22.7.2011   

EN

Official Journal of the European Union

C 216/9

1.

On 15 September 2010, the Commission adopted a Proposal for a Regulation of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories (‘the Proposal’) (3). The main aim of the Proposal is to establish common rules to increase security and efficiency of the over-the-counter derivatives market.

2.

The EDPS has not been consulted by the Commission, although this is required by Article 28(2) of Regulation (EC) No 45/2001 (‘Regulation (EC) No 45/2001’). Acting on his own initiative, the EDPS has therefore adopted the present Opinion based on Article 41(2) of Regulation (EC) No 45/2001.

3.

The EDPS is aware that this advice comes at a relatively late stage in the legislative process. Nevertheless, he finds it appropriate and useful to issue this Opinion. In the first place, he emphasises the potential data protection implications of the Proposal. In the second place, the analysis presented in the present Opinion is directly relevant for the application of existing legislation and for other pending and possible future proposals containing similar provisions, as will be explained in Section 3.4 of this Opinion.

4.

In the wake of the financial crisis, the Commission has initiated and brought forward a review of the existing legal framework for financial supervision in order to cope with the important failures identified in this area both in particular cases and in relation to the financial system as a whole. A number of legislative proposals have been recently adopted in this field with a view to strengthening the existing supervisory arrangements and improving coordination and cooperation at EU level.

5.

The reform introduced in particular an enhanced European financial supervisory framework composed of a European Systemic Risk Board (4) and a European System of Financial Supervisors (ESFS). The ESFS consists of a network of national financial supervisors working in tandem with three new European Supervisory Authorities, i.e. the European Banking Authority (5) (EBA), the European Insurance and Occupational Pensions Authority (6) (EIOPA) and the European Securities and Markets Authority (ESMA) (7). In addition, the Commission adopted a series of specific initiatives to implement the regulatory reform in respect of specific areas or financial products.

6.

One of those is the present proposal which deals with ‘over-the-counter derivatives’, i.e. those derivative products (8) that are not traded on exchanges, but instead privately negotiated between two counterparts. It introduces the obligation for all financial counterparties and non-financial counterparties fulfilling certain threshold conditions to clear all standardised OTC derivatives through Central Counterparties (CCPs). In addition, the proposed regulation shall oblige those financial and non-financial counterparties to report the details of any derivative contract and any modification thereof to a registered trade repository. The Proposal also provides for harmonised organisational and prudential requirements for CCPs and organisational and operational requirements for trade repositories. While national competent authorities retain the responsibility for authorising and supervising CCPs, registration and surveillance of trade repositories is entirely entrusted to ESMA according to the proposed regulation.

7.

Article 61(2)(d) of the Proposal empowers ESMA to ‘require records of telephone and data traffic’ (emphasis added). As will be further explained below, the scope of the provision and in particular the exact meaning of ‘records of telephone and data traffic’ is not clear. Nevertheless, it seems likely — or at least it cannot be excluded — that the records of telephone and data traffic concerned include personal data within the meaning of Directive 95/46/EC and Regulation (EC) No 45/2001 and, to the relevant extent, Directive 2002/58/EC (now called, as amended by Directive 2009/136/EC, ‘the e-Privacy Directive’), i.e. data relating to the telephone and data traffic of identified or identifiable natural persons (9). As long as this is the case, it should be assured that the conditions for fair and lawful processing of personal data, as laid down in the Directives and the Regulation, are fully respected.

8.

Data relating to use of electronic communication means may convey a wide range of personal information, such as the identity of the persons making and receiving the call, the time and duration of the call, the network used, the geographic location of the user in case of portable devices, etc. Some traffic data relating to internet and e-mail use (for example the list of websites visited) may in addition reveal important details of the content of the communication. Furthermore, processing of traffic data conflicts with the secrecy of correspondence. In view of this, Directive 2002/58/EC has established the principle that traffic data must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication (10). Member States may include derogations in national legislation for specific legitimate purposes, but they must be necessary, appropriate and proportionate within a democratic society to achieve these purposes (11).

9.

The EDPS acknowledges that the aims pursued by the Commission in the present case are legitimate. He understands the need for initiatives aiming at strengthening supervision of financial markets in order to preserve their soundness and better protect investors and economy at large. However, investigatory powers directly relating to traffic data, given their potentially intrusive nature, have to comply with the requirements of necessity and proportionality, i.e. they have to be limited to what is appropriate to achieve the objective pursued and not go beyond what is necessary to achieve it (12). It is therefore essential in this perspective that they are clearly formulated regarding their personal and material scope as well as the circumstances in which and the conditions on which they can be used. Furthermore, adequate safeguards should be provided for against the risk of abuse.

