The document discusses the legal interface between data protection (DP) and freedom of information (FOI) laws in the EU and UK, highlighting the complexities and differing interpretations across member states. It outlines key aspects of legislation such as the General Data Protection Regulation (GDPR) and the UK Freedom of Information Act, including exemptions and public interest tests related to personal data disclosure. Conclusions indicate that significant divergence in legal approaches is likely to continue, affecting the reconciliation of public access and data protection rights.

1. Dr David Erdos
Centre for Intellectual Property & Information Law (CIPIL)
Faculty of Law, University of Cambridge

2. Outline
 Transnational and Comparative Introduction
 Formal law of EU and UK
 General interpretation by courts, tribunal, ICO & EDPS
 Situation as regards sensitive personal data
 Conclusions

3. Transnational Introduction
 Interface exists between DP and FOI, as essentially confirmed
in C-466/00 Österreichischer Rundfunk (2003).
 The DPD included Rectial 72 which stated:
 Article 86 of the GDPR goes further stating:
 Still strong case that this law & related processing should
comply with GDPR (subject to permissible derogations).
“this Directive allows the principle of public access to official documents
to be taken into account when implementing the principles set out in
this Directive.”
“Personal data in official documents … may be disclosed by the authority
or body in accordance with Union or Member State law to which the
public authority or body is subject in order to reconcile public access to
official documents with right to the protection of personal data pursuant
to this Regulation.”

4. Comparative Introduction
 In practice, formal law on DP-FOI interface differs widely across
Europe.
 Some countries have let FOI “trump” DP subject to some kind of
public interest test for certain personal information:
 Ireland
 Sweden
 In many other countries and at the EU level, FOI has essentially
been made subject to ordinary DP (or further restricted here):
 Pan-EU: Regulation (EC) 1049/2001
 United Kingdom
 France
 Portugal
 Greece (Fuster, 2014, p. 223)
 Significance divergence is likely to persist in GDPR era.

5. EU Regulation 1049/2001
 Art. 2 provides EU citizens and organizations with general
right of access to EU documents.
 However, inter alia, Art. 4.1 establishes an exception where:
 The DP legislation applicable to EU institutions is Regulation
2018/1725
 Unlike the previous Regulation 45/2001, this instrument states
“disclosure would undermine the protection of: …
(b) privacy and the integrity of the individual, in particular in
accordance with Community legislation regarding the protection
of personal data.”
“Union institutions and bodies shall reconcile the right to the
protection of personal data with the right of access to documents
in accordance with Union law.” (art. 9(3))

6. UK FOIA, s. 40
 For purposes of FOIA, limitations of “data” re: manual
holding are generally disapplied (s. 40 (3A)(b)).
 Request where applicant is the data subject:
 Automatic refusal (s. 40(1))
 Subject access regime then applies with modified regime for
expanded meaning of “data” also (subject to cost limit)
 The accuracy principle also applies here (DPA ss. 21(2) & 24)
 Disclosure where applicant is not the data subject:
Reject where “disclosure of the information to a member of the
public otherwise than under this Act would contravene – any of
the data protection principles.” (s. 40(3A)(a) & s. 40(5B)(a))

7. UK FOIA, s. 40 cont.
 In addition must refuse if:
 Would contravene right to object (s. 40(3B), or
 Information exempt from subject access (s. 40(4A)).
 However, these exemptions are subject to a public interest
test set out in s. 2(2)(b), whilst the other exemptions are
absolute (s. 2(3)(f)&(fa))
 The same structure applies to disapplication of duty to
confirm or deny holding of material (s. 40(5A-B)).
 However, in this case the public interest generally applies.

8. What are the ʻDP Principlesʼ here?
 Under the old DPA 1998, the DP Principles referred to
essentially the entire substantive scheme.
 The amended law states that:
 What is the status of other parts of GPDR Ch. II (Principles) i.e.
special categories (art. 9) & criminal data (art. 10)?
(7) ….“the data protection principles” means the principles set out in –
(a) Article 5(1) of the GDPR, and
(b) section 34(1) of the Data Protection Act 2018 [re law enforcement]
…
(8) In determining for the purposes of this section whether the lawfulness
principle in Article 5(1)(e) of the GPDR (lawfulness) would be contravened
by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to
be read as if the second sub-paragraph (disapplying the legitimate interests
gateway in relation to public authorities) were omitted.

