OPINION OF THE EUROPEAN DATA PROTECTION
SUPERVISOR
on the Commission proposal for a Regulation of the
European Parliament and of the Council
on trust and confidence in electronic transactions in
the internal market (Electronic Trust Services
Regulation)
In this Opinion, the EDPS focuses his analysis on
three main issues: (a) how data protection is addressed in
the proposal; (b) data protection aspects of electronic
identification schemes to be recognised and accepted across
borders; and (c) data protection aspects of electronic trust
services to be recognised and accepted across borders.
Notwithstanding his general support for the proposal,
the EDPS provides the following general recommendations:
- data protection provisions included in the proposal
should not be restricted to trust service providers and should also
be applicable to the processing of personal data in the electronic
identification schemes described in Chapter II of the
proposal,
- the proposed regulation should set a common set of
security requirements for trust service providers and electronic
identification issuers. Alternatively, it could allow the
Commission to define where needed, through a selective use of
delegated acts or implementing measures, the criteria, conditions
and requirements for security in electronic trust services and
identification schemes,
- electronic trust
service providers and electronic identification issuers should be
required to provide the users of their services with: (i)
appropriate information on the collection, communication, and
retention of their data, as well as (ii) a means to control their
personal data and exercise their data protection rights,
- the provisions empowering the Commission to specify or detail
concrete provisions, by delegated or implementing acts, after the adoption
of the proposed regulation should be included in the proposal more
selectively.
Some specific provisions concerning the mutual
recognition of electronic identification schemes should also be
improved:
- the proposed Regulation should specify which data or
categories of data will be processed for the cross-border
identification of individuals. This specification should
contain at least the same level of detail as provided in the annexes
for other trust services and should respect the principle of
proportionality,
- the safeguards required for the provision of
identification schemes should at least be compliant with the
requirements set forth for the providers of qualified trust
services,
- the proposal should establish appropriate mechanisms
to set a framework for the interoperability of national
identification schemes.
Lastly, the EDPS also makes
the following recommendations in relation to the requirements
for the provision and recognition of electronic trust
services:
- it should be specified, for every electronic service covered by
the Regulation, whether personal data will be processed,
- the Regulation should provide appropriate safeguards to
avoid any overlap between the competences of the supervisory bodies
for electronic trust services and those of the data protection
authorities,
- the obligations imposed on electronic trust service
providers concerning data breaches and security incidents should be
consistent with the requirements established in the revised
e-privacy Directive and in the proposed Data Protection
Regulation,
- more clarity should be provided on the definition of the
private or public entities that can act as third parties entitled
to carry out audits or to verify electronic signature
creation devices, as well as on the criteria against which the
independence of these bodies will be assessed,
- the Regulation should be more precise in setting a
time limit for the retention of the data.