10.

Article 61(2)(d) provides that ‘in order to carry out the duties set out in Articles 51 to 60, 62 and 63 (i.e. duties relating to the surveillance of trade repositories), ESMA shall have […] (the power) to require records of telephone and data traffic’. Because of its broad formulation, the provision raises several doubts concerning its material and personal scope.

11.

In the first place, the meaning of ‘records of telephone and data traffic’ is not entirely clear and thus needs to be clarified. The provision might refer to records of telephone and data traffic, which trade repositories are obliged to retain in the course of their activities. Several provisions of the proposed regulation concern record keeping requirements of trade repositories (13). However, none of these provisions specifies if and what records of telephone and data traffic must be retained by trade repositories (14). Therefore, should the provision refer to records held by trade repositories, it is essential to define precisely the categories of telephone and data traffic that have to be retained and can be required by ESMA. In line with the principle of proportionality, such data must be adequate, relevant and not excessive in relation to the supervisory purposes for which they are processed (15).

12.

More precision is needed particularly in the present case, in consideration of the heavy fines and periodic penalty payments that trade repositories and other persons (including natural persons as regards periodic penalty payments) concerned might incur for a breach of the proposed regulation (cf Articles 55 and 56). Such fines may reach 20 percent of the annual income or turnover of the trade repository in the preceding business year, i.e. a threshold which is twice as high as the maximum threshold provided for infringements of European competition law.

13.

It should also be noted that the above cited Article 67, paragraph 4, delegates to the Commission the power to adopt regulatory standards specifying the details of the information that trade repositories shall make obligatorily available to ESMA and other authorities. This provision might therefore be used to further specify record-keeping requirements of trade repositories and thus, indirectly, the power granted by ESMA to access records of telephone and data traffic. Article 290 TFEU provides that a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend non-essential elements of the legislative act. According to the EDPS, the exact perimeter of the power to access traffic data cannot be considered a non-essential element of the regulation. The material scope thereof should therefore be specified directly in the text of the regulation and not deferred to future delegated acts.

14.

Similar doubts surround the personal scope of the provision concerned. In particular, the potential addressees of a request to provide records of telephone and data traffic are not specified in Article 61(2)(d). It is not clear in particular whether the powers to require records of telephone and data traffic would only be limited to trade repositories (16). As the purpose of the provision is to allow ESMA to carry out supervision of trade repositories, the EDPS is of the opinion that this power should be strictly limited to trade repositories only.

15.

Finally, the EDPS understands that the aim of Article 61(2)(d) is not to allow ESMA to gain access to traffic data directly from telecom providers. This seems to be the logical conclusion particularly in consideration of the fact that the Proposal does not refer at all to data held by telecom providers or to the requirements set out by the e-Privacy Directive as mentioned in point 8 above (17). However, for the sake of clarity, he recommends making such conclusion more explicit in Article 61(2) or at least in a recital of the proposed regulation.

16.

Article 61(2)(d) does not indicate the circumstances in which and the conditions under which access can be required. Neither does it provide for important procedural guarantees or safeguards against the risk of abuses. In the following paragraphs, the EDPS will make some concrete suggestions in this direction.

17.

The power for supervisory authorities to require access to records of telephone and data traffic is not new in the European legislation as it is already foreseen in various existing directives and regulations concerning the financial sector. In particular, the market abuse Directive (20), the MIFID Directive (21), the UCITS Directive (22), the current Regulation on credit rating agencies (23), all contain similarly drafted provisions. The same is true for a number of recent proposals adopted by the Commission, namely the proposals for a Directive on alternative investment fund managers (24), a Regulation amending the existing Regulation on credit rating agencies (25), a Regulation on short selling and certain aspects of credit default swaps (26) and a Regulation on integrity and transparency of energy markets (27).

18.

As regards these existing and proposed legislative instruments, a distinction should be made between investigatory powers granted to national authorities and the granting of such powers to EU authorities. Several instruments oblige Member States to grant the power to require telephone and data traffic records to national authorities ‘in conformity with national law’ (28). As a consequence, the actual execution of this obligation is necessarily subject to the national law including the one implementing Directives 95/46/EC and 2002/58/EC and other national laws which contain further procedural safeguards for national supervisory and investigatory authorities.

