Now draft biz guillotine law triggers info privacy watchdog
Data revealed during insolvencies sparks Euro ire
There are insufficient data protection safeguards built in to proposed reforms to the EU's insolvency law framework, a privacy watchdog has said.
In a recently issued opinion into the European Commission's draft Insolvency Regulation, the European Data Protection Supervisor (EDPS) raised concerns about the mandatory publication of information relating to the opening and closing of insolvency proceedings (11-page 71KB PDF) as well as the exchange of information between courts and liquidators.
In December last year the Commission published its draft Insolvency Regulation in a bid to overhaul existing laws that have been in operation since 2000. The proposals seek to make clearer the processes involved when there are parallel court proceedings initiated by creditors in different EU member states regarding payment of the debts they are owed.
Under the Commission's proposals, a court that is asked to open secondary proceedings will "immediately" be required to inform the appointed liquidator in the main proceedings in order to give those liquidators the chance to challenge those secondary proceedings from commencing.
In addition, EU member states would also be required to provide a free, publicly-accessible online register of key information relating to insolvency proceedings involving companies, the self-employed and independent professionals. National registers would be connected to a pan-EU online portal. Foreign creditors will be able to lodge claims for payment of debts by submitting a standard form within 45 days of notice of the opening of proceedings in the insolvency register being published.
The EDPS, which advises EU institutions on privacy issues, said that because the proposals "necessarily" involve the processing of personal data, EU data protection laws must be respected in the new regime. However, the watchdog said whilst the Commission has made references to those laws being applicable to the regime, it said there are still data protection "shortcomings and inconsistencies" contained within the proposed Regulation.
"The general references [to data protection] need to be specified and translated into concrete safeguards that will apply for any situation in which personal data processing is envisaged," Giovanni Buttarelli, the assistant EDPS, said in a newly adopted opinion on the draft Insolvency Regulation. "Such safeguards should be developed in the proposed Regulation."
"For instance, the retention period of the data processed and sometimes published for insolvency proceedings should be specified. Besides, it is not sufficiently clear who is responsible for the data published and, as a result, who should update the data and ensure it is secured enough. In other words, data controllers should be designated. In addition, substantive provisions are needed to further develop in a concrete manner the modalities according to which the existing rights of the data subject about whom data is collected and processed may be exercised against the various actors in such a specific area," he added.
Buttarelli said that it may not always be necessary or proportionate for information about individual insolvency proceedings to be published on the Commission's proposed online registers. He said that, even if the information should be detailed in this way, there should be a limit on how long the information should sit there before being removed, as well as efforts made to ensure the data is both accurate and secure.
"The necessity and the proportionality of the proposed system for the Internet publication of decisions opening and closing insolvency proceedings is assessed and it is verified whether the publication obligation does not go beyond what is necessary to achieve the public interest objective pursued and whether there are not less restrictive measures to attain the same objective," Buttarelli said.
"Subject to the outcome of this proportionality test, the publication obligation should in any event be supported by adequate safeguards to ensure full respect of the rights of the persons concerned, the security/accuracy of the data and their deletion after an adequate period of time," he added.
Buttarelli also called on the Commission to clarify aspects about how information contained within the national registers can be processed and used.
"[The Regulation] must identify the purpose of the processing operations and establish which are the compatible uses; identify which entities (judges and authorities responsible for the opening and the closing of insolvency procedures, competent authorities and potentially others) will have access to which data stored in the database and will have the possibility to modify the data; ensure the right of access and appropriate information for all the data subjects whose personal data may be stored and exchanged; define and limit the retention period for the personal data to the minimum necessary for the performance of such purpose," he said.
"These are essential elements that should be included in the Regulation itself," the watchdog added.
Copyright © 2013, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Sponsored: Global DDoS threat landscape report