1. Abuse of Identification by Institutions vs Minimization of Data by Design and by Default

1. Abuse of Identification by Institutions vs Minimization of Data by Design and by Default

← Back to the top of the Report


 

1 – ABUSE OF IDENTIFICATION BY INSTITUTIONS vs MINIMIZATION OF DATA BY DESIGN AND BY DEFAULT
 

CONTENTS

ABUSE OF IDENTIFICATION BY INSTITUTIONS vs MINIMIZATION OF DATA BY DESIGN AND BY DEFAULT

    – Conflicts with the European Data Protection Regulation
    – Unnecessary identification of those making public information requests
    – Unnecessary identification in the use of private services


RECOMMENDATIONS


BEST PRACTICE RECOMMENDATIONS FOR INSTITUTIONS AND SYSTEMIC CORPORATIONS

 

APPENDIX (in Spanish)

AMENDMENTS TO THE SPANISH LAW


AN ANALYSIS OF THE SPANISH LEGISLATIVE DEVELOPMENT

    – Notes on the identification requirement
    – Notes on personal data protection regulations
    – The principle of data minimization: not a new concept in the Spanish legal system


ANALYSIS OF THE NATIONAL AND INTERNATIONAL JURISPRUDENCE AND RELEVANT RESOLUTIONS

    – International case law and resolutions
    – National case law and resolutions


LIST OF SPANISH LEGISLATION AND RELEVANT ARTICLES

 

ABUSE OF IDENTIFICATION BY INSTITUTIONS vs MINIMIZATION OF DATA BY DESIGN AND BY DEFAULT

In general, a good data protection system is characterised by the fact that the organisations responsible for processing our personal information are very conscious of their regulatory obligations and citizens are very conscious of our rights and the means to exercise them. The highest expression of this axiom is a stage in which the intervention of the supervisory authorities is not necessary. However, the present reality is far from a perfect system capable of self-regulation. (…) It is not for nothing that the European data protection model focuses on strengthening the rights of citizens, as well as the obligations of organisations in the framework of so-called proactive responsibility. The change of paradigm that took place with the approval of the General Data Protection Regulation (hereinafter, GDPR), deepens the empowerment of people over their own information, based on the transparency of the organisations on the use made of it. The aim is to eradicate asymmetry, the imbalance of power generated by opacity, the “power to see without being seen” that Foucault spoke about half a century ago”.(1)

The right of individuals to access public information is recognised by law. In addition, almost all Member States of the European Union already had some regulation on transparency and the right of access to public information when Law 19/2013 of 9 December on Transparency, Access to Public Information and Good Governance was passed in Spain, further developing Article 105.b) of the Spanish Constitution. To this must be added the obligation of public servants responsible for a task to identify themselves when providing a service (article 53 Law 39/2015).

The transparency of institutions and corporations is fundamental for democracy, the right to provide and receive truthful information, the oversight of public powers, the protection of the general interest, the preservation of accountability and integrity in the public sector, preventing corruption, or simply guarantee sufficient efficiency of the institutions in their relations with the public and users.

Even so, not all information that should be published by Administrations and systemic corporations is, and it is not always published correctly. In addition, access to information that should be public and is not published is discouraged due to the requirements involved in obtaining it. This leaves institutions considerably opaque, while the public are required to overly expose themselves if they wish to exercise their right of access to information. We are not merely referring to information of a certain complexity, but also to trivial, everyday information such as information on services, tariffs or similar.
In Spain, we find practices established years ago according to which disproportionate data is collected from the public for no apparent reason, and this has increased since 2015 when the new Law of Administrative Procedures was passed (and even with the Law on Transparency) with the obligation of identification of every user, systematic and by default.
The application of the new European Data Protection Regulation, and the adaptation of national law to incorporate it, should have enabled the legislator to reverse the situation on this data collection. However, we cannot find in the new (2018) Data Protection Act any substantial improvement related to this aspect, and although in some corporations and administrations the amount of data collected from consumers and users has been reduced, this is not a common practice.

