EDPB: Pandemic is No Reason to Suspend GDPR

June 9, 2020Alerts

The European Data Protection Board has issued a statement on the adoption by the Hungarian government of derogations from certain data protection and access to information provisions of the European Union's General Data Protection Regulation.

Key takeaways:

  • Article 23 of the GDPR allows under specific conditions, a national legislature to restrict by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 of GDPR.
  • Even in these exceptional times, all emergency measures must uphold the protection of personal data, including restrictions adopted at national level, as per Article 23 of the GDPR, thus contributing to the respect for overarching values of democracy, rule of law and fundamental rights on which the Union is founded.
  • Any limitation on the exercise of the rights and freedoms recognized must be "provided for by law sufficiently clear in its terms to give citizens an adequate indication as to the circumstances in and conditions on which controllers are empowered to resort to any such restrictions."
  • Legislative measures which seek to restrict the scope of data subject rights must be foreseeable to persons subject to them, including with regard to their duration in time.
  • The mere existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide any kind of restriction on the rights of data subjects; rather, any restriction must clearly contribute to the safeguarding of an important objective of general public interest of the Union or of a member state.
  • All restrictions on the rights of data subjects must apply only insofar as it is strictly necessary and proportionate to safeguard such a public health objective.
  • If restrictions contribute to safeguarding public health in a state of emergency, they must still be strictly limited in scope.
  • The guarantees provided for under Article 23(2) of the GDPR must fully apply.
  • Restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights and the obligations incumbent to data controllers and processors, without any clear limitation in time, would equate to a de facto blanket suspension of those rights and would not be compatible with the essence of the fundamental rights and freedoms.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. She can be reached at [email protected] or 215.444.7313.