PRIVACY ASPECTS OF PSI BETWEEN PRIVATE AND PUBLIC SECTOR

PRIVACY ASPECTS OF REUSE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR
Bart van der Sloot
Institute for Information Law
University of Amsterdam
Tension
• Tension between private and public
– Interests
– Rights
• Distinction between access and re-use
– Access: 10 ECHR & transparency government
– Re-use: mostly commercial interest
• Distinction between collection and distribution
– Collection by government to fulfill their tasks
– Distribution from government to third party
PSI & DP
PSI-Directive Recital (21): “This Directive should be implemented and applied in full compliance with the principles relating to the protection of personal data in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and of the free movement of such data.”
Article 1, §4: “This Directive leaves intact and in no way affects the level of protection of individuals with regard to the processing of personal data under the provisions of Community and national law, and in particular does not alter the obligations and rights set out in Directive 95/46/EC.”
And Article 2, §5: “‘personal data’ means data as defined in Article 2(a) of Directive 95/46/EC.”
Topics
• Personal data
• Fairly and lawfully
• Legitimate purpose
• Information
• Rights
• Duties
Personal data
• Data relating to an identified or
identifiable natural person ('data subject');
an identifiable person is one who can be
identified, directly or indirectly
• Anonymization
– Direct personal
– Indirect data > Groups (geographical
information, group profiling)
– Privacy by design
Fairly and Lawfully (2 times)
• personal data must be collected for
specified, explicit and legitimate purposes
• not further processed if incompatible with
original purposes
• adequate, relevant and not excessive
• kept no longer than is necessary
Who is responsible?
Ground (2 times)
• data subject unambiguous consent;
– Opt in - Opt out (freely given, specific and informed)
• Processing necessary for the public interest
– Commercial (prohibitions) - Non commercial
– Non sensitive - Sensitive (race, sex, political, religion)
• legitimate interests pursued except where
privacy interest overridden: WP: Case by case
– Commercial (prohibitions) - Non commercial
– Non sensitive - Sensitive
Who is responsible?
Information (2 times)
• no later than when the data are first
disclosed
• the identity of the controller
• the purposes of the processing;
• the categories of data concerned;
• the recipients or categories of recipients;
• the existence of the rights.
• Who is responsible?
Rights (2 times)
• Right of access & information
• Right of rectification, erasure or blocking
• Right of notification to third parties to
whom the data have been disclosed of any
rectification, erasure or blocking unless
disproportionate.
• Right to object, especially in case of
grounds of public interest and third
party interest.
• Who is responsible?
Duties (2 times)
• Confidentiality of processing
• Security of processing
• Transfer to a third country of personal data
only if the third country in question
ensures an adequate level of protection.
• Who is responsible?
Who is responsible?
• 'processor' anybody that processes personal
data on behalf of the controller; - No Duties
• 'controller' anybody who alone or jointly with
others determines the purposes and means of
the processing of personal data
• Third party requesting re-use = controller (Fairly
& Lawfully, Grounds, Information, Rights, Duties)
• Government is responsible:
– Original controller
– Provider
– Legislator & enforcer
Problem?
• full compliance with the principles
relating to the protection of personal
data in accordance with Directive
95/46/EC
• no way affects the level of protection of
individuals with regard to the
processing of personal data
Proposal
• Access: right of privacy - right of access
• Re-use: No right - Economical asset.
• Two times minimum harmonization
• Clarification might be necessary
– In Data Protection Directive
– In Public Sector Information Directive
– In Code of Conduct
– In Best current practices
– Academic debate