EU recommendation on smart metering systems

If we go to the EU Commission web page Energy > Internal market > Smart grids, we find the following enthusiastic text announcing new regulation:

9 March 2012

Preparations for the roll-out of smart metering systems

Commission paves the way for massive roll-out of smart metering systems. When consumers can follow their energy consumption in real time they can better control their energy bills. Smart metering systems will make this possible. Today only 10% of EU households have some sort of smart meter installed. Where economically worthwhile, 80% of all electricity meters in the EU have to be replaced by smart meters by 2020. To facilitate the take-up of this new technology the European Commission has published today a Recommendation to prepare the roll-out of smart-metering systems. It provides step-by-step guidelines for Member States on how to conduct cost-benefit analysis by 3 September 2012. It also sets common minimum functionalities of smart metering systems and addresses data protection and security issues.

Background information is also offered on the web page of the Digital Agenda for Europe: Action 73: Member States to agree common additional functionalities for smart meters Member States to agree by the end of 2011 on common additional functionalities for smart meters (advanced measuring devices, usually for electricity).


Official publication

The recommendation has been published in the Official Journal of the European Union:

COMMISSION RECOMMENDATION 2012/148/EU of 9 March 2012 on preparations for the roll-out of smart metering systems; OJEU 13.3.2012 L 73/9

The Commission recommendation deals with different issues in the separate sections:


I. DATA PROTECTION AND SECURITY CONSIDERATIONS

1. This section provides guidance to Member States on the design and operation of smart grids and smart metering systems ensuring the fundamental right to protection of personal data.

2. This section also provides guidance on measures to be taken for the deployment of smart metering applications in order to ensure that national legislation implementing Directive 95/46/EC is, where applicable, respected when such technologies are deployed.


II. METHODOLOGY FOR THE ECONOMIC ASSESSMENT OF THE LONG-TERM COSTS AND BENEFITS FOR THE ROLL-OUT OF SMART METERING SYSTEMS

30. This section provides guidance to Member States along with a framework for cost-benefit analysis as a foundation for conducting a consistent, credible and transparent economic assessment of the long-term costs and benefits of the roll-out of smart metering.


III. COMMON MINIMUM FUNCTIONAL REQUIREMENTS FOR SMART METERING SYSTEMS FOR ELECTRICITY

39. This section is based on best practice from early CBAs for smart metering of electricity carried out in 11 Member States. It provides guidance on measures to be taken to ensure that Member States make due use of appropriate interoperability and standards for smart metering systems currently being developed under Mandates M/441, M/468 and M/490 and of best practice.



Ralf Grahn
public speaker on EU affairs

P.S. Already multilingual Bloggingportal.eu aggregates the posts from 940 Euroblogs. They represent an important part of the emerging European online public space, discussion across national and linguistic borders. One of the most promising fresh entrants is the LSE European Politics and Policy (EUROPP) blog, where Ronny Patz recently wrote about the EU blogosphere and called for more academics to spread the word about their research and to discuss their findings closer to real life.

Among the Euroblogs on Bloggingportal.eu you find my current blog trio, Grahnlaw (recently ranked fourth among political blogs in Finland), the Nordic Grahnblawg (written in Swedish) and Eurooppaoikeus (meaning European Law, in Finnish). I write and speak about democracy, institutional issues and EU politics, but increasingly about the challenges of growth (EU2020) and the (digital) single market in the making, including issues at policy level.

After SWIFT – sudden EU-US data protection agreement consultation

Lately the Commission, the Council and the US administration have been as busy lobbying the SWIFT / TFTP agreement on rendering financial data from the European Union to the United States as they previously were anxious to keep the European Parliament in the dark. Not that the quality of information seems to have improved despite turning on the volume.



The European Parliament has informed us about the 29 to 23 vote of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) to propose rejection: SWIFT: MEPs to vote on backing or sacking EU/US data sharing deal (5 February 2010).

I wonder why the 23 who voted for breaching EU data protection standards have been so silent about their reasons.


The Euroblogosphere has actively debated the SWIFT agreement and the muscular diplomacy employed, for instance: Henrik Alexandersson, Henrik Alexandersson, Netzpolitik, Henrik Alexandersson, Julien Frisch, Henrik Alexandersson, Thomas Mayer, Jon Worth, Europaeum, Julien Frisch, Open Europe Blog, Sköne Oke.