It is in this context that Xnet has historically criticised the demagogy underlying the legislation aimed at meeting civil society’s fair demands for the registration of interest groups. At the moment, these disorganised registries have placed more obligations on the public than on those who it should really affect, installing an asymmetry of power and discouraging the active participation of people in public administration.(2)

 

Conflicts with the European Data Protection Regulation (GDPR)

In the course of the postgraduate directed by Simona Levi and Cristina Ribas on Technopolitics and Rights in the Digital Era, some of the participants made information requests to various public administrations and corporations, and where they required identification to carry out these procedures, they asked about the reason for each requirement (by getting some of them removed). The Administration requires identification for any action or procedure before said Administration (including requests made via the Transparency Law, in addition to other simple communications as complaints and suggestions). It is established by Law 39/2015, of 1 October, on the Common Administrative Procedure of the Public Administrations (LPAC)(3), or in other cases, as we will see, the Transparency Law.

Public Administrations have the obligation to request a large amount of data; this derives from the anachronistic fact that any relationship between citizens and public institutions is considered an “administrative procedure”, even to get information that, by law, by policy or simply by logic, must be public. As we will see in the next section, we believe the law imposing these cumbersome procedures conflicts with higher European law.

In fact, one of the historical demands made by civil society that gave rise to the General Data Protection Regulations to which the Spanish Organic Law on Data Protection is subordinated is that of not requiring more data of citizens than is strictly necessary so that their privacy is not exposed by an excessive circulation of their personal data. This is the principle of “data minimization”, and it arises, in particular, from the demands of German civil society that suffered at the hands of the Stasi, the largest operation of surveillance and personal data collection ever known in the pre-digital era.

In the case of procedures involving large systemic companies which also ask for more data than is necessary, and to which the minimization principle should apply directly, this does not happen in most cases.(4) This is compounded by the fact that when consumers detect irregularities in the processing of their data, they must complain to the Spanish Data Protection Agency (AEPD) to give notice of the breach, yet the results can be slow and do not involve a general change in the situation. We believe that the AEPD, which has supervisory powers over Spanish companies, could take action in a proactive and previous manner, as it has started to do.

Administrative laws not only require the identification of the public, but they also impose conditions on such identification. In addition, in the digital environment, it is common for identification to be required by means of electronic certificates or other means established by the Administrations(5). In the case of the use of digital certificates, each Administration chooses the information it collects from them(6), without generally informing the individual of the data actually collected or the reason for which they will be used subsequently (apart from for identification of the individual).

The requirements for verifying the identity of the individual for any procedure they wish to carry out before public administrations conflicts directly with the GDPR, which establishes that only adequate, relevant and non-excessive data should be collected in accordance with the purposes for which it is collected, and before collecting this data, it must be established which data will be collected by default and why.
Administrative laws adopted in 2013 and 2015 require by default that administrations collect more data than is necessary to decide whether or not to allow applicants access to public information.

In principle, identification data is not necessary to resolve and respond to requests for access to public information. We therefore believe that these rules should be amended to allow requests and other formalities to be carried out without the need to identify individuals, which would enable the public to oversee their institutions without fear of reprisals and at the same time reduce the bureaucracy currently involved in accessing information. Institutions should only identify cases for follow-up, traceability and to demonstrate that they are responding to requests by means of reference codes for the user, or other similar systems.

