This note contains the European Ombudsman's comments on the Commission's proposal for a Statute for the European Data Protection Supervisor.(1)

---

1 The principle of openness

The importance of openness for relations between the Union and its citizens was recognised in 1993 in Declaration 17, attached to the Maastricht Treaty. The European Union has subsequently made great progress in putting the principle of openness into practice.

The Council and Commission adopted a joint Code of Conduct on access to documents, implemented through Council decision 93/731 and Commission decision 94/90. The case law of the Community courts on the interpretation and application of these Decisions has strengthened the right of public access to documents and clarified the scope of the exceptions to that right.

The Amsterdam Treaty incorporated the principle that decisions should be taken "as openly as possible" into the Treaty on European Union (Art. 1). It also included the right of public access to documents of the European Parliament, Council and Commission in the EC Treaty (Art. 255). In December 2000, the right of public access to such documents was enshrined in the Charter of Fundamental Rights of the European Union (Art. 42).

On 30 May 2001, the Council and the European Parliament adopted a Regulation on public access to documents of the Parliament, Council and Commission ("the public access Regulation").(2) The Regulation is a real step forward in openness. The credit for this belongs to the European Parliament, which rejected the Commission's restrictive first draft and negotiated with the Council for greater openness.

 

2 A new threat to openness?

The gains in openness achieved by the European Parliament in the public access regulation are under threat, even before the new Regulation is fully operative. The threat arises from failure to understand the purpose and limits of data protection rules.

For example, in dealing with a complaint to the Ombudsman, the Commission has taken a position which implies that any document containing the name of an individual is covered by the data protection rules.(3) Since most documents contain somebody's name, the Commission's view means that access to documents would, in practice, be decided by applying the data protection rules, not the public access Regulation. The presumption under data protection rules is in favour of confidentiality and reasons must normally be given before information can be given to a third party. The Commission's approach would therefore frustrate the intentions of the European Parliament, which fought hard to achieve a public access Regulation which has a presumption in favour of openness and which citizens can use without giving reasons.

It should also be noted that the European Parliament administration has delayed publishing a list of MEPs' assistants paid from public funds because of concerns about data protection. If generally adopted, this approach could undermine the provision of public registers of documents, which is one of the key achievements of the public access Regulation.

To interpret and apply data protection rules correctly, it is necessary to understand their legal basis and that they exist in order to protect private and family life.

 

3 The legal basis and purpose of data protection rules

According to the drafters of the Charter of Fundamental Rights, the right to protection of personal data is based on:

• Article 286 EC
• Directive 95/46/EC(4) on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the data protection Directive)
• Article 8 of the European Convention on Human Rights (ECHR) which guarantees the protection of private and family life.
• the Council of Europe's Convention of 28 January 1981 on Automatic Processing of Personal Data (the data protection Convention).

The most fundamental of these texts is Article 8 ECHR, which guarantees the protection of privacy and family life.

In a judgement of 16 February 2000, the European Court of Human Rights confirmed its earlier case law that it is data relating to the private life of an individual that fall within the scope of Article 8. The Court pointed out that respect for private life comprises the right to establish and develop relationships with other human beings, and explicitly linked this understanding of the notion of "private life" with the objective of the data protection Convention, which is to "secure in the territory of each Party for every individual ... respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him."(5)

The preamble to the data protection Convention and recitals to the data protection Directive also make clear that their purpose is to protect the fundamental right of privacy, not to restrict the information available to citizens about public activities.

This does not exclude the possibility that data concerning an individual's public life may be confidential on grounds other than data protection. The public access Regulation mentions several grounds of public and private interest which could justify such confidentiality, of which data protection is relevant only to one.

 

4 Public access and data protection are not competing rights

The Commission has argued that the right of access to documents and the right to privacy are both legitimate rights and that when they both enter into consideration a balance has to be struck.

It is true that the right of access to documents and the right to privacy are both legitimate rights. However, the idea of striking a balance between them on a case-by-case basis whenever a name is mentioned misrepresents the nature both of dealing with openness in the public sector and the right to privacy.

The principle of openness means that public bodies should take decisions as openly as possible. It is now defined in the public access Regulation. The public access Regulation provides for exceptions to access, including the need to protect the privacy and the integrity of the individual, in particular in accordance with Community legislation regarding the protection of personal data.

The point of this exception is that a public body may, in carrying out its public duties, come into possession of information about the private and family life of individuals. For example, institutions may possess confidential information about the health of members of their staff. Police or immigration authorities may also collect data about individuals' private lives.

However, there is nothing in Article 286 EC or the data protection Directive to suggest that data protection rules should be applied as a general principle of confidentiality in public administration, so as to require a balancing exercise whenever a document contains a name. Such an over-interpretation would damage not only the right of public access to documents, but also the genuine purpose of data protection.

The prevailing principle in public administration is to serve the citizens through decision-making procedures which are open, so that any citizen can carry out "genuine and efficient monitoring of the exercise of the powers vested in the Community institutions."(6)

 

5 The European Data Protection Supervisor

In December 2000, the European and Council adopted Regulation 45/2001 ("the data protection Regulation")(7) under Article 286 (2) EC. This Regulation imposes obligations on the Community institutions and bodies and their staff, additional to those contained in the data protection Directive.

According to Article 49 of the data protection Regulation "any failure to comply with the obligations pursuant to this Regulation, whether intentionally or through negligence on his or her part, shall make an official or other servant of the European Communities liable to disciplinary action."

