Our investigation to figure out how to make PSI requests this time focuses on Spain.
This country ranks near the top of the maturity index of Member States according to the Open data Maturity Data Report 2018. It is in fact, one of the five European countries qualified as “trend-setters”. Is all that glitter gold?

Legal framework

The fact that tuderechoasaber.es, a website created to facilitate requests for access to public sector information, was closed in 2015 due to the insisted refusal of the institutions to reply to the requests  seems to cast some shadows on this performance. Let’s explore the legal framework which underlies the access and the reuse of information in Spain.

The Constitution of 1978 introduced for the first time the right of access to information in article 105 paragraph (b):

The law shall make provision for:

[…]

The access of citizens to administrative files and records, except to the extent that they may concern the security and defence of the State, the investigation of crimes and the privacy of persons.

However it was not included in the Constitution as a fundamental right as in other countries. This fact had some consequences; it could be regulated not only by provisions coming from the central parliament but also through local legislation produced by the autonomous communities, generating  competition between local and national provisions. The Catalan Law of Transparency (Law 19/2014, of 29 December, on transparency, access to public information and good governance) is the best example.

The first regulation of the right to access to information enshrined in the Constitution is dated 1992. Law 30/1992, of 26 November 1992, on the legal framework of public administrations and common administrative procedure (LRJPAC) implemented in Article 37 the right of citizens to access records and documents held in administrative archives, but the provision was unclear with the result of poor or no practical applicability.

We have to wait until December 2013 to have fully usable and comprehensive transparency law, Act 19/2013 of 9 December on Transparency, Access to Public Information, and Good Governance.

In the meantime other sectoral provisions resulting from EU Directives came into force: such as Act 27/2006, of 18 July 2006 (transposing Directive 2003/4/EC and 2003/35/EC), which regulates the rights to access information, public participation and access to justice in environment matters and Act 37/2007 of 16 November 2007 on the reuse of public sector information (transposing Directive 2003/98/EC), which regulates the private use of documents held by the Administrations and other public sector bodies.

Act 37/2007 was then amended by Act 18/2015 of 8 July 2015 transposing Directive 2013/37/EU.

Let’s focus for a while on Act 19/2013 on transparency. It is applicable to a wide range of public administrations including public Universities, private companies with public stake of more than fifty percent, political parties, trade unions and business associations etc. It foresees the right of access to public information, to which all persons are entitled, and which may be exercised without any need to justify a request. It envisages the creation of a transparency portal as a centralized point where citizens can express the right to access public information; measure that was then concretized with the transparencia.gob.es portal.

The act introduces also the principle of re-use of the public sector information in article 5 and 11.

Chapter II, Active publicity, Article 5 General Principles, paragraph 4 states:

Information subject to transparency obligations shall be published in the corresponding electronic portals or websites, in a manner that is clear, structured and comprehensible for those concerned, and preferably in reusable formats. The appropriate mechanisms shall be established to enable the accessibility, interoperability, quality and reuse of the information published, as well as its identification and location

Article 11 Technical principles, paragraph c) establishes:

Reuse: In accordance with Act 37/2007, of 16 November, on the reuse of public sector information and its implementing regulations, the use of publication formats that permit reuse shall be fostered.

In practice

Since 2015, the “Portal de la Transparencia” is the official reference for exercising the right to access to public information. At this page, there are recommendations to select the most appropriated channel for your request to access to public information whilst at this page you can submit your access request.

What about the reuse requests?
Likely, you can use the same channel mentioning the Act on the reuse in the description of the request. 

All the information is clear and exercising the right to access is simple and straightforward. This is not for all. The point is that, in order to make a request, you have to indicate your identity through the Cl@ve authentication system, which provides three specific authorization means for local residents and one for UE citizens.

As we write these lines, the “Ciudadanos UE” option results in a “service unavailable” page. Fortunately, at the bottom of the page there is a link to a downloadable form which allows you to overcome the obstacle.

