EDPS Opinion on the proposed common framework for European statistics relating to persons and households

Similar documents
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

(Legislative acts) DIRECTIVE 2014/55/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 16 April 2014 on electronic invoicing in public procurement

EUROPEAN UNION. Brussels, 25 April 2014 (OR. en) 2013/0084 (COD) PE-CONS 63/14 STATIS 39 SOC 185 ECOFIN 237 CODEC 711

DECISIONS. (Text with EEA relevance) Having regard to the Treaty on the Functioning of the European Union, and in particular Article 149 thereof,

Meijers Committee standing committee of experts on international immigration, refugee and criminal law

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

New model of governance and accountability of data protection by Union institutions and bodies

ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 4 October 2017

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Proposal for a. REGULATION (EU) No / OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

COUNCIL OF THE EUROPEAN UNION. Brussels, 23 May 2014 (OR. en) 9371/14 Interinstitutional File: 2010/0208 (COD) LIMITE

THE PRINCIPLE OF SUBSIDIARITY

Lords Bill Committee on Digital Economy Bill Information Commissioner s briefing

Official Journal of the European Union. (Legislative acts) DIRECTIVES

Council of the European Union Brussels, 17 November 2017 (OR. en)

5965/18 OM/vc 1 DGG 1B

COMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION RECOMMENDATION. of

Council Directive 98/59/EC of 20 July 1998 on the approximation of the laws of the Member States relating to collective redundancies

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents

Colleges and public authority status under data protection legislation

NB: Unofficial translation, legally binding texts are those in Finnish and Swedish Ministry of the Environment, Finland. Climate Change Act 609/2015

10972/14 IV/NC/kp DGB 2

5. Dealt with in Brussels by The Transport, Telecommunications and Energy Council Working Party on Land Transport

COMMISSION DELEGATED DIRECTIVE../ /EU. of XXX

EU GENERAL DATA PROTECTION REGULATION

COMMISSION IMPLEMENTING REGULATION (EU) /... of XXX

EN United in diversity EN A7-0170/27. Amendment

EBA/RTS/2017/ December Final Report. Draft regulatory technical standards. on central contact points under Directive (EU) 2015/2366 (PSD2)

COMMISSION DELEGATED DIRECTIVE (EU).../ of XXX

***I DRAFT REPORT. EN United in diversity EN. European Parliament 2016/0404(COD)

COMMISSION OF THE EUROPEAN COMMUNITIES. Draft. COMMISSION REGULATION (EU) No /

Explanatory Memorandum: The Natural Mineral Water, Spring Water and Bottled Drinking Water (Wales) (Amendment) Regulations 2010

DRAFT OPINION. EN United in diversity EN. European Parliament 2017/0035(COD)

Consultation Paper. Draft Regulatory Technical Standards

Council of the European Union Brussels, 3 March 2017 (OR. en) Mr Jeppe TRANHOLM-MIKKELSEN, Secretary-General of the Council of the European Union

Official Journal of the European Union DIRECTIVE 2003/54/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 26 June 2003

EUROPEAN UNION. Brussels, 27 March 2013 (OR. en) 2011/0374 (COD) PE-CONS 80/12 CONSOM 164 MI 853 JUSTCIV 382 CODEC 3131 OC 774

EBA FINAL draft Regulatory Technical Standards

8459/17 CB/ek 1 DGE 2B

COMMISSION STAFF WORKING DOCUMENT

EBA/CP/2016/ December Consultation Paper. Draft Guidelines on supervision of significant branches

This document will be the basis for legal-linguistic revision in view of the common position.

VETERINARY AND PHYTOSANITARY MATTERS

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

A8-0244/ AMENDMENTS by the Committee on Employment and Social Affairs, and the Committee on Culture and Education

COMMISSION REGULATION (EU)

L 96/26 EN Official Journal of the European Union. REGULATION (EC) No 552/2004 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.