Suddenly



Suddenly, after keeping the European Parliament and the EU citizens in the dark for so long about the SWIFT agreement, the European Commission’s DG Freedom, Security and Justice has launched an online consultation on the future European Union (EU) - United States of America (US) international agreement on personal data protection and information sharing for law enforcement purposes. The consultation runs until 12 March 2010.

I wonder.





Ralf Grahn







P.S. The BBC’s Europe editor Gavin Hewitt writes a blog, which presents European politics to readers in Britain and worldwide.

Gavin Hewitt’s Europe is listed on multilingual Bloggingportal.eu, which has now grown to 532 great Euroblogs.

Bloggingportal.eu is your useful one-stop-shop for fact, opinion and gossip on EU affairs, i.a. politics, more than thirty policy areas, communication, economics, finance, business, civil society and law.

At the same time Euroblogs are an agreeable way to brush up one’s skills in foreign languages.

If you are interested in the EU or the euroblogosphere, you can also subscribe to the RSS feed for new blog posts appearing on Bloggingportal.eu.

By the way, I also discuss European issues, including the relations between the EU and Switzerland, in Finnish on Eurooppaoikeus and in Swedish on Grahnblawg.

4th Data Protection Day 28 January 2010 in Europe

On the fourth Data Protection Day the Council of Europe issued a communication highlighting the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, 28.I.1981).




Europeans' privacy will be big challenge in the next decade, said Commissioner Viviane Reding for the European Union in an informative press release, which set out both the existing rules (with useful links) and the challenges ahead (IP/10/63).

However, Reding did not mention specific dark clouds on the horizon, such as the SWIFT agreement, the ACTA negotiations or the possible resurrection of IPRED2.




Just one example, for starters; here are some questions where the Council and the Commission should respond in a more constructive manner than what we have seen to date:




MEP Alexander Alvaro (ALDE) on the Anti-Counterfeiting Trade Agreement (ACTA)


Citizens’ rights should be remembered and protected every day of the year.




Ralf Grahn







P.S. Cross-border communication is a necessity in the European Union and beyond, with scrutiny by active citizens. At the same time Euroblogs are an agreeable way to brush up one’s skills in foreign languages.

Turkish blogger Erkan Saka collects and comments on a plethora of issues relevant to contemporary life, politics and culture, offline and online. Erkan’s Field Diary (in English) is a must read among Euroblogs.

Erkan’s Field Diary is listed among 522 great Euroblogs (at the latest count) on growing multilingual Bloggingportal.eu, your useful one-stop-shop for fact, opinion and gossip on European affairs, i.a. politics, more than thirty policy areas, communication, economics, finance, business, civil society and law.

If you are interested in the EU or the euroblogosphere, you can also subscribe to the RSS feed for new blog posts appearing on Bloggingportal.eu.

By the way, I also discuss European issues in Finnish on Eurooppaoikeus and in Swedish on Grahnblawg.

Growing opposition against EU-USA SWIFT or TFTP agreement

Active opposition against the so called SWIFT agreement on the rendition of financial data from the European Union to the United States of America seems to be growing among experts, in the European Parliament and beyond.

One the one hand, there is the interim TFTP agreement the member states’ governments (Council) wanted to enter into force on 1 February 2010, without burdening the European Parliament with scrutiny. On the other hand, there are plans for a long term agreement, but the Council has been less than zealous in engaging the European Parliament.




Members of the EP Committee on Civil Liberties, Justice and Home Affairs (LIBE) have not taken the combination of pressure secrecy from the Council and the European Commission kindly, as seen in SWIFT interim agreement: Civil liberties Committee to vote on 4 February (27 January 2010).



The procedure file NLE/2009/0190 EU/USA agreement: processing and transfer of Financial Messaging Data for purposes of the Terrorist Finance Tracking Program on Oeil, the Legislative Observatory of the European Parliament, tells us the basic facts about the existing documents:

1) COUNCIL DECISION on the signing, on behalf of the European Union, of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program (document 16110/09), meant to enter into force provisionally from 1 February and remaining in force until 31 October 2010. This interim agreement has been published in the Official Journal of the European Union as Council Decision 2010/16/CFSP/JHA, OJEU 13.1.2010 L 8/9 & 11.

2) The previous initial legislative document contains the Commission’s proposal on the conclusion of the TFTP Agreement; 17 December 2009; COM(2009)0703 final.

3) COUNCIL DECISION on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program; dated 20 January 2010; Council document 5305/10. The meaning of the document is somewhat unclear. Is it a belated attempt by the Council to ask for the consent of the European Parliament with regard to the interim agreement after the entry into force of the Lisbon Treaty? Or is it meant to cover the planned long term agreement? Anyway, the “attached” substance of the agreement is missing.



