The PSI directive and GDPR
Publication Date/Time
2018-07-18T09:00:00+00:00
The role of data protection in the proposal for a revised PSI
Directive
BACKGROUND AND AIM OF THE PSI DIRECTIVE AND ITS REVISION

The aim of the PSI Directive on re-use of Public Sector Information
[https://ec.europa.eu/digital-single-market/en/european-legislation-reuse-public-sector-information]
is to foster and guide the re-use of Public Sector Information (PSI).
The directive advocates making more public sector data and public
research data available at higher quality to increase the reusability.
A solid framework guides which data needs to be open and how potential
costs can be calculated. In order to update the directive to fit the
development in PSI re-use, the European Commission adopted a proposal
for a revised PSI Directive
[https://publications.europa.eu/en/publication-detail/-/publication/45328d2e-4834-11e8-be1d-01aa75ed71a1/language-en].
The proposal aims at overcoming the challenges and barriers that still
hinder the full potential of re-use of PSI. One important challenge
that hinders PSI re-use is doubt and misunderstanding about data
protection regulation and opening PSI.

PROTECTING AND OPENING PSI

As published by the European Data Portal on 6 July, protecting data
and opening data [/en/highlights/protecting-data-and-opening-data]
goes hand in hand. The new General Data Protection Regulation
[https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en]
(Regulation (EU) 2016/679, which replaces Directive 95/46/EU) supports
publishing PSI in compliance with data protection laws. However, there
are still concerns and challenges around opening of Public Sector
Information in case it contains personal data.

In doubt if PSI contains personal data, the simplest choice for many
public bodies is to keep PSI locked. The potential fines stated in the
GDPR can further prevent the opening of PSI if a qualification as
personal data cannot be categorically excluded. Therefore, a revised
PSI directive that aims at further fostering PSI re-use also has to
address these concerns and doubts. The Proposal for a revised
Public-Sector Information (PSI) Directive
[/en/news/proposal-revised-public-sector-information-psi-directive] as
well recognises and highlights the importance of further improvement
and guidance on weather PSI that contains personal data can or should
be opened and in which way.

THE CHALLENGE OF OPENING PSI THAT CONTAINS PERSONAL DATA

One challenge in making PSI available and re-usable occurs whenever
PSI contains personal data. Personal data is "any information relating
to an identified or identifiable natural person (data subject) an
identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, (...)
[https://gdpr-info.eu/]".

In cases where PSI contains personal data, the primacy principle of
data protection comes into play. It states that any PSI law has to be
applied in coherence with data protection law and cannot create
exceptions, as the protection of personal data is recognised as a
fundamental right in article 8 of the European Convention on Human
Rights.
[https://human-rights-law.eu/echr/article-8-echr-right-to-private-life-family-life-correspondence-and-home/]

PROTECTION OF DATA UNDER THE PSI DIRECTIVE

This primacy principle is explicitly recognised by the PSI Directive.
In other terms, EU member states and PSI re-users must consider the
principles and obligations of data protection law when applying or
implementing the PSI Directive. This does not imply that PSI that
contains personal data cannot be opened, it rather demands a thorough
assessment under which conditions the opening is lawful.

THE PSI DIRECTIVE TRIPLE ASSESSMENT

In order to support the opening of PSI while protecting personal data,
the PSI directive established a triple assessment: (shortened)

	* Determine whether the PSI contains personal data.
 	* Determine whether national access regimes restrict access to the
PSI. If yes, the same restrictions apply to PSI publication and re-use
as well.
 	* PSI containing personal data that is opened for re-use should only
be processed in compliance to data protection law.

RISKS AROUND SOME KEY PILLARS OF DATA PROTECTION REMAIN

Although the triple assessment includes important aspects, there are
further challenges making the assessment and a potential publication
more complex. For example:

	* The risk of loss of transparency and purpose limitation

By opening PSI that contains personal data and making it open for
re-use transparency for the way and the purpose of re-use of personal
data is not necessarily given. Although re-use is generally
encouraged, in case the purpose limitation principle that prohibits
the use of personal data incompatible with the purpose for which it
was collected is part of the licence, this principle could be
violated.

	* The risk of re-identification

Another challenge is the rather vague concept of personal data. For
example, a licence plate without a name for identification is defined
as pseudonymous information and as such personal data. If data is
anonymised on the other hand, it is not personal data and does not
fall under GDPR, e.g. anonymous information on gender, age, race,
location and income. However, if the combination of anonymous datasets
would allow to determine the identity of a natural person, data
protection laws would apply again. E.g. there may be only one possible
match by gender, age, race and location. The person could be
indirectly identified. This would violate the fundamental privacy
rights of that individual.

	* The risk of exclusive agreements

To avoid risks of violating data protection by publishing PSI, often
bilateral agreements are made to exclusively share data. This does not
follow the idea of a level playing field, demanded in the PSI
Directive. It poses an entry barrier and misses the altruistic
approach of PSI re-use.

NEW STRATEGIES AND CIRCUMSTANCES FOR DATA PROTECTION UNDER THE PSI
DIRECTIVE

GDPR and innovative technologies create new circumstances for data
protection and re-use. The new circumstances can provide solutions or
conditions for opening PSI in compliance with data protection law,
mitigating the risks.

	* Data protection impact assessment

With GDPR coming into effect in May 2018 step two of the PSI Directive
triple assessment, the recognition of variations in national data
protection laws is mitigated. However, the divergence in national
implementation of the PSI directive will persist. An updated common
base for a more elaborate assessment should be compiled. In the
Opinion on the application of data protection law to the context of
PSI
[http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp207_en.pdf]
a data protection impact assessment (DPIA) is recommended. This is
further supported by the GDPR (article 35) to address the involvement
of new technologies.

	* Data Officer

Furthermore, with GDPR, the mandatory role of a data officer for
public bodies was installed (article 37 [https://gdpr-info.eu/]). With
that role and a new assessment literate decision making for opening
PSI is supported.

	* Data anonymisation

Under GDPR the bar for anonymisation is set much higher to tackle the
risks of re-identification. The implementation of technical solutions
for anonymization or _anonymous by design_ solution will solve
challenges around costs of anonymisation and parts of the risks of
re-identification. (Although in some cases it will still be possible
to deduce identities.)

	* APIs

Application programming interfaces (APIs) that can be switched off in
case of data protection challenges or violations are additional
solutions to address risks of re-identification and purpose
limitation.

	* Licenses

Licenses can aim at controlling the use of personal data in PSI to
some extent including prohibiting re-identification attempts and
restricting the purposes of re-use. Finally, data sharing platforms
that allow organisations to derive insights from algorithms processing
other organisations data without actually accessing it are future
solutions of data sharing in compliance with data laws that need to be
taken into account when updating the PSI directive.

THE FUTURE OF THE PSI DIRECTIVE AND DATA PROTECTION

The biggest challenge of PSI re-use is the unavailability of open PSI
data (locked data) and the re-usability of data. To support both and
enable next generation data re-use like real-time data re-use through
APIs, a revised PSI directive should address the new circumstances
around data re-use in terms of data protection and new technologies.
It should also highlight the fact that not only data publishers but
also data re-users have the responsibility to process open PSI in a
way that is compliant with data protection law. In that way further
potential of PSI re-use can be leveraged.
