On September 3, 2019, the Portuguese Data Protection Authority (“CNPD”) issued resolution 2019/494, declaring several provisions of Law 58/2019, of August 8, unenforceable. Law 58/2019 ensures the execution in Portuguese territory of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”).
The CNPD concluded that it had the power to declare these incompatible provisions unenforceable.
The CNPD highlights that its legal powers are based on the principle of supremacy of European law and the direct applicability of European regulations in national legal systems. Under the case law of the Court of Justice of the European Union (“ECJ”), all public entities, including administrative and judicial ones, must disregard national provisions that are incompatible with European law.
Unenforceable national provisions:
- Territorial Scope
Article 2, no. 1 and 2 determines the objective and subjective scope of national jurisdiction over supervising data protection. The law established that national jurisdiction applies to data processing “carried out within the scope of an enterprise established in the national territory.”
The CNPD considered that this provision jeopardized the application of procedural and jurisdiction distribution rules between the national supervisory entities of the Member States in cases of cross-border processing activities.
If the data processor or subcontractor has more than one establishment in the EU, article 56 of the GDPR establishes the criteria to determine the national authority responsible for directing the procedure and issuing the final decision. This one-stop-shop mechanism ensures a healthy distribution of competences between the supervisory authorities of the Member States of the EU.
The key rule is that the authority of the Member State in which the data processor’s main establishment is located is the main supervisory authority.
However, under Law 58/2019, the CNPD would have jurisdiction over the data processing that a data processor carries out in Portugal, regardless of whether its main establishment is in another Member State of the EU.
The CNPD considered these provisions incompatible with article 56 of the GDPR, as they would cause an overlap of supervisory jurisdictions between national authorities, so it declared these national provisions unenforceable.
- Right to information and access
Article 20, no. 1 states, “The right to information and access to personal data under articles 13 and 15 of the GDPR must not be exercised when the law imposes on the controller or processor a duty of secrecy to the data subject.”
Regarding the indirect collection of personal data, the GDPR already imposes all the restrictions on exercising these rights. Therefore, the CNPD considers the national law redundant, and it will disregard it when supervising the GDPR’s implementation.
Regarding the direct collection of data, articles 13 and 15 of the GDPR do not impose any restrictions on exercising the right to access.
Under article 23 of the GDPR, Member States may only restrict the right to access if “this limitation respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society.”
As the CNPD notes, the national provision does not specify the legitimate reasons for processing data, a requirement established under article 23 of the GDPR. Consequently, the CNPD considered this provision unenforceable.
- Public entities
Article 23 allows public entities to process and transfer data for purposes other than those for which the data was originally collected, provided they issue a resolution identifying how reusing the data is in the public interest.
Article 6, no. 4 of the GDPR allows public entities to reuse data, provided it is a “necessary and proportionate measure in a democratic society to safeguard the objectives referred to in article 23 (1) of the GDPR.”
However, the CNPD considered the national provision too broad to comply with these articles and the principle of purpose limitation under article 5 of the GDPR.
According to the CNPD, under the GDPR, data processors must assess each step involved in reusing data, evaluating the necessity and proportionality of reusing data. The GDPR does not, however, allow abstract provisions that fail to specify how reusing the data is in the public interest.
- Employee’s Consent
Article 28, no. 3 (a) states, “Unless stated otherwise, employees’ consent must not constitute a requirement for a legitimate processing of their personal data: a) if the advantage or economic benefits for the employee results from the data processing (…).”
The CNPD considered this provision an “inappropriate, unnecessary and excessive restriction of the fundamental right to informational self-determination and the employees’ right to control their own data.” This is because it disregards an individual’s free will to make decisions about his or her personal data.
The CNPD considered that the provision greatly undermines the importance of employees’ consent, ignoring circumstances in which they may authorize their employers to process their data, provided it does not breach their rights or jeopardize their interests.
- Penalties and fines
The penalties established in national legislation under article 37, no. 1 (a), (h) and (k), and no. 2 differ from those established in the GDPR.
Subparagraph (a) provides that the intentional failure to comply with the data protection principles set out in article 5 of the GDPR will result in a penalty. However, this penalty is already established in article 83, no. 5 (a), regardless of the data controller or data processor’s intent or negligence.
