EU: EDPB final opinion on restrictions under Article 23 GDPR
The European Data Protection Board ('EDPB') published the final version of the Guidelines 10/2020 on Restrictions under Article 23 GDPR1 ('the Guidelines') on 19 October 2021, and adopted the Guidelines on 13 October 2021. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, discusses the key points of the Guidelines, as well as specific elements for data controllers and processors.
Any restriction shall respect the essence of the right that is being restricted. This means that restrictions that are extensive and intrusive to the extent that they void a fundamental right of its basic content and cannot be justified.
A general exclusion of data subjects' rights with regard to all or specific data processing operations or with regard to specific controllers would not respect the essence of the fundamental right to the protection of personal data, as enshrined in the Charter of Fundamental Rights of the European Union.
Legislative measures laying down restrictions and the need to be foreseeable
- Without the corresponding legislative measure, controllers cannot rely directly on the grounds listed in Article 23(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
- The legislative measure should be clear and precise, and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union ('CJEU') and the European Court of Human Rights ('ECHR').
- The domestic law must be sufficiently clear in its terms to give individuals an adequate indication of the circumstances in and conditions under which controllers are empowered to resort to any such restrictions.
- The same strict standard should be applied for any restrictions that could be imposed by Member States.
- A legislative measure laying down the provisions for the application of restrictions under Article 23 of the GDPR does not always have to be limited in time or linked to a specific period. In light of the principle of necessity and proportionality, it is necessary to ensure that such legislative measures relate to a ground for restriction to be safeguarded on an ongoing basis, or permanently, in a democratic society. For instance, a legislative measure restricting the scope of the obligations and rights provided for in Articles 12 - 22 and Article 34 of the GDPR for safeguarding the protection of judicial independence and judicial proceedings may, for example, be considered as fulfilling a continuing objective in a democratic society and therefore may not be limited in time.
- Sometimes, however, the restriction must be limited in time in order to be foreseeable. In the context of a state of emergency to safeguard public health, the EDPB considers that restrictions, imposed for a duration not precisely limited in time, do not meet the foreseeability criterion, including when such restriction apply retroactively or are subject to undefined condition.
- This link between the foreseen restrictions and the objective pursued should be clearly established and demonstrated in the concerned legislative measure or additional supplementary documents. For instance, the mere existence of a pandemic alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects; rather, any restriction shall clearly contribute to the safeguard of an important objective of general public interest of the Union or of a Member State
Grounds for restriction (exhaustive list)
- National security, defence, public security, and protection of human life, especially in response to natural or man-made disasters.
- Prevention, investigation, detection, and prosecution of criminal offences or the execution of criminal penalties; any disclosure omitted due to this needs to be provided as soon as it is possible.
- Other important objectives of general public interest, for example. important economic or financial interest, including monetary, budgetary and taxation matters, public health, and social security. Such restriction should be limited to the time necessary for the specific investigation and should be lifted as soon as the Tax Administration closes the investigation.
- Protection of judicial independence and judicial proceedings.
- Prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions (e.g. doctors and lawyers).
- Monitoring inspection or regulatory function connected to the exercise of official authority.
- Protection of the data subject or the rights and freedoms of others, for example, legislative measure may provide that the person subject to an inquiry or disciplinary proceedings may experience a limitation to his or her right of access, where the identity of an alleged victim or witness whistleblower cannot be disclosed in order to protect him or her from retaliation.
- Enforcement of civil law claims.
Data subject rights and controller's obligations which may be restricted
- The restrictions to obligations concern restrictions to the principles relating to the processing of personal data as far as the provisions of Article 5 of the GDPR correspond to the obligations provided in Articles 12 - 22 of the GDPR and to the communication of a personal data breach to the data subjects (Article 34 of the GDPR). Any other data subjects' rights - such as the right to lodge a complaint to the supervisory authority (Article 77 of the GDPR) - or other controllers' obligations cannot be restricted.
- Restrictions to the data protection principles need to be duly justified by an exceptional situation, respecting the essence of the fundamental rights and freedoms at issue and following a necessity and proportionality test.
Necessity and proportionality
First, identify the objective in sufficient detail so as to allow the assessment on whether the measure is necessary.
- Necessity: The case law of the CJEU applies a strict necessity test for any limitations on the exercise of the rights to personal data protection and respect for private life with regard to the processing of personal data: "derogations and limitations in relation to the protection of personal data (...) must apply only insofar as is strictly necessary".