9. The Principles (art. 5(1))
Personal data shall be:
(a) Processed lawfully, fairly and in a transparent manner in relation to the data
subject (ʻLawfulness, fairness and transparencyʼ)
(b) Collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes … (ʻPurpose
Limitationʼ)
(c) Adequate, relevant and limited to what is necessary is necessary in relation
to the purposes for which they are processed (ʻData minimisationʼ);
(d) Accurate and, where necessary, up to date; every reasonable step must be taken
to ensure that personal data that are inaccurate having regard to the purposes for
which they are processed, are erased or rectified without delay (ʻaccuracyʼ);
(e) Kept in a form which permits identification of data subjects for no longer than is
necessary for the purpose for which the personal data are processed … (ʻstorage
limitationʼ);
(f) Processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorized or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organisation
measures (ʻintegrity and confidentialityʼ).

10. Some other UK FOI Laws
 Environmental Information Regulations:
 Regulation 13 is the mirror image of s. 40 FOIA (except
that intelligence services processing not excluded).
 FOIA (Scotland) 2002
 s. 38 is generally the mirror image of s. 40 FOIA.
 In addition, s. 38 establishes absolute exemption for:
 Personal census information (s. 38(1)(c)) – protected for 100
years (see s. 38(6) and s. 58(2)(b)).
 A deceased person’s medical record (s. 38(1)(d)).

11. UK FOIA & the Deceased
 In general, information about the deceased is not
“personal data” (GDPR, Recital 27).
 In such circumstances the following come to the fore:
 s. 41 FOIA (information provided in confidence)
 Reg. 12 (5) (f), EIR (interests of personal who provided
info)
 s. 36 (2), FOIA (Scotland) re: confidentiality.
 See ICO, Information About the Deceased.

12. ICO, FOI and the GDPR
 Despite ambiguities above, ICO approach remains stable:
 Does note that GDPR changes definition of sensitive data
and the subject access rules.
 But otherwise suggests continuation of status quo.
“The General Data Protection Regulation (GDPR) came into effect
on 25 May 2018. The Data Protection Act 1998 will be replaced in
the UK with the Data Protection Act 2018.
Our approach to considering the disclosure of personal data
under the Freedom of Information Act 2000 (FOIA) and the
Environmental Information Regulations 2004 (EIR) remains
largely the same and our existing guidance is still of use. We will
amend it in due course.” (ICO, n.d./2018)

13. General Interpretation: ICO Approach (1)
 No independent content here to “incompatibility”
 “The third, fourth and fifth principles [essentially replicated
in art. 5(1)(c)-(e) of GDPR] are only likely to be relevant to
holding and using data, not to disclosure.”
 Similar statement re: security, data transfer etc.
 Purposes = authority’s business purposes, so no need to
specify FOIA in notification to data subjects (or
presumably in record keeping).
“There are eight data protection principles [under DPA 1998]. For
the purposes of disclosure under the FOIA, it is only the first
principle – data should be processed fairly and lawfully – that is
likely to be relevant.” (ICO, n.d., p. 10)

14. ICO Flowchart
 Check that release would be fair
 Check legitimating condition (cf. art. 6 GDPR) met
 Consider whether release lawful (little independent
content but cf. Art. 8 ECHR)
“There are six conditions … but only condition 1 (consent) or
condition 6 (legitimate interests) should be relevant to
disclosure under FOIA.” (ICO, n.d., p. 31)

15. ICO Core Fairness Criteria
 Sensitive personal data
 Possible consequences of disclosure
 Public domain (esp. if authoritative & very accessible)
 Reasonable expectations
 Nature or content of information
 Circumstances in which data was obtained
 Private vs. public life
 (Fair processing notices)
 Balance with general interests in transparency
 General public interest in transparency
 Public interest in issue
 Public interest in specific information

16. ICO on Necessity etc.
 Necessity is required due to need for legal ground:
 “Pressing social need” & proportionality but also state:
 Others ways test differs from qualified exemption:
“where the information in question is relatively innocuous, the
general need for transparency regarding public bodies may
constitute a sufficiently “pressing social need”.” (ICO, n.d., p. 35)
“there is no assumption of disclosure as there is with qualified
exemption … If the public authority discloses personal data in
contravention of DPA principles, it is in breach of its duty as a
data controller.” (ICO, n.d., p. 29)

