Opinion of the European Data Protection Supervisor on the proposal for a regulation amending Regulation (EC) No 273/2004 on drug precursors and the proposal for a regulation amending Council Regulation (EC) No 111/2005 laying down rules for the monitoring of trade between the Community and third countries in drug precursors.
On 27 September 2012, the Commission adopted the proposal for a regulation amending Regulation (EC) No 273/2004 on drug precursors and the proposal for a Regulation amending Council Regulation (EC) No 111/2005 laying down rules for the monitoring of trade between the Community and third countries in drug precursors.
The EDPS was consulted on the same day.
The proposals aim to implement the 1988 UN Convention against illicit drug trafficking and psychotropic substances. The UN Convention and the Regulations aim at recognising and protecting legal trade of drug precursors while, at the same time, discouraging their diversion for illicit purposes.
Currently, measures to control intra-EU trade imply the processing of data of operators since they include the obligation for certain industry operators to appoint a responsible officer and notify his contact details to the competent authorities, obtain a licence or registration, ask customers to declare the uses of the drug precursors provided to them and immediately notify the competent authorities in case they suspect an order or transaction might be aimed at diverting drug precursors for illicit purposes.
As regards the control of external trade, the processing of data of operators is also necessary, as operators are obliged, for example, to apply to competent authorities for authorisation before importing or exporting drug precursors. Obligations for EU competent authorities include notifying certain third countries before an export of drug precursors takes place, and communicating to the Commission the result of their monitoring measures.
Following criticisms by the UN International Narcotics Control Board (INCB) on specific weaknesses of the current measures, the new proposals include, among others, the following amendments to the Regulations:
- the creation of a European Database on Drug Precursors,
- the reinforcement of the harmonised registration provisions,
- the extension of the registration requirement to users of acetic anhydride.
EDPS’s position: the EDPS welcomes the general references to the applicability of EU data protection legislation, the fact that many of the categories of data to be processed are specified and the fact that the principle of purpose limitation is mentioned in the external trade proposal.
However, he recommends laying down in the main legislative texts the essential elements of the processing operations such as the exclusion of the processing of sensitive data. All the categories of data to be processed should also be specified preferably in the proposals, and at least by delegated acts.
He also recommends:
- laying down maximum retention periods in the proposals for all processing operations and specifying in the proposals that data on suspicious transactions has to be deleted as soon as they are not necessary any more,
- adding a new article to the proposals on how information on the processing operations should be provided to data subjects,
- as regards international transfers of personal data, including data protection safeguards in the text of the external trade regulation and in an international binding text or in binding agreements with the recipient third countries,
- as regards the European Database, if operators need to have access to it or it is to be used for additional purposes, this should be specified in the substantive part of the proposals, ensuring the supervision of the European database by a system of coordinated supervision between the EDPS and national Data Protection Authorities, similar to what is foreseen for the Internal Market Information System,
- as regards the register of European operators and the processing of summaries of transactions through the European database, specific data protection and security safeguards should be added, preferably to the proposals and at least by delegated or implementing acts.
As regards the principle of purpose limitation, the EDPS would like to remind that the interconnection and exchange or correlation of data of the European database with other databases managed by the Commission or by other entities for different purposes should in principle not be allowed.