- Proportionality: The restriction must therefore be appropriate for attaining the legitimate objectives pursued by the legislation at issue and not exceed the limits of what is appropriate and necessary in order to achieve those objectives.
- Demonstrate: (i) evidence describing the problem to be addressed by that measure; (ii) how it will be addressed by it; (iii) why existing or less intrusive measures cannot sufficiently address it; and (iv) how any proposed interference or restriction genuinely meet objectives of general interest of the State and EU or the need to protect the rights and freedoms of others.
Requirements under Article 23(2) of the GDPR
The legislative measures imposing restrictions to the rights of data subjects and the controllers' obligations shall contain, where relevant, specific provisions including:
- the purposes of the processing or categories of processing affected by the legislation; providing a clear understanding of the restriction, how, why, and why it applies;
- categories of personal data subject to the restrictions;
- scope of restrictions: which rights are concerned and how far they will be limited;
- safeguards to prevent abuse or unlawful access or transfer;
- who the controller is or who the categories of controllers are;
- how long the data will be stored (which can be calculated as the duration of the processing operation plus additional time for potential litigation);
- risks to data subjects rights and freedoms; and provide the assessment in the recitals or explanatory memorandum of the legislation or in the impact assessment; and
- right to be informed about the restriction, unless this may be prejudicial to the purpose of the restriction (to this end, a privacy notice may be sufficient).
For example, in extraordinary circumstances, for instance in the very preliminary stages of an investigation, if the data subject requests information when he or she is being investigated, the controller could decide not to grant that information at that moment - if this restriction would be lawful and strictly necessary in the specific case to what would be prejudicial to the purpose of the restriction. At a later stage, such as after the preliminary phase of the investigation or inquiry is completed, data subjects should receive a (specific) data protection notice. It is still possible at this stage that certain rights continue to be restricted, such as the right of access to the information about the opening of an investigation, or to the allegations of potential victims of harassment. This fact should be indicated in the data protection notice along with an indication of a period in which the rights will be fully restored, if possible.
Consultation with the supervisory authorities
- Where restrictions are adopted at the level of the Member States, supervisory authorities shall be consulted before the adoption of the legislative measure to be adopted by a national parliament.
- It is within the tasks of the supervisory authorities to provide advice on legislative measures relating to the protection of individuals' rights and freedoms regarding their personal data processing.
- If supervisory authorities are not duly consulted, they can issue under Article 58(3)(b) of the GDPR on their own initiative opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions or bodies as well as to the public.
Specific elements for controllers/processors:
- It is good practice that the controller documents the application of restrictions on concrete cases by keeping a record of their application. This record should include: (i) the applicable reasons for the restrictions; (ii) which ground(s) among those listed in Article 23(1) of the GDPR apply(ies) (where the legislative measure allows for restrictions on different grounds); and (iii) its timing and the outcome of the necessity and proportionality test. The records should be made available on request to the data protection supervisory authority.
- In case the controller has a data protection officer ('DPO'), the DPO should be informed - at least in a general manner - without undue delay whenever data subject rights are restricted.
Exercise of data subject rights after restriction is lifted
The controller should lift the restrictions as soon as the circumstances that justify them no longer apply. If the data subjects have not yet been informed of the restrictions before that moment, they should be at the latest when the restriction is lifted.
During the application of a restriction, data subjects may be allowed to exercise all their rights, that are not restricted.
- When the restriction is lifted - which should be documented in the record mentioned in section 5 - data subjects can exercise all their rights.
- If the controller does not allow data subjects to exercise their rights after the restriction has been lifted, the data subject can submit a complaint to the supervisory authority.
Non-observation of a legislative measures by a controller
- Where the legislative measures imposing restrictions under Article 23 of the GDPR comply with the GDPR but are infringed by a controller, supervisory authorities can make use of their advisory, investigative, and corrective powers against it, as in any other case of non-observation of GDPR rules.
- If corrective measures need to be applied, the supervisory authorities can: issue warnings, reprimands, and order compliance with the data subject requests; order the controller or processor to bring the processing into compliance; order the controller to communicate a data breach to the data subject; impose a temporary or definitive ban on processing; order rectification or erasure of personal data; impose an administrative fine; or order the suspension of data flows.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia