Markets in financial instruments. Recast

2011/0298(COD)

OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the Commission proposals for a Directive of the European Parliament and of the Council on markets in financial instruments repealing Directive 2004/39/EC of the European Parliament and of the Council, and for a Regulation of the European Parliament and of the Council on markets in financial instruments and amending Regulation on OTC derivatives, central counterparties and trade repositories.

The EDPS was informally consulted prior to the adoption of the proposals. He notes that several of his comments have been taken into account in the proposals.

Several aspects of the proposals have an impact on the rights of individuals relating to the processing of their personal data. These are: 1) obligations to keep records and transaction reporting; 2) powers of competent authorities (including power to inspect and power to require telephone and data traffic); 3) publication of sanctions; 4) reporting of violations, and in particular provisions on whistle-blowing; 5) cooperation between competent authorities of Member States and the ESMA.

The EDPS makes the following recommendations:

Applicability of data protection legislation: insert a substantive provision in the proposals with the following wording: ‘With regards to the processing of personal data carried out by Member States within the framework of this Regulation, competent authorities shall apply the provisions of national rules implementing Directive 95/46/EC. With regards to the processing of personal data carried out by ESMA within the framework of this Regulation, ESMA shall comply with the provisions of Regulation (EC) No 45/2001’.

Obligation to keep records and transaction reporting: replace in Article 22 of the proposed Regulation the minimum retention period of 5 years with a maximum retention period.  The chosen period should be necessary and proportionate for the purpose for which data have been collected.

Duty to record telephone conversation or electronic communications: specify in Article 16.7 of the proposed Directive (i) the purpose of the recording of telephone conversations and electronic communications and (ii) to what kind of telephone conversations and electronic communications it is referred toas well as the categories of data related to the conversations and communications will be recorded. Personal data must adequate, relevant and not excessive in relation to the purposes for which they are collected. The EDPS invites the legislator thoroughly to evaluate which retention period is necessary for the purpose of the recording of telephone conversations and electronic communications within the specific scope of the proposal.

Powers of competent authorities:

·        clarify in Article 71.2(c) of the proposed Directive that the inspection power is limited to the premises of investment firms and does not cover private premises;

·        introduce in Article 71.2(d) concerning the power to require telephone and traffic data, the prior judicial authorisation as a general requirement and the requirement of a formal decision specifying: (i) the legal basis (ii) the purpose of the request (iii) what information is required (iv) the time-limit within which the information is to be provided and (v) the right of the addressee to have the decision reviewed by the Court of Justice;

·        clarify to what telephone and traffic data records Article 71.2(d) is referring.

Publication of sanctions or other measures: in light of doubts expressed in the Opinion, assess the necessity and proportionality of the proposed system of mandatory publication of sanctions. Subject to the outcome of the necessity and proportionality test, in any event provide for adequate safeguards to ensure respect of the presumption of innocence, the right of the persons concerned to object, the security/accuracy of the data and their deletion after an adequate period of time.

Reporting of breaches: with regard to Article 77.1

·        add in letter b) a provision saying that: ‘the identity of these persons should be guaranteed at all stages of the procedure, unless its disclosure is required by national law in the context of further investigation or subsequent judicial proceedings’;

·        add a letter d) requiring Member States to put in place ‘appropriate procedures to ensure the right of the accused person of defence and to be heard before the adoption of a decision concerning him and the right to seek effective judicial remedy against any decision or measure concerning him’;

·        remove ‘the principles laid down’ from letter c) of the provision to make the reference to the Directive more comprehensive and binding.

Information exchanges with third countries: in view of the risks concerned in such transfers the EDPS recommends adding specific safeguards such as the case-by-case assessment, the assurance of the necessity of the transfer, the requirement for prior express authorisation of the competent authority to a further transfer of data to and by a third country and the existence of an adequate level of protection of personal data in the third country receiving the personal data.