| AKI - 2.1-3/20/347 | |
|---|---|
 | |
| Authority: | AKI (Estonia) |
| Jurisdiction: | Estonia |
| Relevant Law: | Article 15(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 09.03.2020 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 2.1-3/20/347 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Estonian |
| Original Source: | AKI (in ET) |
| Initial Contributor: | n/a |
The Estonian Data Protection Authority (AKI) confirmed that the police are not entitled to deny access to requested documents, if the applicable national law only foresees restrictions for a limited time period that is exceeded and no other legal ground for an access restriction applies.
English Summary
Facts
A journalist submitted a request to receive information from the police. The police refused the request based on national law (§ 40 (1) of the PSA) that foresees restrict access for information intended for the internal use up to five years. In the current case almost 16 years have passed since the creation of the document and the Public Information Act does not provide for the possibility of imposing restrictions for a period exceeding a maximum of 10 years.
Dispute
The AKI assessed, whether information needs to be protected sixteen years after the creation by restrict access, even when the national law only foresees restrictions to the access for a period of maximum ten years.
Holding
The AKI states that in some cases, ten years may be too short a time and a restriction may be needed on the document established for a longer period. This is especially true of documents that have been recognized archival value, but the restrictions cannot be extended without a legal basis. Therefore, the AKI agrees with the Police and Border Guard Board that the grounds for the restriction must be reviewed before the request for information can be complied with.
It remains incomprehensible to the AKI that when the Police understood that even after 10 years, the document contains information that is still needed to be protected why no steps have been taken to legitimize the protection of such information.
Due to the above, the AKI argued that because the Public Information Act does not provide an opportunity to impose on information restrictions for more than 10 years and the Data Protection Inspectorate cannot change this, the Police shall remove access restrictions and provide the claimant with the information he or she wishes if it is not a state secret and there is no other reason to restrict access to information.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
Page 1 PROTECTION OF PRIVACY AND TRANSPARENCY Tatari tn 39/10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee Registry code 70004235 CONTEST DECISION and PRECAUTIONS WARNING in public information case no. 2.1-3 / 20/347 Challenge decision and injunction maker Chief Inspector of the Data Protection Inspectorate Elve Adamson Challenge decision and injunction time and place of making 09.03.2020 in Tallinn Time to file a challenge 1/27/2020 Holder of the information Person in charge of the holder of the information Police and Border Guard Board address: Pärnu mnt 139, 15060 Tallinn e-mail address: ppa@politsi.ee Director - General Challenger (information requester) AS Eesti Ekspress address: Narva mnt 13, 10151 Tallinn e-mail address: Procedure@egrupp.ee Representative of the appellant Taimi Rosenberg RESOLUTION: § 45 (1) 1), § 51 (1) 3) and 7) of the Public Information Act (AVTS), administrative proceedings on the basis of clause 85 2) of the HMS Act and § 75 1 (3) of the Government of the Republic Act 1) I make a decision to challenge the challenge 2) issue a mandatory precept to the holder of information for compliance: The Police and Border Guard Board shall remove the public from the information requested by the appellant access restrictions imposed under the Information Act and issue a challenge to the appellant the information requested by him, unless it is a state secret and there is no other basis for the information restrict access. 3) set 20 March 2020 as the term for compliance with the precept Pursuant to § 52 of the PSA, the holder of information must, within five working days of receiving the precept, take measures to comply with the precept and notify the Data Protection thereof To the Inspectorate. ________________________________________ Page 2 2 (7) CONTEST REFERENCE: To the extent that this decision fully upheld the challenge, the challenger will receive it within 30 days to apply to an administrative court only if the Data Protection Inspectorate violated the proceedings the rights of the opponent in another way. A state agency may contest this administrative act with a challenge to the Data Protection Inspectorate to the Director General or pursuant to the procedure specified in § 101 of the Government of the Republic Act. Contestation of a precept does not suspend the obligation to comply with the precept or the measures necessary for enforcement implementation. WARNING: If the holder of the information fails to comply with the precept of the Data Protection Inspectorate, the Data Protection may The Inspectorate may contact the higher authority of the holder of the information, a person or the entire party of the official to conduct supervision or to initiate disciplinary proceedings against an official. (AvTS § 10 (1) and (4), § 53 (1)). FACTUAL FACTS: 1. On 3 January 2020, the journalist of AS Ekspress Meedia submitted Xxxxxx Xxxxxx to the Police Request for information to the Border Guard Board, in which the Director General requested information of 14 June 2004 Directive 141 2. On 10 January 2020, the Police and Border Guard Board extended the term for responding to a request for information until 24.01.2020, substantiating this with the need to evaluate the document. 