14186/17 CB/OTS/ek 1 DGE 2B

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. on certain aspects concerning contracts for the supply of digital content

4. EU Charter of Fundamental Rights

COUNCIL OF THE EUROPEAN UNION. Brussels, 16 June /09 Interinstitutional File: 2009/0076 (COD) ENV 440 MI 246 AGRI 267 CHIMIE 50 CODEC 849

10349/14 GS/np 1 DG D 2B

General Personal Data Protection Policy

EUROPEA U IO. Brussels, 12 June 2009 (OR. en) 2007/0195 (COD) PE-CO S 3648/09 E ER 170 CODEC 701

Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT. Committee on Civil Liberties, Justice and Home Affairs

EUROPEAN UNION. Brussels, 11 September 2009 (OR. en) 2008/0151 (COD) PE-CONS 3663/09 ENER 191 ENV 383 CODEC 758

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

FAQ on the 10th company law directive with regard to the cross-border merger of limited liability companies (2005/56/EC) 1

Consultation Paper. Draft Implementing Standards

1. Context. 1.1 Scope

EU Charter of Fundamental Rights

EBA/CP/2013/12 21 May Consultation Paper

Commission Directive 2008/62/EC

The Electricity and Gas Sector in the EU: the Dilemmas of Public Service Obligations in the Context of State Aid

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

ARTICLE 29 DATA PROTECTION WORKING PARTY

15489/14 TA/il 1 DG E 2 A

(Text with EEA relevance) Having regard to the Treaty on the Functioning of the European Union, and in particular Article 192(1) thereof,

European Parliament resolution of 8 March 2011 on the revision of the General Product Safety Directive and market surveillance (2010/2085(INI))

COMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION INTERPRETATIVE COMMUNICATION

CM1702. Note on the interparliamentary scrutiny of Europol

Clean Power for Transport. The Directive on the deployment of alternative fuels infrastructure

Council of the European Union Brussels, 15 December 2017 (OR. en)

1. Council conclusions on strengthening the balance in the pharmaceutical systems in the EU and its Member States

Seveso Directive 82/501/EEC ("Seveso I")

COMMISSION STAFF WORKING DOCUMENT. Vademecum on European standardisation in support of Union legislation and policies PART III

UK Research and Innovation (UKRI) Data Protection Policy

DER BINNENMARKT IST DER MOTOR DES WIRTSCHAFTSWACHSTUMS

(Non-legislative acts) REGULATIONS

Release into Environment of Genetically Modified Organisms Act 1

EDPS - European Data Protection Supervisor CEPD - Contrôleur européen de la protection des données

5853/12 GS/np 1 DG H 2B

PRESENTATION BY. Michael GIBBONS. Member of the Better Regulation Task Force

Guidelines on the management body of market operators and data reporting services providers

Council of the European Union Brussels, 5 October 2017 (OR. en) Mr Jeppe TRANHOLM-MIKKELSEN, Secretary-General of the Council of the European Union

Council of the European Union Brussels, 4 July 2014 (OR. en) Mr Uwe CORSEPIUS, Secretary-General of the Council of the European Union

DIRECTIVE 2006/42/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 May 2006 on machinery, and amending Directive 95/16/EC (recast)

A questionnaire for senior management

AmCham EU s position on Directive on certain aspects concerning contracts for the supply of digital content

IVD Regulation 2017/746

PUBLIC COUNCILOF THEEUROPEANUNION. Brusels,27May 2014 (OR.en) 10296/14 LIMITE JUR321 JAI368 POLGEN75 FREMP104

EUROPEAN PARLIAMENT AND COUNCIL

Council of the European Union Brussels, 12 April 2018 (OR. en)

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

SPICe briefing THE SUBSIDIARITY PROTOCOL IN THE TREATY OF LISBON. 24 April /21

The Proposal for a Regulation of the European Parliament and of the Council on Agricultural Product Quality Schemes

15724/1/17 REV 1 KM/CB/ek 1 DGE2B

European Union (Withdrawal) Bill House of Lords Committee stage 5 March 2018

Transcription:

Opinion 2/2017 EDPS Opinion on the proposed common framework for European statistics relating to persons and households 1 March 2017 1 P a g e