17. Stance of Courts: House of Lords (now UKSC)
“there is no presumption in favour of the release of personal data
under the general obligation that FOISA lays down. The
references which that Act makes to provisions of DPA 1998 must
be understood in the light of the legislative purpose of that Act,
which was to implement Council Directive 95/46/EC. The
guiding principle is the protection of the fundamental rights and
freedoms of persons, and in particular their right to privacy with
respect to the processing of personal data: see recital 2 of the
preamble to, and article 1(1) of, the Directive.”
(Lord Hope in Common Services (2008) at [7])

18. High Court: Corporate Officer (2008)
 “Pressing social need” not = “indispensable”
 “Pressing social need” not = “desirable” or “useful”
“It was common ground that 'necessary' within para 6 of Sch 2
to the DPA should reflect the meaning attributed to it by the
European Court of Human Rights when justifying an
interference with a recognised right, namely that there should
be a pressing social need and that the interference was both
proportionate as to means and fairly balanced as to ends.” (at
[43])

19. Tribunal IN Corporate Officer (2007)
“we find that when assessing the fair processing requirements
under the DPA that the consideration given to the interests of
data subjects, who are public officials where data are processed
for a public function, is no longer first or paramount. There
interests are still important, but where data subjects carry out
public functions, hold elective office or spend public funds they
must have the expectation that their public actions will be
subject to greater scrutiny than would be the case in respect of
their private lives. This principle still applies even where a few
aspects of their private lives are intertwined with the public lives,
but where the vast majority of processing of personal data relates
to the data subject’s public life.” (para. 78)

20. Tribunal Corporate Officer on Transparency
 Note different logic of argument here to ICO guidance
 Note criticism of reasoning (“not completely clear”) in
Jay (2012, pp. 263-4)
 Issue not directly considered by EWHC in appeal
“we accept … that the requirements of paragraph 2(1) of Part II to
Schedule 1 [the data subject notification provisions] have been
met. We are particularly able to make this finding as the
wording of paragraph 2 (1) (a) only requires that the data
controller “ensures so far as practicable” that data subjects are
provided with the information in sub-paragraph (3), so there is
no absolute requirement.” (para. 75)

21. Tribunal Guardian (2009)
 Facts: Request for information on judges etc. reprimanded
etc. by Lord Chancellor in response to complaint.
 Held: Information should not be disclosed.
 Reasoning:
 Expectation internal disciplinary matter private
 More senior member of staff, higher expectation
 Issues of sensitive personal data (despite no argument on
this point – see later)

22. Tribunal Dun (2011)
 Facts: Case in part considered removal of ID and contact
details of junior civil servants authored, referred to or
were copied into document.
 Held: Redaction necessary in circumstances unless had
already been accidental disclosure.
 Reasoning: Required case-by-case analysis. However:
“Having considered the redacted names and contact details of
junior civil servants the Tribunal is satisfied that disclosure
would not be fair and would be unwarranted” (at 43)

23. C-28/08 Bavarian Lager (2010)
 Re: interpretation of Art. 4 (1) Reg. (EC) 1049/2001:
 Two very different views:
1. Threshold theory (Bavarian Lager, EDPS, CFI)
2. Renvoi theory (European Commission, UK, ECJ)
 Second theory now clearly authoritative.
 Interpretation may shed a slight of UK FOIA also.
“disclosure would undermine the protection of:
…
(b) privacy and the integrity of the individual, in particular in
accordance with Community legislation regarding the
protection of personal data.”

