Where Citizenship Law and Data Protection Law Converge
The Publication of Personal Data upon Naturalisation
Becoming a citizen of a country is a noteworthy event. Whether it is birth or naturalisation, there are many reasons to share the news. However, in light of the increasing scrutiny of controlling and processing personal data, it is only logical that states face questions regarding the necessity of formal publication of the personal data of their new citizens upon naturalization. This issue is particularly contentious, since this practice has been carried out to differing degrees across EU Member States. Until recently the Member States opting for such publication were in the majority. However, as privacy rights awareness is on the rise in the EU, our research published in a recent Jean Monnet Working Paper (NYU Law) demonstrated an overall trend towards greater questioning and restricting of this previously unquestioned default practice. This trend notwithstanding, discrepancies between the national approaches taken across the EU are radical: while publication is often still required by law in many states, in numerous others disclosing personal information of the new citizen is a punishable offence. We submit that states ought to take upgraded European privacy standards into account when revisiting their current publication practices, particularly considering the changed realities of information sharing in the digital age.
European practice(s)
The landscape of legal rules on the disclosure of personal information of newly-naturalised citizens and of the practice regarding the application of such rules in the EU is very diverse, showcasing the lack of consensus among EU’s governments on this matter. Until recently, just under half of the Member States did not publish such information at all, whereas the abolition of that practice in Bulgaria, Ireland, Latvia, Luxembourg, and the UK now brings that number to sixteen. In some cases, the publication of naturalisation information is mandated by law – as found in Greece. In others, there is no legal basis, as highlighted by the Cypriot DPA after the Guardian published a leaked list of the names of investors naturalised in Cyprus based on ius doni. What is mandated by law in some Member States is thus in direct violation of the law in others, while the European umbrella privacy standards theoretically apply to all.
Those that do publish information related to newly-naturalised citizens differ in terms of which details are published, in what format, and whether safeguards are taken to factor in privacy and data protection-related concerns. Some Member States’ naturalisation-related publications are limited to names only (eg in Malta) whereas others include dates and place of birth (Belgium, France, Lithuania, Portugal). Sometimes special identification numbers are published, as seen in Greece and formerly Latvia. When publication of personal information of the new citizens is required, the law has little to say about the consequences of the application of this requirement for the individuals concerned, who can have very strong reasons to be discrete. In the worst cases, the publication could lead to the loss of core rights (eg passive political rights in Australia) or even of the original citizenship of the new citizens. This can go as far as triggering inter-state tensions, as was the case between Hungary and Slovakia, leading to the application of the strictest non-disclosure rules to the lists of the new Hungarian citizens threatened by the amended Slovak law with the loss of Slovak nationality, as analysed by Araiza.
Particularly interesting are those recent instances of reform in law and practice that occurred in France, Latvia, and Ireland. When the French OJ was digitised in 2016, ‘Protected Access’ measures were implemented, but these have been largely circumvented as private parties were quick to establish web-pages assembling links to all OJs published since 1 January 2016 containing naturalisation decrees. The catalysts for further scrutiny of such practices were Latvia and Ireland. Until August 2017, the former published unique personal identification numbers, whereas the latter also indicated the newly naturalised individual’s personal address and whether they were an adult or minor. In Latvia, after a Ministry of Justice assessment (subsequently confirmed by the national DPA) found the practice to be disproportionate from the perspective of privacy and data protection concerns as balanced against the interest in informing the public, such publications were ceased in Latvia in 2017 and retroactively deleted from the online official journal: all personal details are completely redacted, including names, and one can now only count the number of naturalised individuals per publication.
Similarly, naturalisation-related publications in the Irish official journal have been suspended since April 2016 as the result of media focus and the consequential public backlash related to naturalisation publications in the Irish Official Journal.
EU General Data Protection Regulation (GDPR)
While those Member States that publish naturalisation-related decisions justify the practice by public interest, the recent trend towards greater restriction highlights the countervailing interests in privacy and data protection. With such different practices from jurisdiction to jurisdiction, the 2018-enacted GDPR may provide a useful framework to inform a legal analysis of such practices.
