The ‘orientation debate’ on the ECI held on 23 April can be seen here on the Commission site (I’m not sure what the excuse is for the terrible quality of audio streaming).
The council is trying to get the proposal approved before the end of the current presidency in June. Have a look at the briefing document [PDF] which talks about a couple of points which had not sunk in before:
- The new proposal is to set the minimum signatures for each country at 750*number of MEPs (i.e. proportionally harder for small countries)
- The proposal foresees an earlier filter at the time of registration, which enables the Commission to reject the registration of initiatives that are “manifestly against the values of the Union” – this is in addition to the decision on admissibility of the proposal taken on submission
- Member States are required to carry out checks when 300.000 signatures have been collected from 3 Member States
- “The principle of parallelism between online and paper systems is a very important element, which ensures simplicity and allows the possibility of collection online immediately.”
- It should be noted that the certification of the online system only relates to the system itself, and not to the data that would be collected:
Member States are required to certify the conformity of such a system based on its territory is compatible with the requirements of the Regulation
A couple of thoughts:
- Does this mean ECIs can be rejected even if legal and within the competence of the Commission? Giving officials that level of judgement doesn’t seem a great way of building confidence in the system.
- Certifying the online systems seems to be fairly pointless given that signatures will also need to be validated. Or have I missed something?
If the system certification is by national authorities, that’ll impose a pretty severe burden on an EU-wide project like EuroPetition – a project which is being funded to make the ECI work!
Updated since initial publication to add:
This has all sorts of implications for internal change control, testing, package management processes etc etc. I wonder if anyone has thought this through. For instance:
- Will the system have to be recertified every time a bug fix is posted? After all, the code will have changed…
- Will there be a (certified) test suite to maintain too? And certifiers to pay?
- Or is it enough for the developers to be ISO2700x certified?
I’m sure that’s not what the EC means, but that’s the implication of what they seem to be saying…
The general need for conformance with the Data Protection Directive should have been enough – with no need for an extra certification: otherwise, what about all the other applications out there that collect personal data: why shouldn’t they need to be certified too?
…after all it is the data – the signatures – that matter.