 

Unnecessary identification of those making public information requests

In the comparisons of the transparency laws of different countries published on the page of the Council for Transparency and Good Governance(7,8), we can observe that in most countries, requests for public information can be made without being identified or by using a word that does not necessarily have to coincide with the real name of the person, and Spain is one of the few countries in which it is compulsory to verify that the identity of the person making the request coincides with their real identity by checking their ID card, equivalent document or digital certificate. Additionally, the use of certificates or electronic signatures is not required in most of the States analysed, where it is sufficient to have an email address to make the request under the following conditions:

Bearing in mind that international standards allow States to recognise the right to privacy of those who request public information, except when identification is essential for processing the request for information, Xnet believes that requiring the identification of applicants is excessive when requesting access to public information, and may discourage requests for information for fear of possible reprisals. In addition, we must be aware that some of the requests for information that are made refer to information that should have been published by the Administration. It is therefore illogical to require the applicants to identify themselves when they should be able to access such information freely and are unable to do so because of the Administration’s failure to publish such information.

Identification is not necessary to access public information, since in order to decide on requests, administrations must do so in a way that is objective, that is, taking into consideration only the information requested and the limits of access established by law, for example, in the Transparency Law, such as the protection of personal data of the people who may appear in the information and the protection of general interests such as public safety, environmental protection, economic and commercial interests, and so on.

Finally, it has been admitted even by the Council for Transparency and Good Governance that electronic identification systems (Cl@ve and other electronic certificates) can be perceived as an obstacle to the exercise of the right of access to public information(9) insofar as they can be difficult for the public to use because they are complex systems in any of their forms, in addition to discriminating against both legal persons (companies, associations, etc.) who do not have ID cards and cannot obtain electronic certificates and also discriminates against foreign persons who do not have ID cards or electronic certificates, and even European people because the system designed for them does not work for many countries. Thus, the Council for Transparency and Good Governance admits that identification systems are an obstacle, without assessing whether identification can also be perceived as an obstacle to the exercise of the right of access to public information.
&nbwp;

Unnecessary identification in the use of private services

We have the right to use services without disclosing any additional data.
If a company or organisation wishes to process personal data that is not strictly necessary for the provision of a particular service (for example, a transport application that wishes to access your phone’s contact list), it must obtain explicit consent to process such data and should not be conceived as “blackmail”, that is, without data there is no service. There are exceptions in the Law (art. 6.3. “The execution of the contract may not be made subject to the consent of the person concerned to the processing of personal data for purposes unrelated to the maintenance, development or control of the contractual relationship”), but people do not know this. The fact that a company believes that certain data are useful for the provision of its service does not always mean that they are necessary. This also makes it possible, for example, to make advances in avoiding the harassment and abuse of the presumption of innocence practised by many multinational providers of services such as telephony, electricity and gas when they pursue clients or alleged debtors, even though it has not yet been proven that they owe money.

 

RECOMMENDATIONS

As a result of the analysis carried out, in order to ensure and protect the right of individuals to access information in line with international human rights laws, XNet recommends:

    Modifying the administrative laws, in particular, Law 39/2015, of 1 October, on Public Administrations’ Common Administrative Procedure (LPAC), Law 19/2013, of 9 December, on Transparency, Public Information and Good Governance and Organic Law 3/2018, of 5 December, on Data Protection and the Guarantee of Digital Rights, in addition to internal protocols of institutions and companies to protect the identity of the public where identification is not necessary to access the services provided by the Administration or systemic corporations.

    In 2017, the Ministry of the Presidency indicated its willingness to simplify the system for identifying people who make information requests(10). There are also experts who have proposed an amendment to the Law to revise the criteria for identifying those requesting access to public information so as not to dissuade them from exercising this right(11).

    In this regard, Xnet considers necessary to modify the administrative laws and the Law on Transparency, to use the faculties that the international standards give to the State so that identification of the public is only required when it is deemed essential in justified cases. Along the same lines, similar provisions should be laid down so as not to require the personal identification of members of the organised, not-for-profit civil society who meet with institutions to put forward their demands and recommendations for legislation and public policies. Transparency, understood correctly, should put pressure on the agenda of institutions, making the publication of all meetings held with professional lobbyists and civil society a real obligation, without the need to expose the personal data of the latter.