Subparagraph (h) presents a similar problem, as it establishes a penalty for those who do not comply with the obligation to provide “relevant” information. However, article 83, no. 5 (b) of the GDPR does not define the nature of the information (i.e., relevant or otherwise).
Subparagraph (k) establishes a major penalty for not cooperating with the national supervisory authority for data protection. However, article 83, no. 4 (a) establishes an ordinary penalty.
Therefore, the CNPD considered these three subparagraphs incompatible with the GDPR, i.e., unenforceable.
The fine limits established in article 37, no. 2 and article 38, no. 2 differ from those established in article 83, nos. 4 and 5 of the GDPR. In the national provisions, the fine depends on whether the offender is a large enterprise, a small or medium-sized enterprise, or an individual.
The CNPD highlights that article 83 of the GDPR is a legislative mandate to the national supervising authorities of each Member State, but not to national legislators. The CNPD understands that Member States cannot establish different fine limits or criteria in their national laws.
In fact, the CNPD considered that there was no room for “consideration of the size of an enterprise, so the criteria the national legislator adopted to distinguish small and medium-sized enterprises so it could impose the highest fines on large enterprises is a breach of the GDPR.”
The CNPD applied the same reasoning to the limitation of fines for individuals.
Article 39, no. 1 established three criteria that the CNPD must consider when determining the fine (in addition to those established in article 83 of the GDPR).
The CNPD stated, “The GDPR leaves no room for Member States to define further weighting criteria for the penalties established in article 83, no. 4 and 5.”
The CNPD further stated that, under article 83, no. 2 (k) of the GDPR, other aggravating or mitigating factors of the infringement may be considered. However, it deemed that “the choice of these factors is for specific cases only, decided on by the entity (administrative or judicial) applying the fine, but not by the national legislator of each Member State.” Therefore, the CNPD found the provisions establishing additional criteria unenforceable.
Article 39, no. 3 states, “Except in cases of intentional misconduct, before starting an infringement procedure, the CNPD must first issue a warning to the agent, ordering him or her to stop breaching the data processing provisions within a reasonable timeframe.”
The CNPD considered this legal obligation to issue a warning to a negligent offender to stop the unlawful conduct within a reasonable timeframe was an unauthorized limitation of the discretionary powers granted by the GDPR. Consequently, this provision was incompatible with the GDPR, i.e., unenforceable.
- Insurance Sector
Article 61, no. 2 sought to safeguard data controllers that handle health and life insurance contracts by stipulating that consent would only be revoked once the insurance contract is terminated.
According to the CNPD, article 61, no. 2 confuses two separate legal bases for processing data (one being consent and the other the performance of a contract). The CNPD considered the performance of a contract sufficient to justify processing the data necessary to execute that contract.
Controllers are only obliged to obtain the data subject’s consent when they intend to carry out other processing operations that are not necessary for performing the contract. Therefore, they do not need to obtain the data subject’s consent to process the data necessary to perform the contract.
However, the CNPD did not take a position on whether the GDPR allows insurers to legitimately process sensitive data (e.g., health information) to perform contracts.
Therefore, it is not clear whether (or how) insurers should process essential sensitive data to offer health and life insurance products.
To conclude, the CNPD’s decision to declare these national provisions unenforceable is in line with the principle of supremacy of EU law. Public authorities are obliged to rule on whether national provisions are enforceable and to recognize citizens’ rights that could otherwise be restrained by national law. This obligation applies to all administrative entities (including the CNPD) and judicial entities such as courts.
In several judgments (e.g., Case C-103/88, Fratelli Costanzo), the ECJ has already ruled that national public authorities must disregard national provisions when they impede the direct applicability of European regulations or when Member States fail to transpose European directives into their national legal systems.
Both European and national legal doctrine support the ECJ’s understanding.
The CNPD’s resolution does not create any legal loopholes, as it enables the GDPR to be applied directly without any impediments.
If the CNPD were to change its position and reapply any rules that it had previously declared unenforceable (e.g., should a court disagree with its interpretation of national provisions), data controllers and processors would not be jeopardized for processing data in accordance with an invalid interpretation of the GDPR and other data protection applicable rules.
Authors: Sónia Queiróz Vaz, Teresa Isabel Gonçalves, João Diogo Quartilho