Case C‑33/22
Österreichische Datenschutzbehörde
v
WK
(Request for a preliminary ruling from the Verwaltungsgerichtshof (Austria))
Judgment of the Court (Grand Chamber) of 16 January 2024
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Article 16 TFEU – Regulation (EU) 2016/679 – Article 2(2)(a) – Scope – Exclusions – Activities which fall outside the scope of Union law – Article 4(2) TEU – Activities concerning national security – Committee of inquiry set up by the parliament of a Member State – Article 23(1)(a) and (h), Articles 51 and 55 of Regulation (EU) 2016/679 – Competence of the supervisory authority responsible for data protection – Article 77 – Right to lodge a complaint with a supervisory authority – Direct effect)
1. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Scope – Exceptions – Processing of data in the course of an activity which falls outside the scope of EU law – Activity carried out by a committee of inquiry set up by the parliament of a Member State in the exercise of its power of scrutiny over the executive – Not included – Application of the regulation
(Art. 16(2), first sentence, TFEU; European Parliament and Council Regulation 2016/679, recital 16 and Art. 2(2)(a))
(see paragraphs 37-43, operative part 1)
2. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Scope – Exceptions – Processing of data in the course of an activity which falls outside the scope of EU law – Activity which is intended to safeguard national security or which falls into that category – Meaning – Activity carried out by a committee of inquiry set up by the parliament of a Member State in the exercise of its power of scrutiny over the executive – Investigation as to whether there is any political influence over a police State-protection authority – Not included
(Art. 4(2) TEU; European Parliament and Council Regulation 2016/679, recital 16 and Arts 2(1) and (2)(a) and 23)
(see paragraphs 46, 50-57, operative part 2)
3. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – National supervisory authorities – Right of a Member State to establish a single supervisory authority – Competence of the supervisory authority conferred by the regulation – Limitation of the competence resulting from national provisions of a constitutional nature – Not permissible – Primacy and direct effect of EU law
(European Parliament and Council Regulation 2016/679, recital 117 and Arts 51(1), 55(1) and (3), and 77(1))
(see paragraphs 62-72, operative part 3)
Résumé
Ruling on a request for a preliminary ruling from the Verwaltungsgerichtshof (Supreme Administrative Court, Austria), the Court of Justice, sitting as the Grand Chamber, holds that the activity of a parliamentary committee of inquiry does not fall outside the scope of the GDPR. (1)
In order to examine whether there was any political influence over the Bundesamt für Verfassungsschutz und Terrorismusbekämpfung (Federal Office for the Protection of the Constitution and for Counterterrorism, Austria), (2) the Nationalrat (National Council, Austria) set up a committee of inquiry (‘the BVT Committee of Inquiry’). That committee heard WK as a witness. Despite his request for anonymisation, the minutes of his hearing, referring to his full family and first names, were published on the website of the Parlament Österreich (Austrian Parliament). Claiming that that disclosure of his identity was contrary to the GDPR and to Austrian legislation, (3) WK lodged a complaint with the Österreichische Datenschutzbehörde (Data Protection Authority, Austria) (‘the Datenschutzbehörde’). By a decision of 18 September 2019, the Datenschutzbehörde declared that it lacked competence to decide on the complaint, stating that the principle of the separation of powers precluded it, as a body of the executive, from being able to exercise scrutiny over the BVT Committee of Inquiry, which is a part of the legislature.
Following the decision of the Bundesverwaltungsgericht (Federal Administrative Court, Austria), which had upheld WK’s action and annulled the decision of the Datenschutzbehörde, the latter brought an appeal on a point of law (Revision) before the Verwaltungsgerichtshof (Supreme Administrative Court) against the decision of the Bundesverwaltungsgericht (Federal Administrative Court).
In that context, the referring court asked the Court whether the activities of a committee of inquiry set up by the parliament of a Member State fall within the scope of the GDPR and whether that regulation applies where those activities concern the protection of national security. Furthermore, it asked the Court to rule on whether the GDPR confers on a national supervisory authority such as the Datenschutzbehörde the competence to hear complaints relating to the processing of personal data by a committee of inquiry in the course of its activities.
