Balancing on a Tightrope:

Transparency and Personal Data Protection in the EU

Open Data Charter
opendatacharter

--

by Rachel Hanna, Access Info Europe, and Krzysztof Izdebski, Open Spending EU Coalition, @EuSpending

Photo by Christian Lue on Unsplash

Balancing is never an easy task. One has to move slowly, carefully taking one step after another. A mistake can cause a fall — and in the context of the topic of this article — resulting in a negative impact on either transparency or personal data protection. This blog will guide readers through the intricacies of this equilibrium and equip them with a virtual balancing stick.

While there is no need to broadly explain why transparency is important (given that it stems from the right to information, supports the fight against corruption and facilitates better decision-making), to understand the complexities of this balancing act, let’s dive immediately into some basics of personal data protection in the EU.

Is the right to personal data protection absolute?

The right to personal data protection is a fundamental right and is one of the cornerstone values of the European Union. This right is deeply embedded in the EU’s legal framework, with Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union providing that everyone has the right to the protection of their personal data.

This right, however, is not absolute and can be limited under Article 52 of the Charter. The EU’s General Data Protection Regulation (GDPR) itself, in preamble 4, recognises this and states that personal data protection must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality, including the right to freedom of expression and information.

The GDPR clarifies that processing of personal data can be lawful if it is necessary for the performance of a task carried out in the public interest (Article 6) and that derogations and exceptions to the fundamental right to data protection can be exercised when necessary in the interest of freedom of expression and freedom of information (Article 85). Specifically, public authorities must reconcile public access to official documents with personal data protection, when performing a task carried out in the public interest (Article 86), which can concern, for example, the expenditure of public funds.

Therefore, the right of data subjects to the protection of their personal data must be balanced with, and therefore can be limited by, competing rights and general public interest in revealing the information.

How this balancing takes place largely depends on the specific EU or national legal context, taking into account the personal data in question, and identity of the data subject. This results in the fact that we, unfortunately, have very different practices from country to country or subject to subject.

Still sounds too theoretical? Let’s move to the practice then.

How does the EU balance personal data protection with transparency in public spending?

In terms of transparency and accountability of public spending, publication of some personal data on final beneficiaries of public funds has been recognised as necessary for the specific purpose of public control and scrutiny of how funds are being spent.

For example, the EU Financial Regulation establishes the principle that there should be transparency in how EU funds are spent: “citizens should know where, and for what purpose, funds are spent by the Union. Such information fosters democratic debate, contributes to the participation of citizens in the Union’s decision-making process, reinforces institutional control and scrutiny over Union expenditure, and contributes to boosting its credibility.”

The Court of Justice of the European Union found that “in a democratic society, taxpayers and public opinion generally have the right to be kept informed of the use of public revenues,” it also stated that such information “may make a contribution to the public debate on a question of general interest, and thus serves the public interest”. (Joined Cases C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others (para 85)

It is therefore accepted that the public should be adequately informed about how public money is spent and who is receiving it. To ensure that this is happening, it is inevitable that public bodies will need to release a limited amount of personal data of beneficiaries.

A very good example of such a mechanism is the Regulation on the Common Agricultural Policy (CAP). It states that if public control of funds is to be achieved, a limited amount of personal data of beneficiaries needs to be brought to the attention of the public, including name, municipality and the amount of payment received, which is to be published online for 2 years.

This balancing act allows for the public to be informed on how public money is being spent and who is receiving it. Yet, by putting limits on just how much and for how long personal data is in the public domain, and not publishing personal data, which by nature is particularly sensitive (for example, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, or sexual orientation), this ensures that the publication causes the least interference with the beneficiaries’ right to respect for private life and their right to protection of their personal data.

With these limits in place, the publication of personal data does not go beyond what is necessary in a democratic society in view of the need to protect the Union’s financial interests as well as to achieve the objective of public control of the use of the money from the Funds.

This is how the balancing should be done. But we also observe as is the case in many other legal ecosystems…it depends.

Is the EU backtracking on transparency?

So we know that the rules surrounding transparency of the CAP funds make it very clear that a limited set of personal data of beneficiaries must be made available to the public in order to ensure accountability of public spending.

Transparency activists had therefore expected similar uniform spending arrangements to ensure accountability of the Recovery and Resilience Facility (RRF) — the massive EU spending of €723 billion on the recovery from the Covid-19 pandemic.

Surprisingly, there were no common provisions for spending transparency in the RRF Regulation. Rather, the management and oversight of RRF spending was to take place at the national level, with Member States’ national control systems serving as the main instrument for safeguarding the financial interests of the Union. Without common transparency rules in place, Member States themselves decided which data to make public on the spending of the RRF funds — resulting in differing levels of data being published on beneficiaries.

