Accessing Personal Information in Legal Opinions

A recent decision of the Court of Justice of the European Union found that the Dutch immigration authorities were not required to give a person access to a legal opinion about the person’s immigration status, though the opinion contained personal information about the person. Here is a story about the decision. Giving a summary of the personal information contained in the opinion was sufficient to comply with the obligation under the EU Privacy Directive to let people see the personal information about themselves.

Would such a request have a similar outcome in Canada, or would PIPEDA provide a separate exemption? It is not surprising to me that the legal opinion was off limits, but maybe I’m taking too narrow a view of it.

What do you think of the lawyer’s comment in the article that it’s of limited use to have access to one’s personal information if one can’t find out what is being done with it.

In a data analytics context for instance, a right to access data about you is pretty thin if you cannot also obtain the conclusions that are being drawn on the basis of that data.

Does that make sense to you? Or is it just trying to do too much with a privacy statute … which is why Canada accompanies privacy laws with access to information laws?


  1. David Collier-Brown

    Were this in Canada, I’d presume the information was only collected for a particular purpose, and that collection was consented to by the person, for that purpose. Or was collected by statute.

    To then deny the person knowledge of the purpose would be either nonsensical, or impossible.

    Access to the entirety of the legal opinion might be more than required to discover the purpose, but if the purpose turned out to be, for example, to deny the person residence, then the person should be entitled to know that. If not, how would they know to object to it?


  2. But does privacy law require that disclosure, Dave? Administrative law fairness might require it, so that a person affected by an official action has the ability to dispute it effectively, i.e. know the case he/she has to meet. In the EU case, the applicants sought to see the legal opinion based on rights under the Privacy Directive to see their personal information. That may not extend so far.

    But your point is related to the comment by the British lawyer I quoted: if you can’t see what they’re doing with the PII, the right to see the PII they’re using is not much good to you.

    Is the solution to that problem the extension of privacy law to disclosure of the full document (or more of it, anyway) or the creation or use of a different right for a purpose that is different from that served by privacy law?