Findings of the Court
In the first place, the Court recalls that Article 2(2)(a) of the GDPR, which provides that that regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of EU law, has the sole purpose of excluding from its scope the processing carried out by State authorities in the course of an activity which is intended to safeguard national security or which can be classified in the same category. Thus, the mere fact that an activity is characteristic of the State or of a public authority is not sufficient automatically to preclude the application of the GDPR to such an activity. (4)
That interpretation, which follows from the absence of any distinction depending on the identity of the controller concerned, is borne out by Article 4(7) of the GDPR. (5)
The Court states that the parliamentary nature of the BVT Committee of Inquiry does not mean that its activities fall outside the scope of the GDPR. The exception provided for in Article 2(2)(a) of that regulation refers only to categories of activities which, by their nature, fall outside the scope of EU law, and not to categories of persons. Accordingly, the fact that the processing of personal data is carried out by a committee of inquiry set up by the parliament of a Member State in the exercise of its power of scrutiny over the executive does not make it possible, as such, to establish that that processing is carried out in the course of an activity which falls outside the scope of EU law.
In the second place, the Court states that, although it is for the Member States to define their essential security interests and to take appropriate measures to ensure them, (6) the mere fact that a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt the Member States from the need to comply with EU law. The exception provided for in Article 2(2)(a) of the GDPR refers only to categories of activities which, by their nature, fall outside the scope of EU law. In that regard, the fact that the controller is a public authority whose main activity is to safeguard national security cannot suffice, as such, to exclude from the scope of the GDPR the processing of personal data that it carries out in the course of its other activities.
In the present case, the political scrutiny exercised by the BVT Committee of Inquiry does not appear to constitute, as such, an activity intended to safeguard national security or falling within the same category. Accordingly, subject to verification by the referring court, that activity does not fall outside the scope of the GDPR.
That said, a parliamentary committee of inquiry can have access to personal data which, for reasons of national security, must enjoy specific protection. In that regard, restrictions on the obligations and rights flowing from the GDPR may be laid down, by way of a legislative measure, to safeguard, inter alia, national security. (7) Restrictions concerning the collection of personal data, the provision of information to data subjects and their access to those data, or the disclosure of those data, without the consent of the data subjects, to persons other than the controller, could thus be justified on that basis, on the condition that such restrictions respect the essence of the fundamental rights and freedoms of data subjects and are a necessary and proportionate measure in a democratic society.
The Court notes that it is nevertheless not apparent from the information available to it that the BVT Committee of Inquiry alleged that the disclosure of the personal data of the data subject was necessary for the safeguarding of national security and had its basis in a national legislative measure laid down to that end, which it is, as the case may be, for the referring court to ascertain.
In the third and last place, the Court states that the provisions of the GDPR relating to the competence of national supervisory authorities and to the right to lodge a complaint (8) do not require the adoption of national implementing measures and are sufficiently clear, precise and unconditional to have direct effect. It follows that, while the GDPR leaves a margin of discretion to the Member States as regards the number of supervisory authorities to be established, (9) it determines, by contrast, the extent of their competences to monitor the application of the GDPR. Thus, where a Member State decides to establish a single national supervisory authority, that authority necessarily has all the competences provided for by that regulation. Any other interpretation would undermine the effectiveness of those provisions and risk weakening the effectiveness of all the other provisions of the GDPR that may be the subject of a complaint.
As regards the fact that national constitutional provisions preclude the possibility for a supervisory authority which is part of the executive branch to monitor the application of the GDPR by a body which is part of the legislature, the Court points out that it is precisely with due regard for the constitutional structure of the Member States that the GDPR merely requires Member States to establish at least one supervisory authority, while offering them the possibility of establishing more than one. That regulation thus grants each Member State a margin of discretion enabling it to establish as many supervisory authorities as may be required, in particular, in the light of its constitutional structure.
Furthermore, a Member State’s reliance on rules of national law cannot be allowed to undermine the unity and effectiveness of EU law. The effects of the principle of the primacy of EU law are binding on all the bodies of a Member State, without, in particular, provisions of domestic law, including constitutional provisions, being able to prevent that. (10)
Thus, where a Member State has chosen to establish a single supervisory authority, it cannot rely on provisions of national law, be they constitutional in nature, in order to exclude the processing of personal data coming within the scope of the GDPR from the supervision of that authority.