As part of “day to day” Open Data operations in Slovakia we recently stumbled upon the topic of “GDPR vs. Open Data”. Statements like “GDPR will kill your Open Data” or “Unofficially, personal information regulators think Open Data is illegal” were overheard.
We can discard such statements as “unofficial” and “FUD”. But there was some “risk” identified already (see use-case example below). So, we would like to discuss and share know-how, tips and tricks with others around the EU (or world-wide), since GDPR is not Slovak-specific.
To make the debate more grounded, focused and real, here’s a quick summary of what we (=Slovak Open Data initiative) concluded so far:
- GDPR has mostly no effect on Open Data (see point 3 as to why)
- GDPR relates to Open Data mostly because both proper execution of Open Data publishing and protection of personal data require (among other things) proper data management, some ETL (anonymization, …), etc.
- The most contentious item (GDPR vs. Open Data) so far is the “exceptional” Open datasets which do contain personal information, for example Business Registry or Land Ownership data.
So, a few more points on those “exceptional” Open datasets which do contain personal information:
- As mentioned above, we believe those are a minor part of the total set of (Open) data there is.
- But those tend to be of higher interest/value (precisely because they do contain names, etc.)
- But as those were published with a certain purpose in mind (in general, usually, because of “public interest”), we believe their processing/usage should not be in any way affected by GDPR.
- But the problem as of now is that agencies responsible for protection of personal information seem to think (assumed based on what we know from them directly or indirectly so far) such datasets do not have any exception from GDPR, thus users of such Open Data have to produce the usual paperwork (and other stuff) which is required from “data controllers”.
The desired outcome for the Open Data community would be to achieve a state when it is clear that even though a dataset does contain some personal information, Open license is still valid and thus users of that data are able to use and re-use it “as usual”.
Typical worst-case scenario we would like to avoid:
- Slovak Business Register publishes data about companies and their owners as Open Data.
- Some guys create a nice service based on that, create a company around that once the service proves interesting and commercially viable.
- Personal Data authority then steps in and tells them to either explain why they are processing names of company owners (and prove they have some relationship to all of them, etc. bla bla bla, we do not fully understand what other stuff the authority may require) or cease/delete the names right away (and pay a fine, etc.)
- That sets an example country-wide (“legal uncertainty”, “high costs/difficulty in starting the project”, etc.) and we “fast rewind” back a few years and function/live as if no Open Data from Business Register exists.
That would essentially defeat the purpose of making such data public and published as Open Data (what is the purpose of having some data freely available on the Internet if you can’t legally make a copy and work with it?)
(We can also use an “NGO fighting corruption” in that example, it will still be almost the same. But NGOs can at least “hide” to some degree as “journalists” in that case.)
Side note: I see last year there was something written in that regard in New Organization Request by melina_t but since that one is locked, I do not know what.