Article 286 (2) EC also provides for the Council to establish an independent supervisory body responsible for monitoring data protection in the Community institutions and bodies. Regulation 45/2001 provides for a European Data Protection Supervisor, who will have broad powers of investigation and enforcement, including making binding orders.

On 18 July 2001, the Commission presented a proposal for a Decision of the three institutions on the Statute of the European Data Protection Supervisor.(8) This proposal is now being examined by the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (rapporteur Sig.Ra Elena Ornella PACIOTTI). The Committee on Legal Affairs (rapporteur Mr Malcom HARBOUR) is to give an opinion.

The explanatory memorandum accompanying the Commission's proposal states that the institutional profile of the Data Protection Supervisor is based on that of the European Ombudsman (the proposal mistakenly refers to the "European Mediator"). The proposal therefore calls for the following comments from the Ombudsman.

The status of the data protection supervisor

As far as we know, data protection supervisors in the Member States are mostly officials appointed by government. They supervise the processing of personal data by both the private and public sectors. As regards the private sector, they are analogous to other forms of regulation. As regards the public sector, they resemble internal control mechanisms, such as financial controllers and internal auditors who are also independent in the exercise of their functions. A body of this type appears to be foreseen by Article 286 EC which refers only to an "independent supervisory body".

Unlike Ombudsman institutions of the classical type, data protection supervisors are not appointed by Parliament as external control mechanisms for the public sector. The only such institution we know of is in Hungary.

To ensure a proper discussion of the proposed Statute, a survey should be carried out of the position in the different Member States. The research division of the European Parliament has carried out such a survey of Ombudsmen and of the Right to Petition in the Member States.

The Commission's proposal contains no estimate of the potential workload of the Data Protection Supervisor. The following points should be noted in this regard:

First, Regulation 45/2001 requires each institution and body to nominate independent data protection controllers. They will have the primary task of ensuring compliance.

Second, the Data Protection Supervisor will deal only with the Community institutions and bodies. Unlike the national bodies, the Data Protection Supervisor has no competence for the private sector.

Third, Europol and the Schengen information system are subject to a separate scheme.(9) This means that little sensitive personal data is likely to come within the Data Protection Supervisor's mandate. The European Ombudsman's experience is that there have been few complaints - and these only from staff - about failure to protect personal data.

Procedural safeguards

The Data Protection Supervisor will have broad powers of investigation and enforcement, including making binding orders. The draft Statute fails to provide procedural safeguards for the investigation and enforcement powers.

In contrast, the Statute of the European Ombudsman, which the European Parliament laid down in 1994,(10) establishes the Ombudsman's procedures and provides for the Ombudsman to adopt implementing provisions. The Statute and the implementing provisions are annexed to the European Parliament's Rules of Procedure.

To ensure transparency for citizens and the proper use of powers, the Data Protection Supervisor's procedures should be as clearly specified.

The scope of data protection

The effective implementation of the public access Regulation could be undermined if the staff responsible for releasing documents work in fear that they may be punished for violation of data protection rules merely because a document contains a name.

The European Parliament has the opportunity, in dealing with the draft Statute and the Ombudsman's special report on complaint 713/98, to clarify that data protection rules are concerned with the protection of private and family life, in accordance with the case-law concerning the relationship between Article 8 of the European Convention on Human Rights and the Council of Europe's data protection Convention.

This would make clear that the purpose of data protection is not to restrict the information available to citizens about public activities.

It would also reassure staff responsible for implementing the public access Regulation that the mere fact that a document contains a name does not mean that they risk sanctions by giving access to it.

 

6 Conclusions

The Statute of the European data protection Supervisor should:

• be based on a proper survey of the institutional position of data protection officials in the different Member States
• contain procedural safeguards, to ensure that the Supervisor's broad powers of investigation and enforcement are used fairly
• clarify that data protection rules are concerned with the protection of private and family life, in accordance with the case-law concerning the relationship between Article 8 of the European Convention on Human Rights and the Council of Europe's data protection Convention.

 

Jacob Söderman
Strasbourg 14 November 2001

---

(1) Proposal for a Decision of the European Parliament, of the Council and of the Commission on the regulations and general conditions for the performance of the duties of the European Data Protection Supervisor, as foreseen by Article 43 of Regulation 45/2001 (COM (2001) 411 final).

(2) Regulation (EC) No 1049/2001 of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, 2001 OJ L 145/43.

(3) See the Ombudsman's special report to the European Parliament of 23 November 2000 in case 713/98. The European Parliament is still dealing with the report.

(4) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31.

(5) Amann v. Switzerland, (Application no. 27798/95) para. 65.

(6) Case T-92/98, Interporc Im- und Export GmbH v Commission ("Interporc II"), [1999] ECR II-3521, paragraph 39.

(7) Regulation (EC) 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ 2001 L8/1.

(8) Note 1 above

(9) Council Decision on 17 October 2000 establishing a secretariat for the joint supervisory data-protection bodies set up by the Convention on the Establishment of a European Police Office (Europol Convention), the Convention on the Use of Information Technology for Customs Purposes and the Convention implementing the Schengen Agreement on the gradual abolition of checks at the common borders (Schengen Convention, 2000 OJ L 271/1.

(10) European Parliament decision 94/262 of 9 March 1994 on the regulations and general conditions governing the performance of the Ombudsman's duties, OJ 1994, L 113/15.