A recast version of the Opinion of the European Data Protection Supervisor on the proposal for a Council Regulation on administrative cooperation and combating fraud in the field of value added tax appears on today’s online version of the European Union’s Official Journal. So what does the EDPS say about the proposal? While, like all good citizens, he and his office are opposed to VAT fraud, is the proposal acceptable in data protection terms?
Broadly speaking, the proposal is not quite as DP-friendly as it might be. Concludes the EDPS’s report:
“60. The EDPS is aware of the importance of enhancing the effectiveness of measures against cross-border fraud and of achieving better collection of VAT in cross-border
situations. The EDPS furthermore acknowledges that in order to achieve these purposes it is inevitable that personal data are processed. The EDPS underlines
however that the processing of such data must be in conformity with the Community rules on data protection.
61. … the EDPS has concluded that, although several positive elements can be found [damning the proposals with faint praise?], not all the requirements stemming from the Community rules on data protection are met.
62. In the current Opinion the EDPS has advised the legislator the following:
— As regards the issue of the applicable Community legislation on data protection, to clarify the respective responsibilities of the Member States, the Commission and Eurofisc for compliance with these rules [Good point. If it’s not clear who’s responsible, it’s not clear who you sue when things go wrong].
— As regards the data exchange between competent authorities upon request or spontaneously, to specify the kind of personal information that can be exchanged, to circumscribe the purposes for which personal data can be exchanged and assess the
necessity of the transfer, or at least assure that the necessity principle is respected [this looks like a truly serious omission, especially bearing in mind that, wherever VAT is concerned, the data exchanged may have a bearing not just on a party who is being investigated for fraud but other parties too].
— With regard to the data exchange through the direct accessibility of the electronic databases, to state explicitly that, in as far as personal data are concerned, no other data, then (sic) the data already defined, shall be put in the database, or to at least ensure that automated access is restricted to the categories of data mentioned. And furthermore to circumscribe the purposes for which the databases can be directly accessed, to assure that the necessity principle is respected, and to determine a maximum storage period for keeping personal data in the database, with possible exceptions in exceptional circumstances [given the fact that VAT is reported and paid in arrears and that circumstances giving rise to a suspicion of cross-border fraud may not be apparent for a long time, a very lengthy maximum storage period is predicted]. …“.
The conclusions then identify other more specific issues that need attention, as well as issues of principle involving transparency and comitology.
This exercise shows how useful it is for the office of the EDPS to get its hands on proposed Regulations at an early stage, so that their implementation has a better chance of being their final resting place and is less likely to be a temporary stop-off on the way to the Court of Justice.