Local authorities: RGPD, Open Data, contradictory injunctions?

The modernization of public action, security in the face of cyberattacks, factors of transparency and trust with citizens or even the significant increase in sanctions, with the RGPD, are all data protection challenges that local authorities face.

So when the CADA law allowing a “public Open Data” (“open database”) meets the General Data Protection Regulation (RGPD), local authorities find themselves surrounded between opening and closing in access to data.

However, can we find ethical complementarity for local authorities in these two texts?

Open Data for communities.

Principle: open data

It was through the Digital Law of 2016, which supplemented the provisions of the “CADA law” of 1978, that the obligation for public organizations to publish their databases on the Internet was created. This data can thus be exploited and reused easily by everyone, individual as well as a company. In addition, certain private actors (companies holding public contracts, beneficiaries of public subsidies, etc.) are also required to provide so-called “general interest” data, data concerning the operation of public energy or water services, real estate transactions, or even the management and recycling of waste.

Indeed, two main principles of the CADA law confirm openness to public data: the right to access administrative documents and the free reuse of public information.

The right of access refers to the obligation for administrations to publish administrative documents online, i.e. any document produced or received by the administration as part of a public service mission (Code of relations between the public and the administration - CRPA). This obligation may also concern a private person responsible for a public service mission.

Limit: Personal data

However, to these main principles, the law has introduced some necessary restrictions, in particular to respect for privacy, in particular when public information contains personal data.

Let's take a concrete example: community administrative files, such as civil status registers, social assistance files or even the internal directory of community agents, cannot be used by elected officials for political communication purposes.

Complementarity RGPD and CADA law

Even though the CADA law imposes limitations on Open Data in the public sector, the RGPD - and more generally the Data Protection Act of January 6, 1978, which came into force in its new version since June 1, 2019 (“I&L” law) - applies to personal data whether the sector is private or public. These two laws, CADA and I&L, include references from one to the other, making it possible to determine the conditions under which they should be articulated. For example, article 13 of the “CADA” law provides that the reuse of public information containing personal data is subject to compliance with the I&L law.

Is everyone effectively acting on their own playing field? Even though the two independent administrative authorities - the CADA and the CNIL - are likely to intervene to protect interests that are as different as they are complementary in a democratic society, their field of application could encroach on the other. However, we have distinguished three hypotheses.

Application of the CADA law alone

The CADA law will apply alone, for example, when a private organization exercises its right of access to administrative documents without any prospect of re-using personal data. In addition, since personal data is not, by itself, protected by privacy, a public servant can thus request access to the list of public officials working in a community. Here, no reuse of information relating to personal data, but free access.

However, it should be pointed out that when documents contain statements such as “whose communication would infringe the protection of privacy” or “revealing the behavior of a person, since the disclosure of this behavior could be prejudicial to him”, the administration will only be able to legally bring it to the attention of the applicant after hiding or disconnecting these mentions.

Application of the only Data Protection Act

In our second hypothesis, when an administrative authority (or a private law body responsible for a public service mission) requests the transmission of information to another authority, as part of the exercise of its public service mission, under article 10 of the “CADA” law, this transmission “does not constitute reuse within the meaning of this chapter”. Not involving the reuse of information, which is the main principle of the CADA law, this type of exchange falls under the jurisdiction of the I&L law.

As such, the main I&L principles must be implemented and respected by both organizations, such as the prior information of the persons concerned (article 32), the declaration of the treatment or modification of the treatment in progress (article 22) or the respect of the rights of individuals (articles 38, 39 and 40).

Thus, each of these laws seems to have its own scope of application, and the context of each situation determines which of the two will apply in this case.

Combined application of the CADA law and the Data Protection Act

So how can free access to public data be reconciled with the protection of personal data? In the context of Open Data, a solution seems to respond to the clashes that the two laws encounter when they come face to face: the anonymization of data, which allows public information to be published online without personal data. Thus, in the absence of anonymization of the information, the publication of the document will also be subject to the “I&L” law.

Indeed, anonymizing data makes it impossible to identify the person by any means whatsoever and in an irreversible manner. The GDPR does not apply to this data. Local authorities thus wishing to disseminate administrative documents by publishing them online, for example, have the obligation to anonymize these documents beforehand (article L.312-1-2 of the CRPA).

The CNIL ensures that complementarity exists and to make life easier for local authorities, it has just published a list of the types of processing operations for which a data protection impact assessment is not required.