9. Right of Access to Public Information: The Portuguese Case

Brin 1998.

An English version of the Constitution of the Portuguese Republic (CPR) and of the main legislation hereby quoted may be found at the site of the Portuguese Parliament, Assembly of the Republic (www.​parlamento.​pt) or at the sites of CADA and CNPD (www.​cada.​pt and www.​cnpd.​pt) (Accessed on 14 February 2017).

Cunha 2006, p. 623–651.

For further developments, AA VV 1999 and 2001, Almeida 2004, Ascensão 2001.

This subject was already brought to our study: Neto et al. 2002, p. 187–200.

More recently, these matters have also been addressed to in Neto 2012b, p. 41–55 and also Neto 2012c, p. 7–16.

This principle is developed by the Article 62 of the Code of Administrative Procedure of 1991 and has specific remedies relief since at least 1985. This principle is also known as “open archive”. In what concerns the fullfillment of this goal, see Ribeiro 2003 and Ribeiro 2005, p. 83–100.

After the constitutional revision of 1997, there is also a reference made in Article 26 to the protection of genetic information, also addressed by Law No. 12/2005 of 26 January 2005 and by Law No. 5/2008 of 12 February 2008, that created a genetic database.

The concept ‘document’ was then defined in Article 3 of Law No. 65/93: “Documents enacted or used by governmental bodies with administrative functions, public institutes and public associations, council bodies and other entities defined by law”. Furthermore, Article 4 distinguished between two types of documents: a) Administrative documents (documents issued or used by public entities) and b) Nominative documents (documents containing personal data).

The law now enforced refers to fees due by those who require information, as we will point out in Sect. 3.1.

See Article 13 of Law No. 65/93.

See Article 15 of Law No. 65/93.

On the specific matter of the re-use of public information, Ascensão 2004, p. 65–82.

In L2016, the definition of “nominative documents” now covers administrative documents containing “personal data” as defined by the legal regime of personal data protection.

Law No. 12/2005 of 26 January 2005 already mentioned.

However, L2016 states clearly in Article 3.2 that shall not be deemed ‘administrative documents’ those drawn up from administrative activities, particularly those concerning meetings of the Council of Ministers and Secretaries of State, and the preparation thereof.

This issue is set by the Criminal Procedure Code.

Pereira 2001 .

On the other hand, “nominative document” are now defined as administrative documents that contain an assessment or value judgment, or information covered by the reservation on the intimacy of private life, about an identified or identifiable natural person. Furthermore, L2016 demands that the third party interest is constitutionally protected.

Pinto 1993.

Moniz 1997, p. 231–300.

We list some general references on this topic in what concerns portuguese legal system: Casimiro 2000, Castro 2005, Farinho 2006. In what concerns the liability for internet providers, Fachana 2012. In what concerns liability for the possible misuse of information, Matos 2011 and Monteiro 1989.

However, in this latter case, this temporary classification must be ratified within ten days, as determined by Article 3 of Organic Law No. 2/2014.

The Portuguese Republic Intelligence System is grounded on Law No. 9/2007 of 19 February 2007 that establishes nowadays the framework regulation for the Secretary-General of the Portuguese Republic System, for the Defence Strategic Intelligence Service (SIED) and for the Security Intelligence Service (SIS).

The agreement between the Council, European Parliament and European Commission of EU reached on 15 December 2015 a major step in the adoption process of the EU General Data Protection Regulation (GDPR), that get together Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, thus repealing Directive 95/46/EC (General Data Protection Regulation) and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. Those two set of rules were published on the 4^th of May on the EU Official Journal. While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018, according to Article 94.1 of the Regulation. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018. Perhaps the most significant change from the current Data Protection Directive is that the GDPR will be directly applicable in all EU Member States, without the necessity of national implementing laws, thereby mitigating the current fragmentation of national data protection laws.

These guidelines were established by the Council of Europe Convention for the Protection of Individuals against the Automatic Handling of Personal Data (1981) or the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1981). In accordance with this latter Convention, the general principle was that sensitive data could be processed automatically as long as the domestic law provided appropriate safeguards which were no more than the translation of so-called principles of fairness and lawfulness, purpose, quality and that are shed in the right to be informed about the purpose, the right of access to data, the right to correct or delete, and the right of opposition as the safeguard clause.

Or “sensitive data”.

Court of Justice of the European Union, Costeja, C-131/12 (Judgment of 13 May 2014). For further discussion within the articulation with the portuguese legal system, Raimundo 2012.

This is the Portuguese supervisory body in what concerns personal data that we will refer to in Sect. 5.1.2. However, the 2016 Regulation sets a “one-stop shop and cooperation procedure”.

Article 27 of L1998.

Article 29 of L1998.

Articles 12, 13 and 15 of L2016.

Articles 12, 13 and 15 of L2016.

Articles 12, 13 and 15 of L2016.

Articles 10 and 12.5 of L2016.

All decisions of the Portuguese Constitutional Court (Tribunal Constitucional) are available at http://​www.​tribunalconstitu​cional.​pt/​ (Accessed on 14 February 2017).

Neto 2011, p. 315–343.

