Opinion No 3/99 on

PUBLIC SECTOR INFORMATION AND THE PROTECTION OF PERSONAL DATA

INTRODUCTION AND PRELIMINARY OBSERVATIONS:

1. The European Commission has submitted a Green Paper entitled "Public sector information: a key resource for Europe" for public consultation¹. The main objective of the Green Paper is to encourage discussion on how public sector information can be made more accessible to citizens and business, and on whether or not national rules in this area need to be harmonised. The Green Paper appears to have been produced largely as a response to the demands of private players, who want low-cost access to public sector information and who dispute the continuing public sector monopoly in this area.

One of the key aspects of the Green Paper is therefore the availability of public sector information. At issue is a specific category of information held by public sector bodies known as "public" information, which would be made public subject to certain rules or for a particular purpose², and would be based, implicitly or explicitly, on the State's desire for transparency with regard to its citizens³.

The Green Paper does not ignore the protection of personal data, even though such protection would not appear to be its primary focus.

Paragraph 111 (Chapter III.7, page 16) explicitly states that Directive 95/46/EC on the protection of personal data⁴ "establishes binding rules for both the public and the private sectors and [...] must be fully observed in cases of personal data held by the public sector".

Paragraph 114 states that "[t]he emergence of the information society could pose new risks for the privacy of the individual if public registers become accessible in electronic format (in particular on-line and on the Internet) and in large quantities".

However, the Green Paper as a whole contains several ambiguities which cast doubt on the strength of this conviction.

First, the use of the term "publicly available" creates the impression that information, by virtue of its availability, can be used for any purpose. The principle of purpose, which is a cornerstone of our data protection legislation, does not go well sits uneasily with the adjective "available". Furthermore, the principle of honesty in data collection is ensured in particular by the requirement of security of processing, but could suffer if data are made public without prior discussion or precautions being taken. It is therefore advisable that the phrase "publicly available" be replaced by a more suitable and unambiguous wording (such as "publicly accessible").

Secondly, Question 7 ("Do privacy considerations deserve specific attention in relation to the exploitation of public sector information?", page 16) might lead one to think that Directive 95/46/EC is not as definite as one might have imagined on this point, while at the same time paragraph 111 specifies states that Directive 95/46/EC "achieves the necessary balance between the principle of access to public sector information and the protection of personal data". These ambiguities need to be removed.

2. The objective of this Opinion is to provide input for the discussion on the protection of personal data, a dimension which must be taken into consideration when undertaking to grant greater access to public sector data, where such data relates to individuals. However, the Opinion does not claim to provide answers to all of the questions raised by the need for a balance between improved access to public sector data, based on a desire for increased transparency by the State with regard to its citizens, on the one hand, and the protection of personal data as defined by Directive 95/46/EC, on the other.

So this Opinion does not deal with issues raised in the Green Paper which go beyond the issue of making public sector information available to third parties, such as the viewpoint expressed in paragraph 56 (Chapter II.2, page 9), for example, that "[t]he use of new technologies can considerably increase the efficiency of the collection of information. It gives public bodies the possibility to share available information when this is in conformity with data protection rules".

Drawing on Directive 95/46/EC and on practical illustrations using the best-known public registers of personal data, this Opinion aims to provide a first set of indications pointers to be considered when taking real-life decisions. These indications pointers and practical examples from a variety of Member States are intended to show how, in the information society, the rules on data protection should be taken into account with regard to data from public registers. While it cannot claim to ensure protection in every case, this Opinion also aims to point to some of the technical and organisational measures which can help to balance the publication of these data against compliance with the provisions on personal data protection and in particular the provisions relating to the fundamental principle in this area, i.e. the purpose for which the data are made public.

I - THE RULES ON DATA PROTECTION APPLY TO PERSONAL DATA WHICH HAVE BEEN MADE PUBLIC

The accessibility of public sector information advocated in the Green Paper, particularly through computerisation, raises the issue of how these data are used. Their usage cannot be prohibited as this would run contrary to trends in society. Nor is prohibition the intention of our data protection legislation: its task is to regulate the computerisation of society, not to prevent proscribe it.

It is an obvious fact thatperfectly clear from the wording of our data protection legislation covers that it applies to personal data made publicly available: even after they personal data are made public, they are still personal and must therefore be protected.

