The friction between transparency and personal data protection in Peru

by Digital Rights LAC on July 14, 2015

583204694_b8b82dcb1b_b

In recent months, it has been discussed in Peru how the personal data protection norms must be interpreted within the framework of transparency obligations. In cases decided by two different bodies, the limits of what can and cannot do with public databases have been discussed. The answer to these questions can impact significantly on new journalism practices and the degree of access to public information.

*By Miguel Morachimo

Datos Perú and legal norms

In October 2014, the Personal Data Protection Authority (PDPA) resolved two claims against the Datos Perú website’s administrators. The site, which operated for several years in Peru, among others, paid the access and search service for legal devices within the State Gazettes. In other words, the entire Legal Standards Bulletin published in the Official Journal, including legal and administrative acts of compulsory disclosure as appointments and sanctions, were copied and pasted. Two of these norms reproduced by Datos Perú correspond to disciplinary sanctions against the claimants. That was the origin of the claim.

In its decision, the PDPA determined that the site had failed to comply with the data protection law in failing to request the consent of such persons to include their name in a legal database and, thereafter, in ignoring their requests for cancellation. Although the same information, including the names of the claimants, was accessible from the Official Gazette website, as well as from the Ministry of Justice website, the PDPA considered that this did not authorize any third party to reproduce information containing personal data. That is, the PDPA determined that prior publication of a public document did not authorize its consecutive reproduction to the extent it contains personal data.

Equifax and the public taxpayer register

In March 2015, another case brought us back to the same question. This time the Constitutional Court (CC) ruled a habeas data claim filed by a citizen against Equifax, operator of a private credit risk bureau in Peru, for including information he did not provide, comprising also his address. In its defense, Equifax said that it has obtained the plaintiff’s domicile had obtained through a routine search in the public taxpayer register available to the general public on the Peruvian tax authority website.

For the CC, Equifax was not authorized to use or incorporate into its database the information contained in the taxpayer register. By establishing the rule that the credit bureaus cannot collect information from public databases, it established the criterion that only those who are expressly authorized can do so. That is, in a similar tone to the PDPA’s decision, the court stated that prior publicity of personal information in a public database does not authorize others to use such data without permission of the owners.

A response but not a solution

The rule underlying both decisions is clear: third parties cannot reproduce the documents or state databases accessible to the public as containing personal data. The exception being that these third parties have a special authorization from the owner the data or are under an assumption of emergency (e.g., public interest). This is the reasoning given by the head of the PDPA in several occasions, including a recent interview. However, although this approach can be sustained under an interpretation of the personal data and transparency norms, it leaves a bitter taste for many reasons.

There is a serious conflict between what we seek to protect and the reality. It is idealistic protecting privacy only when private persons infringe it. Through their decisions, the CC and PDPA acknowledge that reproducing certain personal data may affect the privacy of citizens. However, instead of preventing the affectation in origin, they limited themselves to punish third parties replicating what the State did in the first place.

In both cases, it is about sanctions to private persons that tried to reproduce data published firstly by the State and, so far, available through state services. I fully understand that legally there is no consent for further processing by third parties. However, what are we really protecting by applying this criterion? Clearly, it is not the confidentiality of such personal data.

The second mismatch occurs when this rule is analyzed from the new ways to access public information. It is not whimsical that the taxpayer register is publicly available or that even includes taxpayers’ address and their tax capability. Nor it is random that resolutions of appointments, disciplinary sanctions or affidavits by civil servants appear in the Official Gazette and are archived in all libraries and archives in the country. This information is distributed as public information because it is part of the national memory, a guarantee for business transactions and unalterable record of the country’s life.

Before, only a person with physical access to those documents could access, read or recall them. Today, the technology allows for the consultation of databases with millions of such documents. That is, the reuse of public information made available by the State allows ordinary citizens the full exercise of their right of access to public information.

According to the reasoning of the mentioned decisions, this possibility would be closed, unless any reference to personal data is previously removed from these databases. In the case of many databases, this does not only imply a titanic job, but the subtraction of the content itself. If the information is published with the intention that all can access it, why this right can only be exercised in the terms and on the platforms enabled by the State?

Finally, this rule only seems to support an anachronistic view of the journalistic task. According to it, it is fine for an investigative journalist accessing numerous databases individually but can only publish those data of public interest as part of his/her story or article. But what about the data journalism projects in which entire databases are also published through visualizations or tables? In Peru, for several months, it is available a website that allows to consult visitor records from various public offices, taking data directly from the records published by the institutions themselves. Under the proposed solution, this activity, which in itself is a form of investigative journalism, would be illegal for not having the consent of the persons whose names are being shown.

What is clear is that the solution proposed in these decisions need to be reconciled with reality. We need to establish clear rules that protect personal data and are applicable to the State and private persons. These rules cannot ignore how nowadays we interact with technology and how we use it to exercise both civil and economic rights. Acknowledging the existence of this problem is the first step to begin solving it.

*Miguel Morachimo is an attorney and Director of the NGO Hiperderecho. E-mail: miguel@hiperderecho.org

Image: (CC ND-NC) Felipe Morin