Comments of the EDPS in response to the public consultation on



Similar documents
Opinion 06/2013 on open data and public sector information ('PSI') reuse

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.

Opinion of the European Data Protection Supervisor

How To Write A Report On A Recipe Card

The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking

Prior checking opinion on the European Surveillance System ("TESSy") notified by the European Centre for Disease Prevention and Control ("ECDC

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Observations on international efforts to develop frameworks to enhance privacy while realising big data s benefits

Acquia Comments on EU Recommendations for Data Processing in the Cloud

BEREC Monitoring quality of Internet access services in the context of Net Neutrality

European Public Sector Information Platform Topic Report No / 3. The amendment of the PSI directive: where are we heading?

(Information) INFORMATION FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES EUROPEAN COMMISSION

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

COUNCIL OF THE EUROPEAN UNION. Brussels, 22 November /06 DATAPROTECT 45 EDPS 3

Initial appraisal of a European Commission Impact Assessment

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. Proposal for an Interinstitutional Agreement on Better Regulation

Proposal for a RECOMMENDATION OF THE EUROPEAN COMMISSION

EUROPEAN DATA PROTECTION SUPERVISOR

Council of the European Union Brussels, 5 March 2015 (OR. en)

Opinion of the European Data Protection Supervisor. on net neutrality, traffic management and the protection of privacy and personal data

EUROPEAN COMMISSION Directorate General Internal Market and Services. CAPITAL AND COMPANIES Audit and Credit Rating Agencies

E-PRIVACY DIRECTIVE: Personal Data Breach Notification

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS No. 2199

Big Data, Not Big Brother: Best Practices for Data Analytics Peter Leonard Gilbert + Tobin Lawyers

(DRAFT)( 2 ) MOTION FOR A RESOLUTION

INSPIRE, The Dutch way Observations on implementing INSPIRE in the Netherlands

EFPIA position on Clinical Trials Regulation trialogue

Do you have a private life at your workplace?

EUROPEAN ECONOMIC AREA JOINT PARLIAMENTARY COMMITTEE. REPORT on E-Commerce and EEA legislation

Council of the European Union Brussels, 12 September 2014 (OR. en)

Council of the European Union Brussels, 27 April 2015 (OR. en)

Guidelines on data protection in EU financial services regulation

Fourth Railway Package proposed by the European Commission

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

RECALLS in EUROPE. Past, present, near & further future. Gert Bos BSI Medcon May 2012

COCIR contribution to the public consultation on Personal Data Protection in the EU 1

Opinion 03/2013 on purpose limitation

Brussels, 07 May 2014 ( , , )

Institute for Judicial and Legal Studies

Privacy by Design. Ian Brown, Prof. of Information Security and Privacy Oxford Internet Institute, University of

Potential mechanisms for a UK exit from the European Union and what follows next

4-column document Net neutrality provisions (including recitals)

Privacy and Data Protection Impact Assessment Framework for RFID Applications. 12 January 2011

Value of the EU Data Protection Reform against the Big Data challenges. Keynote address 5th European Data Protection Days Berlin, 4.5.

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

ARTICLE 29 DATA PROTECTION WORKING PARTY

EDRi s. January European Digital Rights Rue Belliard 20, 1040 Brussels tel. +32 (0)

EUROPEAN PARLIAMENT AND COUNCIL DIRECTIVE. on a common framework for electronic signatures

COMMISSION REGULATION (EU) No /.. of XXX

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH

European Commission. Complaint by Mr Oliver HOEDEMAN, Corporate Europe Observatory (CEO), ref /LP

Executive summary. The functions of Internet intermediaries. A source of economic growth and innovation

(the "Website") is provided by Your Choice Counselling.

5439/15 PT/ek 1 DG E

Draft Code of Conduct on privacy for mobile health applications

At its meeting held on 11 and 12 February 2004 the Working Party completed the third reading of the above Proposal.

