Commission shows a lack of understanding of the risks of including personal data in open data | Open Data Directive

On a page of the European Commission on ‘High-value datasets’, the Commission states that personal data will be part of open data. The Commission calls certain data produced by the public sector that are particularly interesting for creators of value-added services and applications ‘High-value datasets’ (HVDs). The Open Data Directive sets out six categories of HVDs:

  1. geospatial,
  2. earth observation and environment,
  3. meteorological,
  4. statistics,
  5. companies and company ownership, and
  6. mobility.

In particular, the fifth category will contain a very large amount of personal data. Probably there will be personal data in the other categories also.
About personal data the Commission remarks:

In principle, the list of high-value datasets does not refer to personal data. However, should certain datasets be considered personal data in Member States or if Member States choose to extend the list to personal data, compliance with GDPR needs to be ensured.

It is nicely said that compliance with GDPR needs to be ensured, but what will be the practical implications in a European Union with understaffed and underfunded data protection authorities?

The Commission shows a lack of understanding regarding the significant risks associated with the dissemination of personal data of people involved in companies and other entities:

* (…) In addition, open company data will increase market transparency, enabling a better allocation of private investment or public support.
* A wider availability of information on companies has clear social benefits for areas such as fighting crime (incl. financial crime), increased public engagement and transparency of economic transactions.

The question whether re-use of personal data is allowed is answered as follows:

Is the re-use of personal data held by a public sector body allowed?
* The re-use of personal data held by a public sector body is allowed under two conditions: the data must be generally accessible [1] to the public and their re-use (i.e. personal data processing) must be carried out in full respect of the General Data Protection Regulation (GDPR), which takes precedence over the provisions of the Open Data Directive.
* The Implementing Regulation on HVDs refers to data that falls within the scope of the Open Data Directive and is therefore subject to the same limitations. The draft list of HVDs as presented in the Impact Assessment generally avoids including personal data in its scope. This choice was intentional, as the wide inclusion of such data would decrease the legal feasibility of the initiative while increasing the costs for public sector bodies that need to ensure compliance with the GDPR.

[1] Typically, this means that citizens and businesses can request access to such data under national laws on free access to information. Member State legislation can also provide that certain publicly held data are excluded from access on the grounds of personal data protection, in which case they fall out of scope of the Open Data Directive.


It is highly doubtful whether the GDPR’s data protection requirements are compatible with open data principles.

Over Ellen Timmer

Weblog: ||| Microblog: ||| Motto: goede bedoelingen rechtvaardigen geen slechte regels
Dit bericht werd geplaatst in English - posts in English on this blog, Europa, Grondrechten, ICT, privacy, e-commerce, Ubo-register en getagged met , , , , , , . Maak dit favoriet permalink.

Geef een reactie

Vul je gegevens in of klik op een icoon om in te loggen. logo

Je reageert onder je account. Log uit /  Bijwerken )

Facebook foto

Je reageert onder je Facebook account. Log uit /  Bijwerken )

Verbinden met %s