Embed Size (px)
Citation preview
Re-use of PSIData Protection Issues
Cécile de TerwangneProfessor at the Law Faculty, Research Director at CRIDS
University of Namur (Belgium)
2nd LAPSI Public Conference 23 January 2012, Brussels
Relations re-use & data protection
Art. 1, § 4, PSI directive 2003/98« This Directive leaves intact and in no way
affects the level of protection of individuals with regard to the processing of personal data under the provisions of Community and national law, and in particular does not alter the obligations and rights set out in Directive 95/46/EC. »
respect data prot. rules when re-use of PSI
Right to data protection is derived from
but not assimilated to right to privacy:
- art. 7 and 8 EU Charter Fund. Rights
- art. 8 ECHR
not to be restricted to confidentiality
4
When does data protection apply?
Which data? Personal data = any information related to an identified or identifiable natural person
not necessarily confidential dataeven professional data
commercial data published data
When data is processed by automatic means or is part of a filing systemPersonal data sets; isolated personal data
5
Examples possibly concerned by re-use:• Commercial registers• Vehicles registration• Case law data bases• Institutional web sites presenting members, agenda,
etc.• Socio-economic data• Land register• European Patent Office
Data Protection principles
Fair processing of personal dataTransparency
Purpose principle: for which purposes? only data relevant in relation to the purposes
Proportionality principlefor the data (non excessive)for the processing (6 hypotheses)
Data quality: data accurate and, where necessary, kept up to date
Limited time of storage
Data Protection principles
Respect of the data subjects’ rights: access rectification, erasure right to object
Information to data subjects
Security measures
Notification to authority
Data protection legislation is not a prohibition legislationExcept for sensitive data: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”
And for judicial data:“data relating to offences, criminal convictions or security measures”
9
Data Protection Principles
Data protection principles having particuliar impact on PSI re-use:
Purpose principle
Proportionality principle
Transparency principle
10
Purpose Principle
Data processed for specified, explicit and legitimate purposes…
and data not processed in a way incompatible with the purposes of collection
(compatible = within data subject’s reasonable expectations / foreseen by law)
Re-use for a specified purpose
• From the point of view of the public sector entity• From the point of view of the re-user
Purpose Principle
Re-use for incompatible purposes:• Dir. 95/46: strict reading: not allowed (except historical,
statistical, scientific research purposes)
soft reading: OK with data subject’s consent or NSauthority prior authorisation
• Regulation proposal: OK if consentnecessary for a contractlegal obligationdata subject’s vital interesttask in the public interest
Purpose Principle
consent• Freely given, informed, specific (art. 2, h, Dir.
95/46)
• But binary (whereas nuances desirable linked to purposes/contexts)
• [Retractable? (review dir. 95/46: « The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal »)]
To sum up:Re-use allowed if
• compatible purposes• historical, statistical or scientific research purposes• data subject’s consent• NSA prior autorisation• [processing is necessary for the performance of a
task carried out in the public interest]
Or else anonymise.! Sensitive and judicial data
Purpose Principle
15
Only relevant data in relation to the purposes of processing (re-use)
Purpose Principle
16
Re-use for legitimate purposes (balancing test)
Grounds to legitimate re-use:• Data subject’s consent (ex.: planning permissions)• Re-use provided for by law (balance done in
advance)• Interest of re-use overriding data subject’s rights
and interests (ex.: re-use of data from official websites in the newspaper or in the journal of a non-profit-making association)
Proportionality Principle
Only non excessive data
Proportionality Principle
Transparency Principle
Duty to inform data subjects on:
• The controller
• The purposes of re-use
• The data
• The recipients
• The existence of rights of access, to rectify, to object
Possible exemptions
Thank you for your attention
Cécile de Terwangne
19