Application of Data Protection Concepts to Cloud Computing

HERON (No: ): Deliverable D.2.6 DATA MANAGEMENT PLAN AUGUST Partners: Oxford Brookes University and Università Commerciale Luigi Bocconi

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Big Data for Mutuals. Marc Dautlich 25 November 2013

Opinion of the European Data Protection Supervisor

Summary of feedback on Big data and data protection and ICO response

Data protection compliance checklist

Data transfers in the Cloud

STATUTORY INSTRUMENTS. S.I. No. 416 of 2014 EUROPEAN UNION (INSURANCE AND REINSURANCE GROUPS AND FINANCIAL CONGLOMERATES)(AMENDMENT) REGULATIONS 2014

RECOMMENDATIONS COMMISSION

International Open Data Charter

ETNO Expert Contribution on Data retention in e- communications - Council s Draft Framework Decision, Commission s Proposal for a Directive

(Legislative acts) REGULATIONS

Transcription:

Comments of the EDPS in response to the public consultation on the planned guidelines on recommended standard licences, datasets and charging for the reuse of public sector information initiated by the European Commission 1 I. Introduction: balancing open data and data protection During the past two years, the EDPS was involved in two formal, written contributions to the debate surrounding the re-use of public sector information. First, he issued a formal Opinion in his advisory capacity to the European Commission, Council and Parliament during the legislative process leading up to the adoption of the revised PSI Directive. 2 Second, as member of the Article 29 Data Protection Working Party, he contributed, together with his corapporteurs, the Information Commissioners of the United Kingdom and Slovenia, to the Opinion of the Working Party, which aimed at providing guidance to Member States on the implementation of this Directive. 3 In all his contributions, the EDPS has been advocating for a balanced approach to be followed in all cases of PSI reuse where the protection of privacy and personal data is at stake. On the one hand, rules for the protection of personal data should not constitute an undue barrier to the development of the re-use market. On the other hand, the right to the protection of personal data and the right to privacy must be respected. In the present comments, the EDPS first briefly summarises the main general findings and recommendations outlined in the two opinions. Second, based on and summarising the findings of these two opinions, he makes targeted recommendations with regard to licensing, 1 Background: On 12 December 2011, the Commission adopted a proposal (PSI Proposal) for a Directive amending Directive 2003/98/EC on re-use of public sector information (the PSI Directive). The proposal is part of the 'Open-Data Package'. The PSI Directive aims at facilitating the re-use of public sector information throughout the European Union by harmonising the basic conditions for re-use and removing barriers to re-use in the internal market. On 26 June 2013, the European Parliament and the Council adopted Directive 2013/37/EU, amending the PSI Directive. The revised PSI Directive, subject to specific exceptions, now makes it mandatory for public sector bodies to allow re-use of all information they hold, for both commercial and non-commercial purposes, provided the information has already been made publicly accessible under national law and re-use under the PSI Directive is in compliance with applicable data protection law. The revised PSI Directive calls on the European Commission to assist the Member States in implementing the Directive in a consistent way by issuing guidelines on recommended standard licenses, datasets to be released/improved as a matter of priority and charging for the reuse of documents. The objective of the present public consultation is to seek the views of stakeholders on specific issues to be addressed in the three sets of guidelines. The call for consultation was published at http://ec.europa.eu/digital-agenda/en/news/consultationguidelines-recommended-standard-licences-datasets-and-charging-re-use-public. 2 EDPS Opinion of 18 April 2012 on the 'Open-Data Package' of the European Commission including a Proposal for a Directive amending Directive 2003/98/EC on re-use of public sector information (PSI), a Communication on Open Data and Commission Decision 2011/833/EU on the re-use of Commission documents. Available at: https://secure.edps.europa.eu/edpsweb/webdav/shared/documents/consultation/opinions/2012/12-04- 18_Open_data_EN.pdf. 3 Opinion of the Article 29 Data Protection Working Party of 6/2013 on open data and public sector information ('PSI') reuse adopted on 5 June 2001 (WP207). Available at http://ec.europa.eu/justice/data-protection/article- 29/documentation/opinion-recommendation/files/2013/wp207_en.pdf. Unless otherwise stated, all text in quotation marks in these comments is taken from this Working Party Opinion. Postal address: rue Wiertz 60 - B-1047 Brussels Offices: rue Montoyer 30 E-mail : edps@edps.europa.eu - Website: www.edps.europa.eu Tel.: 02-283 19 00 - Fax: 02-283 19 50