The European Data Protection Supervisor (EDPS) is an independent institution of the EU. The Supervisor is responsible under Article 41.2 of Regulation 45/2001 With respect to the processing of personal data for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institutions and bodies, and for advising Community institutions and bodies and data subjects on all matters concerning the processing of personal data. The Supervisor and Assistant Supervisor were appointed in December 2014 with the specific remit of being more constructive and proactive, and they published in March 2015 a five-year strategy setting out how they intended to implement this remit, and to be accountable for doing so. This Opinion provides comments and actionable recommendations on how to better safeguard the right to the protection of personal data in the proposed common framework for European statistics relating to persons and households. 2 P a g e

Executive Summary The Proposal aims at establishing a common framework for European statistics relating to persons and households based on data collected primarily from samples at individual level. The Proposal, in relevant part, contains references to the use of administrative records, as well as to other sources or innovative approaches to provide statistical data in the context of big data. New innovative approaches can bring promises for statistics and research, but will also pose risks, raise challenges, and legislators must ensure that any potential benefits should never come at the expense of individuals rights. To provide effective protection for the right of privacy and the right to the protection of personal data, legislators should anticipate the potential risks and challenges that these promising techniques may bring and provide for appropriate safeguards. To this end, we recommend revising Article 8 in order to ensure that any data processing involving administrative records and other data sources must be done in compliance with applicable data protection laws and that any direct provision of data by individuals (apart from certain exceptions as provided by law and subject to appropriate safeguards) must be made on a voluntary basis. With regard to linking administrative records, as foreseen in Article 11, we also highlight the need for ensuring that any such linking must be done in compliance with data protection law, subject to necessity, proportionality, and specific safeguards under Member State or Union law. 3 P a g e

TABLE OF CONTENTS Contents 1. BACKGROUND AND PURPOSE OF THE PROPOSAL... 5 2. OVERVIEW AND KEY CONCERNS... 5 3. RECOMMENDATIONS... 6 3.1 REFERENCES TO APPLICABLE DATA PROTECTION LAW (RECITAL 20)... 6 3.2 REFERENCES TO SUBSTANTIAL PUBLIC INTEREST (RECITAL 20)... 6 3.3 DEFINITION OF ADMINISTRATIVE RECORDS (ARTICLE 2(E) AND RECITAL 4)... 7 3.4 DATA SOURCES AND METHODS (ARTICLE 8)... 7 3.5 SAMPLING FRAMES (ARTICLE 11)... 8 4. CONCLUSIONS... 9 NOTES... 10 4 P a g e

THE EUROPEAN DATA PROTECTION SUPERVISOR, Having regard to the Treaty of the Functioning of the European Union, and in particular its Article 16, Having regard to the Charter of Fundamental Rights of the European Union, and in particular Articles 7 and 8 thereof, Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular Article 28(2) thereof, HAS ADOPTED THE FOLLOWING OPINION: 1. BACKGROUND AND PURPOSE OF THE PROPOSAL 1 On 8 August 2016, the European Commission ( Commission ) published a Proposal for a Regulation of the European Parliament and of the Council establishing a common framework for European statistics relating to persons and households, based on data at individual level collected from samples (hereafter: the Proposal ) 1. On the same day, the Commission requested the European Data Protection Supervisor ( EDPS ), as an independent advisory body, for his Opinion. The Council of the European Union ( Council ) also submitted a request on 25 November 2016. 2 As set out in its Article 1 ( Subject matter ), the purpose of the Proposal is to establish a common framework for European statistics relating to persons and households, based on data at individual level collected from samples. 3 The EDPS takes note of the policy objectives of the Proposal. He welcomes: the fact that he has been consulted and that a reference to this consultation has been made in Recital 23 of the proposed Regulation; the inclusion of Recital 20 referring to applicable data protection law (Regulation 95/46/EC and Regulation (EC) No 45/2001 of the European Parliament and of the Council); as well as the reference to data protection rules when linking different records regarding an individual (Article 11). 2. OVERVIEW AND KEY CONCERNS 4 Our main concern is the ambiguity in the current draft surrounding the possibility of the use of administrative data and big data sources such as telephone location data, corporate and tax records, social security and medical records, records of unemployment 5 P a g e

