The European Data Protection Supervisor (EDPS) has published a number of interesting opinions on targeted sanctions measures, which are on the ‘guidelines’ sections of this blog. His latest opinion – link here – (published on 7 May 2014) makes a number of recommendations to the Council of the EU on the way in which is processes personal data when it draws up and reviews its lists of targets for asset freezing measures. His latest opinion covers EU “autonomous” measures relating to both to terrorism and “country” regimes, and to EU measures implementing UN regimes.
The Opinion provides a summary of EU asset freezing measures, including the respects in which they involve the processing of personal data by the Council of the EU, pursuant to the EU Data Protection Regulation (Regulation 45/2001). A previous opinion related to data processing by the European Commission. The Opinion makes a number of observations and recommendations, including the following:
1) The very fact of appearing on a list of persons whose assets are to be frozen may imply “the suspicion of being related to criminal activity”, and may therefore involve processing sensitive personal data relating to (suspected) “offences, criminal convictions or security measures”. The EDPS finds that not all EU sanctions measures properly authorize publication of that kind of data (eg the Zimbabwe, Congo, Liberla, Somalia and Sudan measures).
2) The EDPS invites the Council to assess the necessity of publishing every item of data concerning an individual, on a case by case basis, in order to make sure that it is “strictly limited to what is necessary to identify the person concerned”. The EDPS doubts whether it is necessary and proportionate to publish in the Official Journal data on suspected human rights infringements or criminal activity, rather than simply making that data available to the person concerned.
3) “Given the serious consequences that restrictive measures have on affected persons, utmost attention must be given to the accuracy of the personal data”. The Opinion recommends that the Council review all data “regularly and frequently” in order to ensure that it is accurate and up to date, to ensure the “quality” of the data when it draws up the lists, and to rectify inaccurate data (which could include the very fact that a person was included on the list) “immediately”, “without delay” (the EDPS suggests within one month).
4) The EDPS recommends that individuals are given access to personal data about them on the Council’s file “on a wide basis”. Access must not be refused simply because the Member State that provided the information does not agree to its release. Access may only be refused on the grounds expressly listed in the Regulation (national security, public security etc), interpreted narrowly.
5) Where a person’s data has been stored or published unlawfully, the EDPS recommends that the Council should not simply remove a person from the list, but should take additional steps “in order to publicly ‘clear’ the name of a wrongfully listed person”. For example, the Council could publish the reasons for de-listing a person, inform him/her of the reasons for his / her removal by letter, and provide “a document facilitating the de-blocking of the accounts and reducing the negative effects on the person’s reputation”. The EDPS recommends that the Council consider informing third parties (eg banks and financial institutions) directly of the rectification.