19.

No such condition is contained in the instruments which grant the power to require telephone and data traffic records directly to EU authorities, such as in the present proposal on OTC derivatives and the above-mentioned proposal for a Regulation amending Regulation 1060/2009 on credit rating agencies (the ‘CRA Proposal’). As a consequence, in these cases there is an even stronger requirement to clarify in the legislative instrument itself, the personal and material scope of this power and the circumstances in which and the conditions under which it can be used and to ensure that adequate safeguards against abuse are in place.

20.

In this respect, the observations made in the present Opinion, although aimed at the proposal on OTC derivatives, have a more general relevance. The EDPS is aware that with regard to legislation already adopted or close to adoption, these comments may come too late. Nevertheless, he invites the institutions to reflect upon the need to amend the pending proposals in order to take into account the concerns expressed in the present Opinion. As to the already adopted texts, the EDPS invites the institutions to seek for possibilities to clarify matters, for instance where the scope of the provision concerned is liable to be directly or indirectly specified in delegated or implementing acts, for instance acts defining the details of record keeping requirements, interpretative notices or other comparable documents (29). The EDPS expects the Commission to consult him in good time in the context of these related procedures.

21.

The EDPS considers it appropriate to make additional comments on some other points of the Proposal which relate to the rights to privacy and data protection of individuals.

22.

Recital 48 correctly states that it is essential that Member States and ESMA protect the right to privacy of natural persons when processing personal data, in accordance with Directive 95/46/EC. The EDPS welcomes the reference to the Directive in the recital. However, the meaning of the recital could be made clearer by further specifying that the provisions of the Regulation are without prejudice to the national rules which implement Directive 95/46/EC. Preferably, such a reference should also be included in a substantive provision.

23.

Moreover, The EDPS notes that ESMA is a European body subject to Regulation (EC) No 45/2001 and to EDPS supervision. It is therefore recommended to introduce an explicit reference to this Regulation, specifying as well that the provisions of the Proposal are without prejudice to such Regulation.

24.

One of the principal aims of the proposed regulation is to enhance the transparency of OTC derivatives market and improve regulatory oversight of such market. In view of this objective, the Proposal obliges financial counterparties and non-financial counterparties meeting certain threshold conditions to report the details of any OTC derivative contract they have entered into and any modification or termination thereof to a registered trade repository (Article 6) (30). Such information is meant to be held by trade repositories and made available by the latter to various authorities for regulatory purposes (Article 67) (31).

25.

In case one of the parties to a derivative contract subject to the above clearing and reporting obligations is a natural person, information about this natural person constitutes personal data in the sense of Article 2(a) of Directive 95/46/EC. The fulfilment of the above obligations therefore constitutes processing of personal data in the sense of Article 2(b) of Directive 95/46/EC. Even in case where the parties to the transaction are not natural persons, personal data may still be processed in the framework of Articles 6 and 67, such as for instance the names and contact details of the directors of the companies. The provisions of Directive 95/46/EC (or Regulation (EC) No 45/2001 as relevant) would therefore be applicable to the present operations.

26.

A basic requirement of data protection law is that information must be processed for specified, explicit and legitimate purposes and that it may not be further processed in a way incompatible with those purposes (32). The data used to achieve the purposes should furthermore be adequate, relevant and not excessive in relation to that purpose. After an analysis of the proposed regulation, the EDPS draws the conclusion that the system put in place by the Proposal does not meet these requirements.

27.

As regards purpose limitation, it must be stressed that the Proposal fails to specify the purposes of the reporting system and, most importantly, the purposes for which the information held by trade repositories can be accessed by the competent authorities under Article 67 of the Proposal. A general reference to the need for enhancing the transparency of the OTC derivatives market is clearly not sufficient to comply with the purpose limitation principle. Such principle is further put under pressure in Article 20(3) of the proposed regulation concerning ‘Professional secrecy’, which, as it is currently formulated, would seem to allow use of confidential information received pursuant to the proposed regulation for a number of additional and not clearly specified purposes (33).

28.

The Proposal furthermore fails to specify the kind of data that will be recorded, reported and accessed, including any personal data of identified or identifiable persons. The above-mentioned Articles 6 and 67 empower the Commission to further specify the content of reporting and record-keeping obligations in delegated acts. Although the EDPS understands the practical need for using such a procedure, he wishes to emphasise that, as long as the information being processed under the above Articles concerns natural persons, the main data protection rules and guarantees should be laid down in the basic law.

