Presentation on theme: "PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR"— Presentation transcript:
1PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR Bart van der SlootInstitute for Information LawUniversity of Amsterdam
2Tension Tension between private and public InterestsRightsDistinction between access and re-useAccess: 10 ECHR & transparency governmentRe-use: mostly commercial interestDistinction between collection and distributionCollection by government to fulfill their tasksDistribution from government to third party
3PSI & DPPSI-Directive Recital (21): “This Directive should be implemented and applied in full compliance with the principles relating to the protection of personal data in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and of the free movement of such data.”Article 1, §4: “This Directive leaves intact and in no way affects the level of protection of individuals with regard to the processing of personal data under the provisions of Community and national law, and in particular does not alter the obligations and rights set out in Directive 95/46/EC.”And Article 2, §5: “‘personal data’ means data as defined in Article 2(a) of Directive 95/46/EC.”full compliance with the principles relating to the protection of personal data in accordance with Directive 95/46/ECno way affects the level of protection of individuals with regard to the processing of personal data
4Topics Personal data Fairly and lawfully Legitimate purpose InformationRightsDuties
5Personal dataData relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectlyAnonymizationDirect personalIndirect data > Groups (geographical information, group profiling)Privacy by design
6Fairly and Lawfully (2 times) personal data must be collected for specified, explicit and legitimate purposesnot further processed if incompatible with original purposesadequate, relevant and not excessivekept no longer than is necessaryWho is responsible?
7Who is responsible? Ground (2 times) data subject unambiguous consent; Opt in - Opt out (freely given, specific and informed)Processing necessary for the public interestCommercial (prohibitions) - Non commercialNon sensitive – Sensitive (race, sex, political, religion)legitimate interests pursued except where privacy interest overridden: WP: Case by caseCommercial (prohibitions)- Non CommercialNon sensitive - SensitiveWho is responsible?
8Information (2 times) Who is responsible? no later than when the data are first disclosedthe identity of the controllerthe purposes of the processing;the categories of data concerned;the recipients or categories of recipients;the existence of the rights.Who is responsible?
9Rights (2 times) Who is responsible? Right of access & information Right of rectification, erasure or blockingRight of notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking unless disproportionate.Right to object, especially in case of grounds of public interest and third party interest.Who is responsible?
10Duties (2 times) Who is responsible? Confidentiality of processing Security of processingTransfer to a third country of personal data only if the third country in question ensures an adequate level of protection.Who is responsible?
11Who is responsible?'processor' anybody that processes personal data on behalf of the controller; - No Duties'controller' anybody who alone or jointly with others determines the purposes and means of the processing of personal dataThird party requesting re-use = controller (Fairly &Lawfully, Grounds, Information, Rights, Duties)Government is responsible:Original controllerProviderLegislator & enforcer
12Problem?full compliance with the principles relating to the protection of personal data in accordance with Directive 95/46/ECno way affects the level of protection of individuals with regard to the processing of personal data
13Proposal Access: right of privacy - right of access Re-use: No right - Economical asset.Two times minimum harmonizationClarification might be necessaryIn Data Protection DirectiveIn Public Sector Information DirectiveIn Code of ConductIn Best current practicesAcademic debate