This assertion requires an examination of exactly what protection is afforded to personal data made public. In this regard, Directive 95/46/EC can provide some of the answers.

A - Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

The rules of the Directive cover the principle of the right of public access to administrative documents⁵ and other factors which are relevant to the discussion⁶.

The principle of purpose requires that personal data are collected for specific, explicit and legitimate purposes and are not subsequently processed in a manner which is incompatible with these purposes.⁷ This principle therefore plays a key role in the accessibility of personal data held by the public sector.

In particular, a case-by-case examination is required of the extent to which a law makes publication or public access to personal data mandatory or permissible. Is the law intended to ensure access to the data in their entirety with no time limitation? Can the data be used for any purpose, regardless of the initial purpose or, conversely, does the law allow only some parties to access the data and/or does it require that the data be used for a purpose linked to the initial purpose for which they were made public? Consequently, personal data to be made public do not constituteare not a homogeneous category which can be dealt with uniformly from a data protection point of view. Instead, an a step-by-step analysis in stages is needed of the rights of the data subject and the right of the public to access the data respectively. While there may be public access to data, such access may be subject to certain conditions (such as proof of legitimate interest). Alternatively, the purposes for which the data may be used, for example for commercial purposes or by the media, may be restricted. The examples below illustrate these points.

At this point it is worth mentioning that regardless of whether or not personal data are published, data subjects always has the right to access their data and, where necessary, to require that they be rectified or erased if they have not been processed in accordance with the Directive, and in particular if they are incomplete or inaccurate⁸.

A number of provisions of the Directive refer explicitly to the public nature of data. Two of these provisions are worth examining in some all of their nuancesdetail.

Article 18(3) concerns the obligation to notify the supervisory authority of the processing of data and states that an exception may be made in the case of a register "which according to laws or regulations is intended to provide information to the public and which is open to consultation ... by the public in general". But it should be noted that recitals 50 and 51 of the Directive specify that exemption or simplification only applies to processing operations whose sole purpose (first condition) is the keeping of a register intended, according to national law, to provide information to the public (second2nd condition) and open to consultation by the public or by any person demonstrating a legitimate interest (3rd third condition). However, such derogations do not release the controller from any of the other obligations resulting from the Directive.

Finally, Article 26(1f) contains a derogation from the requirement of an adequate level of protection, where data are transferred to a third country which does not ensure an adequate level of protection "from a register ... which is open to consultation ... by the public". However, recital 58 of the Directive limits the scope of such transfer by specifying that it should not involve the entirety of the data or entire categories of the data contained in the register and, where appropriate, the transfer should only be made at the request of persons having a legitimate interest.

It is clear from the provisions and recitals referred to above that personal data protection considerations should not be used to prevent citizens from accessing administrative documents under conditions laid down in national legislation. However, the Directive is not intended to remove all protection from publicly-accessible data either.

The discussion on whether the national rules on access to public sector information need to be harmonised should in any case take account of the harmonised rules on the protection of personal data and the associated national transposition measures.

In addition to the Commission's task of monitoring the application of the Directive, the Working Party set up under Article 29 of the Directive shall undertake a concrete examination of the impact of the national measures implementing Directive 95/46/EC in specific cases, which could bring to light divergences at national level⁹.

B - Examples of how a balance is struck between the rules on personal data protection and the right of access to public sector information

Some national legislation only allows public sector information to be used for certain purposes. Access to certain data may be prohibited, certain uses may be prohibited, or conditions may be imposed on access.

The computerisation of data and the possibility of carrying out full- text searches creates an unlimited number of ways of querying and sorting information, with Internet dissemination increasing the risk of collection for improper purposes. Furthermore, computerisation has made it much easier to combine publicly available data from different sources, so that a profile of the situation or behaviour of individuals can be obtained¹⁰. In addition, particular attention should be paid to the fact that making personal data available to the public provides fuel forserves to fuel the new techniques of data warehousing and data mining. Using these techniques, data can be collected without any advance specification of the purpose, and it is only at the stage of actual usage that the various purposes are defined. So all of the technological possibilities with regard to data usage need to be considered¹¹.

This is why it is important to check, on a case-by-case basis, what the negative repercussions on individuals might be, before taking any decision on computerised dissemination. In some cases a decision will have to be taken either not to release certain personal data, to let the data subject decide, or to impose other conditions.