The decisions and rulings (“Acórdãos”) on this subject are available at www.​dgsi.​pt: Administrative Supreme Court (Supremo Tribunal Adminsitrativo), Process 0896/07 (Judgment of 17 January 2008; Administrative Supreme Court, Process 0848/08 (Judgment of 7 January 2009); Administrative Supreme Court, Process 0838/08 (Judgment of 18 February 2009); Administrative Supreme Court, Process 0998/08 (Judgment of 25 February 2009); Administrative Supreme Court, Process 0288/09 (Judgment of 20 May 2009); Administrative Supreme Court, Process 0453/09 (Judgment of 30 September 2009); Administrative Supreme Court, Process 01110/09 (Judgment of 20 January 2010); Administrative Supreme Court, Process 0169/10 (Judgment of 12 May 2010); Administrative Supreme Court, Process 0668/11 (Judgment of 24 January 2011); Administrative Supreme Court, Process 0671/11 (Judgment of 7 December 2011); Administrative Supreme Court, Process 0758/11 (Judgment of 31 August 2011); Administrative Central Court – North, Process 511/11.2BECBR (Judgment of 4 November 2011); Administrative Central Court – South (Tribunal Central Administrativo Sul), Process 08214/11 (Judgment of 12 January 2012); Administrative Central Court – North, Process 354/12.6BEPRT (Judgment of 13 July 2012); Administrative Central Court – North (Tribunal Central Administrativo Norte), Process 01721/12.0BEPRT (Judgment of 25 January 2013).

We have also mentioned in Sect. 2.1. the framework regulation for the Secretary-General of the Portuguese Republic System, for the Defence Strategic Intelligence Service and for the Security Intelligence Service.

For further information, and consultation of decisions, please see www.​cada.​pt (Accessed on 14 February 2017).

Article 30 of L2016.

In those cases, the fines are

In that case, the fines are:

For further information and consultation of the public registry of decisions, please go to www.​cnpd.​pt/​.

Article 25 of L1998.

Articles 22 and 23 of L1998.

Article 34 of L1998.

Article 35 of L1998.

Regulation 2016/679 sets a new type of violation of personal data (Article 4 No. 12) and harmonises data protection enforcement in the EU. It will introduce two levels of fines: (1) up to € 10 million or 2% of the undertaking’s global annual turnover, whichever is higher, for certain infringements; and (2) up to € 20 million or 4% of the undertaking’s global annual turnover, whichever is higher, for more severe infringements.

Article 33 of L1998.

Please consider Fachana 2012, Gonçalves 2003 and Neto 2010 and 2012a for further developments.

In Portugal, the Law No. 12/2005 of 26 January 2005 defines the concept of health information and genetic information. In this sense, health information covers all kinds of information directly or indirectly linked to health, present or future, of a person, whether you are alive or have died, and your medical history and family, taking special care with issues concerning ownership, storage and access to health information (Article 3) and the treatment of health information (Article 4).

Incidentally, it should be noted that the genetic information that does not have immediate implications for the health status cannot be included in the clinical process – Article 6 of the same Law – and should in general be protected by legislative and administrative measures to protect strengthened in terms of access, security and confidentiality.

Even more crucial, the design and construction of a genetic database can be considered or understood in different and opposing perspectives, both as to the type of material collected either on the purpose of use, or as storage conditions. In fact, it can only be thought of as a means of criminal investigation or civil identification.

The Portuguese solution was molded in Law No. 5/2008, of 12 February 2008, which regulate the genetic database has long been claimed in terms mixed: mandatory in the case of criminal identification, optional in the case of civil identification.

Hence, the growing importance of the institutional guarantee poured in the topics covered by the most relevant guidelines of the National Commission for Data Protection – operating under the Law No. 42/2004, of August 18, and charged even the organisation of public record:

Let us remember that L1998 has also been complemented by the Law No. 69/98, of 28 October 1998, that regulates the treatment of personal data and the protection of privacy regarding telecommunications, thus matching the Directive No. 97/66/EC of the European Parliament and of the Council, of 15 December 1997. It gives special emphasis to the questions of security and confidentiality that have to be considered in an era of new technological possibilities. Furthermore, the connections are obvious with the legal framework for electronic commerce approved by Decree-Law No. 7/2004, of 7 January 2009 and amended in 2012) and with the scope or Law No. 46/2012, of 29 August 2012, implementing Directive No. 2009/136/EC on the amending Directive No. 2002/58/EC of the European Parliament and of the Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the sector electronic communications, proceeding to the first amendment of the Law No. 41/2004, of 18 August 2004, and the second amendment Decree-Law No. 7/2004. On these matters, CNPD (2004). Further, the Decree-Law 122/2000 matches the Directive No. 96/9/EC of the European Parliament and of the Council, of 11 March, regarding the legal protection of databases. This text gives special attention to the matters of multispacial situations and of intellectual and industrial property, in a way that in a certain manner follows Decree-Law 16/93, regulating the management, conservation and access to archives. Personal data was already protected here in Article 17, which prevented disclosure of documents containing personal information of judicial, criminal or health nature. Further limitations would apply to preserve personal security and privacy.