www.cnil.fr

Contribution


Giovanni Buttarelli
Electronic Democracy (25 September, 2001)
Summary of the speech
by Giovanni Buttarelli

Five examples can help us address the issue of publication of “publicly available” personal data on the Internet in greater detail.

 First.

 A criminal proceeding is instituted concerning the circulation of infected blood products. There are many victims, who are difficult to find; under the Criminal Procedure Code, in these cases it is possible to publish a general summons to trial without serving writs on the individual parties. This is normally done by publishing the summons either in the Official Journal or in a newspaper. In this case, the court decides to publish the summons on the Internet including names and addresses of 1,500 patients with AIDS or HIV-infection – which must be reported in the summons under the laws in force. Shall we say that these persons have been safeguarded by the State?

 Second.

 The information included in tax reports – as also related to tax evasion – is publicly available at a Ministry and in small municipalities. The data are also available to the press. A few newspapers include this information in articles that are also posted on the Internet. Lists of the richest taxpayers are drafted, especially in local newspapers and with regard to managers of SMEs who are not known to the general public. The appropriate openness in dealing with these data is therefore considerably enhanced and the data can be processed much more easily. There have been, however, complaints on account of the alleged risk of exposure to criminal attacks. Should this situation be accepted, or is it a form of exaggerated transparency?

 Third.

 Registers of births, marriages and deaths are only kept at local level, i.e. municipality by municipality. Any person can request a municipality to issue a certificate of the data included in these registers concerning another person. However, only public administrative agencies – rather than private bodies – are entitled to obtain certain lists of persons with a view to specific public purposes. A project has been started involving a few Ministries in order to set up a unified national register with a single database including thousands of local municipality registers; this database would be subsequently made available either on the Internet or by way of the interconnection of different municipalities. Our Data Protection Authority has taken steps in this regard by having the project amended to a considerable extent. How long will it take before those Ministries have another try at a similar project?

 Fourth.

 The dates fixed for trying cases and the judgments issued have been posted on the Internet by a court dealing with civil proceedings; however, access is only allowed to the counsel concerned by means of a password that is provided on a case by case basis. A court dealing with administrative matters has made this information publicly available on the Internet for the sake of simplification and administrative transparency, based on the principle that information can be provided to any person interested in obtaining it. Any person can therefore browse the file and find out whether litigation is in progress between Dick and Tom and what is happening to them. Which court is following the proper approach?

 Fifth, and last.

 A public computerised system of legal information is set up including a number of decisions and judgments by ordinary, appellate and Supreme courts, whether in abridged format or not. The records also refer to the judges’ names. A charge is levied for accessing the system. Should the data also be processed in order to monitor judges’ efficiency or to forecast acceptance of a given juridical position by a judge, or else to decide the date – and therefore, the judge – most suitable for a hearing? Are these purposes the same for which the judgments have been made publicly available?

 Publicly available data on the Internet are clearly a multifaceted issue.

 This issue has been raised rather recently and addressed by very few scholars so far.

 However, the Article 29 Working Party dealt with it in 1999, by issuing an opinion on the 1998 Green Paper of the European Commission on “Public Sector Information: A Key Resource for Europe”.

 What else can we say nowadays?

 Let us consider, in the first place, only data that is really publicly available in the proper sense of the word: that is to say, data and documents that can be disseminated without any contents restrictions – usually by public administrative agencies – and can be made known to any entity whether private or public.

 Therefore, we will not take into account two categories of data and documents, namely:

- data and documents that are publicly available, though only to persons proving that they have a legitimate interest in them as provided for by law. These data may not be subsequently disseminated on the Internet.

- data and documents that are publicly available in the sense that they are only accessible either to the public body that has created them or to one or more public bodies. Again, dissemination on the Internet is out of the question.

 In order to focus on the core issues

 - let us skip, for the time being, the issue of data security and integrity, and

- let us take for granted that no limitations apply to consultation of data that are publicly available to anybody in terms of either time (e.g., cases in which consultation is not permitted for a limited period in order to update the information on the lists), purpose (e.g., cases in which a public register may not be used for commercial purposes) or specific mechanisms (e.g., cases in which access is permitted to any person giving proof of his/her identity).

 In other words, we are only going to deal with a basic question: if certain personal data can or must be disclosed to the general public, does dissemination via the Internet add “something” to this and should one start from different assumptions in terms of limitations or safeguards applying to data subjects’ personal rights?

