
2.3.3 Citizen data and company records
operation
Prohibition against third party access and/or disclosure
Ensuring sufficient security/confidentiality Clarification from national regulators, supervisors and lawmakers that the requirement can be met if substantive access to the contents of financial data is made impossible. Offsite storage should not necessarily be considered as constituting third party access and disclosure.
supervisory authorities.
The overview above illustrates that part of the solution – alignment on substantive requirements – is comparable to the state of play for health data. However, financial data faces an additional challenge through the requirements imposed by national regulators and supervisors, who require the ability to access and audit data processing facilities.
2.3.3 Citizen data and company records
Overview and subtypes of data
Correspondents were also invited to identify barriers to the free flow of data for two other types of information which are examined together in this section of the report:
Citizen data: basic identity registers, particularly any official records in relation to a country’s citizens or residents (such as their names, addresses, date of birth) or to legal entities;
Company data: company records, such as balance sheets, income statements or annual accounts submitted by companies.
These two categories of data are examined together here, as they both relate to fundamental information about natural or legal persons which is considered authoritative and therefore has high requirements in relation to trustworthiness and security. A second similarity is that these records tend to be managed as a part of a specific statutory or legislative mandate provided by the public sector.
The following overview can be provided for the reported barriers:
Figure 8 – Types of barrier observed (Citizen data and company records)
Country: Belgium
Source: Wet van 8 augustus 1983 tot regeling van een Rijksregister van de natuurlijke personen / Loi de 8 août 1983 organisant un registre national des personnes physiques (Law of 8 August 1983 regulating a National Register of natural persons), Articles 4 ter, 5, 8 § 1 and § 2 and Article 14.
Restriction imposed on providers / users / data: Any party that wants to access or use information from the National Register
Direct or indirect: Indirect
Summary of obligation / restriction: The law identifies the Minister of Foreign Affairs as the competent authority to maintain the Register (Article 4), and notes that an authorisation is required to access any part of the Register which is granted by law or by a specific committee of the data protection authority (Article 5). The same applies to the National Register Number, which is the identification number assigned to each lawful and permanent Belgian resident: it may not be used without prior authorisation, granted by law or by the aforementioned committee.

Country: Denmark
Source: Bekendtgørelse af lov om Det Centrale Personregister (Civil Register Act), Chapter 14 §55.
Restriction imposed on providers / users / data: Ministry of Economic Affairs and the Ministry of the Interior
Direct or indirect: Indirect
Summary of obligation / restriction: The law identifies the Ministry of Economic Affairs and the Ministry of the Interior as the competent authorities to maintain the Register, in coordination with the municipalities (§ 2). They are charged with ensuring that the necessary measures are taken to permit the disposal or destruction of CPR in case of specific conditions (§55).

Country: Luxembourg
Source: 19 décembre 2002. – Loi concernant le registre de commerce et des sociétés ainsi que la comptabilité et les comptes annuels des entreprises et modifiant certaines autres dispositions légales (19 December 2002. - Law concerning the register of businesses and companies, and concerning accounting and annual accounts of companies, modifying certain other legal provisions), Article 2. 23 janvier 2003. – Règlement grand-ducal portant exécution de la loi du 19 décembre 2002 concernant le registre de commerce et des sociétés ainsi que la comptabilité et les comptes annuels des entreprises (23 January 2003. – Grand Ducal Regulation relating to the execution of the law of 19 December 2002 concerning the register of businesses and companies, and concerning accounting and annual accounts of companies), Articles 1er, 2, 2 bis, 10, 13, 14, 15, 23.
Restriction imposed on providers / users / data: The Ministry of Justice, the CTIE, and the RCSL
Direct or indirect: Indirect
Summary of obligation / restriction: The law identifies the Ministry of Justice as the responsible entity for the business register, but designates a specific grouping (the RCSL, comprised of the Ministry, Chamber of Commerce and Chamber of Artisanal Professions) as the manager of the Business Register, with offices in the communes of Luxembourg and Diekirch. The Regulation in turn ensures that the files of this Register can be kept digitally, and notes in Article 14 that the underlying database must be held by the Centre for ICT of the State (Centre des technologies de l’information de l’Etat – CTIE - http://www.fonctionpublique.public.lu/fr/structure-organisationnelle/ctie/index.html). Any modifications of data must be done by the CTIE, who is also responsible for its storage for a period of 20 years after any business entity has been struck from the Register.