1 - Databases of court decisions:

Paragraph 74 of the Green Paper (page 11) refers specifically to court cases to illustrate the notion of "information that is fundamental for the functioning of democracy". This raises a fundamental basic question, namely: do we really imagine that putting all every judgments from all jurisdictions every court on the Internet will not harm individuals?

If special precautions are not taken, case-law databases, which are legal documentation instruments, can become information files on individuals if these databases are consulted to obtain a list of the court judgments on a specific individual rather than to find out about case- law, for example.

In an opinion delivered on 23 December 1997, the Belgian Commission for the Protection of the Right to Privacy (Commission de la Protection de la Vie Privée) strongly emphasised this point, stating that advances in technology mean that greater caution must be exercised when naming the parties in case-law chronicles. The Commission proposed that, if complete anonymity is not an option, then court decisions which are accessible to any group of public users should not be indexed by name, thereby preventing searches from being made using this criterionon the basis of the names of the parties.

The Italian Commission for the Protection of Personal Data¹² is considering putting forward a proposal at national level to the effect that the parties should be entitled to prevent their names from being published in case-law databases. They could exercise this right at any time and have their names removed when computerised databases are updated. Existing paper publications would not be affected by this entitlement.

The French Ministry for Justice wishes to disseminate case law databases on the Internet and has stated in the specifications that the parties to court decisions must remain anonymous.

2 - Certain official texts:

The Internet has caused an information explosion at international level and a corresponding increase in information sources. This globalisation of information has givenmay generate rise to a specific particular type of risk. The distribution of information which is legitimate public information in one country can seriously endanger the privacy or physical safety of individuals if disseminated worldwide. In some countries, for example, publication of the names of naturalised persons is mandatory. This is the case in France where, on the advice of the National Commission for Information Technology and Civil Liberties (Commission Nationale de lÆInformatique et des Libertés -CNIL), the Government has excluded lists of naturalised persons from the version of the Official Journal published on the Internet, in order to ensure that certain nationals who have given up their original nationality are not subjected to retaliation.

In certain cases, therefore, the desire of the State - and in particular of its nationals - for transparency is incompatiblesits uneasily with the global dissemination of such data.

3 - Other instances of the imposition of conditions imposed on the dissemination of personal data which have been made public, in order to protect data subjects:

The conditions of access to personal data contained in registers vary greatly, depending on the regulations governing them. These conditions include partial access, proof of legitimate interest and the prohibition of commercial usage.

In Germany, for example, all lists of candidates in Federal elections must include the surname, forename, profession or status, date and place of birth, and address of each candidate. But in the lists which the returning officer responsible for organising federal elections at local or Land level makes public before the ballot, the date of birth is replaced by the year of birth.

In Italy, the legislation governing the population register held by each municipality prohibits data from being transmitted passed to private bodies and requires any public authority requesting data to provide proof of legitimate public interest.

The electoral register in France is public so that the entries can be checked for validity. By law, all candidates and political parties may use the register for political purposes but commercial usage is prohibited. It is inconceivable that the electoral lists would be published on the Internet.

Also in France, personal data in the cadastral register are public, but may not be used for commercial ends.

In Greece, where the cadastral register is organised on the basis of an alphabetical index of property owners, the current system will be replaced by an index based on the properties themselves in order to prevent users from carrying out searches on the property owned by a single individual. Access to the cadastral register requires proof of legitimate interest.

II - THE NEW TECHNOLOGIES CAN HELP TO STRIKE A BALANCE BETWEEN THE PROTECTION OF PERSONAL DATA AND THE PUBLICATION OF SUCH DATA

In addition to promoting access to public data, in particular by providing on-line access, the new technologies and some of the accompanying administrative measures can also help to ensure compliance with the main principles of data protection, such as end purpose, the principle of information, the right to object and the principle of security. However, these technologies do not provide an absolute guarantee against abuses of the principles of personal data protection described above.

A - The technical conditions for access to public sector information must help to ensure compliance with the principle of purpose

Given the conditions of public access to computerised data, it is obviously very difficult to ensure guarantee in practice that data are actually used for the stated purpose, but well- properly thought-out and targeted use of technology can help to attain this objective. This means, however, that in each individual case the query conditions must be defined and checked. The following principle should apply: "anyone may read any individual data set to the extent authorised, but not all data sets in their entirety". The search criteria must be chosen in such a way that it is impossible to misuse the data in normal usage. It is also necessary to check whether it is possible to get around the obstacle using additional information from other sources.

