European Data Protection Supervisor (EDPS) Peter Hustinx advises EU institutions on their privacy and data protection policies. His office has published an opinion on planned changes to the EU Regulation that permits the European Central Bank (ECB) to collect statistical information on behalf of the European System of Central Banks (ESCB).
The ECB has asked the EDPS its opinion on those changes, and the EDPS has said that while it welcomes the attention paid to privacy and data protection, some of the changes are not acceptable.
"The EDPS welcomes that the proposed amendments contain a specific reference to the data protection legal framework," said its opinion. "The EDPS notes that the expression ‘statistical information’ is not defined in any of these texts, except by some reference to the definition of reporting requirements."
"The EDPS considers that the scope of this expression should be clarified," it said. "Personal data … may be collected and although these data would be processed in a statistical form, they could still be data on identifiable individuals."
"The notion of statistical information should be limited to statistics on natural and legal persons which are processed within the sphere of competence of the ECB. The EDPS suggests that further clarification about this expression be given in the recitals," it said.
When personal data is processed, EU law says that it must be for a specific purpose. The EDPS said that the proposed changes to the ECB Regulations violate that principle.
"The EDPS does not oppose the widening of purposes but objects to a list of purposes which would be indicative and not sufficiently specified," it said.
The proposed Regulation seeks to clarify the conditions under which financial statistics can be passed to the European Statistical System (ESS). It says that such transfers should be allowed "provided that it is necessary for the efficient development, production or dissemination of European statistics".
The EDPS said that if such transfers are going to take place they must be fully secure and there must be no chance that people's financial information is made public.
"It should be ensured that access to statistical information for research purposes should be provided in such a way that the reporting agent cannot be identified, either directly or indirectly, when account is taken of all relevant means that might reasonably be used by a third party," said the EDPS opinion.