LIBE


The LIBE Committee has been doing what such parliamentary committees are supposed to do: gathering information about the impact of the TFTP Agreement on fundamental rights of EU citizens.




The Article 29 Data Protection Working Party (Working Party on Police and Justice) has expressed concerns on data protection grounds.



The European Data Protection Supervisor considers that not enough elements have been provided so far to justify the necessity and proportionality of such a privacy-intrusive [TFTP] agreement, which in many aspects overlaps with already existing EU and international instruments in this area.


Political reactions


Given the evidence, political reactions have continued, but they have also become sharper.



In December 2009 the liberal group ALDE pushed for an agreement with the other political groups on two conditions for EP approval: that Parliament has full access to all relevant documents and information connected to the SWIFT agreement and that Council's negotiating mandate for the longer-term agreement, to replace this interim agreement expiring by 31 October 2010, fully reflect Parliament' stated concerns in its resolution of September; in Parliament sets conditions for granting consent to SWIFT agreement (17 December 2009).



Practically all the political groups expressed concerns and conditions during the EP’s SWIFT debate on 20 January 2010.




The Greens-EFA parliamentary group has opted for rejection of the SWIFT agreement as a breach of fundamental rights, quoting home affairs spokesman Jan-Philipp Albrecht: EU-US SWIFT bank data agreement: Parliament must stop Council in its tracks (27 January 2010).




The Pirate Party is going to vote for rejection of the SWIFT Agreement in the European Parliament, says Henrik Alexandersson, who posts a press release (in Swedish): Piratpartiet röstar nej till SWIFT-avtalet (28 January 2010).



Euroblogs




Netzpolitik.org (in German) has been keeping a close watch on the SWIFT agreement process. Recommended reading.




Piratpartiet live has aggregated a number of blog posts opposing the SWIFT agreement (mostly in Swedish). Here are but two examples:




Maloki says no to the SWIFT Agreement: Nej till SWIFT-avtalet! (28 January 2010).



Anna Troberg: Piratpartiet säger nej till SWIFT-avtalet (28 January 2010).




Ralf Grahn







P.S. Cross-border communication is a necessity in the European Union, with scrutiny by active citizens. At the same time Euroblogs are an agreeable way to brush up one’s skills in foreign languages.

Even when discussing French political and legal events, Diner’s room retains a European and human perspective well worth consideration beyond the borders of France.

Diner’s room (in French) is listed among 522 great Euroblogs (at the latest count) on growing multilingual Bloggingportal.eu, your useful one-stop-shop for fact, opinion and gossip on European affairs, i.a. politics, more than thirty policy areas, communication, economics, finance, business, civil society and law.

If you are interested in the EU or the euroblogosphere, you can also subscribe to the RSS feed for new blog posts appearing on Bloggingportal.eu.

By the way, I also discuss European issues in Finnish on Eurooppaoikeus and in Swedish on Grahnblawg.

Puzzling EP action over EU-USA bank data deal?

What is happening between the European Parliament and the Council? I have to admit that I was puzzled, even shocked when I saw that the EP is threatening the EU Council with political blackmail.

EUobserver reports that the European Parliament threatens to derail EU-US bank data deal (18 January 2010). According to the article, EP president Jerzy Buzek has sent a second letter to the Council, demanding more information about the so called interim SWIFT agreement, also known by the acronym TFTP (Terrorist Finance Tracking Program).

The European Parliament wants full access to information related to the interim agreement, and the EP wants its concerns to be fully reflected in the negotiating mandate for the planned long-term agreement after the end of October, writes Valentina Pop for EUobserver.com.


Late November 2009 Grahnlaw wrote about the upcoming decision of the Council of the European Union to approve the so called SWIFT Agreement to hand over European banking data to the United States, and early December we reported on the decision, taken on the last day before the Lisbon Treaty entered into force.

The Decision by the Council of the European Union on the signing of the so called SWIFT or TFTP Agreement was later officially published, which we reported on:



COUNCIL DECISION 2010/16/CFSP/JHA of 30 November 2009 on the signing, on behalf of the European Union, of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program; Official Journal of the European Union (OJEU) 13.1.2010 L 8/9.


This contained the formal decision on signing, as well as a provision and declaration on provisional application of the Agreement.



The annexed contents of the TFTP / SWIFT Agreement were here.




Parliament v Council

The Council deliberately adopted the TFTP / SWIFT Agreement on the last day before the Lisbon Treaty entered into force and the European Parliament became more fully involved in the conclusion of international agreements. (Cf Article 218 TFEU).

