The Court of Justice of the European Union (CJEU) recently held that personal data cannot be transferred between two public bodies, and subject to further processing, without the data subjects concerned having been informed in advance (Smaranda Bara and Others v Președintele Casei Naționale de Asigurări de Sănătate, Casa Naţională de Asigurări de Sănătate, Agenţia Naţională de Administrare Fiscală (ANAF), Case C‑201/14).
Income data of Ms Bara and other self-employed Romanians was transferred by the Romanian tax authority to the Romanian National Health Insurance Fund, which then required the payment of arrears of contributions to the health insurance regime. The individuals complained that their data was (on the basis of a protocol concluded between the public bodies, rather than a legislative measure) transferred and used for purposes other than that for which it had been collected, without their prior explicit consent, and without their having been given prior notice.
The Romanian Court of Appeal asked the CJEU whether Articles 10, 11 and 13 of the Data Protection Directive (95/46/EC) (the Directive) preclude a public body from transferring personal data to another public body for further processing, on the basis of a measure akin to an administrative measure, without the data subjects being informed of that transfer and further processing.
The Directive provides that, subject to the exemptions permitted under Article 13, all processing of personal data must comply, firstly with the data protection principles set out in Article 6 (including the fair processing requirement), and secondly one of the criteria for making data processing legitimate listed in Article 7.
Article 10 of the Directive requires a data controller to provide certain fair processing information to data subjects when collecting their data, in order to comply with Article 6. This information includes: the identity of the data controller, the purpose of the processing, and any further information, such as the recipients or categories of recipients of the data, to guarantee fair processing of the data. Article 11(1) of the Directive requires data controllers who have not obtained data directly from data subjects to do the same.
Article 13 of the Directive provides for certain exemptions from the requirement to provide fair processing information to data subjects where a Member State adopts legislative measures necessary to safeguard various state interests, including “an important economic or financial interests …including monetary…and taxation matters” . Article 11(2) also provides an exemption for data controllers who indirectly obtain data where the “disclosure of data is expressly laid down by law“. Thus both articles 13 and article 11 require any restriction on the requirement to provide fair processing information to be imposed by legislative measures.
The CJEU held that the Romanian law that provides for the transfer of personal data necessary to determine qualification for health insurance does not include the transfer of income data. The Romanian law does not define the specific details of the transferable information, rather a bilateral protocol agreed between the tax authority and the Health Insurance Fund provided for the sharing of income data. Therefore the Romanian law did not allow the tax authority to dispense with its obligation to provide fair processing information to the data subjects, and the exemptions in Article 13 or Article 11(2) of the Directive were not applicable.
The CJEU concluded that Articles 10, 11 and 13 of Directive 95/46 must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public body of a Member State to transfer personal data to another public body and their subsequent processing, without the data subjects having been informed of that transfer or processing.
The decision serves as a reminder that public bodies cannot freely share personal data. It also highlights the narrow scope of the exemptions to the obligation to provide fair processing information to data subjects (i.e. article 13 of the Directive, as transposed by section 8 of the Irish Data Protection Acts 1988 & 2003). Where a public body shares personal data with another public body, without first informing the data subjects concerned, it should ensure there is an explicit legal basis set out in primary legislation permitting it to do so, and it does not go beyond the limits of that legislation.
In Ireland, data-sharing legislative provisions are included in various Acts, based on the requirements of a particular Government Department. For example, the Department of Social Protection, in conjunction with the Revenue Commissioners, has developed data exchanges to enhance the detection of fraud and control compliance. The legislative basis for the exchange of information is contained in Section 261 of the Social Welfare Consolidation Act 2005.
The Government intend to streamline the data sharing process between public bodies, and are expected to publish a Data Sharing Bill soon to allow specified public bodies to share specified personal information. However the Government’s Legislation Programme for Autumn 2015 indicates that the heads of the Data Sharing Bill have yet to be approved, and the publication date is not yet known. It is hoped that the new legislation, once enacted, will provide a transparent framework for data-sharing by public bodies.