    Ensure that the data collected is minimised by default

    Review the laws and regulations frequently used, both by public and private operators, that require the collection of personal data from individuals to ensure that domestic law does not conflict with European law and that these do not require by default more data than necessary, hiding behind the law that they must apply, collecting only the data strictly necessary for the service or purpose to be fulfilled. In case of detecting that a rule requires more data than would be necessary, promote regulations and laws for their amendment and adaptation to the new regulation of personal data protection.

    Demanding that information of public interest be made available to the public without having to request it.

    As many civil society organisations, we ask for greater emphasis and sanctions on the effective and proper publication of information that should be public. On the other hand, there is no impediment for public administrations and other institutions and organisations, obliged or not by law, to voluntarily publish more information than is required when this information is in the public interest. If institutions make this information public, the general population will be able to access it with no need for identification, thus guaranteeing free, universal access. Sanctions should be in place for breaches of disclosure obligations within public administrations, institutions, political parties and systemic corporations. In this regard, we recall another historical demand to expand the subjects and objects of application of the Law on Transparency.

    The authorities have expressed to us their concern about the commercial use of the information they provide in the resolution to the consultations they received. We believe that this problem can be addressed by publishing the consultations of public utility. Charging for publicly available institutional information is clearly a wrongdoing.

    Inspecting the measures taken by institutions and companies to protect the personal data of individuals

    The Spanish Data Protection Agency can proactively extend the investigations it carries out to other institutions and business in the same sector of activity. Concerning large corporations, it is necessary that sanctions be proportionate and consistent as it has been demonstrated that fines are often lower than corporations earn by collecting more data than necessary(12). The obligation of those who process personal data to comply with the decisions of the data protection authorities when they are in situations similar to those already object of its decisions.

    Strengthening the right of the public to know how and why their data is used

    The public needs to be correctly informed about the communications of their data to be carried out and the purpose, also in voluntary procedures, in order to ensure that they are well informed and fully exercise their right to information self-determination, recognised for the first time in Europe by the Judgement of 15 December 1983 of the German Constitutional Court, and in Spain by the Constitutional Court (STC 254/1993) that called it “computational freedom”.

    Providing a more succinct definition of overly ambiguous concepts, especially that of “legitimate interests”.

     

    BEST PRACTICE RECOMMENDATIONS FOR INSTITUTIONS AND SYSTEMIC COMPANIES

    PRIOR TO THE AMENDMENTS TO THE LAW TO CREATE A MORE FAVOURABLE FRAMEWORK FOR THE RESPECT OF FUNDAMENTAL FREEDOMS

      • Publish proactively the institutional information on planning and legal, economic, budgetary, statistical or any other kind of information, including that information which is not expressly required by law, in order to reduce the number of requests for access, through a broader interpretation of the obligation of active publicity provided for by the Law on Transparency. Assess the application of limits to the right of access in an objective way, setting aside by default the identification of the person making the request.

      • In cases of information or queries realized often to the institution, publish the information and answers in an easily accessible place, for example, a FAQ page in order that it is not necessary to contact the institution. The authorities have expressed to us their concern about the commercial use of the information they provide in the resolution to the consultations they received. We believe that this problem can be addressed by publishing the consultations of public utility. Charging for publicly available institutional information is clearly a wrongdoing.

      • Review the existing policies of administrations, institutions and corporations as regards the collection of personal data so that they do not collect more data than is strictly legal and necessary for the various procedures that the public can carry out.

      • Initiate a greater number of inspection procedures in institutions and large companies to detect information that should be public but has not been actively published as well as data protection infringements, in addition to applying resolutions to analogous actors with greater agility.

