Opinion of Advocate General Szpunar delivered on 11 May 2023.

• Jurisdiction: European Union
• ECLI: ECLI:EU:C:2023:397
• Date: 11 May 2023
• Celex Number: 62022CC0033
• Court: Court of Justice (European Union)

Provisional text

OPINION OF ADVOCATE GENERAL

SZPUNAR

delivered on 11 May 2023 (1)

Case C‑33/22

Österreichische Datenschutzbehörde

other parties:

WK,

Präsident des Nationalrates

(Request for a preliminary ruling from the Verwaltungsgerichtshof (Supreme Administrative Court, Austria))

(Reference for a preliminary ruling – Data protection – Article 16(2) TFEU – Activities falling within the scope of EU law – General Data Protection Regulation – Activities concerning national security – Committee of inquiry of the Parliament of a Member State – Scrutiny of the activity of a police authority – Competence of the data protection supervisory authority – Article 55(1) – Article 77(1) – Direct effect)

Introduction

1. Do the activities of a committee of inquiry of the Parliament of a Member State fall within the scope of Regulation (EU) 2016/679, (2) particularly when the inquiry concerns matters relating to national security? If so, can the provisions of the GDPR relating to the right to lodge a complaint with a national supervisory authority be applied directly, despite a constitutional principle that precludes external interference in the Parliament’s activities? These are, in essence, the questions raised in the present case by the Verwaltungsgerichtshof (Supreme Administrative Court, Austria).

2. In accordance with the case-law of the Court of Justice, I propose to answer in the affirmative. In my view, such a solution would be consistent not only with the intentions of the EU legislature, which established the GDPR as a true lex generalis on the protection of personal data, but also with the underlying reasons for the provisions of Article 16 TFEU, the scope of which extends to the supervisory activities of the Member States, such as those at issue in the main proceedings.

3. In the present case, an officer in the criminal police, WK (‘the person concerned’), was heard by a committee of inquiry of the Austrian Parliament on the subject of searches carried out, inter alia, at the premises of the Bundesamt für Verfassungsschutz und Terrorismusbekämpfung (Federal Office for the Protection of the Constitution and for Counterterrorism, Austria; ‘the BVT’). The minutes of the hearing were then published on the Austrian Parliament’s website together with the full name of the person concerned, on the grounds that the press had already revealed his identity.

4. Taking the view that his right to confidentiality of personal data had been breached, the person concerned lodged a complaint with the Österreichische Datenschutzbehörde (National Data Protection Authority, Austria; ‘the Datenschutzbehörde’) under Article 77(1) of the GDPR. However, the substance of the complaint was not examined: the Datenschutzbehörde declared that it did not have the necessary competence, finding that its supervisory power in the present case was incompatible with the constitutional independence of Parliament bodies, given the principle of the separation of powers enshrined in Austrian law.

5. The person concerned therefore commenced proceedings, the outcome of which depends on the answers to the questions referred to the Court of Justice for a preliminary ruling. Those questions relate, in essence, to the material scope and the direct effect of the relevant provisions of the GDPR, the content of which is set out below.

Legal framework

European Union law

6. Recitals 16, 20 and 117 of the GDPR state:

‘(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

…

(20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. …

…

(117) The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.’

7. Article 2 of the GDPR, entitled ‘Material scope’, provides:

‘1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;

(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

(c) by a natural person in the course of a purely personal or household activity;

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

…’

8. Article 23(1) of the GDPR, entitled ‘Restrictions’, provides:

‘Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;

…

(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

…’

9. Article 51(1) of the GDPR, entitled ‘Supervisory authority’, reads as follows:

‘Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (“supervisory authority”).’

10. Article 55 of the GDPR, entitled ‘Competence’, reads as follows:

‘1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

…

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.’

11. Article 77(1) of the GDPR, headed ‘Right to lodge a complaint with a supervisory authority’, states:

‘Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, … if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.’

Austrian law

12. Article 53 of the Bundes-Verfassungsgesetz (Federal Constitutional Law) of 2 January 1930 (BGBl. 1/1930), in the version of 30 December 2021 (BGBl. I 235/2021), provides:

‘(1) The National Council can by resolution set up committees of inquiry. In addition, a committee of inquiry must be set up on demand of one quarter of its members.

(2) The subject matter of the investigation is a certain completed process regarding matters in which the Federation is responsible for implementing the laws. This includes all activities of executive bodies or officers of the Federation through which the Federation exercises rights associated with holding an economic interest and supervisory rights irrespective of the proportion of its interest. An examination of jurisdiction is excluded.

(3) All executive bodies or officers of the Federation, the provinces, the municipalities and the municipal associations and of the other self-administering bodies shall submit to a committee of inquiry, on demand, their files and documents to the extent to which these relate to the subject matter of the investigation and shall comply with the request of a committee of inquiry to take evidence in connection with the subject matter of the investigation. …

…’

13. As provided in Paragraph 18(1) of the Datenschutzgesetz (Law on the protection of personal data) of 17 August 1999 (BGBl. I 165/1999), in the version of 26 July 2021 (BGBl. I 148/2021; ‘DSG’), entitled ‘Establishment’:

‘The Datenschutzbehörde is established as a national supervisory authority pursuant to Article 51 of the GDPR.’

14. Paragraph 24 of the DSG, entitled ‘Complaints with the Datenschutzbehörde’, reads as follows:

‘(1) Every data subject has the right to lodge a complaint with the Datenschutzbehörde if the data subject is of the opinion that the processing of the personal data concerning the data subject infringes the GDPR …’

15. Paragraph 35 of the DSG, entitled ‘Specific powers of the Datenschutzbehörde’, provides, in subparagraph 1:

‘The Datenschutzbehörde shall safeguard data protection in accordance with the detailed provisions of the GDPR and this federal law.’

The facts giving rise to...