Thanks to, among other things, the advocacy work of the Open Spending EU Coalition, an agreement was reached under separate EU legislation — RePowerEU (art. 25a) to make it compulsory for Member States to publish a list of the 100 largest beneficiaries at the halfway stage of the programme — in the case of a natural person, the first and last name of the recipient.

This solution, however, is far from sufficient. The list is limited, and it does not contain data on contractors and subcontractors, which in practice also excludes the data of individuals receiving these funds. It is also a stark contrast to the rules that the EU put in place to ensure uniform transparency of final beneficiaries of CAP funds. The RRF was a missed opportunity to build systemic transparency for beneficiaries of EU programmes. It could also be considered as a backtracking of transparency standards by the EU in public spending.

We have seen in other areas a backtrack in transparency in the name of data protection, with a progressively prominent role being given to privacy and data protection rights:

Backtrack on beneficial ownership transparency: In November 2022, the Court of Justice of the European Union stated that general public access to beneficial ownership registers was neither strictly necessary nor proportionate to justify the interference with privacy and personal data protection.Hence the provisions of the Fifth Anti-Money Laundering Directive giving public access were declared invalid.

Backtrack on transparency of EU public officials: the European Commission decided to remove the contact details of staff below head of unit level from the online directory of EU staff. One of the reasons behind the decision was to prevent staff members from being subject to “undue pressure from external sources”. The European Ombudsman has opened an inquiry concerning this.

How do Member States balance personal data protection with transparency in public spending?

At present, the EU is not necessarily consistent in terms of balancing transparency and personal data protection. It often defers the decision on how to balance transparency and personal data protection to Member States.

While we may not be happy with losing the concept of the single market of transparency rules, there are positive examples of how Member States are achieving the balance between transparency of public spending and personal data protection at the national level, while still complying with the GDPR.

In Poland, the clash between the need for openness in public spending and the need for data protection rights was already causing tension before the adoption and implementation of the GDPR. In 2012, the Supreme Court grappled with the question of whether the names of people who performed consulting contracts for the city hall of the Polish capital could be made available. The issue involved, among other things, sociological analyses of events organised by the office. The court held that, as these persons had performed contracts for a public institution and had received remuneration from the city budget, their right to protection of personal data (in terms of their first and last names, but not their exact address), could be restricted.

Interestingly, following the judgement, the city has developed a contract register published online, where spending data appears on an ongoing basis, including the names of those who received public funds for work done for the authority. A systemic change has thus taken place. The implementation of the GDPR has changed little in this regard.

Other positive examples of balancing at the national level include Slovakia, which has had an online contract registers for many years. Portugal and Romania also publish the data of people who carry out various types of work for public institutions. This makes it possible, for example, to see how much public money a particular person has received in total.

It is clear from these examples that publication of a limited set of personal data in order to ensure transparency and accountability of public spending can indeed be done in line with GDPR as it is considered to be:

  • Necessary for the performance of a task carried out in the public interest, and
  • Proportionate to the legitimate aim pursued.

Looking beyond the horizon

While we recognise the importance of the fundamental right to data protection, it is not absolute, and when public spending is involved this right should be limited.

Personal data of beneficiaries of public funds can be made public while still complying with the GDPR. It has been agreed that the publication of a limited set of personal data on final beneficiaries of public funds is necessary for the performance of a task carried out in the public interest of ensuring transparency and accountability of public spending.

To ensure that this type of publication is proportionate, the type of personal data released in this situation, however, should be limited, and should of course not concern sensitive personal data, such as personal data on health, sexual orientation or ethnic origin.

Despite the consensus that the publication of a limited set of personal data on final beneficiaries of public funds is in the public interest, there are still inconsistencies in the rules surrounding this. We see that more personal data of beneficiaries is shared for some funds (e.g. CAP) and not for others (e.g. RRF spending). We find no justification for different standards of access to information in similar circumstances.

What is obvious is that more consistent rules and clear guidance are needed on how to achieve the appropriate balance between personal data protection and transparency around the spending of public funds. Such guidance would give a sense of security to officials deciding whether or not to share such information.

Rachel Hanna is as Legal Researcher and Campaigner for Acccess Info, advocating for the universal enjoyment of the right to information. In this role, Rachel runs Access Info’s human rights research and legal analysis projects, using final results to hold government accountable and campaign for change.

Krzysztof Izdebski is the Co-Lead at Open Spending EU Coaltion. Want to know more about how we open up EU spending? Visit open-spending.eu to learn about our work, find out what the EU institutions are doing, and be inspired by what our members are doing.

This article is part of our Finding the ‘Rights’ Balance blog series which was kickstarted by our Research Director, Renato Berrino Malaccorto. Part One discusses how access to public information and open data complement each other, while Part Two presents 7 ideas that harmonise debates surrounding open data and privacy.

--

--

Open Data Charter
opendatacharter

Collaborating with governments and organisations to open up data for pay parity, climate action and combatting corruption.