3. On 24 January 2020, the Police-Border Guard Board forwarded to the appellant his request document, but contained some of the information covered by the reason that the police considered it necessary some of the information contained in the document is still protected, even though the restriction has expired. 4. The submitter of the challenge did not agree with the above and submitted a partial information to the Data Protection Inspectorate challenge of non-issuance. CLAIMER'S REQUEST AND GROUNDS: 1. Facts 1.1. On 3 January 2020, AS Ekspress Meedia's journalist Xxxxx Xxxxxx was presented by the Police and Request for information to the Border Guard Board (PBGB) for information on the Director-General's letter of 14 June 2004 Directive No. 141 (Annex 1). 1.2. On 10 January 2020, the PBGB announced that it would extend the deadline for responding to the request for information until 24.01.2020, substantiating this with the need to evaluate the document. 1.3. On 24 January, the PBGB submitted a reply only partially complying with the request for information (Annex 1). 2. Content and grounds of the challenge 2.1. We would like to contest the partial non-compliance of the PBGB with AS Ekspress Meedia's request for information. 2.2. The disputed directive was declared for internal use by the Public Information Act (AvTS) on the basis of § 35 (1) 9) until 14.06.2009. 2.3. Pursuant to § 40 (1) of the PSA, information intended for internal use may be provided restrict access for up to five years. The head of the institution may extend this term up to five years. 2.4. Thus, the deadline for restricting access to the requested directive already arrived on 14.06.2014. ________________________________________ Page 3 3 (7) 2.5. In our opinion, the PBGB has no legal basis for partially non-compliance with the request for information. 2.6. The PBGB cites clauses 5 1, 9 and 10 of § 35 (1) of the PSA as grounds for partial refusal. However, the grounds for that restriction on access are not set out in the contested document. Even if the restriction had been included in the document, it would have been possible for internal use the restriction established on the basis of § 40 (1) of the PSA has expired for a long time. 2.7. We draw attention to the fact that § 35 of the PSA provides for the recognition of information as internal but in the present case the time-limit for restricting access has expired and the contested directive has expired is public information. 3. Application 3.1. Based on the above and guided by §§ 46 and 51 of the Public Information Act, AS Ekspress requests Media to issue a precept to the PBGB to the Data Protection Inspectorate and to oblige the PBGB to request information to comply with and issue to Ekspress Meedia AS the directive of the Director General of the PBGB of 14 June 2004 No 141 in its entirety. GROUNDS OF THE INFORMATION HOLDER: We will provide answers to the questions submitted in the inquiry of the Data Protection Inspectorate on 06.02.2020. - On what legal basis did the PBGB refuse the information requester after the restriction of access ended issue the document in full? In our reply to the requester, we explained that the deadline for restricting access to the document was but the PBGB considers that some of the information contained in it still needs protection. Asked The directive was created in 2004, but 16 years later the KAIRI information system is enough in a similar form continues to be a daily tool for criminal police officers. While the information system the maintenance arrangements have been amended several times over time and the 2004 version is no longer valid, the police measures, tactics and technological solutions it contains are partly the same. Therefore, in the opinion of the PBGB, the fulfillment of the request for information is only possible in part. We also added a public of the Information Act (hereinafter AVTS), the bases on which we used the restriction of information: • according to § 35 of the PIA one point five one is covered with parts of the text, which contain information the methods and tactics of the investigative body and the disclosure of such information may make it more difficult to detect offenses or facilitate the commission of offenses. • Pursuant to clauses (1) 9) and 10) of the same section, parts of the text that contain information are covered