Securities settlement in the EU and central securities depositories (CSDs)

Executive summary of the Opinion of the European Data Protection Supervisor on the Commission proposal for a regulation of the European Parliament and of the Council on improving securities settlement in the European Union and on central securities depositories (CSDs) and amending Directive 98/26/EC.

The EDPS welcomes the fact that he is consulted by the Commission and recommends that references to this Opinion are included in the preambles of the proposed regulation. The EDPS begins by recalling that any trade in securities on or off a trading venue is followed by a post-trade flow of processes, leading to the settlement of the trade, which means the delivery of securities to the buyer against the delivery of cash to the seller. CSDs are key institutions that enable settlement by operating securities settlement systems. They are the institutions that facilitate the transactions concluded on the markets. CSDs also ensure the initial recording and the central maintenance of securities accounts that record how many securities have been issued by whom and each change in the holding of those securities.

While generally safe and efficient within national borders, CSDs combine and communicate less safely across borders, which means that an investor faces higher risks and costs when making a cross-border investment. The absence of an efficient single internal market for settlements also raises other important concerns such as the limitation of security issuers' access to CSDs, different national licensing regimes and rules for CSDs across the EU, and limited competition between different national CSDs. These barriers result in a very fragmented market while cross-border transactions in Europe continue to increase and CSDs become increasingly interconnected.

Recommendations: the EDPS states that the proposal contains provisions which may in certain cases have data protection implications for the individuals concerned such as the investigative powers of the competent authorities, the exchange of information, the keeping of records, the outsourcing of activities, the publication of sanctions and the reporting of breaches.

Accordingly, the EDPS makes some recommendations, the main ones being as follows:

·        the rephrasing of provisions emphasising the full applicability of existing data protection legislation in one general provision referring to Directive 95/46/EC as well as Regulation (EC) No 45/2001 and the clarification of the reference to Directive 95/46/EC by specifying that the provisions will apply in accordance with the national rules which implement Directive 95/46/EC. The EDPS furthermore recommends including this type of overarching provision in a substantive provision of the proposal;

·        the limitation of competent authorities’ access to documents and information to specifically identified and serious violations of the proposal and in cases where a reasonable suspicion (which should be supported by concrete initial evidence) exists that a breach has been committed;

·        the introduction of a requirement for competent authorities to request documents and information by formal decision, the specification of the legal basis and the purpose of the request and what information is required, the time limit within which the information is to be provided, as well as the right of the addressee to have the decision reviewed by a court of law;

·        the specification of the kind of personal information that can be processed and transferred under the proposal, the definition of the purposes for which personal data can be processed and transferred by competent authorities and the fixing of a proportionate data retention period for the above processing or at least the introduction of precise criteria for its establishment;

·        in view of the risks concerned regarding transfers of data to third countries, the addition of specific safeguards such as a case-by-case assessment and the existence of an adequate level of protection of personal data in the third country receiving the personal data;

·        the replacement of the minimum retention period of five years in Article 27 of the proposal with a maximum retention period when records contain personal data. The chosen period should be necessary and proportionate for the purpose for which data are processed,

·        the rephrasing of Article 28.1(i) as follows: ‘The CSD ensures that the service provider provides its services in full compliance with the national rules, applicable to the CSD, implementing Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The CSD is responsible (…)’;

·        the addition in Article 62.2(b) of a provision saying that the identity of these persons should be guaranteed at all stages of the procedure, unless its disclosure is required by national law in the context of further investigation or subsequent judicial proceedings’;

·        the assessment of the necessity and proportionality of the proposed system of mandatory publication of sanctions. Subject to the outcome of the necessity and proportionality test, in any event provide for adequate safeguards to ensure respect of the presumption of innocence, the right of the persons concerned to object, the security/accuracy of the data and their deletion after an adequate period of time.

Lastly, the EDPS notes that there are comparable provisions to the ones referred to in this Opinion in several pending and possible future proposals, such as those discussed in the EDPS Opinions on the European Venture Capital Funds and the European Social Entrepreneurship Funds, and the legislative package on the revision of the banking legislation, credit rating agencies, markets in financial instruments (MiFID/MiFIR) and market abuse. Therefore, the EDPS recommends reading this Opinion in close conjunction with his Opinions on these initiatives.