Should states disclose the personal information of the newly-minted citizens? Until recently, the prevailing trend was very clear and full disclosure seemed to be seen as a must, potentially hurting plenty of new citizens, especially those who get the status through making an investment or a donation, thus frequently having no intention at all (and of course no obligation) to move into their new country of citizenship.
In the European Union the balancing of privacy concerns of individuals against the perceived need to disclose personal information led to radically different outcomes: while Malta publishes all the names of new citizens as is required by law, Cyprus prohibits such publication. Who is right?
As demonstrated in our research forthcoming in the Houston Journal of International Law and available in draft as NYU Law School’s Jean Monnet Working Paper, deep changes in the status quo on the issue of the publication of the new citizens’ personal data have occurred in recent years alongside the magnification of privacy and data protection-related concerns. These concerns relate to the possible steep negative consequences such publication could have for the new citizens, including potential interference with business or financial interests in the original or new state of nationality.
Similarly, since some states prohibit dual nationality, publication of naturalisation data could potentially lead to withdrawal of one of the individual’s citizenship statuses, leading to a potentially significant downgrade of rights. Indeed, protecting new citizens from the harassment of the original state of nationality refusing to view multiple citizenship as a human right, as proposed by Spiro, has been a notable trigger behind the introduction of secrecy rules related to the naturalisation information, as could be illustrated, for instance, by the Hungarian practice.
Despite the clear trend toward greater restriction, a remarkable degree of variance remains in terms of whether EU Member States publish personal details of new citizens upon naturalisation or not, and if so, in what form. Ultimately, an investigation into the relevant privacy and data protection standards leads us to argue that states ought to take European privacy standards into account when assessing their current publication practices, particularly in light of the concerns that have arisen in respect to information sharing in the digital age.
For decades, many Member States’ measures entailing the publication of instances of naturalisation went unremarked and unquestioned. This is clearly no longer the case, as demonstrated by the European Migration Network’s (EMN) 2015 Ad-Hoc Query on Naturalization requested by Irish authorities.
Diversity in publication practice
On whether or not to publish, debates and differences in state practice can be seen in the examples of Malta and Cyprus. In Malta, the annual publication of the names of those who naturalise is mandated by law. The published list does not specify the route according to which a new citizen has naturalised, whether via the IIP or another legal basis. Media and political actors arguing along the lines of transparency and the public interest have requested or called on the disclosure of a list of IIP investors specifically, but this has been refused on the grounds that such disclosure would be illegal.
Similar was the response by Cypriot authorities when The Guardian published a leaked list of names of naturalised investors in 2017. Unlike in Malta, however, in Cyprus the names of those who naturalise are not published at all by the state. Following the leak, the national data protection authority (DPA) ordered the report be deleted and noted that the leak could potentially be a criminal offence. The subsequent April 2018, a bill providing for the official, legal, disclosure of such a list was rejected by the Cypriot Parliament.
Differences in format can also be seen more generally across the EU Member States that do publish an individual’s details upon naturalisation. Some Member States’ naturalisation-related publications are limited to names only, whereas others include dates and place of birth (eg Belgium, France, Lithuania, Portugal). Sometimes special ID numbers are published too, as seen in Greece.
Trend towards restriction
Notwithstanding the large degree of variance, in recent years a clear trend has emerged towards restricting the publication of personal information after naturalisation. In Latvia, after several official analyses of such publications – which included personal identification codes – the practice was deemed to conflict with national data protection and privacy legislation. To balance such interests with the public’s interest in disclosure, since 2017 each national OJ issue now only discloses the number of individuals naturalised. Personal data has been redacted from previous issues.
In Ireland, the legally-required publications included even the new citizen’s personal address. The government and DPA initially defended the practice after it was criticised in the media and by civil society in August 2015. Shortly after the EMN Ad-Hoc Query report requested by the Irish Justice Department, in 2016 these publications in the online Gazette ceased.
French legislators opted for a different approach to restriction. When the French OJ was digitised in 2016, ‘protected access’ barriers were implemented to ensure nationality-related acts would not be indexed by search engines. This data protection measure has been largely circumvented by a website that assembled links to all OJ issues containing naturalisation decrees since 2016.
Others have opted for a temporal approach to restriction, eg in the Netherlands. A 2017 Dutch decree limited access to archives disclosing an individual’s naturalisation to only 100 years after the citizen’s date of birth.
Applicable legal framework?
Legal questions arise given the general greater focus on privacy and data protection in Europe, clear trend of reviewing and restricting publication practices, and the increasing prevalence of acquiring multiple nationalities – as seen eg with the rise of investment migration schemes. In that light, a common regulatory framework governing issues such as the publication of newly-naturalised citizens personal data is desirable.
It is first and foremost noteworthy that all the above changes in Member State practice involved considerations based on EU data protection law, now in the form of the 2018 General Data Protection Regulation (GDPR). Naturalisation publications seemingly do amount to ‘processing of personal data’ in the sense of the broad scope of the GDPR.
However, we found it unlikely that a situation would arise in which such publications would not benefit from the exemption of processing carried out ‘in the course of activity which falls outside the scope of Union law’. It is not impossible, however, if the situation fell within the scope of another area of EU law, such as EU citizenship.
From the case law of the EU Court of Justice, we identified two circumstances in which this could arise:
- where the rights enjoyed by virtue of possessing EU citizenship status are violated (as seen in Eman and Sevinger and Delvigne in relation to the right to elect EU Parliament members)
- where the enjoyment of EU citizenship as such is disproportionately threatened (as per Rottmannandrecently, Tjebbes)
It is seemingly unlikely that many Member State publications of individual’s personal information upon naturalisation would involve one of these two situations. Nevertheless, since it is not entirely impossible, and also given the abovementioned state authority investigations based on EU data protection law, a de facto minimal level of harmonisation in this field based on GDPR standards is not unimaginable.
Instruments of the Council of Europe also contain legal standards relevant to European practice in this field. In terms of the European Convention on Human Rights’ (ECHR) Article 8 right to privacy, State publications of naturalisation-related personal information would likely be protected by the Article 8-2 limitation clause. This is due to the margin of appreciation given to State restrictions particularly when there is no consensus amongst States in the area.
As for the Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, this ‘GDPR-lite’ applies to data processing also in public sectors and does not present the same issue of scope as the GDPR. The Convention provides essential building blocks for national data protection law, especially in its basic principles of lawfulness, fairness, purpose limitation, and data minimisation (also enshrined in the GDPR). These principles unquestionably apply to State naturalisation publications.
Several recommendations can be made based on the discussed legal standards. First and foremost, States that have not reviewed their practices in respect to naturalisation publications in recent years should do so. This is in light of the increasing importance and harmonisation of privacy and data protection issues, which arguably make the development of a common standard to naturalisation publications all the more desirable.
If States do opt for such publication, they should assess in particular their substance, such as whether the publication contains just an individual’s name, or additional details. The publication’s format should also be considered in terms of its accessibility and eg whether any privacy safeguards are taken.
Moreover, temporal dimensions should arguably also be factored in to such an assessment, as has been done in the sense of the ‘right to be forgotten’ established in Google Spain. For instance, is it proportionate to maintain the digital availability of decade-old OJ publications containing information related to naturalised citizens?
At a minimum, at each instance states should provide a formal opportunity for individuals to demonstrate the disproportionately negative effect such measures could have on their privacy or data protection rights, providing an opt-out from publication where appropriate.