description of technological solutions and security measures. - According to the challenge, the restriction initially imposed on the document was only on the basis of § 35 (1) 9) of the PSA, but in refusing to comply with a request for information, § 35 (1) 5 ) and Point 10 of because § 35 section 1 subsection 5 1 added PIA-I in 2016, ie after 12 years apart the creation of a document, as a result of which the PBGB considers that the document receives the aforementioned provision (which did not yet exist at the time of the maximum validity of the restriction) years after the expiry of the maximum limit? At the time of the establishment of this directive, clause 35 (1) 9) of the PSA was valid as follows in the wording: “9) other information provided by law”. In 2007, a response was passed to the law establishing point 9 was worded as follows: "(9) information containing sensitive personal data". Although According to RT, this version was valid from 28.12.-31.12.2007, then it probably did not enter into force. On 1 January 2008, clause 9 entered into force instead with the following wording “9) information security systems, a description of the security organization or security measures ". In the same form, point 9 applies today. At the proposal of the PBGB, § 35 (5 1 ) was amended to read “information on the methods of operation of the police and tactics if it should be made public may make it more difficult or easier to detect offenses their commission ”, the provision entered into force on 01.01.2010. In 2016, this provision was amended on the proposal of the MTB, ________________________________________ Page 4 4 (7) by replacing the word "police" with the word "investigative body". The purpose of the change was to expand this provision to other authorities for whom it was necessary to impose access restrictions. It follows from the foregoing that the grounds for imposing a restriction on access are repeated in this case changed. When complying with a request for information, the holder of the information has the right and also the obligation to check the relevance and timeliness of the grounds for restricting access to the information adjust the basis (s) if necessary (supplement, repeal, etc.). We also did this in response to this request for information: we reassessed and reconsidered the sensitivity of the information and the realization of the potential risks associated with its publication, and we compared it today with the current regulation, ie to what extent the information in need of protection is also reflected in the current procedure. In the course of this, we came to the conclusion that the grounds for the restriction of access are necessary based on the content of the information supplement (clauses 10, 5 1 ), as well as additions to the grounds for restriction of access shall assist the requester get a clearer picture of the need for continued restrictions. There are currently The procedure for maintaining the information system POLIS subsystem KAIRI was established by the Director General on 05.10.2018 Directive No. 117 and a restriction on access to it has been established pursuant to clauses 35 (1) of the PSA 3, 5 1 , 9 and 10. - Does the PBGB consider that the time limit for all of the above grounds should be longer than 10 years? Please justify your position. In the case of this directive, the PBGB is of the opinion that the information contained in it still needs some information protection. In fulfilling the request for information, the PBGB comprehensively assessed the continuing need for the restriction sentence by sentence. The thorough substantive assessment is also confirmed by the fact that the field was involved in the assessment different experts, so it took extra time to comply with the request for information, and we were also forced to do so extend the deadline. Covered passages contain sensitive information that is significantly compromised by disclosure the achievement of the objectives of criminal proceedings and the pursuit of surveillance where existing measures and tactics, technological solutions would no longer be possible implemented as it stands. It must be borne in mind that the methods of operation of the police / investigative body and tactics will not change significantly for decades. § 35 (1) of the PSA is a mandatory provision which obliges the holder of information to restrict access to information. Because both the directive requested in the request for information and the current directive are similar provisions, there is a substantive conflict between § 35 (1) and § 40 (1) of the PSA if interpret the latter provision as meaning that the access restriction can only be imposed on 5 + 5 year. The procedure for complying with this request for information illustrates the need for legal regulation to allow the restriction to be extended beyond certain periods in certain cases 5 + 5 years (as long as the reason for imposing the restriction persists). GROUNDS FOR THE DATA PROTECTION INSPECTORATE: Access to public information § 3 (1) of the PSA provides that public information