Track H - Cristina Dos Santos

How to combine personal data protection with the openness of PSI?

Published in: Technology, News & Politics

  1. How to combine the protection of personal data with the “openness” of Public Sector Information?
     ePSIplatform Conference 2012, 16th March 2012, Rotterdam
     Cristina Dos Santos, Senior Researcher at CRIDS – University of Namur (Belgium)
  2. Legal issues - 1
     • Public sector collects, produces, reproduces and disseminates a wide range of information in many areas of activity: social, economic, geographical, weather, tourist, business, patent, taxes, educational information, … → Directive 2003/98/EC (PSI Directive)
     • Most of this information can be considered as 'personal data', i.e. any information relating to an identified or identifiable natural person (the 'data subject') → Directive 95/46/EC (Data Protection Directive)
  3. Legal issues - 2
     As a result, we have to combine the application of both legislations when personal data are at stake.
     Current provisions of PSI Directive related to DP:
     • Recital (21): « …implemented and applied in full compliance with the principles relating to the protection of personal data in accordance with [Data Protection Directive] »
     • Article 1 (4): « …leaves intact and in no way affects the level of protection of individuals with regard to the processing of personal data … and in particular does not alter the obligations and rights set out in [Data Protection Directive] »
     • Article 2 (5): « personal data means data as defined in Article 2 (a) of [Data Protection Directive] »
  4. LAPSI Thematic Network
     WG on “Privacy Aspects of PSI”
     Current conclusions of the working group reflections:
     • No real need to review these articles of PSI Directive as regards data protection…
     • however, in practice, there is still heterogeneity of practices & legal uncertainty…
     • Need to modify or complete the PSI Directive provisions, in order to provide more « guidance » to Member States!
     Sources: http://www.lapsi-project.eu/ (LAPSI European Thematic Network) & http://www.lapsi-project.eu/wiki/index.php/Working_Group_02 (Draft “Policy Recommendation”)
  5. Example of “bad transposition”?…
     Belgium:
     • Transposition of PSI Directive at several levels: e.g. Federal Law of 7 March 2007 about re-use of PSI → its Article 4 imposes the systematic anonymisation of data subjects!
     • Several « sectoral committees » (article 36bis L. 1992) have been created within the Belgian data protection authority – la Commission de la Protection de la Vie Privée (CPVP): any “interested person” could request from them an authorization to receive electronic disclosure of personal data held by a [public body]… → possibility of re-use as intended by PSI Directive? → inconsistency between both legal regimes?!
     • A Federal Commission of Appeal on re-use has been created since 2009 → still no cases… is there a re-use of PSI market?!
     • Example: the Crossroad Bank for Enterprises (BCE), …
  6. Example of a “mix of solutions”…
     France:
     • Transposition of PSI Directive by the Law n°78-753 of 17 July 1978 (also called « CADA Law »): authorizes re-use of personal data in 3 cases:
         • when the data subject has given his/her consent, or
         • when the personal data have been anonymised, or
         • when a legislative rule or regulation allows it
     • The French Data Protection authority – la CNIL – could also oblige possible re-users to address a prior request of authorization for personal data gathered by public bodies
     E.g.: for public archives the CNIL excludes the re-use of sensitive data and the entries made in the margins of the civil status' acts, but it authorizes commercial re-use following the respect of some « precautions »…
  7. Recommendation - 1
     PSI Directive could make more references to the obligations of the data controllers within PSI Directive, e.g.:
     • Article 7 on 'transparency': should suggest the establishment of a clear and (when possible) specific « privacy policy » and/or an « information document » by PSI holders about possibilities of re-use of personal data
     • Article 8 about 'licenses': should remind the respect of privacy & data protection principles and obligations when the license is established by a public body
  8. Recommendation - 2
     • A clear reference to national Data Protection supervisory authorities (NSAs) should be made, in order to « invite » (oblige?) potential re-users to address them their requests of re-use of PSI when personal data are at stake!
     • Examples of « best practices » already exist (within EU institutions under EDPS guidance, in some national « combined-authorities », etc.)
     → Art.29 WP is the “right arena” to discuss a “harmonized” solution (need to update its WP 83 (2003!))
  9. Other “possible” solutions…
     • Technical measures: Privacy by Design, PETs… → pseudonymisation, anonymisation?
     • “Soft-law” policies (national and regional level):
         • “Proactive approach” of public bodies (EDPS' Background paper on access)
         • Data Protection Officers (solution of new DP Regulation!), under the control of NSAs
         • Codes of Conduct (at sectoral levels)
         • Privacy policies for openness (case-by-case approach)…
     Source: Bassi, Dos Santos & Fernández Salméron, Data Protection and re-use of PSI: towards a possible compromise?, CPDP 2012
  10. Thank you for your attention!
      Cristina Dos Santos, Senior Researcher at CRIDS
      All comments are welcome at: http://www.lapsi-project.eu/get-involved
      Or by mail: cristina.dossantos@fundp.ac.be
