During its 30th plenary session that took place on June 2, 2020, the European Data Protection Board (EDPB) adopted:
- a statement on data subject rights in connection to the state of emergency in Member States;
- a letter in response to a letter from Civil Liberties Union for Europe, Access Now and the Hungarian Civil Liberties Union (HCLU) regarding the Hungarian Government’s Decree 179/2020 of 4 May.
These documents mainly focus on the restrictions to the rights of individuals that Member States may adopt in the context of the COVID-19 pandemic, as permitted under Article 23 GDPR. They provide initial guidance, and set out the EDPB's position, on the approach Member States should take when planning to implement such restrictions.
The EDPB also announced that it will issue guidelines on the implementation of Article 23 GDPR in the coming months.
The application of individuals’ rights should be the general rule and restrictions the exception
In these documents, the EDPB reiterates that the GDPR remains applicable and must be upheld in all emergency measures, including those relating to the COVID-19 pandemic. Indeed, data protection law is not an obstacle to the implementation of data processing operations that contribute to the fight against COVID-19.
It also recalls that the application of individuals' rights should be the general rule and restrictions the exception, and states the conditions under which restrictions should apply. Therefore, these restrictions should:
- be provided for ‘by law’ and be sufficiently clear to allow citizens to understand the conditions under which controllers are empowered to resort to them;
- only be applied in limited circumstances;
- not be general, extensive or intrusive to the extent that they void a fundamental right of its basic content;
- be foreseeable for persons subject to them (e.g. they should be limited in time, not apply retroactively or be subject to undefined conditions);
- respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the Union or of a Member State, such as in particular public health.
The emergency state may justify restrictions to the rights of individuals
The EDPB is of the opinion that the mere existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects.
However, a state of emergency adopted in a pandemic context may legitimise restrictions of data subject rights, provided that these restrictions comply with the other conditions set out above and that the guarantees provided for under Article 23(2) GDPR fully apply (i.e. the legal provisions must contain details such as the identification of the controllers, the purposes of the processing operations, the safeguards to be implemented, the retention period etc.).
If the restrictions adopted by the Member States do not meet the conditions set out above, especially if they are not limited in time, they would “de facto” not respect the essence of the fundamental rights and freedoms of data subjects.