Presentation on theme: "PRIVACY ASPECTS OF RE- USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR Bart van der Sloot Institute for Information Law University of Amsterdam."— Presentation transcript:
PRIVACY ASPECTS OF RE- USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR Bart van der Sloot Institute for Information Law University of Amsterdam
Tension Tension between private and public –Interests –Rights Distinction between access and re-use –Access: 10 ECHR & transparency government –Re-use: mostly commercial interest Distinction between collection and distribution –Collection by government to fulfill their tasks –Distribution from government to third party
PSI & DP PSI-Directive Recital (21): This Directive should be implemented and applied in full compliance with the principles relating to the protection of personal data in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and of the free movement of such data. Article 1, §4: This Directive leaves intact and in no way affects the level of protection of individuals with regard to the processing of personal data under the provisions of Community and national law, and in particular does not alter the obligations and rights set out in Directive 95/46/EC. And Article 2, §5: personal data means data as defined in Article 2(a) of Directive 95/46/EC. full compliance with the principles relating to the protection of personal data in accordance with Directive 95/46/EC no way affects the level of protection of individuals with regard to the processing of personal data
Topics Personal data Fairly and lawfully Legitimate purpose Information Rights Duties
Personal data Data relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly Anonymization –Direct personal –Indirect data > Groups (geographical information, group profiling) –Privacy by design
Fairly and Lawfully (2 times) personal data must be collected for specified, explicit and legitimate purposes not further processed if incompatible with original purposes adequate, relevant and not excessive kept no longer than is necessary Who is responsible?
Ground (2 times) data subject unambiguous consent; –Opt in - Opt out (freely given, specific and informed) Processing necessary for the public interest –Commercial (prohibitions) - Non commercial –Non sensitive – Sensitive (race, sex, political, religion) legitimate interests pursued except where privacy interest overridden: WP: Case by case –Commercial (prohibitions)- Non Commercial –Non sensitive - Sensitive Who is responsible?
Information (2 times) no later than when the data are first disclosed the identity of the controller the purposes of the processing; the categories of data concerned; the recipients or categories of recipients; the existence of the rights. Who is responsible?
Rights (2 times) Right of access & information Right of rectification, erasure or blocking Right of notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking unless disproportionate. Right to object, especially in case of grounds of public interest and third party interest. Who is responsible?
Duties (2 times) Confidentiality of processing Security of processing Transfer to a third country of personal data only if the third country in question ensures an adequate level of protection. Who is responsible?
'processor' anybody that processes personal data on behalf of the controller; - No Duties 'controller' anybody who alone or jointly with others determines the purposes and means of the processing of personal data Third party requesting re-use = controller (Fairly &Lawfully, Grounds, Information, Rights, Duties) Government is responsible: –Original controller –Provider –Legislator & enforcer
Problem? full compliance with the principles relating to the protection of personal data in accordance with Directive 95/46/EC no way affects the level of protection of individuals with regard to the processing of personal data
Proposal Access: right of privacy - right of access Re-use: No right - Economical asset. Two times minimum harmonization Clarification might be necessary –In Data Protection Directive –In Public Sector Information Directive –In Code of Conduct –In Best current practices –Academic debate