The European Data Protection Supervisor (EDPS) published four separate opinions on the draft laws that EU lawmakers have proposed, which relate to the regulation of banks, market abuse, investment services and the regulation of credit rating agencies.
Giovanni Buttarelli, assistant EDPS, said the draft texts raised "similar data protection concerns" and that each one should include "substantive provisions emphasising the applicability of existing data protection legislation".
"In the financial sector, I am particularly concerned about the data protection issues raised by the new powers of the supervisory authorities, especially in relation to access to communication data and inspection of private premises. The reform presents a golden opportunity for the legislator to guarantee the fundamental right of data protection while taking the specific needs of the financial sector into account. This opportunity should not be missed," Buttarelli said.
Current EU laws on market abuse prohibit company management, staff and shareholders, amongst others, from using inside information in their possession – information that would affect a company's share price or related derivatives – to buy or sell "financial instruments" for either their "own account" or that of a third party. Part of the EU's planned financial sector reforms is set out in the 'MAD II' draft legislation, which proposes new rules on insider dealing and market manipulation as well as new criminal sanctions relating to the activity.
The MAD II text sets out that authorities would be able to enter private premises to seize documents and force telecoms providers to hand over 'traffic' data from communications. However, the EDPS said that the text should set out a "general requirement" for investigators to obtain "prior judicial authorisation" before entering private premises, claiming it was "both justified and required in view of the potential intrusiveness of the power at stake". The text should also include specific provisions that require the investigators to show that it is "necessary" in each case to enter the premises, the EDPS opinion said.
Investigators should only be able to access traffic data from communications which is both necessary and proportionate for their purpose, the EDPS said.
"Investigatory powers directly relating to traffic data, given their potentially intrusive nature, have to comply with the requirements of necessity and proportionality, i.e. they have to be limited to what is appropriate to achieve the objective pursued and not go beyond what is necessary to achieve it," the EDPS's opinion said. "It is therefore essential in this perspective that the provisions are clearly drafted regarding their personal and material scope as well as the circumstances in which and the conditions on which they can be used. Furthermore, adequate safeguards should be provided for against the risk of abuse."
The EDPS said that the draft legislation should specifically refer to the "categories of telephone and data traffic records" that investigators can access. "Such data must be adequate, relevant, and not excessive in relation to the purpose for which they are accessed and processed," it said.
This information should not be classed in such a way that it would require the telecoms companies to retain it for longer than they are currently able to under the EU's Privacy and Electronic Communications Directive, the EDPS said. That Directive requires telecoms companies to delete traffic data when it is no longer needed for the commercial purpose it was collected for.
The EDPS also expressed concern about provisions in the draft banking regulatory reforms which could allow details about individuals at "credit institutions" to be transferred from EU member states to regulators in other countries. He said the draft should include a specific requirement that the third countries to which data is to be transferred have "an adequate level of protection" in accordance with current EU data protection rules.
Plans for regulators to publish details of every sanction they issue under the regulations also raise potential problems, the EDPS said. He said he was "not convinced" that every sanction had to be publicised and instead suggested that each case should be reviewed individually to determine whether publication is appropriate. Even then, the publication should be deleted after "a reasonable period of time" has elapsed, he said.
"The EDPS is of the view that the provision on the mandatory publication of sanctions - as it is currently formulated - does not comply with the fundamental right to privacy and data protection," the EDPS's opinion said. "The legislator should carefully assess the necessity of the proposed system and verify whether the publication obligation goes beyond what is necessary to achieve the public interest objective pursued and whether there are less restrictive measures to attain the same objective."
"Subject to the outcome of this proportionality test, the publication obligation should in any event be supported by adequate safeguards to ensure respect of the presumption of innocence, the right of the persons concerned to object, the security/accuracy of the data and their deletion after an appropriate period of time," the opinion said.
People who bring wrongdoing to regulators' attention should also be guaranteed that they will remain anonymous, except where "disclosure is required by national law in the context of further investigation or subsequent judicial proceedings," the EDPS said.
The watchdog also said that individuals who are accused of wrongdoing under the draft new laws should have a right to be heard as well as be given a chance to "seek effective judicial remedy against any decision or measure" concerning them.