Luxembourg, 16 January 2024
PRESS RELEASE No 8/24
A parliamentary committee of inquiry must in principle comply with the General Data Protection Regulation
That is not the case where it in fact carries out an activity intended to safeguard national security.
A committee of inquiry set up by the parliament of a Member State in the exercise of its power of scrutiny over the executive must, in principle, comply with the General Data Protection Regulation (GDPR)1. Furthermore, where there is only one supervisory authority in that Member State, that authority is, in principle, competent to monitor compliance with the GDPR on the part of the committee of inquiry. By contrast, where the committee of inquiry in fact carries out an activity that, as such, is intended to safeguard national security, it is not subject to the GDPR or, consequently, to monitoring on the part of the supervisory authority.
The chamber of representatives of the Austrian Parliament, set up a committee of inquiry tasked with shedding light on whether there was any political influence over the Austrian Federal Office for the Protection of the Constitution and for Counterterrorism2.
That committee of inquiry heard a witness during a hearing covered by the media. The minutes of that hearing were published on the website of the Austrian Parliament. They contained the witness’ full name, despite his request for anonymisation. Claiming that the reference to his name was contrary to the GDPR, the witness lodged a complaint with the Austrian Data Protection Authority. He stated that he was working as an undercover investigator in the police intervention group responsible for combating street crime. The Data Protection Authority rejected the complaint, on the ground that the principle of the separation of powers precludes that authority, as a part of the executive branch, from monitoring whether the committee of inquiry, which is a part of the legislature, complies with the GDPR. The witness then challenged that finding before the Austrian courts.
The Austrian Supreme Administrative Court has asked the Court of Justice whether the committee of inquiry, which is a part of the legislature and carries out an inquiry as regards national security activities, is subject to the GDPR and monitoring on the part of the Data Protection Authority. The Court rules that even a committee of inquiry set up by the parliament of a Member State in the exercise of its power of scrutiny over the executive must, in principle, comply with the GDPR.
It is true that the GDPR does not apply to the processing of personal data carried out by State authorities in the course of an activity which is intended to safeguard national security. However, subject to verification by the Austrian Supreme Administrative Court, the inquiry in question does not appear to be intended, as such, to safeguard national security. That committee of inquiry was said to investigate whether there was any political influence over an authority belonging to the executive, which had been tasked with protecting the Constitution and combating terrorism.
That said, national security may justify a limitation, by way of a legislative measure, on the obligations and rights flowing from the GDPR. However, it is not apparent from the case file that the committee of inquiry in question alleged that the disclosure of the witness’ name was necessary in order to safeguard national security and had its basis in a legislative measure. It is nevertheless for the Austrian Supreme Administrative Court to carry out the verifications necessary in that regard. Since Austria has chosen to establish only one supervisory authority within the meaning of the GDPR, namely the Data Protection Authority, that authority is in principle also competent to monitor compliance with the GDPR on the part of a committee of inquiry such as the one in question, notwithstanding the principle of the separation of powers. That follows from the GDPR’s direct effect and the primacy of EU law, including vis-à-vis national constitutional law.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
2 On 1 December 2021, the Directorate of State Protection and Intelligence Services succeeded that office.
Source – EU Court of Justice – Email