Privacy & Information Security Law Blog

On October 13, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 10/2020 on restrictions under Article 23 of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”) following public consultation. Article 23 of the GDPR permits EU Member States to impose restrictions on data subject rights as long as the restrictions respect the essence of the fundamental rights and freedoms of individuals, and are necessary and proportionate measures in a democratic society to safeguard, for example, national security, defense or public security. The data subject rights to which the restrictions may apply are those set out in Articles 12-22 (e.g., rights of access, erasure), Article 34 (communication of a data breach to individuals) and Article 5 (the data processing principles) to the extent that its provisions correspond to data subject rights.

According to the Guidelines, the relevant restriction must be set out in a clear and precise legislative measure and its potential application must be foreseeable (i.e., obvious) to those subject to it. In practice, this means that the relevant domestic law should be sufficiently clear to give individuals an adequate indication of the circumstances in and conditions under which controllers are empowered to rely on the restriction (i.e., the objective to be safeguarded).

Further, the restrictions do not always need to be limited to a specific timeframe. For example, Article 23 includes as an objective for a restriction the protection of judicial independence and judicial proceedings, which, according to the Guidelines, is an ongoing objective in a democratic society, and restrictions for the purpose of this objective should not be time-limited. Restrictions adopted in the context of a public health emergency, on the other hand, should be imposed for a specific period of time. The Guidelines emphasize that the relevant legislative measure should clearly state the link between the proposed restrictions and the objective pursued to meet the foreseeability criterion.

With respect to Article 23’s requirement that the restriction be necessary and proportionate in a democratic society, the Guidelines state that a restriction must pass a necessary and proportionate test. The necessity of the restriction must first be assessed, and the objective to be safeguarded by the restriction should be identified in sufficient detail in the legislative measure to allow for this assessment. Once necessity is established, the proportionality of the proposed restriction then must be assessed, but if a restriction is not proven to be necessary, the proportionality part of the test is irrelevant. The proportionality test requires a determination that the restriction is an appropriate means of achieving the legitimate objectives pursued, and does not exceed the limits of what is appropriate and necessary to achieve those objectives.

The Guidelines also indicate that legislative measures containing restrictions must set out the information required under Article 23, where relevant, such as the risk the restriction poses to the rights and freedoms of data subjects (from the perspective of the data subjects). The Guidelines state that this will permit data subjects to understand the potential impact of the restrictions, as well as provide background for the necessity and proportionality test.

Additionally, the Guidelines highlight further actions that organizations should undertake when relying on a restriction, such as documenting and keeping a record of how the restriction has been applied, including the necessity and proportionality test. The Guidelines make clear that controllers who apply the restrictions should be aware of their “exceptional nature.”

Read the Guidelines.