Electronic transactions in the internal market: electronic identification and trust services  
2012/0146(COD) - 27/09/2012  

OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR

on the Commission proposal for a Regulation of the European Parliament and of the Council

on trust and confidence in electronic transactions in the internal market (Electronic Trust Services Regulation)

In this Opinion, the EDPS focuses his analysis on three main issues: (a) how data protection is addressed in the proposal; (b) data protection aspects of electronic identification schemes to be recognised and accepted across borders; and (c) data protection aspects of electronic trust services to be recognised and accepted across borders.

Notwithstanding his general support for the proposal, the EDPS provides the following general recommendations:

  • data protection provisions included in the proposal should not be restricted to trust service providers and should also be applicable to the processing of personal data in the electronic identification schemes described in Chapter II of the proposal,
  • the proposed regulation should establish a common set of security requirements for trust service providers and electronic identification issuers. Alternatively, it could allow the Commission to define, where needed, through a selective use of delegated acts or implementing measures, the criteria, conditions and requirements for security in electronic trust services and identification schemes,
  • electronic trust service providers and electronic identification issuers should be required to provide the users of their services with: (i) appropriate information on the collection, communication, and retention of their data, as well as (ii) a means to control their personal data and exercise their data protection rights,
  • the proposal should be more selective in including provisions that empower the Commission to specify or detail concrete provisions, by delegated or implementing acts, after the adoption of the proposed regulation.

Some specific provisions concerning the mutual recognition of electronic identification schemes should also be improved:

  • the proposed Regulation should specify which data or categories of data will be processed for cross-border identification of individuals. This specification should contain at least the same level of detail as provided in annexes for other trust services and should take into account the respect of the principle of proportionality,
  • the safeguards required for the provision of identification schemes should at least be compliant with the requirements set forth for the providers of qualified trust services,
  • the proposal should establish appropriate mechanisms to set a framework for the interoperability of national identification schemes.

Lastly, the EDPS also makes the following recommendations in relation to the requirements for the provision and recognition of electronic trust services:

  • it should be specified, for all electronic services, whether personal data will be processed,
  • the Regulation should take appropriate safeguards to avoid any overlap between the competences of the supervisory bodies for electronic trust services and those of data protection authorities,
  • the obligations imposed on electronic trust service providers concerning data breaches and security incidents should be consistent with the requirements established in the revised e-privacy Directive and in the proposed Data Protection Regulation,
  • the definition of the private or public entities that can act as third parties entitled to carry out audits or that can verify electronic signature creation devices should be made clearer, as should the criteria under which the independence of these bodies will be assessed,
  • the Regulation should be more precise in setting a time limit for the retention of the data.