In February Richard Sulík, an MEP from Slovakia, submitted the following written question in the European Parliament:

Subject: Re-use of open data under the GDPR

One area covered by Regulation (EU) No 2016/679 of the European Parliament and of the Council (GDPR) is the use of open data, in particular by the non-profit sector. Last year, the European Data Portal ranked Slovakia among the top 10 Member States with the best access to open-source technologies.

The current Slovak law on the protection of personal data contains an exemption according to which it is possible to process or accumulate previously disclosed personal data without the consent of the person concerned. This primarily concerns information contained in national registers, such as the business register and the central register of contracts.

However, the GDPR recognises no such exemption. The majority of open data does not contain personal data. They are company databases containing data on revenues, sales and other commercial information. Specific datasets are an exception, such as the register of legal persons, which contains the names and addresses of the owners and the statutory representatives of legal entities, registers of published contracts that are mandatory to publish, court decisions or debtor lists. In order to process or even re-process personal data, the operator is required to have a legal basis to do so under the GDPR.

How exactly will the GDPR affect the re-use of open data without the consent of the person concerned, i.e. the pooling and publishing of data from a number of open datasets? Can national legislation set rules on the re-use and/or pooling of open data by the non-profit sector as it carries out publicly useful work in such a way that it would not require the consent of the person concerned?


Yesterday Věra Jourová, European Commissioner for Justice, provided this answer:

Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information states that its provisions should be implemented and applied in full compliance with the principles relating to the protection of personal data. As far as open data are personal data, i.e. related to an identified or identifiable natural person, any processing of personal data must comply with the applicable legislation on the protection of personal data. The General Data Protection Regulation [1] (GDPR) which entered into application on 25 May 2018 provides for data protection rules that are directly applicable in the Member States. The current Slovak law on the protection of personal data must therefore be brought in line with the GDPR.

The lawfulness of the processing of personal data does not only rely on consent of the data subject as a legal basis. Article 6(1)(b) to (f) provide other lawful legal bases, besides consent. Among others, processing of personal data is lawful in case it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The basis for such processing shall be laid down by the Union or Member State law.

Accordingly, national legislation may set rules on the re-use and/or pooling of personal data under condition that specific tasks are given in the public interest by law to the non-profit body in question, if the processing of personal data is necessary for the performance of that task. Apart from the establishment of the appropriate legal basis, other relevant data protection rules must be complied with, taking into account in particular the risks for the rights and freedoms for data subjects [2].


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
[2] The Opinion of the Article 29 Working Party 06/2013 on open data and public sector information ('PSI') reuse - WP 207 (05.06.2013)

Comments

I'm not sufficiently familiar with the law in Slovakia to know whether these concerns have special relevance there. Comments from developer Peter Hanečák in an OKFN forum thread last year suggested a lively debate about potential for conflict between open data and GDPR.

However, I don't think this answer from the European Commission breaks any new ground.

In the UK there is a distinction between public registers, such as the Companies House register and the Environment Agency's registers of environmental permits, and open data.

Public registers have a statutory basis that permits publication of personal data for limited (if sometimes poorly defined) purposes. No public registers have a statutory basis that is sufficiently broad to allow processing of personal data for any purpose.

Personal data from a public register cannot be treated as open data – the re-user always has to consider their lawful basis for processing, according to their intended purpose.

The Commission's answer confirms that member states may "set rules on the re-use and/or pooling of personal data" in the public interest, but this is only a standard interpretation of public task as a lawful basis under GDPR and does not go very far into the realm of open data. The processing of personal data must be necessary to the task and no more.

Is there any scenario under which the UK government could establish a statutory basis for open re-use of personal data without the consent of data subjects and without the need for the re-user to match their specific purpose to a lawful basis for processing under GDPR?

This is an interesting thought exercise, but so far I cannot imagine such a scenario.