 The answer would seem to be obvious; however, data protection safeguards and issues are not always top priorities on the to-do list of the experts striving, fully in good faith, to improve transparency of public administrative action.

 It is reasonable to conceive of the Internet as a unique opportunity for simplifying and reducing costs for citizens in accessing publicly available information, so as to reduce information monopolies, ensure that databases are as effective and complete as possible, enhance the sharing of the available information and improve the citizen-Government relationships.

 However, dissemination on the Internet is different from other types of dissemination.

 Indeed, “publicly accessible” personal data turn into “freely usable” personal data much more easily.

 There is the risk that various data protection principles are not complied with, in particular as regards

 - the principle under which the purposes sought at the time of data collection must be compatible with those that may be pursued following dissemination on the Internet,

- the principle under which data must be collected fairly,

- the principle under which data may be transferred abroad to countries ensuring adequate protection,

- the information provision principle, under which data subjects should be informed that dissemination may occur to the greatest possible extent, i.e. via the Internet. Imagine that a municipality gives out apartments to let to its residents. Public attention focuses consequently on council housing, and there is a demand for transparency when any of these apartments are sold or let to new tenants. In order to prevent criticisms, the municipality posts two lists on the Internet including the names of the persons concerned and the addresses of the housing estates, respectively. This means taking appropriate safeguards. However, by matching the published data with those included in telephone directories the addresses of off-directory subscribers can be easily identified.

 Thus, I believe the recommendations made in this regard by the Article 29 Working Party in 1999 are still fully applicable.

 However, it is high time we wondered whether “traditional” data protection tools are enough – with particular regard to the principles I mentioned; could it not be that we need something more, in order to better adjust the safeguards I referred to and better distinguish traditional dissemination mechanisms from dissemination via the Internet?

 We have to address this issue, since it may happen that mechanisms aimed at ensuring transparency end up impinging on data subjects’ rights.

 This does not mean that it is necessary to restrict the scope of publicity of these data, but rather to devise publication mechanisms including better safeguards and also to take account of the use of the data for further purposes.

 This is the attempt we have made in various circumstances in our country; for instance, satisfactory solutions could be devised, in agreement with our Government, in order to allow schools to publish students’ curricula on the Internet with a view to employment offers, whilst a few Universities were allowed to publish researchers’ CVs for cultural exchange and international mobility purposes.

 Indeed, in both cases interesting safeguards were provided for in respect of relevance of the data and sensitive data, and the data subjects’ right to object was regulated.

 Specific safeguards applying to data relevance have also been provided for concerning the dissemination of the minutes of meetings held by elected bodies as well as of documents reporting on the institutional activities of public bodies.

 However, one cannot always follow the trail of novelty with a case by case approach. A general preventive policy is probably required.

 We should consider this topic in greater detail and also decide on how best to support technical solutions that only allow individual queries of the data published on the Internet or else provide for limiting mechanisms and/or criteria as regards retrieval and selection of the published information.

 It might be necessary to draw a distinction between the various types of dissemination and also lay down a new definition of dissemination. Indeed, as early as in 1999 Council of Europe Recommendation No. R (91) 10 called for greater attention to access to public data by way of electronic tools.

 It might be appropriate to recommend that public bodies consider much more carefully whether and how to publish a given document.

 Special attention will have to be paid to sensitive data.

 Publication of the Official Journals in full on the Internet has actually entailed a change in the nature of this mandatory type of dissemination.

 It might be helpful to raise citizens’ awareness of the effects possibly produced by the simultaneous availability of different sources as published on the Internet, which allows retrieving and creating information and profiles by means of full text searches.

 In a few cases, it will be necessary to also take account of the decisions made by data subjects based on suitable information. For instance, the decisions by our Authority are published after blanking the complainant’s name if the latter so requests or this is deemed advisable.

 These are quite sensitive issues to be addressed without delay. Whenever personal data are disseminated, the information thus made “public” does not turn into “res nullius” or publicly-owned information but remains information on data that are nevertheless personal data.

 


http://www.echo.lu/legal/en/access.htlm

Concerning these distinctions and the resulting consequences, see Publication of Publicly Available Documents on the Internet (Italy, Country Report, by Giovanni Buttarelli), 24th Meeting of the International Working Group on Data Protection in Telecommunications, Berlin, 9-10 November 1998.