Log in

Register



News

New PSI Directive VERSUS GDPR

As we know, the revision of the PSI Directive is under way. The Commission issued the first proposal on 25 April 2018 and on 7 November 2018 the European Council agreed a compromise text taking into account the key concerns of the Member States.

Meanwhile, on 25 May 2018 a major reform of the European data protection framework, i.e. the General Data Protection Regulation (GDPR), entered into force.

At this stage, where the revision cycle of the new PSI Directive proposal is close to the end, it is interesting to analyse its relationship with the GDPR.


References to the GDPR in the text of the PSI Directive

Taking the text agreed by the European Council as a reference, Article 2, point 3a foresees full compliance to the provisions of the GDPR and the corresponding provisions of the individual Member States:

This Directive is without prejudice to the provisions of Union and national law, on the protection of personal data, in particular those of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council and Directive 2002/58/EC of the European Parliament and of the Council, and corresponding provisions of the Member States.

Since the GDPR is explicitly mentioned, that reinforces the idea that any possible re-use of data must comply with the requirements of the Regulation.

Recital 47 suggests a way to go by introducing the concept of “anonymous information”.

This Directive should not affect the protection of individuals with regard to the processing of personal data under the provisions of Union and national law, particularly under Regulation (EU) 2016/679 of the European Parliament and of the Council and Directive 2002/58/EC of the European Parliament and of the Council including any supplementing provisions of law enacted by the Member States. Anonymous information is information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Rendering information anonymous is a means to reconcile the interests in making public sector information as re-usable as possible with the obligations under data protection legislation, but comes at a cost. It is appropriate to consider this cost as one of the cost items to be considered as part of the marginal cost of dissemination as defined in Article 6 of this Directive.

Article 6 “Principles governing charging” states that:

Re-use of documents shall be free of charge. However, Member States may provide that the marginal costs incurred for the reproduction, provision, and dissemination of documents, as well as anonymisation of personal data and measures taken to protect commercially confidential information, may be recovered.

Article 6 and Recital 47 establish two key concepts:

  • making information anonymous would solve any possible conflict between data re-use and data protection,
  • the cost of anonymisation can be included in the marginal costs

 Recital 33 foresees the same provision also for libraries, museums and archives. In other words, anonymisation is welcome, but it may increase re-use costs.

 

Anonymisation as a marginal cost. A crutch for the GDPR?

Regulation (EU) 2016/679 in Article 32 Security of processing recommends the adoption of security measures like pseudonymisation and encryption of personal data. Other measures are not excluded but it is clear that if you pseudonymise or encrypt your data, you are compliant with the Article 32.

GDPR defines pseudonymisation in Article 3 as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” The “additional information” must be “kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.”

Pseudonymisation is thus a slight form of anonymisation. The difference is that pseudonymous data still allows the re-identification, while anonymous data cannot be re-identified. It is obvious that if you provide pseudonymous data as open data not including the “additional information”, the data become anonymised data.

What does this mean? It means that public sector bodies, libraries, museums and archives have an extra incentive to pseudonymise/anonymise their data by charging the relative costs to the re-users with the condition that they provide their data as open data.
This all sounds like a win-win strategy: the public sector bodies do not pay for anonymisation and the re-users have more data to re-use.

Evaluation by the Commission

Another sign of impact of the data protection rules on the PSI Directive is mentioned in Article 16  Evaluation, where on point 1 it is stated that the Commission shall carry out an evaluation of the Directive and on point 2 that:

  1. The evaluation shall in particular address the scope and impact of this Directive, including the extent of the increase in re-use of public sector documents to which this Directive applies, the effects of the principles applied to charging and the re-use of official texts of a legislative and administrative nature, the re-use of documents held by other entities than public sector bodies, the interaction between data protection rules and re-use possibilities, as well as further possibilities of improving the proper functioning of the internal market and the development of the European data economy.

The provision of including the interaction between data protection rules and re-use possibilities in the evaluation have already been added by Directive 2013/37/EU, nevertheless on the light of the points above described, now it has a greater importance.

Conclusion

The new PSI Directive has  not been finalized yet, but the last amendments show that the data protection has been taken into account by recommending compliance with the GDPR and encouraging the anonymization of information by including its cost between the marginal costs.

About

A transparent and publicly accessible database of requests for the re-use of public sector information (PSI).

Funded by the European Union

Keep in Touch

 
 

NEWSLETTER

 
© 2018 PSI Monitor

Quick search