which is one of the three main subject areas where the Commission asked for input from stakeholders. II. EDPS Opinion on the Commission's Open Data Package Following the adoption of the Commission Proposal and with a view towards the on-going legislative process, on 18 April 2012, the EDPS adopted his opinion on the Commission's Open Data Package. In this Opinion, the EDPS highlighted the need for specific safeguards for data protection whenever PSI contains personal data. He recommended that public sector bodies take a 'proactive approach' when making personal data available for re-use. This would make it possible to make data publicly available, on a case by case basis, subject to conditions and safeguards in compliance with data protection rules. The EDPS emphasised that the re-use of PSI containing personal data may bring significant benefits, but also entails great risks to the protection of personal data, due to the wide variety of data held by public sector bodies. The Commission proposal should therefore more clearly define in what situations and subject to what safeguards information containing personal data may be required to be made available for re-use. In his opinion, the EDPS recommended, among others, that the proposal should: require that a data protection assessment be carried out by the public sector body concerned before any PSI containing personal data may be made available; require that the terms of the licence to re-use PSI include a data protection clause, whenever personal data are processed; where necessary considering the risks to the protection of personal data, require applicants to demonstrate that any risks to the protection of personal data are adequately addressed and that the applicant will process data in compliance with applicable data protection law, and where appropriate, require that data be fully or partially anonymised and license conditions specifically prohibit re-identification of individuals and re-use of personal data for purposes that may individually affect the data subjects. In addition, the EDPS suggested that the Commission develop further guidance, focusing on anonymisation and licensing, and consult the Article 29 Data Protection Working Party, an advisory body consisting of data protection authorities in EU Member States. III. Article 29 Data Protection Working Party Opinion on the revised PSI Directive At its plenary session on 5 June 2013 4, the Article 29 Data Protection Working Party adopted its Opinion on the PSI Directive, which provided guidance to Member States on the implementation of this Directive. The Opinion acknowledged that the re-use of public sector information may bring benefits to society, including greater transparency of the public sector and stimulating innovation. However, it also emphasised that enhanced accessibility of personal data, or anonymised data derived from personal data, is not without risks. 4 The Opinion was adopted once the final text of the revised PSI Directive had been approved by the legislators, but ahead of the publication of the Directive in the Official Journal. 2

For this reason, the Working Party emphasised that when public sector information contains personal data, the re-use of this information is not always allowed according to the applicable data protection laws. Often it will be more appropriate to make available aggregated and anonymised datasets derived from personal data rather than personal data. The Opinion provides some general guidance on anonymisation and anticipates further guidance on more technical aspects of anonymisation, which is expected later this year. Further, in cases where re-use of personal data as such is allowed, additional legal, technical or organisational measures to protect the data may be necessary. For these cases the Article 29 Working Party stressed that it is important to have a firm legal basis for making personal data publicly available, taking into account the relevant data protection rules, including the principles of proportionality, purpose limitation and data minimisation. To ensure that adequate safeguards are in place, it is recommended to carry out a data protection assessment before public sector information containing personal data is made available for re-use. Finally, the Article 29 Working Party also recommended that the terms of the license to reuse public sector information include a data protection clause, whenever personal data, or anonymised datasets derived from personal data, are made available and provided guidance on the content of such clauses. IV. Article 29 Working Party and EDPS Recommendations with regard to licensing As stated by the Article 29 Working Party 5, 'when applying the PSI Directive and data protection law to the reuse of personal data, a public sector body is likely to make one of three different types of decisions: 1. Decision not to make personal information available for re-use under the terms of the PSI Directive 2. Decision to convert personal information into anonymised form (usually into aggregated statistical data) 6 and make only such anonymised data available for re-use 3. Decision to make personal information available for re-use (where necessary, subject to specific conditions and adequate safeguards).' Licensing may play an important role and serve as a significant safeguard to ensure the protection of personal data in both of the cases listed above, when personal data are made available under the terms of the PSI Directive. 7 The Article 29 Working Party also emphasised that 'licences do not remove the need for compliance with data protection law but a data protection clause in license conditions would help to ensure compliance with data protection law by adding a layer of enforceability. Such a clause could also help raise awareness by reminding re-users of their obligations as data controllers.' 8 Depending, in general, on whether the information is converted into anonymised form, or rather, made available for reuse as personal data, different types of licensing conditions may be appropriate. The following two Sections will discuss the two situations. 5 See Section 1.2 of the Working Party Opinion. 6 On the reuse of aggregated and anonymised datasets derived from personal data, see Section VI of the Working Party Opinion. 7 The recommendations below take into account Article 8(1) of the revised PSI Directive, which requires that license 'conditions shall not unnecessarily restrict possibilities for re-use and shall not be used to restrict competition'. 8 See Section 10.2 of the Working Party Opinion. 3