The news report seems to indicate that the EP action stems from the Parliament’s desire to “be immediately and fully informed at all stages of the process” (Article 218(10) TFUE).

Fair enough, the European Parliament wants to be taken into account from day one, even if the issue may seem more like a continuation of the interim solution than a totally new agreement.

The EUobserver article also seems to indicate that the European Parliament is not convinced about the privacy and data protection guarantees for European businesses and citizens in the interim agreement.



On 17 September 2009 the European Parliament had adopted a non-legislative resolution P7_TA(2009)0016 on the envisaged international agreement to make available to the United States Treasury Department financial payment messaging data to prevent and combat terrorism and terrorism financing.

The resolution doubted if a separate agreement was the right way to proceed, given the framework of the EU-US agreement on legal assistance to enter into force on 1 January 2010, and it went on to lay down a number of “minimum” assurances the EP found necessary.

If I understand correctly, the European Parliament is not only showing off, but has procedural and substantive concerns it wants to see addressed.

At first I was a bit shocked when I read about the EP’s threat of political blackmail, but after reading the resolution I think that the Spanish presidency of the Council of the European Union should come up with a constructive and cooperative response today in Strasbourg.

The rule of law, privacy and data protection are fundamental EU values. They are not to be treated lightly, even in the combat against terrorism, the importance of which the European Parliament stressed in its resolution:

Recalls its determination to fight terrorism and its firm belief in the need to strike the right balance between security measures and the protection of civil liberties and fundamental rights, while ensuring the utmost respect for privacy and data protection; reaffirms that necessity and proportionality are key principles without which the fight against terrorism will never be effective.

Ralf Grahn




P.S. On Verfassungsblog (in German) Max Steinbeis writes expertly on German and European issues of constitutional law. Verfassungsblog is a fine example of a specialist blog in the Euroblogosphere, listed together with more than 500 great euroblogs on growing multilingual Bloggingportal.eu, a useful one-stop-shop for fact, opinion and gossip on European affairs, i.a. politics, policies, communication, economics, finance, business, civil society and law.

By the way, euroblogs are an excellent means to brush up your foreign language skills while learning about or debating our common challenges.

EU & USA: SWIFT agreement ─ Sweden “informs”

Yesterday, in the blog post SWIFTly signed – Long term damage? (Updated), I criticised the Swedish EU Council presidency for acting against its proclaimed principles of openness, transparency and accessibility with regard to the proposed bank data transfer deal with the United States of America.

Important as the fight against terrorism is, expediency should not override democratic scrutiny and open debate, when fundamental rights are at stake.

Have matters improved since early Friday afternoon?

Actually, Friday brought some improvements, but left the fate of the SWIFT agreement between the EU and the US hanging in the air.


Presidency and Council information



During Friday, the Swedish presidency of the Council of the European Union published information about the Council meeting Monday 30 November 2009, Justice and Home Affairs configuration: Stockholm Programme and work to combat human trafficking at Council meeting. The general press release highlights “some of the issues”, but not the SWIFT agreement.



The provisional agenda of the JHA Council meeting (dated 13 November 2009; document CM 4735/09) still mentions the bank data transfer agreement, without any reference to documents of substantive value:

“Council Decision authorising the signing of an Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data for purposes of the Terrorist Finance Tracking Programme
- Adoption”

Understandably, the short pre-meeting video with ambassador Christian Danielsson on preparation in Coreper II concentrates on the strategically important five year Stockholm Programme, which covers the whole of the evolving area of freedom, security and justice, but the interview makes no mention of the SWIFT deal.



The Background note on the Justice and Home Affairs Council 30 November to 1 December 2009, by the Council Press service (dated 27 November 2009), breaks the silence by mentioning the US agreement among the highlighted questions (front page):

“Ministers will also discuss a draft EU-US agreement on financial messaging data for counterterrorism investigations.”

Under Home Affairs (Monday, 30 November), the background note presents the following general information about the financial data transfer agreement (page 5):

“EU-US agreement on financial messaging data for counter-terrorism investigations

The Council will discuss an EU-US agreement on the processing and transfer of financial messaging data for purposes of the US Terrorist Finance Tracking Programme (TFTP).

The negotiations on the agreement started in July 2009 and responded to a decision by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to store its European financial messaging data no longer in a database located in the US, but only in Europe. The agreement aims to continue to allow the US Department of the Treasury to receive European financial messaging data for counter-terrorism investigations, while ensuring an adequate level of data protection.

