Data protection: Public bodies sharing personal data must obtain data subjects’ prior consent

Raj Shah, Sharpe Pritchard

Raj Shah, solicitor in the procurement team, explains how a recent ruling by the Court of Justice of the European Union serves as a timely reminder, at a time when data sharing arrangements are on the increase, that public administrative bodies may not transfer personal data to other such bodies and process it without first informing the persons concerned, the data subjects.

Key data protection principles

Under Article 6 of the EU Data Protection Directive (95/46/EC), personal data must be processed fairly and lawfully in a manner that is not excessive in relation to the purposes for which that data is kept or further processed. Under Article 10, data controllers must additionally provide fair processing information to data subjects, including information on the data controller’s identity, the purposes of processing the data and the recipients of the data. Data controllers who have not obtained personal data directly from data subjects are required to do the same under Article 11.

The EU Data Protection Directive provides for certain exemptions to these provisions: Article 13, for instance, allows for the scope of these provisions to be restricted through ‘legislative measures’ if this is necessary to safeguard “an important economic or financial interest […], including monetary, budgetary and taxation matters”.

What happened

The Romanian national tax authority transferred the income data of several self-employed citizens to the Romanian national health insurance fund, which required the payment of contributions to the national health insurance regime in arrears. The citizens concerned contested the lawfulness of this transfer before the Romanian Court of Appeal on the basis that their data had been used, without their prior explicit consent and without their having first been informed, for purposes other than those for which it had initially obtained by the tax authority.

Romanian law allows public bodies to transfer personal data, including name and address, but not data relating to income received, to the national health insurance fund so that the fund can determine whether the relevant data subject qualifies as an insured person.

The Romanian Court of Appeal therefore asked the Court of Justice of the European Union whether EU law precludes a public administrative body from transferring personal data to another such body for the purpose of that data’s subsequent processing without informing the data subjects.

The Court of Justice of the European Union’s decision

The Court of Justice of the European Union held that the EU Data Protection Directive’s requirement of fair processing of personal data requires a public administrative body to inform the data subjects concerned that their data is to be transferred to another public body and processed.

Further, the Romanian law that allowed the transfer of personal data to the national health insurance fund did not remove the obligation on the data controller to inform the data subjects of the transfer and the subsequent processing, since the law in question did not define or describe the transferable data or the transfer arrangements.

The fact that the national health insurance fund had failed to provide information to the data subjects about the subsequent processing, namely who the data controller is, the purpose of the processing and any further information necessary to ensure the data’s fair processing such as the existence of the right to access or rectify the data, was held to be a further contravention of the EU Data Protection Directive.

What does this mean for public bodies?

Public administrative bodies can take the following points away from this case:

  • at a time when data sharing between public bodies is on the increase, public bodies intending to transfer personal data between them for subsequent processing must remember to inform the data subjects in advance – unless a legitimate exemption applies;
  • public bodies should not assume that the exemptions contained in the EU Data Protection Directive for the purposes of safeguarding state functions and interests, gives them the carte blanche to share personal data freely;
  • where any data sharing takes place, it is always advisable, wherever possible, to provide fair processing information to data subjects concerned instead of relying on derogations or legislative measures; and
  • even where legislation allowing for data sharing is relied on, it is important not to go beyond the scope of that legislation. For example, by sharing data falling outside the data categories permitted by that legislation. This will help to ensure that the data to be processed is relevant, adequate and not excessive in relation to the purposes for which it is collected.

For further information, contact Raj Shah, solicitor in the procurement team, on 020 7405 4600 or at rshah@sharpepritchard.co.uk.

This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published.