Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Mutual assistance and cooperation between administrations to ensure the correct application of the law on customs and agricultural matters: antifraud system and customs risk management

2013/0410(COD)

OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR (EDPS)

The Commission proposal amends one of the most important legal instruments for action against breaches of customs legislation. The fight against breaches of Union customs legislation involves extensive exchanges of information - including personal data - in the context of cooperation between competent authorities in the Member States and between the latter and the Commission.

Before the adoption of the proposal, the EDPS was given the possibility to provide informal comments to the Commission. The proposal was sent to the EDPS for consultation on 29 November 2013. Some of these comments have been taken into account. As a result, the data protection safe guards in the Proposal have been strengthened.

The EDPS welcomes the modifications that the Commission brought to the proposal, however, it should be noted that the proposal also contains some rather serious weaknesses that need to be eliminated before its final adoption.

The EDPS wishes to highlight that the Commission should have taken a more comprehensive approach to the legislation on mutual assistance in the customs area, namely by deciding to eliminate the Regulation/Decision dual basis and to substitute it with a single instrument based exclusively on the TFEU, in order to guarantee legal certainty and a seamless data protection regime.

Against this background, the EDPS recommends:

  • the introduction of a new model for the supervision of all databases which involve processing of personal data established on the basis of the Regulation and the proposal. Such model would be based on coordinated supervision which has a three-layered structure: data protection agencies at national level, EDPS at central level and coordination between both;
  • the designation of the EDPS as secretariat of supervision coordination under both the Decision and the Regulation;
  • the introduction of a general provision in the text of the Proposal to clarify that Regulation (EC) No 45/2001 applies to processing of personal data carried out by Union institutions and that national laws implementing Directive 95/46/EC are applicable to the processing carried out by the relevant competent authorities in the various Member States;
  • the substitution of various fragmented provisions with uniform provisions specifying for each database (i) the role of the Commission as data controller or possibly joint data controller together with the relevant national competent authorities; (ii) if needed for the sake of clarity, the supervisory role of the EDPS where the Commission is the controller, as opposed to cases where the processing is under the supervision of national data protection authorities; (iii) the technical measures to be adopted by the Commission in order to ensure security of the processing (possibly, the specific measures could be inserted in a delegated act in order to ensure a more flexible updating); and (iv) the need for prior checking by the EDPS;
  • that the newly introduced retention periods are reconsidered on the basis of an evaluation of the necessity of the duration for each specific case; furthermore the provisions on anonymisation of data should be modified in order to require deletion of the data;
  • as regards the CSM database, the proposal should indicate an exhaustive list of data to be inserted. Alternatively, the text of the proposal should explicitly prohibit that personal data are to be inserted in such database.