Under the Terrorist Finance Tracking Programme (TFTP), the US Department of the Treasury seeks to identify, track and pursue suspected terrorists and their providers of finance. It was set up shortly after the terrorist attacks of 11 September 2001.

Relevant results of the US analysis have been and will, under the draft agreement, continue to be shared with EU member states. A report by the former French investigating judge Jean-Luis Brugière, commissioned by the Commission, concluded in December 2008 that the TFTP had generated considerable intelligence value also to the EU member states.

SWIFT is a Belgium-based company which operates a worldwide messaging system used to transmit, inter alia, bank transaction information. It has been estimated that SWIFT handles 80% of the worldwide traffic for electronic value transfers.”

***


Where do we stand?


We note that the background note Friday says “discuss a draft”, not “sign” or “approve”. Does this mean that concluding the agreement is off the agenda Monday, and that the governments are going to give the EU’s data protection rules and parliamentary procedures some serious thought?

We also note that the information on offer – although a huge improvement on past practice – is bland, incomplete and one-sided. Privacy, data protection or fundamental rights are not mentioned, but valuable intelligence is. There are no documentary references to enlighten debate.




The SWIFT agreement is not among the issues debated publicly on the JHA webcast Monday 30 November 2009.

The fight against terrorism is too important to spoil by shady dealings and sowing mistrust in an EU on the threshold of becoming a union, “in which decisions are taken as openly as possible and as closely as possible to the citizen”.

Admittedly, proceedings behind closed doors have created a problem with the end of the year approaching fast. Still, I am reasonably optimistic that, given the opportunity, the European Parliament would do its bit to look for temporary solution if the Council agrees to trust our system of representative democracy.




Ralf Grahn



P.S. Do you find EUSSR myths fascinating? Are we EU citizens worth a better European Union? Educate yourself! There are already 487 Euroblogs aggregated on multilingual Bloggingportal.eu. You can access all the posts or concentrate on the editors’ choice. On most of the blogs you can comment and discuss our common European future.

SWIFTly signed ─ Long term damage? (Updated)

The “war on terror” has been a sorry saga of expediency overriding truth and the rule of law. Have the governments of the EU member states learnt anything? Perhaps not, if we look at the Council agenda for Monday.



Brussels Blogger has sounded the alarm regarding the plan of EU member state governments to sign an agreement with the US administration on the massive transfer of financial data; in SWIFT – EU to grant USA nearly unlimited access to all EU banking data (26 November 2009) and 5 reasons why the SWIFT deal is very bad for Europe (27 November 2009).


Julien Frisch has taken up the issue in EU to hand all banking details of Europeans to the US. A rapidly growing Facebook group demands that the deal is stopped.

***

JHA Council


On the provisional agenda of the EU Council (Justice and Home Affairs) 30 November 2009, prepared under the Swedish EU Council presidency, is the so called SWIFT agreement:

“Council Decision authorising the signing of an Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data for purposes of the Terrorist Finance Tracking Programme
- Adoption”

When have the texts been published for open debate? Where are the results of the public deliberations? What have the European Parliament and the national parliaments said?

***

Openness and tranparency?



Who still remembers the promising tones of the Swedish work programme for the EU Council presidency about openness, transparency and accessibility?

“Europe is facing two overriding challenges: the global economic crisis and efforts to halt climate change. During its Presidency, Sweden will work hard to make progress on these and other important issues. The day-to-day EU work must be open, effective and results-oriented: open through transparency and accessibility, effective by moving these issues forward and results-oriented by taking action so that objectives are fulfilled and unexpected events are dealt with.” (Page 11)

***

Democratic procedures and rule of law


The fight against terrorism and for the security of EU citizens is important, and it is beyond me to present an instant reasoned view on the necessity and proportionality of the privacy (data protection) breaches in the proposed SWIFT agreement, but signing such an agreement on the last day before the Lisbon Treaty enters into force is a sure-fire way for governments to cause distrust among EU citizens.

Taking the expedient course in the short term is often a guarantee of less credibility and more problems in the long term.


The EU Council is too limited and opaque to legitimise important decisions concerning fundamental rights.




Ralf Grahn



P.S. Do you find EUSSR myths fascinating? Are we EU citizens worth a better European Union? Educate yourself! There are already 487 Euroblogs aggregated on multilingual Bloggingportal.eu. On most of the blogs you can comment and discuss our common European future.




