“Support Portal” Requires Compliance with the Principle of Data Minimisation
The President of the Personal Data Protection Office, Mirosław Wróblewski, has presented comments on a parliamentary proposal to amend the Acts on the Exercise of Legislative Initiative by Citizens and the Electoral Code. The proposed amendment introduces a service intended to facilitate citizens’ exercise of their rights related to legislative initiatives and to enable the use of electronic solutions by the proxy of a “legislative initiative committee”.
According to the draft, the service made available through the “support portal” would expand citizens’ possibilities of action and allow certain activities provided for by law to be carried out electronically – for example, those relating to the rights and obligations of the proxy of a “legislative initiative committee”. The President of the Personal Data Protection Office also acknowledges the relevance of the proposal in the context of a modern and democratic state governed by the rule of law.
The analysis of the draft showed that, in order to provide the service within the ICT system, personal data would be processed on a large scale – including data revealing citizens’ political opinions and philosophical beliefs. Disclosure of such information – through signing support for a specific legislative proposal – would constitute a serious interference with an individual’s privacy and informational autonomy. It is therefore essential to ensure an appropriate level of security for data processed within such a service, as its processing carries risks to the rights and freedoms of individuals. The draft must therefore include adequate safeguards for their protection.
A safeguard ensuring the protection of fundamental rights and compliance with the purpose limitation principle could be the explicit provision that personal data are processed in the system solely for the purpose of exercising citizens’ legislative initiative and will not be processed for other purposes, nor used for profiling individuals.
The draft also indicates that citizens’ personal data would be transferred from the Central Register of Voters to the “support portal” regardless of whether a given person actually decided to use the service or whether they indeed expressed support for a legislative proposal via the portal. To ensure that the proposed mechanism complies with the principles of fairness, transparency and data minimisation, the solution should be voluntary and apply only to citizens interested in this form of political participation. The provisions must clearly state that only the data of those citizens who choose to use the service will be transferred from the Central Register of Voters and the Personal Identification Number Register PESEL register.
The transfer of citizens’ personal data should not deprive the controller of control over the data in the system nor exclude its accountability. Therefore, the draft should clearly specify the method and procedure for transferring personal data. The wording in the draft stating that data from the PESEL register “may be transferred” also requires clarification. The provisions must clearly indicate whether such data will be transferred or not; therefore, the term “may” should be amended.
The supervisory authority also calls for reconsideration of the proposed possibility of making personal data – processed in the support portal and linked to the service described in the draft – available to other entities. The proposed mechanism would allow the Head of the National Electoral Office to disclose data at the request of courts, prosecutors or the Police conducting criminal proceedings. This provision is too general and grants excessively broad powers to obtain personal data. It is unclear on what grounds – and whether on grounds justified by the necessity of processing – these authorities would obtain citizens’ personal data. This is particularly important given that the data in question would be special category data – relating to political opinions and philosophical beliefs of citizens who supported a specific legislative proposal via the service. As already emphasised, disclosure of special category data (Article 9(1) GDPR) would constitute a serious interference with individuals’ rights and freedoms. The legislator should therefore reconsider the appropriateness of this solution or supplement it with adequate safeguards for the protection of individuals’ rights and freedoms.
Such safeguards could include establishing a precise list of offences for which authorities may obtain personal data. An additional measure would be specifying the scope of personal data to be disclosed – ensuring it is proportionate and transferred only when strictly necessary.
The method of transferring personal data should also be clearly defined. The issue of data disclosure by public authorities has already been addressed in the case law of the Court of Justice of the European Union. Separate public authorities must be regarded as separate controllers, including the authority receiving personal data within the public administration.
Appropriate safeguards for the protection of rights and freedoms must also be established at the stage of disclosing personal data to law enforcement authorities upon their request by the Head of the National Electoral Office.
As emphasised at the outset, the President of the Personal Data Protection Office does not question the legitimacy of the parliamentary proposal. The supervisory authority’s comments on the draft amendments constitute expert guidance for the legislator.