Data Transfer in the GDPR: The Public Register Derogation

In its effort to regulate the flow of personal information beyond the borders of the European Union, the GDPR creates a set of acceptable methods for “cross-border transfers” of personal data that are often unavailable to global organizations. Article 49 of the GDPR offers a number of “derogations” (i.e., exceptions) that allow transfer of such data outside of the European Union in situations where the enumerated acceptable methods are not available. This installment of The eData Guide to GDPR highlights one such derogation that has not received much publicity yet and is found in Article 49(1)(g). 

The “Public Register” derogation provides a permissible means to transfer public filings from the European Union to other jurisdictions, including materials filed in a proceeding before a court in the European Union. The derogation facilitates cross-border transfer of materials that are available to the public or to those with a legitimate interest in the materials. Two cautions should inform the transfer: (1) the entirety of the personal data or the entirety of the register should not be transferred, and (2) the transfer should take into account the “interests and fundamental rights of the data subject.”[1]

Specifically, Article 49(1)(g) provides:

Derogations for Specific Situations:

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

While little interpretive authority has been issued to aid application of this derogation, the EU Data Protection Board guidelines on Article 49 Derogations provide this insight:

Article 49 (1) (g) and Article 49 (2) allow the transfer of personal data from registers under certain conditions. A register in general is defined as a “(written) record containing regular entries of items or details” or as “an official list or record of names or items, where in the context of Article 49, a register could be in written or electronic form.

The register in question must, according to Union or Member State law, be intended to provide information to the public. Therefore, private registers (those in the responsibility of private bodies) are outside of the scope of this derogation (for example, private registers through which credit-worthiness is appraised).

The register must be open to consultation by either:

(a) the public in general or

(b) any person who can demonstrate a legitimate interest.

These could be, for example: registers of companies, registers of associations, registers of criminal convictions, (land) title registers or public vehicle registers.[2]

The question of interpretation in Article 49(1)(g) is whether a court docket is a “Registry” under EU law. That seems to be the case. The Court of Justice of the European Union refers to its docket as a “Registry” and defines it as “responsible for maintaining the case-files for pending cases and for keeping the register in which all the procedural documents are entered. The Registry receives, keeps and serves the applications, pleadings and other procedural documents sent to the Court by the lawyers and agents for the parties. It is responsible for all correspondence relating to the progress of proceedings before the Court.” [3]

Recital 111 adds two cautions:

Provision should also be made for the possibility for transfers … where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register[4] and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.

Where a register is intended to be made available to the public, there appear to be no limitations on the use of the information. Thus, for example, if a local court docket is open to consultation by the public and documents filed on the docket can be obtained by members of the public, transfer would appear to be permissible without limitation.

If available only to those with a legitimate interest, the guidelines caution that “the transfer can only be made at the request of those persons or if they are recipients, taking into account of the data subjects’ interests and fundamental rights.”[5] Those with a “legitimate interest” include:

[L]egitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.[6]

Once established as a party with a legitimate interest, the last clause of Recital 111 requires some interpretation. It appears to provide that transfers made at the request of those having a legitimate interest can occur without further limitation: “the transfer should be made only at the request of those persons.” The last clause continues: “or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.”

Finally, the guidelines note the following: “Further use of personal data from such registers as stated above may only take place in compliance with applicable data protection law.” Further use after transfer might include use of the materials in a foreign litigation. Should the parties elect to do so, the terms and conditions of any ESI protocol or protective order should govern the disclosure of materials from an EU state litigation Registry. Should one of the parties seek enhanced protection for these materials, or should they seek to exclude them from disclosure, they would be forced to seek protection from the court in the foreign litigation and/or seek redress in the original EU state. The party would stand little chance of finding support in the United States, for example, to block the transfer of data required in that litigation. Their right of redress in the EU is less clear, but any EU authority will have little or no authority to prevent the use of the material in the foreign litigation.

[1] Recital 111.

[2] Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679.

[3] Registry, Court of Justice of the European Union.

[4] A transfer from a public register should not be a wholesale transfer of an entire category of data on a registry or of all of the personal data on a registry.

[5] Recital 111

[6] Recital 47