Article 23 of the General Data Protection Regulation (GDPR) allows EU Member States to restrict the scope of data subjects’ GDPR rights and organisations’ GDPR obligations.
The Irish data protection authority, the Data Protection Commission (DPC), released guidelines (Guidelines) on GDPR Article 23 on 19 June 2018. The Irish Data Protection Act 2018 (the Act) was recently passed by the Irish parliament. The Act fills in the details of the derogations left to EU Member States under GDPR.
The Guidelines’ purpose is to provide advice for the Irish government when drafting regulations that restrict data subjects’ rights and organisations’ obligations.
GDPR Article 23
Any proposed restriction requires a detailed analysis of the following conditions to justify why it is required and how it will apply. Restrictions must:
(i) Be set out in Union or Member State Law via a legislative measure
GDPR Recital 41 provides guidance about what constitutes a legislative measure. The GDPR does not necessarily require a legislative act to be adopted by parliament. However, it should be precise and easy for a non-professional to apply. GDPR Recital 8 states that the reason for the restriction, as well as how and when it may apply, should be clear to anyone whom it may affect.
(ii) Respect the essence of the fundamental rights and freedoms
The essence of a fundamental right means that any limitation must not go so far as to strip the right of its core elements. An individual must not be prevented from exercising their fundamental rights and freedoms. Legislation that provides no possibility for an individual to pursue legal remedies to uphold their data protection rights may not be permissible. Any legislation must respect the essence of the fundamental right to effective protection.
(iii) Be necessary and proportionate in a democratic society
Necessity must be considered in the light of the specific circumstances surrounding the provisions of a measure and its intended purpose.
Proportionality requires that the restriction must be appropriate for attaining the legitimate objectives pursued by the legislation. The restriction should not exceed the limits of what is appropriate and necessary to achieve those objectives.
(iv) Safeguard one of the interests set out in GDPR Article 23(1)
The GDPR provides a general list of interests that a restriction may safeguard. These include national security, defence and public security. An organisation that seeks to rely upon a restriction must ensure that it safeguards at least one of these interests.
(v) Contain specific provisions set out in the GDPR as per GDPR Article 23(2)
It is mandatory that any measure proposing to introduce a restriction contains the following information:
- the purposes of the processing or categories of processing;
- the categories of personal data;
- the scope of the restrictions introduced;
- the safeguards to prevent abuse or unlawful access or transfer;
- the specification of the controller or categories of controllers;
- the storage periods and the applicable safeguards taking into account the nature, scope and the risks to the rights and freedoms of data subjects; and
- the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
Consultation with the DPC
Section 60 of the Act gives further effect to GDPR Article 23. Section 60(10) requires the Irish government to consult the DPC about any intended restrictions based on GDPR Article 23.
Implementation
A proposed legislative measure should be supported by evidence describing:
- the problem to be addressed,
- how the problem will be addressed by the measure, and
- why existing or less intrusive measures cannot sufficiently address the problem.
There is also a requirement to demonstrate how any proposed interference or restriction genuinely meets objectives of general interest of: (i) the Irish state and/or the EU; or (ii) protecting the rights and freedoms of others.