Update 27 November 2009 about 14:40 EET



I have just read the EU Council’s Main topics for the coming fortnight, 30 November to 13 December 2009. Nowhere on the 15 pages is the SWIFT agreement mentioned. So much for openness, transparency and closeness to citizens.

EU: Data protection

Readers, who are interested in the protection of personal data, can find a number of opinions of the European Data Protection Supervisor (EDPS), published in the Official Journal of the European Union (OJEU) 6.6.2009 C 128:



Opinion of the European Data Protection Supervisor on the Final Report by the EU-US High Level Contact Group on information sharing and privacy and personal data protection

Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee towards a European e-Justice Strategy

Opinion of the European Data Protection Supervisor on the proposal for a directive of the European Parliament and of the Council on the application of patients’ rights in cross-border healthcare

Second opinion of the European Data Protection Supervisor on the review of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

Opinion of the European Data Protection Supervisor on the proposal for a Council directive imposing an obligation on Member States to maintain minimum stocks of crude oil and/or petroleum products


***

European Data Protection Supervisor

The pace of the official publication of the opinions is measured, to say the least, so it serves the needs of those, who look at the reasoning and older material.

More up-to-date material is found on the web pages of the European Data Protection Supervisor (EDPS).



There you find more information about the EDPS, supervision, consultation (including fresh opinions) and cooperation. There are links to relevant legislation.

The publications include a Position paper on the role of Data Protection Officers in ensuring effective compliance with Regulation (EC) 45/2001, which concerns the Community institutions.




Ralf Grahn

EU: Radio-frequency identification (RFID)

According to Article 211 of the Treaty establishing the European Community (TEC), the Commission can formulate recommendations to ensure the proper functioning of the common market (internal market).


Radio frequency identification (RFID) marks a new development in the information society where objects equipped with microelectronics that can process data automatically will increasingly become an integral part of every day life.

RFID is progressively becoming more common, and hence a part of individuals’ lives in a variety of domains such as logistics, healthcare, public transport, the retail trade, in particular for improved product safety and faster product recalls, entertainment, work, road toll management, luggage management, and travel documents.

RFID technology has the potential to become a new motor for growth and jobs and thus make a powerful contribution to the Lisbon Strategy, as it holds great promise in economic terms, where it can bring about new business opportunities, cost reduction and increased efficiency, in particular in tackling counterfeiting and in managing e-waste, hazardous materials, and the recycling of products at their end of life.

RFID technology enables the processing of data, including personal data. It raises questions about the monitoring of individuals and the protection of personal data.



This is the background for Commission Recommendation 2009/387/EC of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio- frequency identification, published in the Official Journal of the European Union (OJEU) 16.5.2009 L 122/47.



***

Scope

Points 1 and 2 of Recommendation 2009/387/EC set out the scope:

Scope

1. This Recommendation provides guidance to Member States on the design and operation of RFID applications in a lawful, ethical and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data.

2. This Recommendation provides guidance on measures to be taken for the deployment of RFID applications to ensure that national legislation implementing Directives 95/46/EC, 1999/5/EC and 2002/58/EC is, where applicable, respected when such applications are deployed.

***

The member states are supposed to make the recommendation known to stakeholders and to report back in two years time. Within three years from now, the Commission will issue a report on implementation.


Ralf Grahn

EU TFEU: Personal data protection

Protection of personal data looks nice on paper for the citizen of the European Union, but what are the principles worth in practice when assailed by the US administration’s ‘war on terror’, unscrupulous ICT business practices beyond the reach of EU jurisdiction, or the EU member states’ common foreign and security concerns as well as their combat against terrorism and crime?

The first step towards answers is to get acquainted with the basic provisions at the EU treaty level, both the current ones and those proposed by the Treaty of Lisbon.

***

In the Treaty of Lisbon (ToL) the intergovernmental conference (IGC 2007) inserts a provision on personal data protection in the Treaty establishing the European Community (TEC), to be called the Treaty on the Functioning of the European Union (TFEU). The Article is placed in TFEU Part One, Title II Provisions having general application. See Official Journal (OJ) 17.12.2007 C 306/50:

29) An Article 16 B shall be inserted, replacing Article 286:

Article 16b TFEU (ToL), when renumbered Article 16 TFEU

1. Everyone has the right to the protection of personal data concerning them.

2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 25a of the Treaty on European Union.

***

Comparing the Lisbon Treaty provision, we start with the existing Article 286 TEC being replaced (in the latest consolidated version of the current TEU and TEC, OJ 29.12.2006 C 321 E/171):

Article 286 TEC

1. From 1 January 1999, Community acts on the protection of individuals with regard to the processing of personal data and the free movement of such data shall apply to the institutions and bodies set up by, or on the basis of, this Treaty.

