National Parliamentary Committees and the Scope of the GDPR

In a reference for a preliminary ruling[1], the Court of Justice of the European Union (CJEU) (Grand Chamber), held that the activity of a committee of a national parliament does not fall outside the scope of the GDPR[2].

In order to establish whether there was political influence on a public body in Austria – the Federal Office for the Protection of the Constitution and for Counter-terrorism – the Nationalrat, the lower house of the Austrian national Parliament, set up a committee of inquiry.

As part of its work, this committee heard an individual, WK, as a witness and despite his request for anonymity, the minutes of the hearing were published in the website of the Austrian Parliament, which included his full name.

The aggrieved individual lodged a complaint with the Austrian Data Protection Authority claiming that the disclosure of his identity was a breach of the GDPR and national law.

The Austrian Data Protection Authority rejected the complaint, declaring that it had no competence to decide on the basis of the principle of separation of powers, the authority being a body of the executive, which is being asked to exercise scrutiny over a committee of inquiry which is part of the legislative branch.

The case was brought before the Federal Administrative Court of Austria, which annulled the decision of the Data Protection Authority and ruled in favour of WK’s action. The Authority appealed the ruling on a point of law before the Supreme Administrative Court which referred the matter to the CJEU for a preliminary ruling.

The referring Court asked the CJEU:

1. whether the activities of a committee of inquiry set up by the parliament of a Member State fall within the scope of the GDPR;
2. whether the same Regulation applies when those activities relate to the protection of national security;
3. whether the GDPR confers on a national supervisory authority such as the Austrian Data Protection Authority the competence to hear complaints relating to processing of personal data by a parliamentary committee of inquiry in the course of its activities.

In its ruling, the Court made reference to Art 2(2)(a) of the GDPR which provides:

2. This Regulation does not apply to the processing of personal data;

(a) in the course of an activity which falls outside the scope of Union law;

The Court held that the sole purpose of excluding from its scope the processing carried out by State authorities, is in the course of an activity whose aim is to safeguard national security or any other activity which may be classified within the same category.

It held that the mere fact that an activity is a characteristic of the State or a public authority, it is not sufficient to exclude the application of the GDPR[3] as Article 4(7) of the GDPR does not make any distinction based on the identity of the controller:

4.  For the purposes of this Regulation:

(7) ‘controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …

The Court further stated that the parliamentary nature of the committee of inquiry under review does not mean that its activities fall outside the scope of the GDPR. The exception provided in Article 2(2)(a) does not refer to categories of persons.

Secondly, in reference to the element of national security, the Court held that although it is for the Member States to define their essential security interests and implement measures accordingly as provided in the Treaties, the mere fact that a national measure is taken for the purpose of protecting national security cannot render EU law inapplicable and as a consequence exempting Member States from complying with EU law.

The CJEU held that in the case under review, where the political scrutiny exercised by a parliamentary committee of inquiry, does not appear to constitute an activity that qualifies under the exemption of Art 2(2)(a) of the Regulation and consequently it is not outside the scope of the GDPR.

On the other hand, the Court noted that in terms of Article 23 of the Regulation, a parliamentary committee can have access to personal data which must enjoy specific protection for reasons of national security. This may be carried out by a legislative measure restricting the rights and obligations emanating from the GDPR justifying that the restriction respects the essence of the fundamental rights and freedoms of the data subjects and are a necessary and proportionate measure in a democratic society.

Finally, the Court stated that the provisions of the GDPR on the competence of the national supervisory authorities[4]  and the right to lodge a complaint[5] have a clear, precise and unconditional direct effect and therefore not requiring implementing measures on a national level. It further reiterated that reliance on national law cannot be allowed to undermine the unity and effectiveness of EU Law.[6]

The court pointed out that GDPR does leave a measure of discretion to Member States as to the composition and number of supervisory authorities but if a Member State opts for a single national supervisory authority, it cannot then “rely on provisions of national law, be they constitutional in nature, in order to exclude the processing of personal data coming within the scope of the GDPR from the supervision of that authority”[7]. It is precisely to prevent such limitations that the GDPR provides this discretion on how the supervisory authority or authorities operate in each Member State.

Therefore, in terms of this judgment handed down on the 16^th of January 2024, the committees set up by national parliaments of Member States are subject to scrutiny by supervisory authorities in terms of GDPR compliance, irrespective of any constitutional or other national laws that bar such scrutiny.

In such instances, Member States may have to set up additional supervisory authorities with a special remit to supervise GDPR compliance by the legislative branch.

[1] Case C-33/22 Request for a preliminary ruling from the Verwaltungsgerichtshof (Supreme Administrative Court, Austria), decided on 16^th January 2024.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 94/46/EC

[3] C-439-19, (para.66) decided on 22^nd June 2021, and C-306/21, (para 39) decided on 20^th October 2022

[4] Art 55(1) GDPR

[5] Art 77(1) GDPR

[6] C-33/22 para 70

[7] Ibid. para 71

This article does not purport to give legal advice. Should you require further information or legal assistance, please do not hesitate to contact us.