To prevent data from being used for purposes other than the one(s)that (those) for which they were made public, on-line consultation of databases can be restricted. Such restrictions would be applied on a case-by-case basis and might involve, for example, limiting the field of the query or the query criteria.

In France, for example, any person who knows the name, date and place of birth of an individual can access their birth certificate. The National Commission for Information Technology and Civil Liberties has made on-line access to birth certificates subject to the condition that the on-line request includes all of this information. Thus, by laying down criteria restricting the scope of database queries, large-scale collection of data from these registers for commercial purposes can be prevented and compliance with the principle of purpose can be ensured.

Again in France, it used to be possible to query the computerised version of the telephone directory using the first few letters of the surname, thereby making it easier to download the entire directory and use it for commercial purposes against the wishes of some subscribers who had objected to such usage. Possible abuses of purpose in this manner were headed off by making this type of query impossible on Minitel and the Internet.

In the Netherlands, the telephone directory on CD-Rom has been designed in such a way that users cannot obtain people's names and addresses simply by knowing their telephone number (it is impossible to query the database using the telephone number alone).

Similarly, it should not be possible to query business registers using the person's name alone, because this would allow users to find out all of the business interests of a single individual.

B. The use of technical tools to prevent the automatic capture of on-line data should be encouraged

An example of such a tool is the Robots Exclusion Protocol, whose goal is to prevent all or some of the pages in a website from being indexed automatically by a search engine. But such a protocol can only be effective if website designers and Internet users know that it exists and if search engines comply with it. Some search engine producers say that they adhere to this protocol.

III. Commercial usage

Personal data held by the public sector are initially collected and processed for specific purposes and, as a rule, on the basis of a regulationnormally speaking, on the basis of certain rules. In some instances the provision of data is mandatory and in other cases information must be supplied in order to gain access to a public service. Therefore, data subjects do not necessarily expect that their personal data will be made public and used for commercial purposes. This is one of the reasons why some national legislation permits access to public sector information, including personal data, but prohibits the use of such data for commercial ends¹³.

From the point of view of Directive 95/46/EC¹⁴, the question arises as to whether commercial usage should be viewed as incompatible with the original purpose for which the data were collected and, if so, under what conditions commercial usage might nevertheless be permitted.

If public sector information is to be published and marketed¹⁵, certain rules must be obeyed. In each individual case, a balance needs to be struck between the right to privacy and the commercial interests of private operators.

Directive 95/46/EC recognises the right of data subjects to be informed about the processing of data concerning them and stipulates that at the very least they have the right to object to legitimate processing. Data subjects must therefore be informed about the commercial usage of data concerning them and must be able to object to such usage by simple and effective means¹⁶.

Much remains to be done in this respect. Given the profusion of data dissemination sources, the large number of operators and the possibility of downloading data, the notion of a one- stop-shop for data protection is gaining ground, meaning that data subjects would not have to object to each operator individually. In several European countries, people listed in the telephone directories can avail themselves of this option.

For the same reason, the National Commission for Information Technology and Civil Liberties¹⁷ has recommended that all publishers of directories should identify the subscribers who have exercised their right to object to their details being used for commercial purposes. The publishers should do this on every medium on which their directories are published (hard copy, CD-Rom, Minitel or Internet).

The idea of a one-stop-shop would appear to be essential both to ensure that people's rights are respected and to act as a reference point for commercial operators wishing to use personal data.

To achieve a balance between the right to privacy and the commercial interests of operators, it may also be necessary to obtain the data subject's consent¹⁸ or even to introduce legislation or regulations, as the following example shows.

In an opinion on the use of planning permission data for commercial purposes, Belgium's Commission for the Protection of the Right to Privacy considered that such usage could only be lawful if the new purpose (in this case the use of data processed by public authorities for commercial purposes) had a legal or statutory basis defining it in exact terms. Without such a basis, the Belgian Commission considered that the interests served by passing on data to third parties did not override the data subject's right to privacy. Another possibility mentioned in the opinion was to obtain the data subject's consent for commercial usage. Data subjects must have given their consent unambiguously and in full knowledge of the facts, taking into account the fact that anyone applying for planning permission is required to submit a file which meets certain stipulations.