The broad material scope of the GDPR encompassing ‘the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system’ (Art 2(1)) could be interpreted as relating to the publication of naturalisation information. However, without ECJ case law on the matter it is debatable whether these nationality decisions constitute processing that occurs ‘in the course of activity which falls outside the scope of Union law’ (Art 2(1)(a)), thus falling outside the GDPR framework.
Could EU citizenship trigger the scrutiny of the publication of naturalisation information? Overall, Member States are free to regulate the conferral and withdrawal of nationality as they see fit, as analysed, most recently, by Jessurun d’Oliveira and by Sarmiento, with the caveat that such regulation cannot undermine the essence of the status or jeopardise the enjoyment of EU citizenship rights by the holder of the supranational status. This means that the publication of the personal data of new (EU) citizens by a number of Member States will not fall within the scope of EU law, thus failing to trigger the GDPR, only if:
- it does not constitute a violation of one of the rights of EU citizenship enjoyed merely by virtue of possessing the status and analysed extensively in EU Citizenship and Federalism (such as the right to vote in European Parliament elections at issue in Eman and Sevinger and Delvigne); and,
- it does not disproportionately threaten the enjoyment of citizenship as such (as per Rottmann and also Tjebbes, however weak on this count)
Thus, while EU legal intervention is unlikely in the context of the publication of naturalisation-related information – a field traditionally falling within the exclusive domain of the Member States – it does not seem entirely impossible, leading to a potential de facto minimal harmonization of this field through the application of the strict GDPR standards.
Council of Europe
Might instruments of the Council of Europe serve to further inform how such situations should be handled? On the one hand, the European Court of Human Rights’ (ECtHR) approach in recent cases dealing with state surveillance measures might allow for inferences to be made as to the publication of personal data at naturalisation, such as a broad support for the protection of the informational sphere of the individual and the integrity of the family, as well as potential restrictions in areas where national security concerns prevail. However, the role of the margin of appreciation afforded to states especially in areas where a consensus amongst Contracting Parties is implausible or non-existent makes the critical application of the European Convention on Human Rights to naturalisation-related publications seemingly unlikely.
More interesting perhaps is the oldest international legally binding instrument in the area of data protection, Council of Europe Convention No. 108, modernised in 2018. Since the Convention and more specifically its principles of lawfulness, fairness, purpose limitation, and data minimisation apply to data processing in both the public and private sectors, it is unquestionable that such principles apply to state publications of new citizens’ personal information upon naturalisation (especially since the Convention rights also apply to non-citizens), meaning Contracting Parties need to carefully consider which information is published.
Best practices
In terms of recommendations that can be made based on the relevant privacy and data protection standards, from the outset the risk for a naturalised individual to suffer rights-restrictions as the result of the publication of personal data should be taken very seriously and assessed closely by public authorities – this is now not the case at the outset in any of the Member States publishing personal data of the new citizens. Consequently, in the cases when legislation mandates the publication of the fact of naturalisation, exceptions are advisable for those who can demonstrate that such publication considerably threatens the continued enjoyment of rights in the new and other states of nationality and/or could negatively affect business or family interests. In such an assessment, the type of data published should be considered – is it limited to name and perhaps date and place of birth? Or is further information such as home address or a national identification number included? Moreover, the possible consequences that could arise from the combination of such information with other information (including that held by other parties) should also be taken into account, in line with the 2017 recommendations of the UN Special Rapporteur on the right to privacy.
Moreover, the appropriateness of maintaining the public availability of naturalisation details should also arguably be considered from a temporal perspective. The Google Spain decision on ‘the right to be forgotten’ could provide a gate-way to discuss the issue of personal data and time in the digital age in a more nuanced manner: whether to publish personal data or not is not the only question – fundamental issues also include how to publish and to what extent to make the publication available. Indeed, states should look at the categories, amount, accessibility, and relevance over time of the personal data they publish upon naturalisation, striking a balance between the public interest in receiving the information and individual rights.
Finally, the development of a common approach to such publications across Member States is desirable. While the current EU regulatory framework suggests each country enjoys absolute discretion to decide for itself, the increasing harmonisation of the privacy framework in Europe and across the world raises the expectations of individuals to be subject to at least comparable rights-safeguarding standards. At a minimum, any common standard or best practice guidance should contain guidelines for opt-outs when such disclosures could demonstrably lead to significant negative consequences for newly-naturalised citizens in either the new or other states of nationality.