Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Customs enforcement of intellectual property rights

2011/0137(COD)

Opinion of the European Data Protection Supervisor on the proposal for a regulation of the

European Parliament and of the Council concerning customs enforcement of intellectual property rights.

The EDPS recalls that the proposal establishes the procedure through which right holders can apply to require the customs department of a Member State to take action in that Member State (‘national application’) or the customs departments of more than one Member State to take action in each and respective Member State (‘EU application’).

The proposal also establishes the process through which the relevant customs departments take a decision on the application, the actions that the customs authorities (or offices) should consequently take (i.e. suspension of the release, detention or destruction of goods) and the connected rights and obligations.

In this context, the processing of data provided by the draft regulation does not only cover the personal data of the holder of the right in the context of the transfer of applications and decisions from right holders to custom authorities, between the Member States and between Member States and the Commission. It also covers the consignor, consignee, the declarant or holder of the goods as well as other information related to the goods.

The EDPS welcomes the specific reference in the proposal to the applicability of Directive 95/46/EC and Regulation (EC) No 45/2001 to the personal data processing activities covered by the Regulation.

He highlights the following points with a view to improving the text from a data protection perspective:

Right of information of the data subject: whilst the Commission is empowered to adopt implementing acts, Article 6(3) already contains a list of required information to be provided by the applicant, including the applicant's  personal data. In determining the essential content of the application, Article 6(3) should also require the customs authorities to provide to the applicant and any other potential data subject (e.g. consignor, consignee or holder of the goods) with the information pursuant to the national rules implementing Article 10 of Directive 95/46/EC. In parallel, the application should also embody the similar information to be provided to the data subject for processing by the Commission pursuant to Regulation (EC) No 45/2001 (in view of the storing and processing operations in COPIS).

The EDPS therefore recommends that Article 6(3) includes, in the list of information to be provided to the applicant, the information to be provided the data subject pursuant to Article 10 of Directive 95/46/EC and Article 11 of Regulation (EC) No 45/2001.

In addition, the EDPS asks to be consulted when the Commission exercises its implementing power, in order to ensure that the new model (national or EU) application forms are ‘data protection compliant’.

Time limit for the retention of personal data: the EDPS would like to stress that the application submitted by the right holder (and in particular, the personal data therein) should not be stored or retained by the national customs authorities and in the COPIS database beyond the date of expiry of the decision. He suggests inserting a provision in the proposalwhich imposes a limit to the retention of personal data linked to the duration of the period of validity of the decisions. Any extension of the duration of the retention date should be avoided or, if justified, should fulfil the principles of necessity and proportionality in relation to the purpose, which needs to be clarified. Including a provision in the proposal, which would be equally applicable throughout the Member States and to the Commission, would guarantee simplification, legal certainty and effectiveness, as it would avoid conflicting

interpretations.

Legal basis for establishment of COPIS: the legal basis for the creation of the COPIS database seems currently to be limited to the combined provisions of the new Articles 6(4) and 31. However, there is at this stage no further detailed legal provision adopted through the ordinary legislative procedure in which the purpose and characteristics of COPIS are determined. This is particularly worrying in the EDPS' view. Personal data of individuals (names, addresses and other contact details as well as related information on suspected offences) will be the object of an intense exchange between the Commission and Member States and will be stored for an undefined period of time within the database, yet there is no legal text on the basis of which an individual could verify the legality of such processing. Furthermore, the specific access rights and management rights in relation to the various processing operations are not explicitly clarified.

The EDPS stresses that the legal basis for instruments which restrict the fundamental right to the protection of personal data, as recognised by Article 8 of the Charter of Fundamental Rights of the Union and in the case law on the basis of Article 8 of the European Convention on Human Rights, and which is recognised by Article 16 of the TFEU, must be laid down in  a legal instrument based on the Treaties and that can be invoked before a judge. This is necessary in order to guarantee legal certainty for the data subject, who must be able to rely on clear rules and invoke them before a court.

The EDPS therefore urges the Commission to clarify the legal basis of the COPIS database by introducing a more detailed provision in an instrument adopted according to the ordinary legislative procedure under the TFEU. Such a provision must comply with the requirements of Regulation (EC) No 45/2001 and, where applicable, Directive 95/46/EC. In particular, the provision establishing the database involving the electronic exchange mechanism must:

·        identify the purpose of the processing operations and establish which are the compatible uses;

·        identify which entities (customs authorities, Commission) will have access to which data stored in the database and will have the possibility of modifying the data;

·        ensure the right of access and information for all the data subjects whose personal data may be stored and exchanged;

·        define and limit the retention period for the personal data to the minimum necessary for the performance of such purpose.

Lastly, the EDPS stresses that the following elements of the database should be defined in the main legislative act:

·        the entity which will be controlling and managing the database

·        the entity in charge of ensuring the security of the processing of the data contained in the database.