Later on in the same opinion, the Belgian Commission refers to the obligation to inform data subjects of processing concerning them, and stresses in particular that they are entitled to object to such processing, on request and without charge, if the data are to be used for direct marketing purposes.

CONCLUSION:

Public access to data does not mean unfettered access: all Member States base their legislation on this philosophy. When personal data are made public, either by virtue of a regulation or because the data subject himself authorises it, the data subject is not deprived of protection, ipso facto and forever. He is guaranteed such protection by law in accordance with the fundamental principles of the right to privacy.

In order to strike a balance between the right to privacy and the protection of personal data on the one hand, and the right of the general public to access public sector data on the other, the Green Paper consultation and conclusions must take account of the following factors and issues:

• a case-by-case assessment of whether personal data can be published/should be accessible or not, and if so, under what conditions and on which media (computerised or not, Internet dissemination or not, etc.);
• the principles of purpose and legitimacy;
• the obligation to inform the data subject;
• the data subject's right to object;
• the use of the new technologies to help protect the right to privacy.

These factors should be taken into account not just in situations where publication or access is already regulated, but also in situations where regulation does not appear necessary, with a view to satisfying the general public's demand for access to public sector information, including personal data¹⁹.

The Working Party looks forward to the European Commission's conclusions on the current consultation process, and we would be extremely interested in contributing to future work in this area, including the issue of third party access to public information, which strictly speaking goes beyond the scope of the Green Paper²⁰.

Brussels, 3 May 1999
On behalf of the Working Party

Peter Hustinx
Chairman

¹ Com (1998)585, available at: http://www.echo.lu/legal/en/access.html.

² It seems that a distinction can be made between information which must be made public by law, information which is accessible by law, and situations where the issue of publication of, or access to, public sector information is not regulated by law but is raised following a request from individuals or businesses.

³ This Opinion does not, therefore, deal with the other, broader, meaning of "public", which covers all data processed by public bodies.

⁴ Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the protection of personal data and on the free movement of such data, OJ L 281, 23 November 1995, p. 31. Available at: http://www.europa.eu.int/comm/dg15/fr/media/dataprot/index.htm.

⁵ See recital 72. It is important to note for this discussion that the Directive does not define "administrative documents". However, they can be considered in a broad sense to include at least the "administrative information" defined in the Green Paper proposal for a classification of information (paragraph 73 et seq, page 11).

⁶ See Article 10 and recital 37 of Directive 95/46/EC on achieving a balance between the right to privacy and the rules on freedom of expression. See also Recommendation 1/97 of the Working Party on "Data protection law and the media", adopted on 25 February 1997 (Document No 5012/9, available in the eleven official languages at http://www.europa.eu.int/comm/dg15/fr/media/dataprot/index.html).

⁷ For details see Article 6(1b) of Directive 95/46/EC.

⁸ See Article 12 of Directive 95/46/EC.

⁹ See Articles 29 and 30 of Directive 95/46/EC.

¹⁰ Note that the use of such technologies also enables the State to establish such profiles.

¹¹ A further example of this is that it is possible to obtain negative information about individuals more easily by combining two databases electronically, e.g. the names of people who are not entitled to vote can be obtained by combining the population register (where it exists in computerised form) with the electoral rolls.

¹² Garante per la protezione dei dati personali

¹³ See Annex 1 of the Green Paper: Current situation in Member States regarding legislation and policy on access to public sector information, page 20 et seq.

¹⁴ See Article 6(1b) of Directive 95/46/EC.

¹⁵It should be noted that some people consider that since personality profiles can be assembled by combining data from various sources, the use of personal data for commercial purposes should be banned or at least restricted and infringements punished. As regards personal data from official sources, there should be no exception to the obligation to inform the data subject (Article 11 of the Directive).

¹⁶ See Articles 10, 11 and 14 of Directive 95/46/EC.

¹⁷ Commission Nationale des Libertés et de lÆInformatique, France.

¹⁸ See Articles 2(h), 7(a) and 8 of Directive 95/46/EC on the definition of consent and the requirement of specific forms of consent in some cases.

¹⁹ See footnote on page 2.

²⁰ See, for example, the earlier reference to paragraph 56 (page 9 of the Green Paper) on the possibilities of collecting and sharing information, and paragraph 123 (page 18) containing a proposal for the exchange of information between public bodies.