      • Adopt standards, protocols and internal procedures that do not require the identification of information seekers based on international standards, in order to facilitate the exercise of the right of access by the public. Examples that may be taken into account for this purpose are the Protocol of the General Council of the Judiciary(13) or the Transparency Ordinance of Madrid City Council(14) or the Ethical Mailbox of the Barcelona City Council, all of which are discussed in the analysis of the legislative development in this report.
      Along the same lines, similar provisions should be laid down so as not to require the personal identification of members of the organised, not-for-profit civil society putting forward their demands and recommendations for legislation and public policies and make the publication of all meetings of public officials held with professional lobbyists and civil society members an obligation, without the need to expose the personal data of the latter.

      • Discourage non-compliance.

      • Encourage these practices in the private sector.

     
    _________________________________________________________________

    (1)
    Translated from: Isidro Gómez-Juarez. Firma invitada “Apología de la privacidad en la era del Gran Hermano”. El País – Retina. https://retina.elpais.com/retina/2019/09/18/tendencias/1568807812_129427.amp.html?__twitter_impression=true
    (2)
    See: About Interest Groups, by Xnet: https://xnet-x.net/sobre-grupos-de-interes/
    (3)
    In particular, Article 11 thereof.
    (4)
    https://www.elperiodico.com/es/economia/20190927/solo-una-de-cada-cinco-empresas-espanolas-cumple-la-ley-de-proteccion-de-datos-7654202
    (5)
    In particular, this obligation is laid down in Article 9 of Law 39/2015, of 1 October 2015, on Common Administrative Procedures of the Public Administrations (LPAC).
    (6)
    According to a telephone query made with the Fábrica Nacional de la Moneda y Timbre (National Mint and Stamp Factory).
    (7)
    Comparative study on international standards and the right of access to public information by the Council for Transparency and Good Governance in collaboration with the National Institute of Public Administration (https://www.consejodetransparencia.es/ct_Home/dam/jcr:38363e0e-62b9-40db-b726-419e2bf3dbe2/Estudio%20comparado%20sobre%20normativa%20internacional.epub)
    (8)
    Report on the identification requirements for people requesting access to public information by Emilio Guichot Reina, commissioned by the Council for Transparency and Good Governance (https://www.consejodetransparencia.es/dam/jcr:977fc69c-b6a9-4df6-90d8-25d5b75993a9/Informe_requisitos_identificacion.pdf).
    (9) Annual Report by the Council for Transparency and Good Governance Council 2015, pages 103-104: https://www.consejodetransparencia.es/dam/jcr:b4186ab2-141b-464f-99ac-156c2587ffeb/memoria_completa.pdf
    (10)
    III Spanish Action Plan 2017-2019 of the Alliance for Open Government, 27 June 2017, pp. 23, 29 and 59. (https://transparencia.gob.es/transparencia/dam/jcr:74d66aee-760c-4962-983e-0b250fb583b8/2017_Junio_Spain_III_Plan_GA_OGP_vf.pdf)
    (11)
    Joaquín Meseguer Yebra, in his article “el acceso a la información pública y los requerimientos de identificación” [Access to public information and identification requirements] published in the Spanish Transparency Journal No. 3, 2016, believes that now is “the moment to decisively promote the necessary modifications so that it is feasible to identify the applicant in the least restrictive terms in order for them to exercise the right of access”.
    (https://drive.google.com/file/d/0BzZV66dM4HCTeVhGOVBfM1preUU/view)
    (12)
    https://www.genbeta.com/redes-sociales-y-comunidades/multa-5-000-millones-dolares-a-facebook-ha-hecho-rico-a-mark-zuckerberg-a-sus-accionistas
    (13)
    www.poderjudicial.es/stfls/CGPJ/TRANSPARENCIA/FICHEROS/20141215%20Ac%20CP%2018%20nov%202014%20Protocolo%20acceso%20transparecia.pdf
    (14)
    https://sede.madrid.es/FrameWork/generacionPDF/ANM2016_108.pdf?idNormativa=3eabe8e52c796510VgnVCM1000001d4a900aRCRD&nombreFichero=ANM2016_108&cacheKey=61