Country: Slovenia
Source: Zakon o centralnem registru prebivalstva (Uradni list RS, št. 72/06), (Central Population Register Act), Articles 12, 19 and 23a. Uredba o vodenju in vzdrževanju centralnega registra prebivalstva ter postopku za pridobivanje in posredovanje podatkov (Uradni list RS, št. 70/2000), (Regulation on electronic operations), Article 5.
Restriction imposed on providers / users / data: The Central Population Register controller – The Ministry of Interior
Direct or indirect: Indirect
Summary of obligation / restriction: The Act on the Central Population Register permits the controller of the Register (The Ministry of Interior) to transfer the data from the Register only to users or other entities authorised by the law (Art. 12 above). There does not seem to be any legal basis which would specifically permit outsourcing of operations related to data from the Register. The Register is a cooperative database where certain data sources may be authorised to directly maintain their data in the database (Article 19 above). In case this involves electronic operations, the data source must seek prior approval of the Minister of Public Administration (Article 5 of the Regulation). This is an indirect barrier to outsourcing.
Thus, three of the barriers related to natural persons (where personal data protection concerns apply), and one to company data (where such concerns are less important). All reported barriers were indirect in nature, i.e. they did not explicitly specify any geographical restriction or requirement. All of these will be discussed in greater detail in the sections below.
Scope of the barrier
Given the nature of the data examined (authoritative data in relation to natural or legal persons), it is not surprising that most of the reported barriers related to the exclusive competence of a particular entity for holding the organisation. Nonetheless, other barriers were reported as well.
Figure 9 – Nature and scope of barrier observed (Citizen data and company records)
Nature of the barrier | Observed in which countries? | Why is this (potentially) a restriction to the free flow of data within the European Union?
Designation of a specific legal entity that manages an official database | BE, SI, LU | Can be interpreted as solely permitting storage / transfer of the data by that specific legal entity
A specific mandate under law or from a specific body is required to access or use the data | BE, SI | Imposes a potentially cumbersome requirement on service providers abroad, who may not be aware of the requirement or who may be unable to meet it.
Prohibition against third party access and/or disclosure | BE | Can be interpreted as prohibiting passive offsite storage (i.e. storage outside the facilities of a manager of the register that requires no further processing by the storage service provider).
Requirement for the data to be destroyed under certain circumstances | BE, DK, LU | If the data is not kept locally, the managing entity may not have certainty that data can be decisively destroyed.
Joint management / updating of the data is foreseen (i.e. there is cooperation with identified entities such as local registrars or communes) to maintain the data | SI | The existence of multilateral connections to maintain the completeness and accuracy of the data can complicate its hosting with a third party.
An interesting element that emerges from this table but which was not present for earlier data types is the distinction between storage of the authoritative data by a specific entity, and the right to use or access this data. Many of the reported barriers related to the simple observation that a specific entity was designated as the steward of authoritative data, which was interpreted by the correspondents as excluding the possibility of outsourcing, and thus also the possibility of data storage outside of national borders. This is however not necessarily the case: if exclusive control can be ensured with the designated steward, outsourcing of data storage should be allowed. However, in other cases it was noted that no third party was allowed to access or use the data without an appropriate authorisation granted under national law or by a specific body. That would indeed seem to be a barrier for cross border data flows, since it would imply that a foreign body would need to receive such an authorisation.
A separate consideration that emerged as a potential barrier was the need for the data to be destroyed under certain circumstances. The obligation is not without consequences, since the outsourcing of data storage to a third party can make it rather more difficult to ensure conclusively that data was effectively destroyed, or indeed that a data owner can count on the service provider to be able to heed the instructions given in this respect.