Author: András Jóri

 

Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.

I. Preliminary remarks

Access to official documents (or to data defined as “public data”) is regulated to various degrees in many Member States; in some, this right is elevated to a constitutional right. The GDPR necessarily interferes with the right to access to official documents, since its provisions are to be applied to the personal data contained in such documents. Therefore, the lawmaker expressly emphasizes the need for a balance between the right to personal data and the right to access in Art. 86 GDPR, leaving the task of setting such balance to other Union of Member State legal acts.

II. Legislative history

Recital 72 DPD acknowledged that “this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive”.

 

III. Analysis
1. The need for setting a balance between the access to official documents and the right to personal data

Determining the right balance between data protection and freedom of information is crucial to make data protection efficient. Not striking the right balance between privacy and transparency can not only ruin the public perception of data privacy regulation but can also endanger the effective protection of transparency interests.

This issue appears in many cases on an EU and a Member State level, and involves the question of how to organize a data protection authority – shall it enforce also freedom of information law or not. Data protection supervisory authorities are tasked with freedom of information enforcement in e.g., the UK, Germany (on federal and state level), Estonia, Hungary and so forth. This institutional model, in our view, might contribute to a harmonized interpretation of data protection and transparency. On an EU level, such enforcement powers are separated: while the EDPS is acting as an independent data protection supervisory authority according to Regulation (EU) 2018/1725, the cause of access to official documents held by EU institutions is represented – with growing emphasis under the tenure of Emily O’Reilly, the former information commissioner of Ireland – by the EU Ombudsman, operating on the basis of Art. 228 TFEU. The two bodies signed a Memorandum of Understanding guiding their cooperation as early as in 2006.

The issue of data protection versus access to official documents also appears in the CJEU’s case law. In Bavarian Lager, a beer distributor applied for the minutes of an official meeting attended by the officials of a Member State, the Comm, and industry representatives. The minutes were disclosed, but the names of certain persons present at the meeting had been deleted from the public version. At first instance, the General Court held that transparency interests overrode data protection interests in this case; however, according to the final judgment of the CJEU, the original decision to withhold the data was right (remarkably, the EDPS intervened in support of the requester). In another important case, the Court ruled that a regulation that set out the publication of certain personal data of beneficiaries of the European Agricultural Guarantee Fund and the European Agricultural Fund for Rural Development is invalid. While the publication of such data may serve a legitimate interest recognized by the EU, the actual legal provision did not make a distinction based on such relevant criteria such as time periods of the funding, frequency of funding, nature or amount of the funding (i.e., they were not compliant with the principle of proportionality). In B v Latvijas Republikas Saeima , CJEU found that “the national register of vehicles and their drivers is an official document, within the meaning of Article 86” and – while “public access to official documents constitutes a public interest capable of justifying the disclosure of personal data contained in such documents”, Art. 86 requires the reconciliation of that right with the fundamental rights to private life and that to the protection of personal data . The court held, that “in the light in particular of the sensitivity of data relating to penalty points imposed for road traffic offences and of the seriousness of the interference with the fundamental rights of data subjects to respect for private life and to the protection of personal data, which is caused by the disclosure of such data, it must be held that those rights prevail over the public’s interest in having access to official documents, in particular the national register of vehicles and their drivers” .

 

 

 

[…]