The balance between the access to public information and protection of personal data

Author:Ioan Aron
Pages:202-208
SUMMARY

The adoption of General Data Protection Regulation - GDPR - has a series of implications, on national level, regarding data management. In the same time, the laws regarding the access to information of public interest are more and more used by the citizens and the informational society implies the management of a continually growing volume of information. The aim of this research is to describe the frame and the modalities to obtain the balance between the access to public data and the protection of personal information.

 
CONTENT
202 CRISTINA MIHAELA SALCĂ ROTARU
IT LAW
The balance between the access to public information and
protection of personal data*
Ioan ARON**
Abstract
The adoption of General Data Protection Regulation – GDPR – has a series of
implications, on national level, regarding data management. In the same time, the laws
regarding the access to information of public interest are more and more used by the
citizens and the informational society implies the management of a continually growing
volume of information. The aim of this research is to describe the frame and the modalities
to obtain the balance between the access to public data and the protection of personal
information.
Keywords: GDPR, personal data, information management, access to information
Free and unrestricted access to information of public interest is one of the
fundamental principles of relations between persons and public authorities,
stipulated in the Constitution of Romania, the international documents ratified
by the Parliament and in the European legislation.
Adequate protection of the right to intimate, family and private life and the
right to information is necessary, since these rights are recognized as
fundamental rights.
Thus, on the one hand, public authorities and institutions must allow access
to documents, in order to effectively respect the right to information of public
interest.
On the other hand, public authorities and institutions must provide
individuals with a certain protection of data contained in an official document or
held by them, in order to guarantee the right to the protection of personal data.
Personal data that can be made public is not a homogeneous category that is
uniformly addressed from a data protection point of view.
Public access to data does not mean unrestricted access, all EU member
states. based its legislation on this philosophy. When personal data is made
public, either by virtue of a regulation, or because the data subject has authorized
Law Review vol. X, issue 2, July-Decembre 2019, pp. 202-208
The balance between the access to public information 203
this action, that person benefits from protection by law, in accordance with the
fundamental principles of the right to privacy.
In order to strike a balance between the right to the protection of personal
data and the access of the public to data in the public sector, the Working Group
on Art. 29 - consisting of representatives of the supervisory authorities and
having an advisory role with the European Commission - considers that the
following should be taken into account:
- conducting an assessment for each case, on the possibility of making
personal data public, respectively if they should not be accessible and if so, under
what conditions and on what kind of support (computerized or not, spreading on
Internet, etc);
- observance of the principle of proportionality of purpose and legitimacy;
- the obligation to inform the data subject;
- the right of the data subject to oppose the disclosure of his data;
- the use of new technologies for the defense of the right to privacy.
A number of public authorities and institutions have requested the point of
view of the Supervisory Authority, regarding the interpretation and application
of the provisions of Law no. 544/2001 regarding the free access to information of
public interest, modified and supplemented, by reference to the GDPR1, in
situations where the media or some non-governmental organizations request
information considered to be of public interest, which also contain personal data.
Thus, in one case, the opinion of the Authority was requested regarding the
disclosure of personal data such as name, salary, as well as other allowances or
bonuses obtained by civil servants.
In the answers, the Supervisory Authority underlined that these are personal
data, some representing an indicator of the economic and financial situation of
the person concerned. Accordingly, according to the GDPR provisions for the
disclosure of these categories of personal data, the consent of the data subject is
required or the situation must fall within one of the express exceptions provided
by law.
At the same time, the provisions of art. 14, para. (1) of Law no. 544/2001
specifies that the information regarding the personal data of the citizen can
become information of public interest only insofar as it affects the ability to
exercise a public function.
In the case of the processing of personal data carried out for journalistic
purposes, the processing may be carried out without the consent of the data
subject being required, if the processing concerns personal data, which have been
expressly made public by the data subject, or which are closely linked to the
1 EU General Data Protection Regulation (GDPR)
204 CRISTINA MIHAELA SALCĂ ROTARU
quality of a public person, or the public character of the facts in which he is
involved.
Therefore, I appreciate that the personal data of the data subjects can only be
disclosed unless the situation falls within the exceptions provided by the GDPR.
In this context, the Constitutional Court has ruled that, as far as public
authorities and institutions are concerned, their budgets include the expenses
they can make, by chapter, including those with staff and salaries. The Court
finds that the salaries of the staff of the institutions in the budgetary sector are
established by normative acts, which are also public. However, the Court held
that the concrete salary of a person, established within the minimum and
maximum limits provided in the normative acts, taking into account the
importance of the work submitted, the contribution made to the accomplishment
of the tasks and the personal situation, no longer has public interest, entering into
the sphere of the private interest of the person (Decision no. 615/2006).