is in any way and on any medium recorded and documented information obtained or created by or on the basis of law in the performance of their public tasks under this legislation. Since the document at issue is established by the Police and Border Guard Board in the performance of public duties, it is disputed the document is public information within the meaning of the Public Information Act. ________________________________________ Page 5 5 (7) Pursuant to § 3 (2) of the PSA, access to public information can be restricted only as provided by law in order. The bases for access restriction are set out in § 35 and areas of the Public Information Act special laws. The Supreme Court also found in clause 24 of its judgment 3-3-1-5-09 : “ § 44 (2) of the Constitution imposes to state agencies, local governments and their officials the obligation provided by law to provide the Estonian citizen with information on his or her activities at his or her request. To this the obligation is fulfilled by an Estonian citizen (and, unless otherwise provided by law, also in Estonia the presence of a foreign national and a stateless person present) upon request information. The material scope of that right extends to the activities of public authorities which they do not distribute to the general public. National citizens and other persons must in order to ensure the transparency of the exercise of official authority, also have access to the information which for any reason, public authorities do not voluntarily disseminate information to the public. " Restrictions on access to public information § 35 (1) of the PSA provides a list of information which the holder of information is required to establish access restriction. In the present case, it is common ground that the document contained a restriction information. The subject-matter of the challenge in the present case is the time-limit for imposing a restriction on the document. § 40 (1) of the PSA provides that information intended for internal use shall be established restriction of access from the time the document is drawn up or received and until necessary until the event expires or the event arrives, but for no longer than five years. Head of the institution this period may be extended by up to five years if a restriction on access is imposed the reason remains. Thus, the Public Information Act clearly states how long the AVTS is possible Restrict access to information on the basis of subsection 35 (1). The right to extend does not follow from § 40 (1) of the PSA after the expiry of the period of 10 years. If the Police and Border Guard finds a provision If the 5 + 5 deadline is short, an amendment to the law should be initiated in the respective part, on the basis of which it is possible to set a longer restriction period for certain specific information. Not allowed is a situation where restrictions are imposed on documents without a legal basis. At this point, I consider it necessary to point out that it is also in the past that a time limit for the application of restrictions is desired extended, but the legislator has not considered it necessary. For example, 14.09.2009 was requested initiated amendments to the Personal Data Protection Act, the Public Information Act and the Archives Act The draft Law 564 SE PIA supplement to § 40 paragraph 4 is added: "This information intended for internal use pursuant to clause 35 (1) 3) of the Act is established access restriction for up to five years. The head of the institution may extend this term twice up to five years if the reason for imposing the access restriction persists ". The explanatory memorandum to the same draft explains the following: “§ 40 of the Public Information Act is amended by a new one providing a separate basis for information the disclosure of which would be detrimental to the State external relations, the period of validity of the recognition for internal use is 5 + 5 + 5 years. The normal term is 5 years, which can be extended once by 5 years . Ten years may be too short to ensure the protection of external relations. An exception must therefore be made and to allow a third extension for another five years ”(p. 7 p. 2.6 of the explanatory memorandum of the draft). 1 The following can be read from the transcript of the sitting of the Riigikogu held on 17.02.2010: “ Public information however, pursuant to subsection 40 (1) of the Act, the head of an agency may establish for internal use restriction on access to information for a period of five years, subject to the restriction of access may be extended for a further period of five years. The Government of the Republic therefore only wanted the new provision to establish a 5 + 5 + 5 system for information that may damage the country's foreign relations. 