ANALYSIS

Mass disclosure of personal data and privacy: Lessons from Slovakia and the EU

Recent EU rulings confirm broad data disclosure is lawful only when justified, proportionate, and that courts require safeguards protecting those affected.


Contributors:

František Nonnemann

Compliance and Operational Risk Consultant

Project Partners Bank

The right to privacy and the protection of personal data is a core human right in the European Union. It is often challenged when states or public authorities require broad or indiscriminate processing of personal information from different types of organizations. This may involve collecting or publishing data on large groups of people, such as all telecom service users or donors to nongovernmental organizations. These measures can seriously infringe privacy and personal data protection, and courts rarely uphold them if they are not carefully justified and proportionate.

Slovakia NGO law cancelled by the Constitutional Court

A recent example comes from Slovakia. The government amended the law on NGOs. The amendment required NGOs to publish identification data of all individual donors whose contributions exceeded 5,000 euros per year, including natural persons. The government argued that the law would increase transparency, reduce undue influence, fight the shadow economy and prevent illegal funding.

However, the Constitutional Court of the Slovak Republic disagreed. It struck down the amendment, ruling that the blanket and broad obligation to disclose all donor data was disproportionate and unbalanced. The court emphasized that even a strong public interest in transparency cannot automatically outweigh the right to privacy and personal data protection.

Ultimate Beneficial Owner legislation

Similar issues have arisen at the European level. One notable example involves Ultimate Beneficial Owner registries. The Fifth Anti-Money Laundering Directive (Directive 2018/843) required EU member states to allow public access to company ownership registries. These registries contained personal data such as names, dates of birth, nationalities and ownership shares. The goal of the legislation was to fight money laundering and illicit financial activity. 

In the joined cases C‑37/20 and C‑601/20 (22 Nov. 2022), the Court of Justice of the European Union struck down provisions allowing unrestricted public access. The court explained that access should be limited to individuals with a legitimate reason. Public access without any relevant restrictions constitutes a serious interference with privacy, even when aimed at an important public goal like preventing financial crime and money laundering. This case highlights a key principle in EU law: Legitimate public interest must be balanced against privacy rights, and measures must be proportionate to their purpose.

Long-running saga of data retention

The Data Retention Directive (2006/24/EC) provides another instructive example. It required member states to store large amounts of telecommunications data for at least six months. This included information on the sender and recipient of communications, date and time, duration, device identifiers and location data. The obligation applied to every client of the telecommunication services without assessing risk or necessity. 

In the joined cases C‑293/12 and C‑594/12 (8 April 2014), the CJEU annulled the whole Data Retention Directive, citing its disproportionate and indiscriminate nature. Following this judgment, national laws implementing the directive were carefully reviewed across Europe, demonstrating the wide impact of this decision.

Anti-doping registry

Sports regulations also illustrate the tension between transparency and privacy. In the case C‑115/22, NADA and Others, the CJEU examined the Austrian Anti-Doping Act. The law requires authorities to publish the names of athletes and sanctions for doping violations. One of the affected athletes argued that this disclosure was an excessive intrusion into privacy. 

The court found the measure legitimate and proportionate, serving the goal of preserving the integrity of sport and preventing doping. Importantly, the court stressed that public interest could justify a limited privacy intrusion, but it must always respect the principle of proportionality.

EU-Canada Passenger Name Record Agreement

In Opinion 1/15 (EU-Canada Passenger Name Record Agreement), the CJEU examined a planned agreement that would allow airlines to transfer PNR data from the EU to Canada. These data include information collected during flight reservations, such as names, contact details, travel routes and payment information. 

The CJEU accepted that using such data can help fight terrorism and serious crime, which is a legitimate objective. However, the court found that the agreement in the proposed wording did not provide enough protection for personal data and privacy. Some rules allowed data to be used too broadly, stored for too long and shared without sufficient safeguards. There were also concerns about the handling of sensitive information and the lack of strong independent oversight. 

Because of these problems, the court concluded that the agreement could not be approved unless it was changed to better protect individuals’ fundamental rights.

The European Commission then revised the draft agreement to address the court's concerns. The court's opinion also influenced the development and interpretation of other EU PNR agreements, particularly those with the U.S. and Australia, by setting clearer standards for the transfer, retention and protection of passenger data.

Key takeaways

This article mentions only a few examples, but two key principles emerge from them. First, any broad collection, processing or publication of personal data must be justified and proportionate to its purpose. Second, courts consistently require safeguards to protect those affected. Whether dealing with donor registries, UBO registries, telecommunications data or anti-doping information, the law requires a careful balance between public interest and privacy. Blanket measures that treat all individuals equally without distinction are unlikely to withstand judicial scrutiny.

The Slovakia NGO example, when viewed alongside EU jurisprudence, highlights practical implications. Governments and organizations must design transparency measures carefully to avoid unnecessary privacy violations. Simply invoking public interest is not enough. Beyond rendering the legal measure invalid, such a broad approach to collecting and storing personal data can also give rise to a claim for compensation by the affected individuals (data subjects) for any harm caused by the unlawful processing of their data.

 
