Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Data protection and freedom of information: a balancing act [1999] PLBIRp 55; (1999) 51 Privacy Laws and Business International Report 14

Data protection and freedom of information: a balancing act

CANADA HAS HAD YEARS OF EXPERIENCE in balancing access rights with protecting personal data. France, on the other hand, is modifying its law to allow better access to official documents. What needs to be considered to be able to respect both rights?

Access to public sector documents may lead to a situation where releasing information jeopardises an individual's privacy. Organisations operating in jurisdictions which have both data protection and freedom of information laws are faced with complex cases.

The following examples, presented in Hong Kong at the 21st International Conference of Privacy and Data Protection Commissioners in September, show how the two rights can be balanced.

CANADIAN COMMISSIONER PLAYS A DUAL ROLE

Freedom of information legislation has been adopted in several jurisdictions ranging from Scandinavian countries to the US and Australia. It is, however, not so common to have one authority responsible for overseeing both rights. In Canada, the Information and Privacy Commissioner for British Columbia does just that. Dr David Flaherty, the province's Commissioner between 1993-1999, offered the conference his views on achieving a proper balance.

Dr Flaherty explained that he had found it beneficial to have this dual role, even though some of his decisions sacrificed traditional privacy interests to promoting open government. The British Columbia Freedom of Information and Protection of Privacy Act lists criteria under which disclosure of personal data to a third party can be seen as an unreasonable invasion of privacy. These include situations where the personal data relates to employment data or medical information.

The law also requires a "public interest test", which supersedes any other exception in the law. The public interest test has been used, for example, when deciding on whether parents should be informed about the presence of a sex offender in their area. In another case, a journalist had demanded the right to publish the name of an accident victim which he claimed was in the public interest.

The Information and Privacy Commissioner upheld the decision of the police not to release the name, saying that the newspaper story was no less credible even if it did not include the victim's name.

FRANCE SEEKS HARMONISATION OF LAWS

In France, access to administrative documents has been possible since 1978. However, the body for enforcing the law has not been the Data Protection Authority (CNIL), but the Commission of Access to Administrative Documents (CADA). The President of the CNIL, Michel Gentot, told the conference that the CADA can issue only non-binding opinions. However, its advice is normally followed.

The French law states that access to an administrative document cannot be provided if the document includes personal data. The main problem has been to identify what is personal data. CADA has interpreted it to include only data which contains an assessment or value judgement about a natural person. However, the Data Protection Act applies to all personal data. This contradiction led both the CADA and the CNIL to seek harmonisation of the two laws.

Michel Gentot explained that France's Parliament is now considering a bill which would solve the problem. Although the proposal favours transparency over privacy, the CNIL fully supports it.

INFORMATION SOCIETY POSES NEW PROBLEMS

Michel Gentot continued by highlighting a few transparency issues. The European Commission's Green Paper on Public Sector Information points out that the information society poses new risks to privacy as public registers become more accessible. Easy access and increased sharing of data present certain dangers. For example, personal data that can be legitimately made public in one jurisdiction, may need protection in another.

Another cause for concern is the commercial value of personal data. Michel Gentot asked whether it is legitimate that the identity and address of a car owner should be passed on from the registration authority to builders or dealers?

In France, 20% of telephone line subscribers have chosen to go ex-directory in order to avoid direct marketing. By being too aggressive, commercial users of data are, in fact, reducing the amount of publicly available data. Michel Gentot concluded by saying that a balance between protecting personal data and access to public information can be found, but it requires a solid legal basis.

This report is based on the presentations of Dr David Flaherty, Information and Privacy Consultant (e-mail: david@flaherty.com, Tel: +1 250 595 8897) and Michel Gentot, President, CNIL (e-mail: mgentot@cnil.fr, Tel: + 33 1 5373 2201) at the 21st International Conference of Privacy and Data Protection Commissioners, 13-15.9.1999, Hong Kong. Conference proceedings are available on the Internet at http://www.pco.org.hk/conprocced.html ("What's new"). The conference was organised by the Office of the Privacy Commissioner for Personal Data, Unit 2001, 20th Floor, Office Tower, Convention Plaza, 1 Harbour Road, Wanchai, Hong Kong. Tel: (852) 2877 7168 Fax: (852) 2877 7026 e-mail: hkpcpd@pco.org.hk Internet: http://www.pco.org.hk