1 http://www.riigikogu.ee/tegevus/eelnoud/eelnou/bebb8363-8999-f12e-b587- f3718b56a685 / Personal Data% 20Protection% 20Law,% 20Public% 20Information% 20Law% 20and% 20Archives Act % 20change% 20 Act / ________________________________________ Page 6 6 (7) The Committee on Constitutional Affairs, having discussed this issue in detail at its meetings , considered that it was not it is justified to give all holders of information the possibility of such extensions for a further period of five years by. Pursuant to subsection 5 (1) of the Public Information Act, the holder of information is all state and local local authorities, legal persons governed by public law and subject to certain conditions legal persons and natural persons in private law. It is obvious that everyone sitting in this Chamber should report very clearly to, for example, the Foreign Ministry's foreign embassies The memos drawn up may include assessments by other ambassadors residing in that country the Head of Government or the President of that State, their possible cooperation with third parties countries or some doubts as to whether one or the other may be related to one or the other organization, work with someone, etc. Apparently we all understand that. Is it all the information listed in the long list contained in the original version should be protected marked "for official use", this raises serious doubts. /… / Committee on Constitutional Affairs At the meetings, the members of the commission concluded that because the Ministry of Foreign Affairs is the main state external relations authority, such an extension should be limited to them. In particular, this is in the form of a memo between the Ministry of Foreign Affairs and the embassies internal exchange of correspondence (including negotiation strategies) information for use. " Due to the above, the Riigikogu has expressed its position that the access restriction information can be limited to five years and can be limited to five years at a time and has discussed an exception for information detrimental to external relations. The reason for rejecting the aforementioned bill was precisely that the Riigikogu found that an attempt was being made unduly conceal the information held by the authorities and make the state opaque, which is not inherent in an open democracy. The Data Protection Inspectorate agrees with the Police and Border Guard Board that in some cases it may indeed, ten years may be too short a time and a restriction may be needed on the document established for a longer period. This is especially true of documents that have been recognized archival value, but the restrictions cannot be extended without a legal basis. Ka The Data Protection Inspectorate as a supervisory authority whose task is to control restrictions when establishing compliance with the law, the right or permission to establish longer than the law cannot be granted here restriction deadlines. We agree with the Police and Border Guard Board that since the grounds for the restriction have changed over time, then the grounds for the restriction must be reviewed before the request for information can be complied with. However, it remains incomprehensible document (ten years after the creation of the document, if the document no longer exists possible restrictions) the addition of a restriction that was added to the Public Information Act 12 years after the creation of the document (PIA § 35 section 1 subsection 5 1 ). This was not the case by changing the wording of the provision, but by adding a new provision to the law. Data Protection Inspectorate Considers that a document the creation or receipt of which is more than 10 months old years, grounds for restriction that have been added to the law after the restriction period cannot be added expiration. Since in this case almost 16 years have passed since the creation of the document and the Public Information Act does not provide for the possibility of imposing restrictions for a period exceeding a maximum of 10 years, it does not have to the inspectorate also needed to analyze the desired parts covered in the desired document justification for the restriction. However, based on the continued imposition of the restriction the justification for the need has repeatedly referred to a link to a state secret information, it should be assessed, if necessary, whether such information, even after 16 years needs to be protected after its creation should not be covered by a state secret. It also remains incomprehensible to the Data Protection Inspectorate when the Police and Border Guard Board had it is understood that even after 10 years, the document contains information that is still needed why no steps have been taken to legitimize the protection of such information. ________________________________________ Page 7 7 (7) Due to the above, because the Public Information Act does not provide an opportunity to impose on information restrictions for more than 10 years and the Data Protection Inspectorate cannot do anything to anyone here exemption for the holder of the information, the Police and Border Guard Board shall remove access restrictions and provide the claimant with the information he or she wishes if it is not a state secret and there is no other reason to restrict access to information. /signed digitally/ Elve Adamson Inspector General under the authority of the Director General
