Executive summary of the Opinion of the European Data Protection Supervisor on the ‘Open-Data Package’ of the European Commission including a proposal for a directive amending Directive 2003/98/EC on reuse of public sector information (PSI), a Communication on Open Data and Commission Decision 2011/833/EU on the reuse of Commission documents.
The EDPS recalls that this proposal for a directive amending Directive 2003/98/EC on reuse of public sector information (PSI) is part of the ‘Open-Data Package’, which also includes: (i) a Commission Communication entitled ‘Open data - An engine for innovation, growth and transparent governance’ and (ii) a Commission Decision on the reuse of Commission documents.
The EDPS has not been consulted as required by Article 28(2) of Regulation (EC) No 45/2001. This is regrettable in view of the large amount of personal data potentially concerned by this initiative. This Opinion is therefore based on Article 41(2) of the same Regulation. The EDPS recommends that a reference to this Opinion be included in the preamble of the instrument adopted.
The EDPS notes that the PSI Directive aims at facilitating the reuse of public sector information throughout the EU by harmonising the basic conditions for reuse and removing barriers to reuse in the internal market. He highlights the facts that the proposal specifically requires Member States to ensure that existing documents held by public sector bodies of Member States shall be reusable for commercial and non-commercial purposes.
EDPS recommendations: the reuse of PSI that contains personal data may bring significant benefits, but also entails considerable risks to the protection of personal data. In light of these risks, the EDPS recommends that the proposal should more clearly define in what situations and subject to what safeguards information containing personal data may be required to be made available for reuse. In particular, the proposal should:
· establish more clearly the scope of applicability of the PSI Directive to personal data;
· require that an assessment be carried out by the public sector body concerned before any PSI containing personal data may be made available for reuse;
· where appropriate, require that data be fully or partially anonymised and license conditions specifically prohibit re-identification of individuals and the reuse of personal data for purposes that may individually affect the data subjects;
· require that the terms of the licence to reuse PSI include a data protection clause, whenever personal data are processed;
· where necessary considering the risks to the protection of personal data, require applicants to demonstrate that any risks to the protection of personal data are adequately addressed (via a data protection impact assessment or otherwise) and that the applicant will process data in compliance with applicable data protection law;
· clarify that reuse can be made contingent upon the purpose for which reuse is made, in derogation from the general rule allowing reuse for any commercial and non-commercial purposes.
In addition, the EDPS suggests: (i) allowing costs of pre-processing (such as digitalisation), anonymisation and aggregation to be charged to license-holders where appropriate and (ii) that the Commission develops further guidance, focusing on anonymisation and licensing and consult the Working Party in this regard.