29.

Finally, Articles 6 of Directive 46/95/EC and 4 of Regulation (EC) No 45/2001 require that personal data must be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the data were collected. The EDPS notes that the Proposal does not lay down any concrete limitation period for the retention of the personal data potentially processed under Articles 6, 27 and 67 of the proposed regulation. Articles 27 and 67 only provide that the relevant records shall be retained for at least 10 years. However, this is only a minimum retention period, which is clearly in contradiction with the requirements set out by data protection legislation.

30.

On the basis of the foregoing, the EDPS urges the legislator to specify the kind of personal information that can be processed under the Proposal, to define the purposes for which personal data can be processed by the various entities concerned and fix a precise, necessary and proportionate data retention period for the above processing.

31.

Article 61(2)(c) empowers ESMA to carry out on-site inspections with or without announcement. It is not clear whether these inspections would be limited to business premises of a trade repository or also apply to private premises or holdings of natural persons. Article 56(1)(c) allowing the Commission, at the request of ESMA, to impose periodic penalty payments on employees of a trade repository or other persons related to a trade repository in order to compel them to submit to an onsite inspection ordered by ESMA pursuant to Article 61(2) might suggest (unintentionally) otherwise.

32.

Without elaborating further on this point, the EDPS recommends limiting the power to carry out on-site inspections (and the related power to impose periodic penalty payments under Article 56) only to business premises of trade-repositories and other legal persons substantially and clearly related to them (34). Should the Commission indeed envisage allowing inspections of non-business premises of natural persons, this should be made clear and more stringent requirements should be foreseen in order to ensure compliance with necessity and proportionality principles (particularly with regards to the indication of the circumstances in which and the conditions on which such inspections can be carried out).

33.

Several provisions of the proposed regulation allow for broad exchanges of data and information between ESMA, competent authorities of Member States and competent authorities of third countries (see in particular Articles 21, 23 and 62). Transfers of data to third countries may also occur when a recognised CCP or trade repository from a third country provides services to entities recognised in the Union. Insofar as the information and data exchanged concerns identified or identifiable natural persons, Articles 7-9 of Regulation (EC) No 45/2001 and 25-26 of Directive 95/46/EC, as relevant, apply. In particular, transfers to third countries may only occur where an adequate level of protection is ensured in those countries or one of the relevant derogations provided by the data protection legislation applies. For the sake of clarity, an explicit reference to Regulation (EC) No 45/2001 and Directive 95/46/EC should be included in the text, stating that such transfers should be in conformity with the applicable rules foreseen, respectively, in the Regulation or the Directive.

34.

In accordance with the purpose limitation principle (35), the EDPS also recommends introducing clear limits as to the kind of personal information that can be exchanged and define the purposes for which personal data can be exchanged.

35.

Article 68 of the Proposal contains a number of reporting obligations of the Commission concerning the implementation of various elements of the proposed regulation. The EDPS recommends introducing also the obligation for ESMA to report periodically on the use of its investigatory powers and particularly the power to require records of telephone and data traffic. In light of the findings of the report, the Commission should also be able to make recommendations, including if appropriate proposals for the revision of the Regulation.

36.

The present proposal empowers ESMA to ‘require records of telephone and data traffic’ in order to carry out duties related to the supervision of trade repositories. In order to be considered necessary and proportionate, the power to require records of telephone and data traffic should be limited to what is appropriate to achieve the objective pursued and not go beyond what is necessary to achieve it. As it is currently framed, the provision at stake does not meet these requirements as it is too broadly formulated. In particular, the personal and material scope of the power, the circumstances and the conditions under which it can be used are not sufficiently specified.

37.

The comments made in the present Opinion, although aiming at the OTC derivatives Proposal, are also relevant for the application of existing legislation and for other pending and possible future proposals containing equivalent provisions. This is particularly the case where the power in question is entrusted, as in the present proposal, to an EU authority without referring to the specific conditions and procedures laid down in national laws (e.g. the CRA Proposal).

38.

Having regard to the above, the EDPS advises the legislator to:

39.

As regards other aspects of the Proposal, the EDPS would like to refer to his comments made under Section 4 of the present Opinion. In particular, the EDPS advises the legislator to: