Market abuse

2011/0295(COD)

Opinion of the European Data Protection Supervisor (EDPS) on the Commission proposals for a Regulation of the European Parliament and of the Council on insider dealing and market manipulation, and for a Directive of the European Parliament and of the Council on criminal sanctions for insider dealing and market manipulation.

The proposed Regulation and Directive were sent by the Commission to the EDPS for consultation and received on 31 October 2011. On 6 December 2011, the Council of the European Union consulted the EDPS on the proposals.

The EDPS notes that several of the measures planned in the proposals to increase market integrity and investor protection impact upon the rights of individuals relating to the processing of their personal data. While the proposed Regulation contains several provisions that may affect the individual's right to protect their personal data, the proposed Directive does not as such involve the processing of personal data.

This opinion is based on the proposed Regulation and notably on the following issues :

1. Applicability of data protection legislation : the EDPS very much welcomes this overarching provision and appreciates in general the attention specifically paid to the data protection legislation in the proposed Regulation. However, the EDPS suggests that the provision should be rephrased emphasising the applicability of existing data protection legislation. Moreover, the reference to Directive 95/46/EC should be clarified by specifying that the provisions will apply in accordance with the national rules which implement Directive 95/46/EC.

2. Insider lists : the proposed Regulation contains the obligation for issuers of a financial instrument or emission allowances market participants to draw up a list of all persons working for them, under a contract of employment or otherwise, who have access to inside information.

The EDPS acknowledges the necessity of such a list as an important tool for competent authorities when investigating possible insider dealing or market abuse. However, in so far as these lists involve the processing of personal data, the main data protection rules and guarantees should be laid down in the basic law. Therefore the EDPS recommends making an explicit reference to the purpose of such a list in a substantive provision of the proposed Regulation. The EDPS recommends: (i) including the main elements of the list (in any event the reasons for persons to be included) in the proposed Regulation itself; (ii) including a reference to the need to consult the EDPS in so far as the delegated acts concern the processing of personal data.

3. Powers of the competent authorities : two powers need particular attention due to their interference with the rights to privacy and data protection: the power to enter private premises in order to seize documents in any form and the power to require existing telephone and data traffic records. The EDPS recommends :

  • subjecting the power to enter private premises in order to seize documents in any form to strict conditions and surrounding it with adequate safeguards, since it is highly intrusive and interferes with the right to privacy;
  • requiring that the power to require existing telephone and existing data traffic records be exercised by formal decision specifying the legal basis and the purpose of the request and what information is required, the time-limit within which the information is to be provided as well as the right of the addressee to have the decision reviewed by the Court of Justice;
  • specifying the categories of telephone and data traffic records which competent authorities can require. Such data must be adequate, relevant, and not excessive in relation to the purpose for which they are accessed and processed;
  • limiting Article 17.2 (f) to data normally processed (‘held’) by telecommunications operators in the framework of E-Privacy Directive 2002/58/EC.

4. Systems in place to detect and report suspicious transactions : the proposed Regulation foresees that any person who operates the business of a trading venue shall adopt and maintain effective arrangements and procedures aimed at preventing and detecting market abuse.

As these systems will most probably involve personal data (e.g. monitoring of transactions made by persons named on insider lists), the EDPS would underline that these standards should be developed according to the principle of ‘privacy by design’, i.e. the integration of data protection and privacy from the very inception of new products, services and procedures that entail the processing of personal data. In addition, the EDPS recommends including a reference to the need to consult the EDPS in so far as these regulatory standards concern the processing of personal data.

5. Exchange of information with third states : the EDPS notes the reference to Directive 95/46/EC, particularly to Articles 25 or 26 and the specific safeguards mentioned in Article 23 of the proposed Regulation concerning the disclosure of personal data to third countries.

6. Publication of sanctions : the proposed Regulation obliges Member States to ensure that the competent authorities publish every administrative measure and sanction imposed for breaches of the proposed Regulation without undue delay, including at least information on the type and nature of the breach and the identity of persons responsible for it, unless such disclosure would seriously jeopardise the stability of financial markets. The EDPS is not convinced that the mandatory publication of sanctions, as it is currently formulated, meets the requirements of data protection law as clarified by the Court of Justice in the Schecke judgment. He takes the view that the purpose, necessity and proportionality of the measure are not sufficiently established and that, in any event, adequate safeguards against the risks to the rights of individuals should have been provided for.

7. Reporting of breaches : Article 29 of the proposed Regulation requires Member States to put in place effective mechanisms for reporting breaches, also known as whistle-blowing schemes. While they may serve as an effective compliance tool, these systems raise significant issues from a data protection perspective.

The EDPS highlights the need to introduce a specific reference to the need to respect the confidentiality of whistleblowers' and informants' identity. The EDPS recommends adding the following provision to letter (b) of Article 29.1: ‘the identity of these persons should be guaranteed at all stages of the procedure, unless its disclosure is required by national law in the context of further investigation or subsequent judicial proceedings’. The EDPS is pleased to see that Article 29.1 (c) requires Member States to ensure the protection of personal data of both the accused and the accusing person, in compliance with the principles laid down in Directive 95/46/EC. He suggests, however, removing ‘the principles laid down in’, to make the reference to the Directive more comprehensive and binding.