1. How to combine the protection of personal
data with the “openness” of Public Sector
Information?
ePSIplatform Conference 2012
16th March 2012, Rotterdam
Cristina Dos Santos
Senior Researcher at CRIDS– University of Namur
(Belgium)
2. Legal issues - 1
Public sector collects, produces, reproduces and
disseminates a wide range of information in many areas of
activity: social, economic, geographical, weather, tourist,
business, patent, taxes, educational information, …
Directive 2003/98/EC (PSI Directive)
Most of this information can be considered as „personal
data‟, i.e. any information relating to an identified or
identifiable natural person (the „data subject‟)
Directive 95/46/EC
(Data Protection Directive)
2
ePSIplatform Conference 2012 - Rotterdam, 16th March 2012
3. Legal issues - 2
As a result, we have to combine the application of
both legislations when personal data are at stake
Current provisions of PSI Directive related with DP:
Recital (21) : « …implemented and applied in full compliance
with the principles relating to the protection of personal data in
accordance with [Data Protection Directive] »
Article 1 (4) : « …leaves intact and in no way affects the level of
protection of individuals with regard to the processing of personal
data … and in particular does not alter the obligations and rights
set out in [Data Protection Directive] »
Article 2 (5) : « personal data means data as defined in Article 2
(a) of [Data Protection Directive] »
3
ePSIplatform Conference 2012 - Rotterdam, 16th March 2012
4. LAPSI Thematic Network
WG on “Privacy Aspects of PSI”
Current conclusions of the working group reflections:
No real need to review these articles of PSI Directive as
regards data protection…
however, in practice, there still areheterogeneity of practices &
legal uncertainty…
Need to modify or complete the PSI Directive provisions, in
order to provide more « guidance » to Member States!
Sources : http://www.lapsi-project.eu/(LAPSI European Thematic Network)
&http://www.lapsi-project.eu/wiki/index.php/Working_Group_02 (Draft “Policy Recommendation”)
4
ePSIplatform Conference 2012 - Rotterdam, 16th March 2012
5. Example of “bad transposition”?…
Belgium:
Transposition of PSI Directive at several levels: e.g. Federal Law of 7
March 2007 about re-use of PSI its Article 4 imposes the systematic
anonymisation of data subjects!
several « sectoral committees » (article 36bis L. 1992) have been
created within the Belgian data protectionauthority – la Commission
de la Protection de la Vie Privée (CPVP): any “interested person” could
request to them an authorization to receive electronic disclosure of
personal data hold by a [public body]…
possibility of re-use as intended by PSI Directive?
inconsistency between both legal regimes?!
A Federal Commission of Appeal on re-use has been created since
2009 still no cases… is there a re-use of PSI market?!
Example: the Crossroad Bank for Enterprises (BCE), …
5
ePSIplatform Conference 2012 - Rotterdam, 16th March 2012
6. Example of a “mix of solutions”…
France:
Transposition of PSI Directive by the Law n°78-753 of 17 July
1978 (also called « CADA Law ») : authorizes re-use of
personal data in 3 cases:
• when the data subject has given his/her consent, or
• when the personal data have been anonymised, or
• when a legislative rule or regulation allows it
The French Data Protection authority – la CNIL – could also
oblige possible re-users to address a prior request of
authorization for personal data gathered by public bodies
E.g.: for public archives the CNIL excludes the re-use of sensitive data
and the entries made in the margins of the civil status‟ acts, but it
authorizes commercial re-use following the respect of some
« precautions »…
6
ePSIplatform Conference 2012 - Rotterdam, 16th March 2012
7. Recommendation - 1
PSI Directive could make more references to the
obligationsof the data controllers within PSI Directive,
e.g.:
Article 7 on „transparency‟: should suggest the establishment of
a clear and (when possible) specific « privacy policy »
and/or an « information document » by PSI holders about
possibilities of re-use of personal data
Article 8 about „licenses‟: should remind the respect of privacy
& data protection principles and obligations when the license
is established by a public body
7
ePSIplatform Conference 2012 - Rotterdam, 16th March 2012
8. Recommendation - 2
A clear reference to national Data Protection
supervisory authorities (NSAs) should be made, in
order to « invite » (oblige?) potential re-users to address
them their requests of re-use of PSI when personal
data are at stake!
Examples of « best practices » already exist (within
EU institutions under EDPS guidance, in some national
« combined-authorities », etc.)
Art.29 WP is the “right arena” to discuss about an
“harmonized” solution (need to update its WP 83 (2003!)
8
ePSIplatform Conference 2012 - Rotterdam, 16th March 2012
9. Other “possible” solutions…
Technical measures: Privacy by Design, PETs…
pseudonymisation, anonymisation?
“Soft-law” policies (national and regional level):
• “Proactive approach” of public bodies (EDPS‟ Background paper on
access)
• Data Protection Officers (solution of new DP Regulation!), under the
control of NSAs
• Codes of Conduct (at sectoral levels)
• Privacy policies for openness (case-by-case approach)…
Source:Bassi, Dos Santos & Fernández Salméron, Data Protection and re-use of PSI: towards a
possible compromise?, CPDP 2012
9
ePSIplatformConference 2012 - Rotterdam, 16th March 2012
10. Thank you for your attention!
Cristina Dos Santos
Senior Researcher at CRIDS
All comments are welcome at:
http://www.lapsi-project.eu/get-involved
Or by mail:
cristina.dossantos@fundp.ac.be
10
ePSIplatform Conference 2012 - Rotterdam, 16th March 2012