V. License terms for anonymised data-sets With regard to anonymised data, the Article 29 Working Party recommended in its Opinion 9 that 'the license conditions should reiterate that the datasets have been anonymised; prohibit license-holders from re-identifying any individuals 10 ; prohibit license-holders from using the data to take any measure or decision with regard to the individuals concerned; and should also contain an obligation on the license-holder to notify the licensor in case it is detected that individuals can be or have been re-identified.' The Article 29 Working Party also noted that the data protection clause in a license should also give the licensor the right to suspend or terminate accessibility of data (for example, the right to turn off the API or remove the file from the platform) for the case if re-identification has taken place or if there is a risk that such re-identification can take place. To address the issue of these compromised datasets, the EDPS recommends that at a minimum the following (or similar) text be included in the license terms: Licensor shall have the right to suspend or terminate accessibility of data [for example, the right to turn off the API or remove the file from the platform] if it has a reasonable suspicion that part or all of the data subjects whose data were contained in the datasets and whose data were intended to remain anonymous have become reidentifiable ('compromised datasets'). When notified by the licensor, or when it otherwise becomes aware that a dataset has been compromised, the re-user shall make all reasonable efforts to ensure that it deletes all or all affected parts of any compromised datasets. (In case of a disagreement whether as dataset has been compromised, and pending the outcome of verification, the re-user shall block accessibility to the compromised datasets.) VI. License terms for personal data The point of departure for license terms for personal data can be found in the Opinion of the Article 29 Working Party 11. This states that: 'when personal data are licensed, there is a need to define the limits of the use of such data. Here the key concern is to ensure that any reuse will be limited to what is compatible with the purposes for which the data has been initially collected. 12 To achieve this, the license conditions must at least make it clear for what purposes data was first published and give indication of what would and what would not be considered as compatible use of personal data. 9 See Section 10.3 of the Working Party Opinion. 10 Limited exceptions might apply, for example, in bona fide cases of re-identification testing. Even in such cases, however, the results of the tests should be brought to the attention of the controller and the public sector body concerned, and the re-identified data should not be published or otherwise disseminated more broadly. 11 See Section 10.4 of the Working Party Opinion. 12 See Opinion of the Article 29 Data Protection Working Party of 3/2013 on purpose limitation, adopted on 2 April 2013 (WP 203). 4

In light of these considerations, the EDPS recommends that - where bespoke and more specific license terms are not feasible or desirable - at a minimum the following (or similar) text is included in the license terms with regard to purpose limitation: The licensed dataset contains personal data. The reuse of personal data is subject to [insert reference to applicable data protection legislation]. The personal data contained in the licensed dataset have been published [if applicable, insert reference to the specific legislation governing the release of the personal data and/or applicable transparency legislation] for purposes of [if applicable, insert the words 'transparency and accountability' and/or a more specific description of purpose where appropriate]. The personal data contained in the licensed dataset can only be reused for these purposes or other purposes compatible with these purposes. Brussels, 22 November 2013 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information