The Data Protection Commission (DPC) has published Guidelines to support the Government with drafting future regulations restricting the rights of individuals afforded by the GDPR. Whilst the GDPR strengthens the rights of individuals, Article 23 allows Member States or the EU to restrict the scope of individuals’ rights and controllers’ obligations in certain circumstances. Section 60 of the Irish Data Protection Act 2018 (the Act), which came into effect alongside the GDPR, provides for a number of such restrictions, as well as allowing Government Ministers to make regulations further restricting individuals’ rights. It is a mandatory requirement that the Government Minister consults with the DPC before making such regulations.
Article 23 GDPR
Article 23 sets out a number of conditions which must be met in order to lawfully restrict the rights of a data subject afforded by Articles 12-22 and Article 34 (and Article 5 insofar as those principles correspond to the rights and obligations provided for in the aforesaid Articles). Any legislative measure used to restrict the rights of a data subject must be of limited scope, and be applied in a strictly necessary, proportionate and specific manner. Section 60 of the Act gives further effect to Article 23, and both provisions should be read together.
The Conditions
Article 23 provides that any restriction must:
(I) Be set out in Union or Member State Law via a legislative measure
Recital 41 of the GDPR provides guidance about what constitutes a legislative measure. Whilst the GDPR does not necessarily require a legislative act to be adopted by parliament, such a legal basis should be clear and precise. Recital 8 of the GDPR notes that the reason for the restriction, and how and when it may apply, should be clear to persons to whom it applies.
(II) Respect the essence of the fundamental rights and freedoms
The essence of a fundamental right means that any interference with the right should not be such that the right is in effect emptied of its basic content and the individual cannot exercise the right.. Legislation not providing any possibility for an individual to pursue legal remedies to uphold their data protection rights may not be permissible. Any legislation must respect the essence of fundamental rights to effective protection.
(III) Be necessary and proportionate in a democratic society
Necessity is a facts/evidence-based concept which must be considered in light of the specific circumstances surrounding the provisions of a measure and the defined purpose it aims to achieve. Proportionality requires that the restriction must be appropriate for attaining the legitimate objectives pursued by the legislation.
(IV) Safeguard one of the interests set out in Article 23(1)
The GDPR provides a general list of interests which can be safeguarded. These are further clarified in sections 60(3) and 60(7) of the Act. An organisation that seeks to rely upon a restriction must ensure that it is safeguarding at least one of these public interests.
(V) Contain specific provisions set out in the GDPR as per Article 23(2)
It is mandatory that any legislative measure restricting individuals’ rights lays down clear rules concerning its scope and imposing minimum safeguards. In particular, any proposed legislative measure must contain information concerning:
- the purposes of the processing or categories of processing;
- the categories of personal data;
- the scope of the restrictions introduced;
- the safeguards to prevent abuse or unlawful access or transfer;
- the specification of the controller or categories of controllers;
- the storage periods and the applicable safeguards taking into account the nature, scope and the risks to the rights and freedoms of data subjects; and
- the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
When a Government Minister consults with the DPC in regard to regulations restricting individuals rights, all of the above conditions should be specifically addressed and appropriately underpinned in the draft proposed legislative measures in advance of any approach to the DPC.