development of sport and the promotion of Olympic values; h) conservation of archives for the legacy of the Olympic Movement. If the new legal framework on data protection does not take into account the specificities of sport, it would create major obstacles to carry out essential activities by the IOC and other sports organisations. The Data Protection Regulation should thus be applied in respect of the principle of sports specificity as guaranteed by Article 165 TFEU. 5

6 3. Analysis of most relevant topics for sport and recommendations The proposed Regulation details in which cases the processing of personal data is lawful (article 6): - Consent given by the data subject - Necessary for the performance of a contract to which the data subject is party - Necessary for compliance with a legal obligation - Public interest - Legitimate interests pursued by a controller - Necessary for the purposes of historical, statistical or scientific research Some of these points are of crucial importance for the Olympic Sports Movement: - The definition of consent - The definition of public interest - The definition of categories of data that benefit from a derogation With regard to the directive, it lays down the rules relating to the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties. It covers therefore the fight against sports fraud insofar as such as fraud is legally defined as a criminal offence. Considering that the directive does not specify which kinds of offences are covered, the Olympic Sports Movement does not ask for specific amendments on the directive but reiterates its call for sports fraud to be legally defined as a criminal offense at EU level or within all Member States of the EU The definition of consent European Commission s proposal Article 4.8 of the regulation defines a data subject s consent as: any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. Article 7 further clarifies the conditions for consent. However it remains to be seen how free consent will be defined in practice. Recital 33 for instance mentions that in order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without 6

7 detriment. Especially to withdraw consent without detriment might be an issue that needs further examination. So if consent is to be applied as a legal basis for processing data of athletes, it therefore has to be shown that this consent has been free, explicit and informed. With regard to the Olympic Games, athletes are free to choose if they want to participate in the competitions. If they want to participate, they provide consent via the accreditation mechanism (e.g. signing of an entry form). It can therefore be argued that this consent is free, explicit and informed. However, the Article 29 Data Protection Working Party has on numerous occasions (e.g. opinion in August 2008, opinion in April 2009, letter to Commissioner Vassiliou in February 2012) questioned if the consent provided by athletes within the structure of the World Anti-Doping Code can really be considered as free. The World Anti-Doping Agency (WADA) has been in contact with the Working Party and openly disagrees with the Working Party on this point, claiming that the consent is both free and informed. It seems therefore that even though consent might be applicable as a legal basis from the point of view of the sports world, it could still be questioned by for instance professional players associations (e.g. EU Athletes) European Parliament Compared to the proposal of the Commission, the Parliament has deleted the reference to a significant imbalance between the position of the data subject and the controller (article 7.4), which is positive. The Parliament has also added that it shall be as easy to withdraw consent as to give it (article 7.3). No agreement yet EU Council However, it is to be noted that on article 44 of the Regulation, which lists the derogations admissible, the Council has added explicitly to the provision regarding consent (point a), but the change has no major consequences since it was already clear that consent has to be explicit. 7

8 Article 44 as amended by the Council a) the data subject has explicitly 1 consented to the proposed transfer, after having been informed that such transfers may involve risks for the data subject due to the absence of an adequacy decision and appropriate safeguards; Our recommendation The reference to a significant imbalance between the position of the data subject and the controller in the Commission s proposal could be used by an athlete to contest processing of his/her data in the frame of the fight against doping. It would create legal uncertainty and should therefore be deleted, as proposed by the European Parliament. More generally, the question of whether the processing of data in the frame of the fight against doping or match-fixing is considered as lawful because of the consent of the athlete remains subject to legal uncertainty. Therefore, the Regulation should provide another clear legal basis, e.g. public interest, for the processing of data in the frame of the fight against doping but also against the manipulation of sports competition, which is not covered by the consent of the data subject The definition of public interest European Commission s proposal Article 6.1 of the Regulation lists public interest as one of the possible grounds for data processing: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (point e). Article 44 of the Regulation also lists a number of derogations for a transfer or a set of transfers of personal data to a third country or an international organisation, including important grounds of public interest (point d). Related to this article, recital 87 provides further information on the derogations admissible for reasons of public interest European Parliament The proposed amendment to recital 87 of the Regulation (derogations should apply to bodies responsible for fighting against match-fixing and fraud in sport ) has not been taken up by the Parliament. 1 UK thought the question of the nature of the consent needed to be discussed in a horizontal manner. 8

9 The Parliament has however added a derogation for transfers between services competent for public health without specifically mentioning doping, which the Council has (see below). Still in recital 87 of the regulation, the Parliament has also added a reference to the prevention of money laundering and the fight against terrorist financing, which could partially cover the fight against manipulation of sport competitions. Recital 87 as amended by the European Parliament (87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters or for public health, or to competent public authorities for the prevention, investigation, detection and prosecution of criminal offences, including for the prevention of money laundering and the fight against terrorist financing. ( ) EU Council While the European Parliament has added public health to the list of derogations, the Council has gone further and mentioned the fight against doping as an example of derogation admissible under the notion of public health in recital 87 Recital 87 as amended by the Council These rules should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange, between competition authorities, between tax or customs administrations, between financial supervisory authorities, between services competent for social security matters or for public health, for example in case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. In article 44, the Council also replaced public interest with important reasons of public interest (point d). The consequences of this amendment could be to restrict a bit the coverage of public interest derogations. Article 44 as amended by the Council d) the transfer is necessary for important reasons of public interest 2 2 DE remarked that the effects of (d) in conjunction with paragraph 5 need to be examined, in particular with respect to the transfer of data on the basis of court judgments and decisions by administrative authorities of third states, and with regard to 9

10 Our recommendation The inclusion by the Council of a reference to doping in recital 87, which specifies the notion of public interest, is important for the Olympic Sports Movement and should be kept in the text. The Parliament s amendment adding the the prevention of money laundering and the fight against terrorist financing is also welcome, but should be completed by a clear reference to the prevention of the manipulation of sports competition. Suggested amendment (based on EP and Council current text) Proposal for Regulation Recital 87 (87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters or for public health, for example in case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport, to competent public authorities for the prevention, investigation, detection and prosecution of criminal offences, including for the prevention of money laundering, the prevention of manipulation of sports competitions and the fight against terrorist financing. ( ) 3.3. Special categories of data European Commission s proposal Article 9.1 of the regulation lists the different categories of data that are prohibited to be processed, except in a limited number of situations. It includes genetic or biometric data or data concerning health. Article 9.2 provides derogations in which the processing of data listed in 9.1 is authorized European Parliament Biometric has been added by the Parliament. An amendment on article 9.2 to include non-profitseeking body with a sporting aim within the list of entities authorised to process special categories of data has not been adopted by the Parliament. existing mutual legal assistance treaties. IT raised reservations on the (subjective) use of the concept of public interest. HR suggested adding 'which is not overridden by the legal interest of the data subject'. 10

11 EU Council No agreement yet Our recommendation An amendment to article 9.2 to include non-profit-seeking body with a sporting aim within the list of entities authorised to process special categories of data should be included. It would allow sport organisations to continue their efforts to organize fair and open competitions and to fight efficiently against doping and match-fixing. Furthermore, this derogation clearly states that processing is carried out in the course of the body s legitimate activities and that such data are not disclosed outside that body without the consent of the data subjects. Suggested amendment Proposal for Regulation Article 9, Para 2, point d (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious, sporting or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; Conclusion The Olympic Sports Movement welcomes the reform of the EU data protection legal framework, which needs to be adapted to ensure a high level of data protection to all citizens. However, the Olympic Sports Movement is concerned that this reform would prevent sports organisations to organise fair and open competitions and efficiently fight against doping and match-fixing, repeatedly defined as priorities by the EU itself. In other words, if the data protection reform does not take into account sport specificities, the EU could paradoxically put in jeopardy its own desire to see sport remaining clean. Although several Members of the LIBE Committee of the European Parliament had submitted amendments in line with the position of the Olympic Sports Movement, both on the Regulation and on the Directive, none of the amendments have been taken up in the reports of the LIBE Committee and consequently in the 1 st reading position adopted by the Parliament in March The texts adopted by the Parliament therefore do not sufficiently take into account the sport 11

12 sector s specificities and do not clearly mention the fight against doping or match-fixing for instance. As a consequence, the texts adopted in 1 st reading by the Parliament would, as such, create legal uncertainties for the Olympic Sports Movement. The Council has been more open to take into consideration sports specificities. It has included a mention of the fight against doping but has not, however, included mention of the fight against match-fixing. In view of the upcoming Council negotiations and trilogues, the Olympic Sports Movement recommends: - To clarify the definition of public interest as covering the fight against doping and the prevention of manipulation of sports competitions (recital 87 of the regulation); - To list sports organisations among the entities that can process special categories of data including data concerning health, insofar as it is done in the frame of legitimate activities, such as organising fair and open competitions (article 9.2 of the regulation). Also, further from the Data Protection Reform, the Olympic Sports Movement calls for sports fraud to be legally defined as a criminal offence at EU level or within all Member States of the EU. 12