Opinion 2011/C 216/04of the European Data Protection Supervisor on the proposal for a Regulation of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories.
The EDPS points out that he has not been consulted by the Commission, although this is required by Regulation (EC) No 45/2001, but has instead adopted this Opinion acting on his own initiative.
Access to records of telephone and data traffic: the proposal empowers ESMA to require records of telephone and data traffic in order to carry out duties related to the supervision of trade repositories. However, the scope of the provision and in particular the exact meaning of ‘records of telephone and data traffic’ is not clear. Nevertheless, it cannot be excluded that the records of telephone and data traffic concerned include personal data within the meaning of Directive 95/46/EC and Regulation (EC) No 45/2001 and, to the relevant extent, Directive 2002/58/EC (the e-Privacy Directive), i.e. data relating to the telephone and data traffic of identified or identifiable natural persons. As long as this is the case, it should be assured that the conditions for fair and lawful processing of personal data, as laid down in the Directives and the Regulation, are fully respected.
In order to be considered necessary and proportionate, the power to require records of telephone and data traffic should be limited to what is appropriate to achieve the objective pursued and not go beyond what is necessary to achieve it. As it is currently framed, the provision at stake does not meet these requirements as it is too broadly formulated. In particular, the personal and material scope of the power, the circumstances and the conditions under which it can be used are not sufficiently specified. Neither does the proposal provide for important procedural guarantees or safeguards against the risk of abuses.
The EDPS notes that this observation is also relevant for the application of existing legislation and for other pending and possible future proposals containing equivalent provisions. The market abuse Directive (Directive 2003/6/EC), the MIFID Directive (Directive 2004/39/EC on markets in financial instruments), the UCITS Directive (Directive 2009/65/EC on undertakings for collective investment in transferable securities), the current Regulation on credit rating agencies (Regulation (EC) No 1060/2009) all contain similar powers. This is particularly the case where the power in question is entrusted, as in this proposal, to an EU authority without referring to the specific conditions and procedures laid down in national laws (e.g. the proposal for a Regulation on amending Regulation (EC) No 1060/2009 on credit rating agencies.
Accordingly, the EDPS advises the legislator to:
- clearly specify the categories of telephone and data traffic records which trade repositories are required to retain and/or to provide to the competent authorities. Such data must be adequate relevant and not excessive in relation to the purpose for which they are processed;
- limit the power to require access to records of telephone and data traffic to trade repositories;
- make explicit that access to telephone and data traffic directly from telecom companies is excluded;
- limit access to records of telephone and data traffic to identified and serious violations of the proposed regulation and in cases where a reasonable suspicion (which should be supported by concrete initial evidence) exists that a breach has been committed;
- clarify that trade repositories shall provide records of telephone and data traffic only where they are requested by formal decision specifying, among others, the right to have the decision reviewed by the Court of Justice;
- require that the decision shall not be executed without prior judicial authorisation from the national judicial authority of the Member State concerned (at least where such authorisation is required under national law);
- require the Commission to adopt implementing measures setting out in detail the procedures to be followed, including adequate security measures and safeguards.
Other parts of the proposal: the EDPS goes on to make certain observations on other parts of the proposal, referring particularly to the need for purpose limitation which is a basic requirement of data protection law, as well as necessity and data quality. He points out that the proposal obliges financial counterparties and non-financial counterparties meeting certain threshold conditions to report the details of any OTC derivative contract they have entered into and any modification or termination thereof to a registered trade repository. Such information is meant to be held by trade repositories and made available by the latter to various authorities for regulatory purposes. In case one of the parties to a derivative contract subject to the above clearing and reporting obligations is a natural person, information about this natural person constitutes personal data which is processed under Directive 95/46/EC. Even in case where the parties to the transaction are not natural persons, personal data may still be processed in the framework of the proposal, such as the names and contact details of the directors of the companies. The provisions of Directive 95/46/EC (or Regulation (EC) No 45/2001) would therefore be applicable to the present operations.
The EDPS also makes certain observations on on-site inspections and international transfers of personal data.
He advises the legislator to:
- include a reference to Directive 95/46/EC and Regulation (EC) No 45/2001 at least in the recitals of the proposed Directive and preferably in a substantive provision as well, stating that the provisions of the proposed regulation are without prejudice to, respectively, the Directive and the Regulation;
- specify the kind of personal information that can be processed under the Proposal in compliance with the necessity principle, define the purposes for which personal data can be processed by the various authorities/entities concerned and fix precise, necessary and proportionate data retention periods for the above processing;
- limit the power to carry out on-site inspections and to impose periodic penalty payments only to trade-repositories and other legal persons clearly and substantially related to them, since this is not clear in the text. Should the Commission indeed envisage allowing inspections of non-business premises of natural persons, this should be made clear and more stringent requirements should be inserted in order to ensure compliance with necessity and proportionality principles (particularly with regards to the indication of the circumstances in which and the conditions on which such inspections can be carried out);
- several provisions of the proposed regulation allow for broad exchanges of data and information between ESMA, competent authorities of Member States and competent authorities of third countries. The text must make explicit that international transfers of personal data should be in conformity with the relevant rules of Regulation (EC) No 45/2001 and Directive 95/46/EC, introduce clear limits as to the kind of personal information that can be exchanged and define the purposes for which personal data can be exchanged.