2. Before the date referred to in paragraph 1, the Council, acting in accordance with the procedure referred to in Article 251, shall establish an independent supervisory body responsible for monitoring the application of such Community acts to Community institutions and bodies and shall adopt any other relevant provisions as appropriate.

***

The European Convention proposed the following Article I-50 under Title VI The democratic life of the Union of the draft Treaty establishing a Constitution for Europe (OJ 18.7.2003 C 169/20):

Article I-50 Draft Constitution
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. A European law shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union Institutions, bodies and agencies, and by the Member States when carrying out activities which come under the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of an independent authority.

***

The IGC 2004 took up the proposal of the European Convention, and in the Treaty establishing a Constitution for Europe we find Article I-51, under Title VI The democratic life of the Union (OJ 16.12.2004 C 310/36):

Article I-51 Constitution
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. European laws or framework laws shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

***

The IGC 2004 wanted to make clear that national security may override personal data protection sensitivities, and agreed on a declaration (OJ 16.12.2004 C 310/423):

10. Declaration on Article I-51 (Constitution)

The Conference declares that, whenever rules on protection of personal data to be adopted on the basis of Article I-51 could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter. It recalls that the legislation presently applicable (see in particular Directive 95/46/EC) includes specific derogations in this regard.

***

Although the basis for Community legislation exists, the wording of the current TEC is badly dated. The draft Constitution and the Constitution and the TFEU seem to be essentially equal. The Lisbon Treaty follows in their footsteps, but adds a second subparagraph to paragraph 2, with a referral to a new TEU provision we have visited earlier on specific rules concerning Chapter 2 Specific provisions on the common foreign and security policy (OJ 17.12.2007 C 306/31):

Article 25a TEU (ToL), renumbered Article 39 TEU

In accordance with Article 16 B of the Treaty on the Functioning of the European Union and by way of derogation from paragraph 2 thereof, the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out activities which fall within the scope of this Chapter, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

***

The IGC 2007 added two declarations of relevance here (OJ 17.12.2007 C 306/255). Declaration 20 lays stress on national security, and in substance repeats the text of the IGC 2004 declaration, although the TFEU referral and the new specific CFSP provision have been introduced:

20. Declaration on Article 16 B of the Treaty on the Functioning of the European Union

The Conference declares that, whenever rules on protection of personal data to be adopted on the basis of Article 15a could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter. It recalls that the legislation presently applicable (see in particular Directive 95/46/EC) includes specific derogations in this regard.

***

The other IGC 2007 declaration concerns raises another area of concern for the member states, judicial cooperation in criminal matters and police cooperation:


21. Declaration on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation

The Conference acknowledges that specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 B of the Treaty on the Functioning of the European Union may prove necessary because of the specific nature of these fields.

***

Article 8 of the Charter of Fundamental Rights of the European Union provides for the protection of personal data (OJ 14.12.2007 C 303/4):

Article 8 Charter
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

***

The Explanations relating to the Charter of Fundamental Rights traces the Charter provision back to its origins (OJ 14.12.2007 C 303/20):

Explanation on Article 8 — Protection of personal data

This Article has been based on Article 286 of the Treaty establishing the European Community and Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31) as well as on Article 8 of the ECHR and on the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, which has been ratified by all the Member States. Article 286 of the EC Treaty is now replaced by Article 16 of the Treaty on the Functioning of the European Union and Article 39 of the Treaty on European Union. Reference is also made to Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1). The above-mentioned Directive and Regulation contain conditions and limitations for the exercise of the right to the protection of personal data.

***

Those who want to dig deeper could start their study of secondary legislation with the European Commission’s web pages on Freedom, Security and Justice, with Data Protection, Legislative documents:

http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm

***

The EurActiv 14 February 2008 news story “US air security plans ‘unacceptable’, says EU” on transatlantic tensions and a crumbling EU front is just one topical example of an area, which looks set to engage EU institutions, member state governments, NGOs and courts of justice in the years to come:

http://www.euractiv.com/en/transport/us-air-security-plans-unacceptable-eu/article-170303

Privacy or personal data protection issues concern every citizen of the European Union.


Ralf Grahn

EU Treaty of Lisbon: Personal data protection

Internationally, the protection of personal data can be seen as a particular European sensitivity, where balance is sought between concerns for privacy and security. The different approaches between the European Union and the United States of America have led to protracted negotiations on both commercial use and security measures.

