Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2nd LAPSI Public.


Re-use of PSI
Data Protection Issues
Cécile de Terwangne
Professor at the Law Faculty, Research Director at CRIDS
University of Namur (Belgium)
2nd LAPSI Public Conference 23 January 2012, Brussels
Relations re-use & data protection
Art. 1, § 4, PSI directive 2003/98
« This Directive leaves intact and in no way affects the
level of protection of individuals with regard to the
processing of personal data under the provisions of
Community and national law, and in particular does
not alter the obligations and rights set out in
Directive 95/46/EC. »
respect data prot. rules when re-use of PSI
Right to data protection is derived from
but not assimilated to right to privacy:
- art. 7 and 8 EU Charter Fund. Rights
- art. 8 ECHR
 not to be restricted to confidentiality
When does data protection apply?
Which data? Personal data = any information
related to an identified or identifiable natural person
not necessarily confidential data
even professional data
commercial data
published data
When data is processed by automatic means or is
part of a filing system
Personal data sets; isolated personal data
Examples possibly concerned by re-use:
• Commercial registers
• Vehicles registration
• Case law data bases
• Institutional web sites presenting members, agenda, etc.
• Socio-economic data
• Land register
• European Patent Office
Data Protection principles
Fair processing of personal data
Transparency
Purpose principle:
for which purposes?
only data relevant in relation to the purposes
Proportionality principle
for the data (non excessive)
for the processing (6 hypotheses)
Data quality:
data accurate and, where necessary, kept up to date
Limited time of storage
Data Protection principles
Respect of the data subjects’ rights:
• access
• rectification, erasure
• right to object
Information to data subjects
Security measures
Notification to authority
Data protection legislation is not a prohibition
legislation
Except for sensitive data:
“personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of data
concerning health or sex life”
And for judicial data:
“data relating to offences, criminal convictions or
security measures”
Data Protection Principles
Data protection principles having particular impact
on PSI re-use:
Purpose principle
Proportionality principle
Transparency principle
Purpose Principle
Data processed for specified, explicit and legitimate
purposes…
and data not processed in a way incompatible with the
purposes of collection
(compatible = within data subject’s reasonable
expectations / foreseen by law)
Purpose Principle
Re-use for a specified purpose
• From the point of view of the public sector entity
• From the point of view of the re-user
Purpose Principle
Re-use for incompatible purposes:
• Dir. 95/46:
- strict reading: not allowed (except historical, statistical, scientific research purposes)
- soft reading: OK with data subject’s consent or NS authority prior authorisation
• Regulation proposal: OK if
- consent
- necessary for a contract
- legal obligation
- data subject’s vital interest
- task in the public interest
Consent
• Freely given, informed, specific (art. 2, h, Dir.
95/46)
• But binary (whereas nuances desirable linked to
purposes/contexts)
• [Retractable? (review dir. 95/46: « The data subject
shall have the right to withdraw his or her consent at
any time. The withdrawal of consent shall not affect
the lawfulness of processing based on consent before
its withdrawal »)]
Purpose Principle
To sum up:
Re-use allowed if
• compatible purposes
• historical, statistical or scientific research purposes
• data subject’s consent
• NSA prior authorisation
• [processing is necessary for the performance of a task carried out in the public interest]
Or else anonymise.
! Sensitive and judicial data
Purpose Principle
Only relevant data in relation to the purposes of
processing (re-use)
Proportionality Principle
Re-use for legitimate purposes (balancing test)
Grounds to legitimate re-use:
• Data subject’s consent (ex.: planning permissions)
• Re-use provided for by law (balance done in
advance)
• Interest of re-use overriding data subject’s rights
and interests (ex.: re-use of data from official
websites in the newspaper or in the journal of a non-profit-making association)
Proportionality Principle
Only non excessive data
Transparency Principle
Duty to inform data subjects on:
• The controller
• The purposes of re-use
• The data
• The recipients
• The existence of rights of access, to rectify, to
object
Possible exemptions
Thank you for your attention
Cécile de Terwangne