On 14 March 2019, the European Data Protection Supervisor (EDPS) issued an opinionon a legislative initiative that aims at curbing VAT fraud in the area of e-commerce. The initiative was tabled by the Commission in December 2018 and consists of two proposals, one for a directive amending Directive 2006/112/EC (COM(2018) 812 final) and another for a regulation amending Regulation (EU) No 904/2010 (COM(2018) 813 final). The proposals would create the following obligations for Member States:

• Ensuring that payment service providers keep records on cross-border payment transactions, so that tax authorities are able to detect VAT fraud;
• Enabling competent national authorities to collect, exchange, and analyse information on payment transactions;
• Establishing a central electronic information system (“CESOP”) where information stored at the national level is transmitted by Member States and would then be accessible by Eurofisc liaison officials. Eurofisc would analyse the information contained therein with the purpose of investigating tax fraud.

The EDPS makes specific recommendations on various parts of the Commission proposal. The recommendations aim at reducing the impact of the envisaged legislation on fundamental rights, thus ensuring compliance with the EU’s data protection legal framework.

The EDPS welcomes the Commission’s approach towards limiting the processing of data to the purpose of fighting tax fraud and also limiting the collection and use of personal data to the online business (payees) and not extending them to the consumers (payers). This approach should not be watered down during negotiations with the Council. The EDPS recommends, however, that specification of the purpose should not only be mentioned in the recitals, but also be inserted into the operative parts of legal acts.

Since a new central database is being created, the opinion recommends that the Commission follow the EDPS “Guidelines on the protection of personal data in IT governance and management of EU institutions” if the system is implemented and technical details have to be specified.

Ultimately, the EDPS opinion offers guidance on how to define the restriction on the data subject’s rights in the proposed legislative acts.