Internally, the European Community (EC) introduced common norms on the protection of personal data, binding the member states, generally in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and concerning telecommunications in Directive 97/66/EC, repealed and replaced by Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

The Treaty of Maastricht filled a gap concerning protection of personal data held by the EC itself. On the basis of Article 286 TEC a Regulation has been enacted: Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

The scope of Regulation 45/2001 is restricted to European Community legislation; the intergovernmental pillars, the common foreign and security policy (CFSP) and police and judicial cooperation in criminal matters, remain outside the scope of the Regulation.

***

On the other hand, Article 8 of the Charter of Fundamental Rights of the European Union (OJ 14.12.2007 C 303/4) lays down a general right to protection of personal data:

Article 8
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the
person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

***

The Explanations relating to the Charter of Fundamental Rights give the following background to Article 8 (OJ 14.12.2007 C 303/20):

Explanation on Article 8 — Protection of personal data

This Article has been based on Article 286 of the Treaty establishing the European Community and Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31) as well as on Article 8 of the ECHR and on the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, which has been ratified by all the Member States. Article 286 of the EC Treaty is now replaced by Article 16 of the Treaty on the Functioning of the European Union and Article 39 of the Treaty on European Union. Reference is also made to Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1). The above-mentioned Directive and Regulation contain conditions and limitations for the exercise of the right to the protection of personal data.

***

The Treaty of Lisbon introduces a new Article 25a in the Treaty on European Union (TEU) (OJ 17.12.2007 C 306/31):

45) Articles 26 and 27 shall be repealed. The following Articles 25a and 25b shall be inserted, with Article 25b replacing Article 47:

Article 25a

In accordance with Article 16 B of the Treaty on the Functioning of the European Union and by way of derogation from paragraph 2 thereof, the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out activities which fall within the scope of this Chapter, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

***

Since the proposed new Article 25a refers to Article 16b of the Treaty on the Functioning of the European Union (TFEU), we have to look up Article 16b TFEU, as amended:

29) An Article 16 B shall be inserted, replacing Article 286:

Article 16b TFEU

1. Everyone has the right to the protection of personal data concerning them.

2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 25a of the Treaty on European Union.

***

Since Article 16b TFEU replaces Article 286 of the Treaty establishing the European Community (TEC), we have to take a look at that:

Article 286 TEC

1. From 1 January 1999, Community acts on the protection of individuals with regard to the
processing of personal data and the free movement of such data shall apply to the institutions and bodies set up by, or on the basis of, this Treaty.

2. Before the date referred to in paragraph 1, the Council, acting in accordance with the procedure referred to in Article 251, shall establish an independent supervisory body responsible for monitoring the application of such Community acts to Community institutions and bodies and shall adopt any other relevant provisions as appropriate.

***

The Convention proposed a unitary legal basis for protection of personal data in the draft Treaty establishing a Constitution for Europe Article I-50 (OJ 18.7.2003 C 169/20):

Article 50
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. A European law shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union Institutions, bodies and agencies, and by the Member States when carrying out activities which come under the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of an independent authority.

***

The Treaty establishing a Constitution for Europe took over the Convention’s proposal almost ‘verbatim’ in Article I-51 (OJ 16.12.2004 C 310/36):

Article I-51
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. European laws or framework laws shall lay down the rules relating to the protection of
individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

***

Annexed to the Constitutional Treaty was joint Declaration (number 10) on Article I-51, which gave an indication of the sensitivities of the member state governments (OJ 16.12.2004 C 310/423):

10. Declaration on Article I-51

The Conference declares that, whenever rules on protection of personal data to be adopted on the basis of Article I-51 could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter. It recalls that the legislation presently applicable (see in particular Directive 95/46/EC) includes specific derogations in this regard.

***

If the Convention and the Constitutional Treaty had a unitary approach, taking into consideration the restrictions implied by Declaration 10, the Lisbon Treaty hollowed out the general provision in accordance with the IGC 2007 Mandate (Council document 11218/07, point 15): There will also be a specific legal basis on personal data protection in the CFSP area. – Footnote 7 added: With regard to the processing of such data by the Member States when carrying out activities which fall within the CFSP and ESDP and the movement of such data.

The specific legal basis for Chapter 2 Specific provisions on the common foreign and security policy, Article 25a TEU in the Reform Treaty follows from the mandate of the intergovernmental conference. The purpose of the new Article seems to be to offer leeway to the Union and member states’ governments in questions related to security.

***

Next time we look at Article 25b TEU.


Ralf Grahn