External borders: mandate of the Agency for the Management of Operational Cooperation at the External Borders (FRONTEX)

2010/0039(COD)

Opinion of the European Data Protection Supervisor on the proposal for a Regulation of the European Parliament and of the Council amending Council Regulation (EC) No 2007/2004 establishing a European Agency for the Management of Operational Cooperation at the External

Borders of the Member States of the European Union (FRONTEX)

The EDPS welcomes the fact that he was informally consulted by the Commission before the adoption of the proposal. Informal comments were issued by the EDPS on 8 February 2010 and resulted in a number of changes in the final version of the proposal adopted by the Commission.

On 2 March 2010, the proposal as adopted by the Commission was sent to the EDPS for consultation in accordance with Regulation (EC) No 45/2001.

It is also pertinent to mention that the EDPS issued an Opinion on a notification for Prior Checking received from the Data Protection Officer of FRONTEX concerning the ‘Collection of names and certain other relevant data of returnees for join return operations (JRO)’ (the Prior Check Opinion). The conclusions of the Opinion, the subject of which is the processing of personal data in the context of the preparation and realisation of the JROs under Article 9 of Regulation (EC) No 2007/2004, have been used as a basis for some of the observations and conclusions presented in this opinion.

The main conclusions of this Opinion are as follows :

Noting notes that the proposal aims to allow FRONTEX to fulfil its current tasks and responsibilities, as well as those provided by the proposed Regulation more effectively, the EDPS states that it is striking that the proposed Regulation is almost completely silent about the processing of personal data by FRONTEX, with a sole exception of the last sentence of Article 11 of the proposal. He is of the opinion that the proposed Regulation should — to the extent necessary and appropriate — address clearly the question of the scope of the activities that may give rise to the processing of personal data by FRONTEX. The EDPS believes that a specific legal basis addressing the issue of the processing of personal data by FRONTEX and providing for clarification of the circumstances under which such processing by FRONTEX could take place, subject to strong data protection safeguards and in accordance with the proportionality and necessity principles, is needed. Only where necessary for clearly identified and lawful purposes (in particular JRO) should such processing be allowed.

The legal basis should specify the necessary and appropriate safeguards, limitations and conditions under which such a processing of personal data would take place, in compliance with Article 8 of the European Convention on Human Rights and Article 8 of the EU Charter of Fundamental Rights, including guarantees regarding the data subject’s rights as one of the most important elements.

The Commission’s reluctance to specify this in the proposed Regulation or to clearly state the date by when it will do so, instead preferring to postpone the matter pending new legal and political circumstances, raises serious concerns. In the EDPS’s view, this approach could lead to undesirable legal uncertainty and a significant risk of non-compliance with data protection rules and safeguards.

In order further to improve the proposal, the EDPS also calls on the legislator to clarify in the proposed Regulation that the working arrangement which could be concluded with Europol on the basis of the proposed Article 13 of the FRONTEX Regulation, would exclude the exchange of personal information. Moreover, he also suggests a clarification of Article 11(b) of the proposal. (in order to clarify security obligations with regard to classified and non-classified documents.)