It’s pretty clear from the context and implications that when European legislators wrote “public authority” into the General Data Protection Regulation they didn’t mean the same as the drafters of the UK’s Freedom of Information Acts. “Public authority” isn’t defined in the Regulation and I’ve not been able to find it in any other European law, so I’m grateful to David Erdos for pointing out the case where the concept and reason for it, if not the actual phrase, were discussed.
In the employment law case of Foster & others v British Gas (Case C-188/89) the European Court of Justice concluded that special treatment was needed where an organisation:
“has been made responsible, pursuant to a measure adopted by the State, for providing a public service under the control of the State and has for that purpose special powers beyond those which result from the normal rules applicable in relations between individuals.” (para 22)
That makes a lot of sense in the data protection context too. Where a law has given an organisation special powers to process personal data for a particular task, it may well be appropriate to restrict its use of other processing powers that it should not need. There is a clear echo of the British Gas case in Recital 47:
“Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.”
Recital 43 also casts doubt on whether valid consent can be obtained.
However, where the organisation is acting in areas other than the special “tasks” assigned to it by law (for example to protect the security of its networks and information, as in Recital 49), it has no special powers, should not be given special treatment and “the normal rules applicable in relations between individuals” should apply. Extending the restriction beyond the legally-defined tasks is likely to force the organisation either to extend its special powers to processing for which they were not authorised, or to use other inappropriate bases for processing.
Pleasingly, this is pretty much the intention I’d worked out based on how the term “public authority” is used in the legislation. Where an organisation has been given special legal authority to carry out a particular task it should be using that authority, not legitimate interests, to justify the processing. For other tasks, it should be free to use legitimate interests, consent and the other legal bases, whichever is the most appropriate. An instance of successful reverse engineering of law, I think 🙂