The Supervisory Authority considers that the existence of a derogatory
regime from the general principle of the existence of the consent of the data
subject, in the case of data processing for journalistic purposes, represents the
respect of the freedom of expression.
Also, information on judicial proceedings cannot be made public, if their
publicity is prejudicial to ensuring a fair trial or to the legitimate interest of any
of the parties involved in the process.
Thus, in the context of the disclosure of personal data or documents
containing personal data, by judicial authorities, respect for the fundamental
rights and freedoms of natural persons must be ensured, in particular the right to
intimate, family and private life, with regarding the processing of personal data.
The association "Society for Justice" (SoJust) has notified to the supervisory
authority certain aspects regarding the possible non-observance of the
presumption of innocence in the press releases of the judicial authorities. These
were analyzed by SoJust in a case study entitled "Press releases of the
Prosecutor's Office attached to the High Court of Cassation and Justice and of the
National Anticorruption Directorate".
The supervisory authority has specified that the authorities with judicial
attributions have the legal obligation to inform the public about their activity,
including regarding the detection and investigation of crimes, with respect for,
guaranteeing and protecting the fundamental rights and freedoms of natural
persons, in especially the right to intimate, family and private life, regarding the
processing of personal data.
At the same time, in the "Guide of good practices for cooperation between
the courts, the prosecutor's offices and the media", a document adopted by
decision of the Superior Council of Magistracy, it is provided that "In relation to
the media", the spokespersons will also be concerned with observing and
The balance between the access to public information 205
observing the provisions of Recommendation 13 (2003) of the Committee of
Ministers and the Annex of this document, especially regarding the respect of the
presumption of innocence, judicial independence, impartiality and objectivity of
the justice act''
Aspects derived from the reports transmitted by the operators of the justice
system
- informing, by the operator, the data subjects - The Supervisory Authority
underlines that the operator has the legal obligation that, when collecting the
data, to communicate to the data subject the information. In the opinion of the
Supervisory Authority, the observance of the right to information ensures
transparency in the data processing activity towards the data subject who, thus,
can expressly and unequivocally consent to the processing of his data and is
aware of the rights available to him in the relationship with the operator. The
data subject must be informed in accordance with the purpose of the processing,
the nature of the data processed and the means processed. Verbal information is
allowed only if, given the circumstances of the processing, it is impossible to
perform one of the other modalities highlighted in the notification form (in
writing, by posting or on the web page). In order to facilitate the choice of one of
these options, the Supervisory Authority has made available to the data
operators a series of models of information notes in the guide for completing the
notifications;
- disclosure of personal data to third parties - in the activity of processing
personal data, situations have arisen where the operator communicates or
discloses certain data or categories of data to other entities. Public authorities to
whom personal data are communicated within a special investigative
competence cannot be considered as recipients (for example: personal data
requested by the courts, prosecutors, criminal investigation bodies if they are
necessary to conduct an investigation). Thus, there is the possibility that the
personal data may be disclosed to third parties, without the consent of the data
subject, if this is allowed by a legal provision that regulates the operator's activity
and establishes its attributions. Another situation is that in which the data
requesting third party has certain legal competences, according to which he is
authorized to request personal data; in this respect, the Supervisory Authority
may issue recommendations and opinions on the specific aspects of the data
protection field at the request of the courts and prosecutor's offices;
- another situation was that of an operator who challenged the report of the
contravention sanction, invoking the fact that the date of committing the
contraventions was not mentioned in it, although the date of the preparation of
the respective report was passed. The courts have decided that "the acts
considered as contraventions are continuous facts, in which case the date of the
preparation of the minutes represents the date of their committal";
206 CRISTINA MIHAELA SALCĂ ROTARU
- another case was that of contesting the contraventional sanction report of
an operator who had installed video surveillance cameras and thus processed the
image of the people, without first notifying the Supervisory Authority, claiming
that the processing carried out does not fall under the GDPR
In this regard, we mention that any data relating to a natural person,
identified or identifiable, such as: name and surname, address, place and date of
birth, citizenship, profession, e-mail, telephone number, image, place of work,
signature, sex, family situation are personal data.
The image is undoubtedly personal data, because it can lead to the
identification of a person, the installation of video cameras can only be done with
the consent of the neighbors.
Principles related to the processing of personal data
The GDPR sets out seven principles that must be complied with
cumulatively when making a decision about data processing. These principles
are: legality, fairness and transparency, limitations on purpose, minimizing data,
accuracy, high storage limitations, integrity and confidentiality, responsibility.
Legality, fairness and transparency - paragraph 39 of the GDPR – „any
processing of personal data should be fair, personal data should be adequate,
relevant and limited to what is necessary for the purposes for which they are
processed"2 and paragraph 40 of the GDPR, „in order for the processing of
personal data to be legal, it should be carried out on the basis of the consent of
the data subject or on the basis of another legitimate reason, provided by law,
either in this Regulation or in another act of Union or domestic law,,3.
