Section 5
Restrictions
Author: Alexander Dix
- Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.
- In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
(a) the purposes of the processing or categories of processing;
(b) the categories of personal data;
(c) the scope of the restrictions introduced;
(d) the safeguards to prevent abuse or unlawful access or transfer;
(e) the specification of the controller or categories of controllers;
(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
(g) the risks to the rights and freedoms of data subjects; and
(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
A. Preliminary remarks
The rights of the data subject in Chapter III of the Regulation themselves contain exceptions and restrictions formulated by the Union legislature. Furthermore, Art. 23 provides for an extensive list of additional restrictions of these rights and of certain rights under Article 34 which the Union or the Member States may stipulate by law. These restrictions are exceptions by nature. To begin with, the data subject’s rights, which substantiate the fundamental right under Art. 8 of the European Charter, are only restricted to the extent foreseen in Articles 12–22 and 34 of the Regulation. To the extent to which the Union or the Member States make use of the options in Art. 23, the rule/exception relationship between the principal rights of the data subject and the exceptional restrictions may not be reversed, i.e. the exception must not in practice become the rule. Furthermore, the legislative measures containing the restrictions have to be interpreted restrictively in the light of the fundamental right substantiated by the provision concerned so as to prevent a complete obliteration of the data subject’s right when implementing the provision. Art. 23 gives the legislatures of the Union and the Member States optional powers to restrict the scope of the obligations and rights; there is no obligation to make use of these powers. Such an obligation may, however, arise from other provisions in Union law (e.g. Art. 85 para. 1 GDPR) or from constitutional law of the Member States, which may require restrictions to protect the fundamental rights of others from significant curtailment through the exercise of a data subject’s rights. Systematically, Art. 23 has to be read in conjunction with the exceptions and restrictions contained elsewhere in the Regulation in order to avoid overlaps. As far as Articles 12–22 and 34 contain exemptions or restrictions covering the purposes mentioned in Art. 23 para. 1, there is no room for further restrictions under Art. 23.
Art. 23 has to be applied in a differentiated way. The European Data Protection Board in its detailed Guidelines has stressed that “even in exceptional cases, the protection of data cannot be restricted in its entirety.” Generally it will be necessary to examine each right of the data subject and each principle separately to determine whether and to what extent a restriction under Art. 23 is justified. For reasons of proportionality the option of case-by-case decisions should be provided for (→ mn. 13).
On the whole, the restrictions under Art. 23 must be in line with the European Charter of Fundamental Rights, the European Convention on Human Rights and Convention No. 108 of the Council of Europe, the wording of which is taken up at least in part in Art. 23 para. 1 (→ Recital 73). Therefore the jurisprudence of the European Court of Human Rights and the Court of Justice is especially relevant to the interpretation of Art. 23 (→ Recital 41). The Court of Justice considers the jurisprudence of the Human Rights Court to be a “minimum threshold of protection” in interpreting corresponding rights in the Charter. If the legislative measures taken under Art. 23 do not meet the requirements of this provision and there is no way to interpret these measures in line with the Regulation and the Charter, the rights and obligations under Articles 12–22 and 34 as well as the principles under Art. 5 apply without restrictions (→ mn. 8). Even taking these provisos into account, Art. 23 does leave the Union and the Member States a wide room for manoeuvre which may endanger the very aim of harmonization of data protection rules like hardly any other provision in the Regulation. On the whole, the catalogue of possible restrictions in Art. 23 goes far beyond the possible restrictions under Directive 95/46. However, as opposed to the Directive, this excessive catalogue of possible restrictions is limited by material hurdles in Art. 23 para. 1 (→ mns. 6 et seq.) as well as substantive requirements restricting Union or Member State law in Art. 23 para. 2 (→ mns. 30 et seq.). The European Commission in its first evaluation of the GDPR has criticized that most Member States, when providing for restrictions under Art. 23, “do not specify the objectives of general public interest safeguarded by these restrictions and/or do not sufficiently meet the conditions and safeguards required by Art. 23 (2).”
B. Legislative history
The Directive 95/46 in Art. 13 contains a general exception clause with a catalogue of purposes which is hardly shorter than in Art. 23 para. 1 of the Regulation. However, the Directive does not contain material conditions taken from the European Convention on Human Rights such as the essence of fundamental rights or the necessity in a democratic society. In part the same situations where restrictions may be justified were taken from the Directive, but the catalogue in the Regulation was also extended. Besides, the data subject’s rights in the Directive did not contain any exceptions; only the duty to inform in the case of obtaining data from third parties was restricted in a similar way as in Art. 14 para. 5 lit. b and c of the Regulation. The Commission had proposed in 2012 to allow for restrictions if they are necessary and proportionate in a democratic society. The European Parliament proposed that restrictions in addition had to serve a specified public interest, had to respect the essence of the fundamental rights and freedoms of the data subject and had to be proportionate in relation to a legitimate purpose. This proposal was at first not accepted by the Council but was nevertheless in large parts adopted during the trilogue. Only due to these material conditions was the broad exception clause in Art. 23 with rather vague restrictive purposes in the end accepted by the European Parliament. The exceptions relating to national security and defence were adopted following proposals by the Council. The Commission overcame the opposition by Parliament to have the “other objectives of general public interest” integrated in the text which includes economic and financial interests (Art. 23 para. 1 lit. c). The Council added that “important” objectives must be at stake and extended this provision to include public health and social security.
The European Parliament succeeded in including an extensive catalogue of compensatory measures which legislative measures have to provide for (Art. 23 para. 2).
The Directive (EU) 2016/680 for law enforcement and police matters does not contain an equivalent general clause which allows for restrictions to data subjects’ rights. However, the rights of the data subjects may be restricted by Member States according to specific provisions which contain exceptions in order to prevent the impairment of official investigations or the execution of a sentence and to protect public and national security as well as the rights and freedoms of others. The Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies in Art. 25 allows for similar restrictions either through legal acts on the basis of the Treaties or internal rules.
[…]