offices and organisations managing social security. While big data may promise new possibilities and increased efficiencies for the production of official statistics, it also poses specific risks, and therefore, we suggest careful scrutiny of any relevant provisions 2. 5 We would also welcome more clarity on the fact that whenever any information is directly provided by individuals, this should be done on a voluntary basis, using consent under Articles 6 and 7 of the General Data Protection Regulation ( GDPR ) 3 as a legal basis for the processing of personal data; unless the provision of information is specifically required under Union or Member States law in accordance with applicable data protection law. 6 In light of these concerns, we would particularly welcome if the legislators could introduce more clarity in the way Article 8 (on data sources and methods) is drafted. 7 Other relevant provisions that the EDPS considers could be improved may include the following: Article 2(e) on the definition of administrative records ; Recital 4 on the use of administrative sources for statistical purposes; Recital 20 on applicable data protection law and the notion of substantial public interest ; Article 11(1) on sampling frames. 3. RECOMMENDATIONS 3.1 References to applicable data protection law (Recital 20) 8 Depending on the date of entry into force of the proposed Regulation, references to applicable law in Recital 20 may need to be updated. In particular, they may need to be replaced by references to the General Data Protection Regulation (GDPR), which will become applicable on 25 May 2018, and by references to the new legal instrument replacing Regulation 45/2001. 9 We would also welcome a reference, in a recital, to compliance with the safeguards relating to processing for statistical purposes under Article 89 of the GDPR. 10 Considering that the Proposal foresees use of data from new data sources, which might include, for example, location data obtained from mobile telephone records (see Section 3.4 discussing Article 8 below), we also recommend a specific reference to the eprivacy Directive 4 currently under revision (or to the new eprivacy Regulation if appropriate considering the timelines). 3.2 References to substantial public interest (Recital 20) 11 To enable easier reference for non-experts, we recommend that the words under Article 8(4) of Directive 95/46/EC be added after the phrase substantial public interest. Should the text refer to the GDPR, the appropriate reference would be Article 9(2)(g) of the GDPR. 6 P a g e

3.3 Definition of administrative records (Article 2(e) and Recital 4) 12 Article 2(e) of the Proposal defines administrative records as data generated by a nonstatistical source, usually a public body, the aim of which is not to provide statistics, for its own purposes. The term, administrative records is then used in Article 8 as well as in Recital 4. 13 This definition of administrative records appears to be very broad and appear to include, in practice, any other data sources, which is another term also used in Article 8. The term administrative data, as defined, can thus include, for example, not only administrative records of public bodies but also sources such as mobile phone location data, which is, in the sense as the term is commonly used in everyday language, not always considered as an administrative record. 14 This in itself does not appear to have a direct impact on the level of protection of personal data, considering that Article 8, in any event, includes any other data sources. Nevertheless, for the sake of clarity, the legislators could consider revising Article 2(e) and more narrowly defining administrative records. Alternatively, the legislators could delete Article 2(e) altogether, and instead, in Article 8, refer to administrative records created by an organisation, usually a public body, for other, non-statistical purposes, and any other sources, methods or innovative approaches.... 15 Further, as we noted above, Recital 4 specifically encourages use of administrative sources for statistical purposes. We welcome the fact that the recital highlights the need to ensure quality, accuracy, timeliness and comparability of those statistics. To further improve this provision, we recommend adding a reference to the protection of personal data. For example, the following text can be added at the end of the paragraph: as well as safeguarding the right to the protection of personal data. 3.4 Data sources and methods (Article 8) 16 In addition to data directly provided by the respondents, Article 8 also refers to administrative records and any other sources, methods or innovative approaches in so far as they allow for the production of data that are comparable and compliant with the applicable specific requirements laid down by this Regulation. 17 Article 8 reflects the intention, set forth on page 13 of the Explanatory Memorandum, to allow and promote the use of new forms of data collection and of alternative data sources, including administrative data and estimates obtained from modelling and big data. See also Recital 4 of the Proposal, already mentioned above, promoting the use of administrative sources, thanks to technological advances and Article 13 on feasibility and pilot studies, which also discusses the use of other data sources. 18 In the field of statistics, as in other fields, big data may bring benefits, such as increased efficiency. However, it can also create additional risks. The new data protection framework, and the adoption of the GDPR in particular, aims to address these risks in a way that provides protection but also allows flexibility for further data use, including for statistical purposes. 7 P a g e

19 Further legislative measures in the field of national or Union law governing statistics, however, will likely to be still required, in order to allow more widespread use of big data in statistics in a way compatible with applicable data protection law. 20 The current Proposal should not provide the illusion that Article 8 itself is providing a sufficient legal basis for using big data for the purposes of the Proposal. It is essential that the recitals and Article 8, combined, make it clear that any such use of big data sources is subject to applicable data protection law, including the need for an appropriate legal basis under Article 6 of the GDPR. 21 To this effect, we recommend that Article 8 be revised as follows: Article 8 Data sources and methods 1. Member States shall provide the data referred to in Article 1 by using one or a combination of the following sources, provided that they meet the quality requirements given in Article 12 and are collected and further processed in accordance with and subject to safeguards provided for in applicable data protection laws: (a) (b) information directly provided by the respondents on a voluntary basis, on the basis of the consent of the data subjects providing the data under Article 7 of [the GDPR] (unless the provision of information is specifically required under Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subjects rights and freedoms and legitimate interest); administrative records and any other sources, methods or innovative approaches in so far as they allow for the production of data that are comparable and compliant with the applicable specific requirements laid down by this Regulation. 2. Member States shall provide the Commission (Eurostat) with detailed information on the sources and methods used. 3.5 Sampling frames (Article 11) 22 Article 11(1) provides that the sampling frames shall also include the information needed to link persons to other administrative records, in so far as is allowed under data protection rules. 23 We recommend that the second part of the sentence be rephrased to read: insofar as linking to such other records is necessary and proportionate, and specifically permitted under applicable Union or Member State law, to which the controller is subject and which also lays down suitable measures to safeguard the data subjects rights and freedoms and legitimate interest. 8 P a g e

4. CONCLUSIONS 24 The EDPS recommends: including a reference to the eprivacy Directive when referring to applicable law in Recital 20 as well as making the necessary updates to all relevant references, if needed, in light of the current review of the data protection framework; clarifying references to substantial public interest in Recital 20; substantially revising Article 8 in order to ensure that any data processing involving administrative records and other data sources must be done in compliance with applicable data protection laws and that any direct provision of data by individuals (apart from certain exceptions as provided by law and subject to appropriate safeguards) must be made on a voluntary basis; with regard to linking administrative records, as foreseen in Article 11, ensuring that any such linking must be done in compliance with data protection law, subject to necessity, proportionality, and specific safeguards under Member State or Union law; considering a revision of the definition of administrative record in Article 2(e) and adding a reference to the protection of the right to the protection of personal data in the related Recital 4. Brussels, 1 March 2017 Wojciech Rafał WIEWIÓROWSKI Assistant European Data Protection Supervisor 9 P a g e

Notes 1 COM(2016)551 final. 2 On the opportunities, risks and challenges posed by big data, see EDPS Opinion7/2015 on Meeting the challenges of big data': https://secure.edps.europa.eu/edpsweb/webdav/site/mysite/shared/documents/consultation/opinions/201 5/15-11-19_Big_Data_EN.pdf. See more specifically Section 1. 3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); OJ L 119, 04.05.2016, p.1, available at: http://eur-lex.europa.eu/legal-content/en/txt/pdf/?uri=oj:l:2016:119:full. 4 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201, 31.7.2002, p.37; amended by Directive 2009/136/EC. 10 P a g e

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback