The future of access to information: Ensuring complementarity between the right to information and personal data protection
Transparency – one of the core principles of open government – is globally recognised as a catalyst for good governance and a lever for representation and for strengthening citizens’ trust in public institutions. The right of access to information (ATI) held by public entities, is celebrated through the International Day for Universal Access to Information on 28 September each year, underpins the concept of transparency and has been recognised as a fundamental human right that enables citizens and stakeholders to be informed of and exercise other rights. It is often enshrined at the highest level of law, such as in the constitution, as is the case in Estonia, Japan, and Portugal. However, there is a delicate balance to be found between the right to access public information and the equally legitimate right to privacy and protection of personal data. The right to privacy protects individuals from arbitrary or unlawful interference with their private life, family, home or correspondence and is similarly enshrined in many constitutions, such as in Finland, Spain and Germany. In this regard, governments have made significant efforts over recent decades to advance personal data[1] protection, which has had, in some cases, unintentional repercussions on the right of access to information.
According to the Global Right to Information Rating (RTI), ATI laws are present in 134 countries, including 37 OECD countries. As personal data has grown in importance in our economies, societies and everyday lives, so too has the right to protect this information. Data privacy laws have proliferated around the world in the last decade and can be found in 142 countries. The increasing importance of both rights has exacerbated the need to find an equilibrium between them, with neither being compromised. The reasons behind the need for policy coherence in this area are multitudinous. For example, the tension between both rights comes to the forefront when a request for access to information is submitted and the document requested includes personal data. In addition, and relatedly, there is a need to protect the privacy of those filing such requests, especially when anonymity is not an option in the requesting procedures.
These rights are further connected by ‘habeas data’, the right to access information held by an institution about oneself, presenting these rights as two sides of the same coin. ‘Habeas data’ as a right and legal action is recognised at the Constitutional level in Brazil, Paraguay and Argentina and, until recently, it was a legal figure used only by some Latin American countries. However, with a similar concept being enshrined in the EU General Data Protection Regulation (GDPR) – through the right that grants subjects the agency to access all data stored about them within public sector entities – its application is growing globally beyond the region.
The disclosure of personal data in violation of an individual’s privacy is often a legitimate reason exempting countries from releasing information. For instance, in Spain, information reflecting sensitive data categories (such as that related to race, ideology or health) may only be disclosed with the explicit and written consent of the data subject. This reasoning can, however, present some risks to the right to information. Even with solid legal frameworks in place, the OECD notes that governments need to identify a middle ground between an open-by-default approach and over-compliance with personal data protection regulations that can restrict their ability to appropriately respond to access to information requests from citizens and stakeholders. Data protection laws could be used by authorities to prevent civil society organisations or individuals from pursuing public interest research or investigative reporting. At the same time, the duty to make information public can sometimes trump data privacy. The GDPR, for example, highlights that “personal data in official documents held by a public authority (…) may be disclosed in accordance with Union or Member State law in order to reconcile public access to official documents with the right to the protection of personal data”.
The protection of personal data can be effectively guaranteed through institutional oversight mechanisms. The large majority of OECD countries have specific independent supervisory bodies to handle complaints and oversee implementation of relevant data protection laws. Furthermore, all EU members are bound by the GDPR to have an independent data protection office. Outside of the EU, many newly established laws have also established the corresponding agencies, such as the Brazilian National Data Protection Authority. However, there are exceptions. In the United States, there is no federal privacy agency. The Federal Trade Commission, tasked with protecting consumers and competition, handles data complaints against private sector entities at the federal level, while complaints towards public institutions are often handled internally across various state and federal agencies and subsequently by the courts. Similarly, an important factor in implementing ATI laws is the existence of institutional arrangements for oversight of their application, usually through ad hoc independent agencies or ombudsman offices. The responsibilities of these bodies vary but often include enforcement, monitoring and promotion of ATI laws.
The institutional oversight bodies responsible for both of these policy areas are increasingly identifying synergies in safeguarding both interconnected rights. While both are most often treated as separate legal frameworks in most countries and require different technical capacities, recognised synergies are pushing governments to consider centralising these areas through a single institution. This is the case for instance, in Argentina, Belgium and Mexico. Exploring this approach would present an opportunity for these institutions to recognise and exploit connections between both policy areas and ensure that personal data and privacy are defended while still enabling full access to public information. Such a move could also foster policy coherence in this area, which may otherwise be fragmented and siloed, with different approaches and outcomes emerging from two misaligned and independent public bodies.
Under the purview of its Working Party on Open Government, the OECD has been at the forefront of advancing the open government agenda by supporting countries around the world to strengthen this cultural change towards more transparency, accountability and stakeholder participation, through public sector reforms. The organisation provides evidence-based policy advice and recommendations on mainstreaming open government strategies and initiatives through its Open Government Reviews. The OECD is also undertaking efforts to measure the progress and impact of open government reforms, including through an Open Government Dashboard and a forthcoming Open, Participatory, and Representative Government Index, which will include a focus on assessing transparency in OECD member countries and beyond.
[1] Any information relating to an identified or identifiable natural person.