Despite the lack of official guidance on the topic of processing publicly available personal data, some General Data Protection Regulation (GDPR) provisions apply to the processing of such data. In general, the GDPR sees publicly available data as ‘data that have not been obtained from the data subject’. Furthermore, Article 86 and Recital 154 GDPR recognise the right for the public to have access to documents held by public authorities and bodies, serving a wider public interest. According to the IAPP, a balancing test is required to determine whether the processing of publicly available data benefits the public interest or whether it constitutes a violation of the right to the protection of personal data.
More specifically, ‘the more sensitive the data (…) merged and linked together to create detailed profiles, and the bigger the audience to which the data will be subsequently disclosed, (…) the less likely it is that the balancing test will be in favour of the controller.’
When collecting and processing publicly available data, data controllers need, among other things, to ensure they have a suitable legal basis for processing such data. Given that the data will be collected from publicly available sources rather than from the data subject, consent may not always be the most suitable basis for processing. Instead, controllers may need to rely on another lawful basis, such as an obligation under other existing legislation or a wider public benefit that would justify such processing.
This article first explores the implications of a data controller carrying out processing activities without a lawful basis. For instance, collecting data from the web through automated means (‘web scraping’) and processing it for one’s own purposes and benefit without relying on a lawful basis can lead to administrative fines under the GDPR. The use case below describes one such incident. In addition to the lawful basis requirement, the article touches upon other data protection principles as well as practical means to minimise any data protection risks arising from the processing of publicly available personal data.
The Italian DPA sets a precedent on the processing of publicly available data
In its monthly newsletter, the Garante Privacy, the Italian Data Protection Authority (DPA), announced that it had imposed an administrative fine of 60,000 euros and a corrective order on the owner of the website ‘www.trovanumeri.com’. The website serves as an online telephone directory where users can find the details of another person by looking up their name. Trovanumeri had collected the personal data by means of web scraping, the process of gathering data by automated means from publicly available internet sites. This data was used to build an online telephone directory in which the names, addresses and telephone numbers of members of the public were made available to a wide audience. Issues arose because the data subjects had no prior knowledge of the use of their personal data and had not consented to its collection and use for further purposes, i.e., the development of the telephone directory.
The Garante carried out an investigation based on complaints received since 2012, including reports from affected individuals. It found that the website owner had violated the General Data Protection Regulation (GDPR) in the ways described below:
- Not having a legal basis to collect and process personal data;
- Publishing personally identifiable information without obtaining prior authorisation from the data subjects;
- Not providing adequate information to data subjects, e.g., contact details of the Data Controller;
- Not providing available methods to data subjects to request the deletion of their personal data through the website;
The Italian DPA’s findings
The Garante found that ‘www.trovanumeri.com’ had breached, inter alia, the principles of data processing, the requirement of having a lawful basis for processing, the rights of the data subjects as well as the obligations of Data Controllers under the GDPR. Most notably, the Italian DPA investigation findings noted that:
- The data subjects had never given the website owner consent for their data to be published online in the form of a telephone directory [Articles 5 (1, a) and 6 GDPR]
- There was no established verification process to ensure that the personal data of a given person actually corresponded to the phone number registered on the website. After the Garante added fictitious data to the website and confirmed that no process existed to verify the identity of the individual, the website owner was also found in violation of the ‘accuracy principle’ [Article 5 (1, d) GDPR]
- The data subjects were receiving unwanted communications from unknown third parties after their personal details had been made publicly available online without their consent [Articles 5 (2) and 6 GDPR]
- Data subjects attempting to request deletion by filling in the deletion form available on the website could not do so, as ‘the procedure seemed to be inactive or stopped before succeeding’ [Articles 12, 17 GDPR]
The Garante proceeded to prohibit the website owner from ‘collecting, storing, and publishing personal data for the creation and online dissemination of a telephone directory’. The online dissemination of the telephone directory was found to be a severe violation of Article 6 of the GDPR. Some of the reports submitted to the Garante came from individuals for whom, given the nature of their work, the publication of their names, personal phone numbers and addresses created a serious risk to their own and their families’ safety. The Garante further found that free and informed consent could not be expressed, as the consent flag was pre-selected and could not be changed. Although the form to request data deletion was available, the consent boxes for reverse data search likewise could not be unchecked.
Can organisations, companies and other entities collect and further process publicly available data?
The law does not prohibit the further processing of publicly available data for purposes other than those for which it was originally collected. However, it is important to ensure that such further processing complies with the GDPR. More specifically, a data controller that further processes data from publicly available online sources needs to:
- Always rely on an appropriate lawful basis for the further processing of such data (Article 6 GDPR)
- Demonstrate that the data subject has consented to the further processing of their personal data, where the processing is based on consent [Article 6 (1, a) GDPR]. Should a data subject withdraw their consent, the data controller is obliged to inform any third-party providers of that request.
- Ensure that any data collected and processed is accurate and updated as the processing continues [Article 5 (1, d) GDPR]
- Demonstrate their compliance with the relevant data protection framework as part of their accountability obligations under the GDPR [Article 5 (2) GDPR]
- Provide adequate information to the data subjects whose data is being processed, including the identity and contact details of the controller [Articles 13 (1, a) and 14 (1, a) GDPR; Article 14 is the provision that applies where the data were not obtained from the data subject]
- Be cognisant of GDPR requirements such as the obligation to inform data subjects of the source of the data and whether this originated from publicly available sources [Article 14 (2, f) GDPR]
- Ensure that the data subjects whose data is being processed have the necessary means to exercise their rights under the data protection framework [Articles 12, 17 GDPR]
- Build data protection by design and by default (Article 25 GDPR).
How can you be proactive and ensure that your business or service is complying with the data protection framework?
Trilateral’s Data Protection and Cyber-Risk Team has significant experience in advising organisations and other entities on advanced data management and compliance, as well as in supporting experts working within research, business or regulatory bodies to advance knowledge and practice on responsible data practices. For more information, please feel free to contact our advisers, who would be more than happy to help.