As for public museums, libraries and universities, there is often a form to fill on their website, as in this example of Valladolid University.

Contrary to the web solutions adopted by other Member States, such as in The Netherlands, Austria etc, there is no mean to see the list of requests unless you are authenticated to the system. For this reason PSI Monitor cannot automatically grab the requests that you insert into the transparencia.gob.be portal. You have to add manually your request into PSI Monitor if you want it to be listed there.

Conclusion

The general perception is that everything is in place to ensure a full access and reuse of public sector information at least for citizens of Spain; they can rely on a portal (transparencia.gob.es) which acts as an hub for information on the Open Government (action plans etc), on the right of access (access requests, guides etc) and on the relevant legislation.

In spite of this, it has to be said that EU citizens and companies may encounter some obstacles if they wish reuse data of public sector bodies of this country. As we above reported, the list of requests is not freely consultable without authentication; the same if you want to make a new request. However, the authentication sytem provided does not work at the moment.

This week the series of articles on how to make a PSI request in the EU member states continues by analysing the case of Romania.

Legislative framework

The situation is quite straightforward, Romania is a unitary state and a semi-presidential republic.
Law no. 544/2001 regulates the right to information: free access to information of public interest (a sort of domestic FOIA). The law confers on any person the right to obtain information about the activities of any public authorities or institutions, including other entities using public resources. The law specifies the conditions under which the access to information is provided and guarantees to obtain the requested information. It also imposes an active and transparent behavior of public authorities and institutions by provisions on the obligation to publish certain information of interest on the public notice or on the website.

The country had the obligation to adopt the communitary acquis before entering into the European Union and, thus, in April 2007 adopted Law no. 109/2007 as transposition of Directive 2003/98/EC.

Following some observations by the European Commission, the law was amended in 2008 by Law no. 213/2008.

Law no. 299/2015 amending Law no. 109/2007 on the re-use of information from public institutions transposed Directive 2013/37/EU.

The unique national platform for the publication of data sets produced or held by public authorities or institutions in open format for re-use, data.gov.ro, was launched in October 2013.

In practice

We have seen that the legislative framework in Romania is in line with the last European amendments and that there is also a domestic FOIA law since 2001. Hence from a legislative point of view, they are well positioned.

Nonetheless, the country still struggles to implement the rules due to a combination of limited institutional capacity and a lack of knowledge. However the government is making considerable efforts to improve the situation, as evidenced by the National Plan 2016 - 2018.

In a practical way, it is hard to find a Romanian public sector body that provides guidance (in the shape of a form or a contact email address) on how to make a PSI request for reuse of information. We were able to find just some examples with regard to access to information based on Law no. 544/2001:

Inspectoratul Teritorial De Munca Teleorman

ANAF (Agentia Nationala de Administrare Fiscala)

General Inspectorate for Immigration

Primaria Lipova

What to do then? In this case, it is worth to stay stick to what the Law states about requests of re-use of information. An extract of the English version of the Law no 299/2015 transposing Directive 2013/37/EU is presented below.

Applications to re-use documents shall be submitted in writing, either on paper or electronically. An application shall indicate the following:

1. the public institution to which it is addressed;
2. the information requested, so that the public institution can identify the documents;
3. the applicant's identification and authentication data, and the address to which the reply should be sent;
4. the purpose for which the requested information is to be used.

So, the first thing to do is to pinpoint the public sector body and look for an email contact on its institutional website. Afterwards, you can send the request directly to the public sector body or

add it to PSI Monitor and let Psi Monitor send it for you.

In the latter case the advantage is that the request will be publicly consultable on the PSI Monitor repository and this may induce the public sector body to be more proactive in answering the request.

Another way to go is to leverage nuvasuparati.info, a website that helps you to make a request for access to information similar to the well known  whatdotheyknow.com. 

It is focused on requests based on the FOIA Law no. 544/2001 but it can be worth to try to use it for a re-use request mentioning the Law no. 299/2015 in the description of the request. As we already suggested here, you can add the tag #psimonitor to the description so that we can filter it and add it also to the PSI Monitor repository.

References to the GDPR in the text of the PSI Directive

Taking the text agreed by the European Council as a reference, Article 2, point 3a foresees full compliance to the provisions of the GDPR and the corresponding provisions of the individual Member States:

This Directive is without prejudice to the provisions of Union and national law, on the protection of personal data, in particular those of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council and Directive 2002/58/EC of the European Parliament and of the Council, and corresponding provisions of the Member States.

Since the GDPR is explicitly mentioned, that reinforces the idea that any possible re-use of data must comply with the requirements of the Regulation.

Recital 47 suggests a way to go by introducing the concept of “anonymous information”.

This Directive should not affect the protection of individuals with regard to the processing of personal data under the provisions of Union and national law, particularly under Regulation (EU) 2016/679 of the European Parliament and of the Council and Directive 2002/58/EC of the European Parliament and of the Council including any supplementing provisions of law enacted by the Member States. Anonymous information is information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Rendering information anonymous is a means to reconcile the interests in making public sector information as re-usable as possible with the obligations under data protection legislation, but comes at a cost. It is appropriate to consider this cost as one of the cost items to be considered as part of the marginal cost of dissemination as defined in Article 6 of this Directive.

Article 6 “Principles governing charging” states that:

Re-use of documents shall be free of charge. However, Member States may provide that the marginal costs incurred for the reproduction, provision, and dissemination of documents, as well as anonymisation of personal data and measures taken to protect commercially confidential information, may be recovered.

Article 6 and Recital 47 establish two key concepts:

• making information anonymous would solve any possible conflict between data re-use and data protection,
• the cost of anonymisation can be included in the marginal costs

 Recital 33 foresees the same provision also for libraries, museums and archives. In other words, anonymisation is welcome, but it may increase re-use costs.

Anonymisation as a marginal cost. A crutch for the GDPR?

Regulation (EU) 2016/679 in Article 32 Security of processing recommends the adoption of security measures like pseudonymisation and encryption of personal data. Other measures are not excluded but it is clear that if you pseudonymise or encrypt your data, you are compliant with the Article 32.

GDPR defines pseudonymisation in Article 3 as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” The “additional information” must be “kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.”

Pseudonymisation is thus a slight form of anonymisation. The difference is that pseudonymous data still allows the re-identification, while anonymous data cannot be re-identified. It is obvious that if you provide pseudonymous data as open data not including the “additional information”, the data become anonymised data.

What does this mean? It means that public sector bodies, libraries, museums and archives have an extra incentive to pseudonymise/anonymise their data by charging the relative costs to the re-users with the condition that they provide their data as open data.
This all sounds like a win-win strategy: the public sector bodies do not pay for anonymisation and the re-users have more data to re-use.

Evaluation by the Commission

Another sign of impact of the data protection rules on the PSI Directive is mentioned in Article 16  Evaluation, where on point 1 it is stated that the Commission shall carry out an evaluation of the Directive and on point 2 that:

2. The evaluation shall in particular address the scope and impact of this Directive, including the extent of the increase in re-use of public sector documents to which this Directive applies, the effects of the principles applied to charging and the re-use of official texts of a legislative and administrative nature, the re-use of documents held by other entities than public sector bodies, the interaction between data protection rules and re-use possibilities, as well as further possibilities of improving the proper functioning of the internal market and the development of the European data economy.

The provision of including the interaction between data protection rules and re-use possibilities in the evaluation have already been added by Directive 2013/37/EU, nevertheless on the light of the points above described, now it has a greater importance.

Conclusion

The new PSI Directive has  not been finalized yet, but the last amendments show that the data protection has been taken into account by recommending compliance with the GDPR and encouraging the anonymization of information by including its cost between the marginal costs.

How to make a request for re-use in the different member states? This time we are in Italy, let’s see how things work.

 Legislative framework

Directive 2003/98/EC (PSI Directive) was transposed through Legislative Decree 36/2006 but this has not given rise to any particular initiatives for a while.

Only in the last few years, new developments in the Open Data legislation put Italy in the forefront of those member states who embrace the principles of openness and transparency of public sector information, as evidenced by the upgrading of Italy from the Followers level to the Trend-setter according to the Open Data Maturity Index.

In fact, Italy has transposed Directive 2013/37/EU amending Directive 2003/98/EC on time through the legislative Decree no 102 of 18 May 2015. In 2016 the country has also introduced the Freedom Of Information Act through Legislative Decree no 97 of 25 May 2016.

So, is everything okay? Not exactly.

The efforts made to increase transparency in the public administration have led to some overlaps. At the moment there are three different kinds of administrative right of access:

• the original right of access to administrative documents (Law no. 241/1990), which states that the applicant must demonstrate a qualified interest
• the right of civic access to documents, data and information (legislative Decree no 33 of 14 March 2013), which allows access only to information that falls within the publication obligations provided for by law
• the “generalized” right of civic access introduced by the above mentioned Freedom Of Information Act Legislative Decree no 97 of 25 May 2016, that allows private parties to obtain disclosure beyond the borders of compulsory application imposed by the previous Decree.

The coexsistence of three different rights of access, described in three different laws, is something that does not help simplification of norms and rules.

Further to that, the generalized civic access introduced an interesting – from the re-users point of view – side effect.

 Since Legislative Decree no 97 is an amendment of Legislative Decree no 33, it has kept some articles unchanged while it has changed others. For instance, the unchanged article 7 says that all information that has been object of civic access as per article 5 can be re-used with no broader limitations than the duty to mention their source and to use them properly.

The updated article 5 defines now the civic access at point 1 and point 2. Point 1, as before, limits the right to access to data already published or data not yet published but for which there is the pre-requisite of compulsory publication. Instead, new point 2 extends the right of access to data and documents not subject to mandatory publication.

The result is that with the “generalized” civic access anyone can access and reuse data and information with the duty to mention their source and to use them properly.

The overlap with the PSI Directive is clear. However interesting thing is that the re-users have now another weapon at their disposal to obtain an answer to their requests for reuse of public sector information.

In practice

Basically, to address a reuse request to an Italian public sector body, it is worth to have a look at its website; often you can download a module to be compiled and sent to the mail address indicated. An example here.

In the other cases, you have to create your request bearing in mind some general rules:

• clearly indicate your identity and contacts
• the request should not be generic; you should describe it in a way that allow identification of the data, document or information you are requesting
• there is no obligation to motivate your request
• add a reference to the relevant legislation; as we already seen, you can either invoke articles 5 and 6 of Legislative Decree 36/2006 (transposing Directive 2003/98/EC) as amended by Legislative Decree 102/2015 or articles 5 and 7 of legislative Decree no 97 of 25 May 2016.

Which one is the most appropriated to use? It depends on the kind of data requested and on the public sector body involved. In general there are limitations on which data you can obtain in both cases, for instance with regards to the reuse of personal data, but their investigation is beyond the scope of this article.

Then you can send the request directly to the public sector body or let PSI Monitor do it for you: register to psimonitor.eu, click on add your request and fill the form. 

There are also other tools that you can leverage to make a request; for instance www.FOIAPop.it lets you create a pdf form in a few clicks. At this time it is still in beta and may not work as expected.

Another tool is chiedi.dirittodisapere.it which allows you to make a request according to the generalized civic access. It appears not so active at the moment (last request inserted is dated May 2018); we have tried to contact the administrators of the website without success, anyway might be worth to give a look to the requests registered there to get a feel of the situation.