The European Data Protection Board (EDPB) has adopted a statement on restrictions on data subject rights in connection with the state of emergency in Member States. The EDPB emphasises that, despite the international crisis, the GDPR remains applicable and allows an efficient response to the pandemic, while still protecting fundamental rights and freedoms.
The EDPB’s statement was made in response to a Hungarian government decree dated 4 May 2020. The decree sets out certain derogations from the GDPR and, in particular, allows data controllers involved in Covid-19 related data processing to suspend the fulfilment of data subjects’ requests under Articles 15-22 GDPR (such as the right of access or erasure) until the state of emergency is revoked in Hungary. The decree does not indicate any time limit in respect of the state of emergency.
Article 23 of the GDPR allows national legislators to restrict the scope of certain GDPR obligations and rights. For example, in Ireland, section 60(3) of the Data Protection Act 2018 sets out a number of restrictions on individuals’ rights and controllers’ obligations. The EDPB has reiterated that such restrictions must respect the essence of the fundamental rights and freedoms, and be necessary and proportionate to safeguard, inter alia, important objectives of general public interest of the EU or of a Member State, in particular public health.
The EDPB announced that it would issue further guidelines on the implementation of Article 23 in the coming months and that any other documents adopted during the plenary session would be made available on the EDPB website once completed.
The EDPB statement sets out key principles regarding restrictions on data subject rights in connection with the state of emergency in Member States:
- Restrictions must not be general, extensive or intrusive to the extent that they void a fundamental right of its basic content. Data subject rights are at the core of the fundamental right to data protection and their application should be the general rule. Data subjects have a number of rights enshrined in Article 8 of the Charter of Fundamental Rights of the European Union (the Charter), such as the right of access and to rectification. The GDPR complements those rights with a number of additional rights, such as the right to object, the right to erasure and to portability.
- In accordance with Article 52(1) of the Charter, any restrictions must be provided for ‘by law’. In particular, the national law must be sufficiently clear to allow citizens to understand the circumstances and conditions in which data controllers may resort to such restrictions.
- Legislative measures restricting data subject rights must be foreseeable to persons subject to them, including with regard to their duration in time. Restrictions imposed for an undefined duration, which apply retroactively or are subject to undefined conditions, do not meet the foreseeability criterion.
- Any restriction must clearly contribute to the safeguarding of an important objective of general public interest, i.e. in the case of the current state of emergency, public health. The mere existence of an emergency situation alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects. This link between the restriction and the objective pursued must be clearly established and demonstrated.
- All restrictions of the rights of data subjects must apply only in so far as it is strictly necessary and proportionate to safeguard the objective pursued. A state of emergency is a legal condition which may legitimise restrictions of data subject rights, provided these restrictions only apply insofar as it is strictly necessary and proportionate in order to safeguard the public health objective. Data subject rights can be restricted but not denied.
- Restrictions suspending or postponing the application of data subject rights and the obligations incumbent on data controllers/processors, without any clear limitation in time, would equate to a de facto blanket suspension of those rights and would not be compatible with the essence of the fundamental rights and freedoms of data subjects. If a data subject request is not handled in a timely manner then the right underpinning it is no longer meaningful or effective.
The EDPB statement reflects the European Commission’s (EC) growing concern with Hungary’s approach to data protection rights during the pandemic. In May 2020, the EC Vice-President for Values and Transparency, Vera Jourová, stated that the executive was monitoring the situation in Hungary and that legal action had been considered in this regard, but that the EC had not yet decided to open an infringement procedure. The EDPB statement refers to the fact that the EC, as Guardian of the Treaties, has the duty to monitor the application of EU primary and secondary law and to ensure its uniform application throughout the EU, including taking actions where national measures would fail to comply with EU law.
The statement also emphasises the need for governments to consult national supervisory authorities (SAs) regarding proposed restrictions in accordance with Article 57(1)(c) GDPR, and that SAs should be empowered to monitor the application of such restrictions. The EDPB has stated it supports SAs in their endeavour to ensure that the restrictions (which comply with the criteria set out above) apply only in so far as they are strictly necessary and proportionate to safeguard public health.
In contrast to the approach taken by Hungary, the UK and Irish SAs have acknowledged that organisations, in particular healthcare and social services, may face difficulties in complying with statutory deadlines for responding to requests from data subjects, but that their data protection legal obligations still apply. They have indicated that in the event that a complaint is made by a data subject, they will adopt a proportionate regulatory response, taking into account an organisation’s need to prioritise other work areas during the health crisis, where applicable. The UK SA, in particular, has warned that it will take a strong regulatory approach against organisations taking advantage of the health crisis to breach data protection laws.