The regulation provides that the data will be processed only with respect to
one or more conditions, namely the consent, the contract, the legal obligation, the
legitimate interest, the public interest and the vital interest.
Equity - assumes that the data processing is fair and legal for the data subject
who should easily exercise the rights provided in the GDPR.
Transparency - means that any information and communications related to
the processing of personal data are easily accessible, easy to understand,
presented in a simple and clear language.
Purpose limitations - paragraph 50 of the GDPR – „The processing of
personal data, for purposes other than the purposes for which the data were
initially collected, should be allowed only when the processing is compatible
with the purposes for which the personal data are were initially collected,,4. If the
data subject has given his consent or the processing is based on Union law or on
a national law which is a necessary and proportionate measure to protect a
2 http://www.privacy-regulation.eu/ro/r39.htm
3 http://www.privacy-regulation.eu/ro/r40.htm
4 http://www.privacy-regulation.eu/ro/r50.htm
The balance between the access to public information 207
general public interest, the data processing should be possible regardless of the
compatibility of the purposes, provided that the operator proves the consent.
Data minimization - according to the GDPR, the data must be adequate,
relevant and limited to what is needed in relation to the purposes for which they
are processed. Supplementary data that is not required by the operator should be
destroyed, anonymized and used for statistical and historical research purposes
only.
Accuracy - the GDPR states that the data must be accurate and should be
updated. Inaccurate ones cannot be processed and will be deleted or corrected.
High storage limitations - The GDPR states that the data will be kept for a
period that does not exceed the time required to accomplish the purposes for
which the data are processed. Exceptions to this rule are encountered in
employment contracts that are kept for 75 years or payment states that are kept
for 50 years, or in the case where it would be necessary to keep the data as
evidence in the event of a dispute.
Integrity and confidentiality - the regulation provides that the data will be
processed under adequate security conditions offering protection against
unauthorized processing, loss, destruction or accidental damage by specific
methods, pseudo-anonymization, data encryption, the ability to restore personal
data in case an incident of a physical or technical nature.
Responsibility - is a principle that sums up all these requirements and offers
the organization the ability to ensure and guarantee within the legal limits the
use of personal data with a high-performance management, updated to the EU
requirements.
Legality of the processing of personal data
The legal framework for the processing of personal data contains the
following conditions - the consent, the contract, the legal obligation, the vital
interest, the public interest and the legitimate interest found in the GDPR.
The consent - is defined by the regulation as any manifestation of free will,
specific, informed and unambiguous of the person concerned by it accepts by a
declaration or an unequivocal action that the personal data regarding it are
processed. The working group, at art. 29, warns that the consent must be a real
choice for the data subject and mentions the revision of the methods of obtaining
the inactive consent. In accordance with Council Directive 93/13 / EEC, a prior
statement of consent should be provided by the operator, in an intelligible, easily
accessible form and without abusive clauses. They must also know the identity of
the operator and the purpose of the data processing and the data subject must
truly have the freedom of choice5.
5 https://www.dataprotection.ro/servlet/ViewDocument?id=1442
208 CRISTINA MIHAELA SALCĂ ROTARU
GDPR obliges operators to ensure that consent can be withdrawn as easily as
it was given at any time and free of charge. The consent of the children under the
age of 16 must be given or authorized by the legal representative (par. 38
GDPR)6.
Legality of processing of special categories of data
According to the GDPR, the processing of personal data relating to criminal
convictions and offenses or related security measures is carried out only under
the control of a state authority authorized by Union law or by a national law
providing adequate safeguards.
According to Law no. 190/2018, the processing of genetic, biometric or
health data for the purpose of performing an automated decision-making process
or for creating profiles is allowed with the explicit consent of the data subject.
Data processing, in the context of a task that serves a public interest - Law
no. 190/2018 - regarding the measures of application of the GDPR, stipulates that
the recourse to the public interest for processing can be realized only with the
establishment of the following guarantees - observance of the principles listed in
art. 5 of the GDPR, in particular the minimization of data, respectively the
principle of integrity and confidentiality; appointing a data protection officer if
necessary and establishing storage terms depending on the nature of the data
and the purpose of the processing, as well as specific deadlines for deletion.
Conclusions
Considering the national and European legislative framework that offers
practical recommendations, the case law of the ECHR and the ECJ as well as the
guidance given by the National Supervisory Authority for personal data, we can
say that important steps have been taken in the field with solid guarantees, but
the GDPR issue is wide, dynamic, constantly implies increased supervision and
improvements at the same time as the evolution of society.
6 http://www.privacy-regulation.eu/ro/r38.htm