GDPR Privacy FAQs: Can a company share personal data in response to a non-compulsory document request from a government agency?

August 28, 2019

It depends.

The GDPR prohibits a controller from “processing” personal data unless one of six situations, or permissible purposes, applies.  As the GDPR defines processing to include the “disclosure by transmission, dissemination or otherwise . . .” of personal data, prior to sharing personal data with a government agency, a controller should determine which, if any, permissible purpose applies.  The following discusses those permissible purposes which controllers might consider when deciding whether to disclose information to a government agency:

  1. Consent.  In some situations, a controller can seek the consent of one, or more, data subjects to release information to a government agency.  In other situations, however, a government agency may request (or demand) that data subjects not be alerted to the agency’s request.  For example, if the data subject is the target of an investigation of potential illegal conduct, a government agency may have a vested interest in not tipping off the data subject to the request (or the fact of the investigation).  There are also situations in which seeking consent is simply impractical or cost prohibitive – for example, if a government agency requests data about thousands of individuals.
  2. Necessary to comply with a legal obligation.  While the GDPR permits processing when it is necessary to comply with a legal obligation, by its nature, a controller is not legally obligated to comply with a voluntary request for documents.  It is also worth noting that even if a request for information is compulsory, supervisory authorities have only recognized an ability to rely upon this permissible purpose in the context of European legal obligations.  As a result, this permissible purpose would be unavailable in the context of a foreign (i.e., non-EEA) government agency request (whether compulsory or voluntary).
  3. Necessary to protect vital interests of a natural person.  In some situations, it may be possible to base the voluntary release of information to a government agency on the need to protect the “vital interests” of a person.  So, for example, if a police department requested information necessary to identify a kidnapped child, or to stop an imminent terrorist attack, the release of such information might be based upon the protection of the “vital interests of the data subject or of another natural person.”1
  4. Processing is necessary for the performance of a task carried out in the public interest.  One of the permissible purposes within the GDPR is where transferring data is “necessary for the performance of a task carried out in the public interest.”2  The Article 29 Working Party interpreted this purpose as applying to situations in which a controller is requested to provide information to “an officer of a public body competent for investigating crime” and the request is that the controller voluntarily cooperate, rather than an “ordering” of the controller “to comply with a specific request to cooperate.”3  It should be noted that if a controller decides to rely upon this permissible purpose, the GDPR confers upon data subjects the ability to object to the processing and requires that a controller inform the data subject of such right.4  In some cases, this may mean that a controller notifies a data subject about a planned imminent release of information.  Alternatively, if the controller’s privacy notice preemptively disclosed that it may share information with government agencies (or other third parties) to investigate, prevent, or take action regarding possible illegal activities, fraud, violations of policies, or threats to safety, and if it informed data subjects about their ability to object to such disclosures preemptively, the controller could argue that no additional notice is needed prior to sharing with a government agency.  Finally, it is important to recognize that the Article 29 Working Party only recognized voluntary cooperation with a government agency as related to the “public interest” when the government agency was an “authority granted by the European Union or a Member State.”5  Requests “carried out in the public interest of a third country,” such as the United States, “do not fall within the scope” of this permissible purpose.6

  5. Processing is necessary for a legitimate interest pursued by a controller or a third party.  If the purpose of processing is to further a legitimate interest of the controller, the controller is permitted to process the data so long as its interest is not “overridden” by the interest or “fundamental rights and freedoms of the data subject which require protection of personal data.”7  A controller could argue that it has a legitimate interest in complying with a government request for the release of information.  For example, the Article 29 Working Party has suggested that “legitimate interest” might be the basis upon which a controller would rely when producing information in response to a foreign (non-EEA) tax authority’s request for income information where there is no agreement in place between the foreign government and the EU.8  Prior to the disclosure of information, however, the controller should conduct a balancing test of its interest as compared to the privacy interests of data subjects.  For example, a controller’s interest in complying with a voluntary request for documents or information from a foreign country is likely to be overridden by the data subject’s interest in privacy if the foreign country’s intent is to use the information to suppress dissidents.9  As with reliance on the permissible purpose of “the public interest,” the GDPR requires that the controller take steps to inform data subjects that it may release information to government agencies based upon legitimate interest, and inform data subjects of their ability to object.10

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. GDPR, Article 6(1)(d).

2. GDPR, Article 6(1)(e).

3. WP 217 at 21.

4. GDPR, Article 21(4).

5. WP 217 at 21.

6. WP 217 at 21.

7. GDPR, Article 6(1)(f).

8. WP 217 at 66.

9. WP 217 at 66-67.

10. GDPR, Article 21(1), (4).