Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Serious cross-border threats to health

2011/0421(COD)

Opinion of the European Data Protection Supervisor on the proposal for a decision of the European Parliament and of the Council on serious cross-border threats to health

The Proposal aims at replacing Decision 2119/98/EC setting up a network for the epidemiological surveillance and control of communicable diseases in the Community, which is the current legal basis for the Early Warning and Response System (‘EWRS’). The latter has been the subject of a prior check Opinion of the EDPS.

The EDPS welcomes the references to Regulation (EC) No 45/2001 and Directive 95/46/EC in Article 18 of the proposal and the fact that the reference to the applicable data protection legislation inArticle 18 now encompasses all personal data processing under the scope of the proposal. He also welcomes the specific data protection safeguards for contact tracing set forth, or required to be adopted by the Commission, under Article 18.

However, the following elements of the Proposal still require, or would benefit from, clarification, further detail or other improvements from the point of view of data protection:

·        contact tracing,

·        ad hoc surveillance,

·        controller-processor relationship,

·        retention period, and

·        security measures.

The EDPS notes that several aspects of the proposal are not elaborated in the text itself, but will be the subject of delegated and implementing acts, such as the list of communicable diseases to which the proposal shall apply and the procedures for the information exchange in the EWRS. Other aspects will be clarified in guidelines and recommendations to be adopted by the Commission, such as the data protection guidelines for the EWRS.

Whilst details can of course be regulated in delegated and implementing acts, and such additional provisions are certainly of great benefit, the EDPS recommends that the proposal itself also provide more guidance on some of the points mentioned above.

Recommendations: in general, the EDPS recommends that some essential elements, including certain essential data protection safeguards, should be also included in the text of the proposal itself. In addition, some clarifications are also necessary due to the expansion of the scope of the proposal to additional health threats beyond communicable diseases, which have not been subject to the prior checking procedure and also not discussed in the guidelines.

More particularly, the EDPS recommends that the Proposal should:

  • provide a clearer definition for contact tracing, including also its purposes and scope, which might be different for communicable diseases and other heath threats;
  • define more clearly how the individuals used for contact tracing will be determined, which sources might be used to obtain contact details and how these individuals will be informed of the processing of their personal data;
  • include criteria to be used when assessing whether contact tracing measures are necessary and proportionate;
  • specify at least the main categories of data to be processed for contact tracing;
  • for the system of ad hoc surveillance, specify the kinds of data to be processed and take measures to minimise the processing of personal data, for example by using appropriate anonymisation techniques and restricting the processing to aggregate data as far as possible;
  • clarify the relationship between ad hoc surveillance networks and the EWRS;
  • clarify the role of the ECDC in ad hoc surveillance networks;
  • clarify the tasks and responsibilities of all actors involved from the data protection point of view in order to obtain legal certainty on the issue of controllership;
  • establish legally binding retention periods at least for contact tracing;
  • include in Article 18 a more specific reference to the requirements on data security and confidentiality.