24. C-28/08 Bavarian Lager (2010)
 Facts: Bavarian Lager internal market violation claim.
Infringement proceedings opened. Meeting. Proceedings
dropped. Request names of people at meeting. Rejected
where no consent (in 2 cases) or unable to contact (in 3).
 Held: Commission right to refuse disclosure in all 5 cases.
 Reasoning:
“[W]here a request based on Regulation No. 1049/2001 seeks to
obtain access to documents including personal data, the
provisions of Regulation No 45/2001 became applicable in their
entirety, including Articles 8 and 18 thereof.” (at [63])

25. A. 8 (same thrust in art. 9(1)(b) of new Reg)
“personal data shall only be transferred to recipients subject to the
national law adopted for the implementation of Directive 95/46/EC,
… (b) if the recipient establishes the necessity of having the data
transferred and if there is no reason to assume that the data
subject's legitimate interests might be prejudiced.” (Reg. 45/2001)
“As Bavarian Lager had not provided any express and legitimate
justification or any convincing argument in order to demonstrate
the necessity for those personal data to be transferred, the
Commission has not been able to weigh up the various interests of
the parties concerned. Nor was it able to verify whether there was
any reason to assume that data subjects’ legitimate interests might
be prejudiced, as required by Article 8 (b) of Regulation No.
45/2001.” (at [77])

26. Reg. 45/2001, art. 18 (cf. arts. 14-16 of new Reg)
“The data subject’s right to object
The data subject shall have the right:
…
(b) to be informed before personal data are disclosed for the first
time to third parties or before their and used on their behalf for the
purposes of direct marketing, and to be expressly offered the right
to object free of charge to such disclosure of use.”
 A. 14-16 of new Reg. mirrors information notice req. in GDPR:
 Originally direct collection: New notice if new purpose.
 Other personal data: Also new notice unless e.g.
“disproportionate basis” but then safeguards including
“making the [transparency] information publicly available”.

27. EDPS on Transparency (2011)
“The institution involved, as controller of the data, is under an
obligation to inform the data subject at the moment of collection of
the data about, inter alia, the purpose of the processing operation for
which the data are intended and the recipients or categories of
recipients of the data (see Articles 11 and 12 of the [old] data
protection regulation [45/2001]) ….
In situations in which the public disclosure is not unconditionally
announced at the moment of the data collection, the EDPS considers
it an element of fair processing (Article 4(1)(a) of the [2001] data
protection regulation [45/2001]) that the data subject is informed
subsequently before the information is in fact disclosed to the public.
Informing the data subject about the envisaged disclosure enables
data subjects to invoke their rights under the data protection
regulation.” (p. 9)

28. Sensitive Data: ICO Approach
 Under DPA 1998 took strict view re: special vires:
 Argued best to consider special vires before general vires.
 ICO has maintained this strict approach under DPA 2018:
“The only [special] conditions … that are relevant to disclosures
under FOIA are condition 1 (explicit consent) or condition 5
(information already made public by the individual). This is
because the other conditions concern disclosure for a stated
purpose, and so cannot be relevant to the ‘applicant-blind’ and
‘purpose-blind’ nature of disclosure under FOIA.“ (p. 30)
“[P]ublic authorities should consider whether disclosure would
breach the data protection principles. (In the case of special
category or criminal offence data, public authorities must also
satisfy one of the conditions listed in Article 9 of the GDPR).”

29. Tribunal Carleton (2009)
Facts: Request to HMCS re: criminal charges, verdict and
imposition of Court in relation to named individual who
had appeared before Court earlier in the month.
Held: Could not be released.
Reasoning:
 Disclosure would be unfair.
 Apparent anomalies re: press coverage and/or
attendance at Court noted in judgment.

30. Tribunal Brett (2009)
Facts: Request for various information related to evidence given by
Carmen Proetta re: Death on the Rock programme.
Held: Parts which were sensitive information of Proetta could not
be released.
Reasoning:
 Open to considering provisions for disclosing for special
expressive purposes & research* as relevant.
 But both had number of conditions attached.
 Held “substantial public interest” not met.
 Also unpersuaded that ordinary legitimating condition met.
* - Test now only requires “public interest” re: research (but other restrictions apply).

31. Conclusions
 FOI-DP interface widely divergent within EU national laws.
 UK FOI-DP interface has been formally very restrictive, but in
practice less so (although this laxity may have peaked).
 Pan-EU FOI-DP interface is in formal terms similarly
restrictive & in practice seems much more rigorously applied.
 Variety of conundrums especially as regards transparency
requirements and sensitive personal data vires.
 DP Act may liberalise formal law here somewhat but depends
on interpretation by relevant actors – ICO, courts etc.