by João Marques, member of the Portuguese Data Protection National Commission
Portuguese DPA won’t apply the country’s GDPR law
In spite of its nature[i], the GDPR leaves some room for manoeuvre to the Member States. This European legal instrument has even been called a hybrid[ii] between a directive and a regulation, precisely because there is a significant number of issues where national legislation can in fact diverge from the general solutions the GDPR brings to the table. Although such leeway is not to be mistaken for a “carte blanche” for the Member States, there is nevertheless a relevant part to be played by national legislators.
From the definition of a minimum legal age for children’s consent to be considered valid for their personal data to be processed (in relation to information society services), which can vary between 13 and 16 years of age, to the waiver on fines being applied to the public sector (Article 83, 7), there is a vast array of subjects left for the Member States to determine. In fact, a whole chapter of the GDPR[iii] is dedicated to these subjects, namely: Processing and freedom of expression and information (Article 85); Processing and freedom of expression and information (Article 86); Processing of the national identification number (Article 87); Processing in the context of employment (Article 88); Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89); Obligations of secrecy (Article 90) and Existing data protection rules of churches and religious associations (Article 91).
Additionally, matters of procedural law, according to the Principle of Conferral (Article 5 of the Treaty on the European Union), are almost entirely left for Member States to regulate, with few exceptions such as the deadlines and the (in)formalities of the reply to a data subject rights request (Article 12) and, most notably, the one-stop shop procedure (instated in Article 60) and all its related and non-related issues that are undertaken by the European Data Protection Board, the new European Union Body provided for by the GDPR (section 3 of Chapter VII).
The task that lay ahead of the Portuguese legislator, concerning the national reform of the Data Protection Law[iv], was therefore demanding but framed in a way that should have helped steer its drafting in a comprehensive and relatively straightforward manner[v].
The legislative procedure in Portugal took some time to be jumpstarted and it wasn’t until the 22nd of March 2018 that a proposal from the government was finally approved and forwarded to the Parliament, as this is a matter of its competence under Article 165(1)(b) of the Portuguese Constitution.
After the Parliament took matters into its own hands, several entities were consulted, one of which was the national Data Protection Agency (Comissão Nacional de Proteção de Dados – CNPD). During that hearing procedure, a number of issues were raised by the national DPA in light of the contradictory nature some of the national provisions seemed to entail given what was prescribed in the GDPR[vi].
The final version of the law was passed in July 2019, while August was the month when the national law that ensures the execution of the GDPR in the Portuguese legal system – Law 58/2019 (hereinafter LEGDPR) – was published and entered into effect.
For the national DPA, though, the main issues raised during the legislative procedure remained untouched and unresolved. The excessive repetition of legal provisions of the GDPR was only one, and probably the least important, of the several problems that the national law ignored and upheld after the lengthy legislative process in the Parliament.
Far more serious and in need of a rapid response were complex topics, such as the territorial and material scope of national law that restricted the application of the GDPR in full. Article 2 of the Portuguese national law provides for its application to processing activities occurring outside Portugal only when these activities occur in the context of the activities pursued by the establishment located in the country. Given that the LEGDPR revoked the Portuguese National Data Protection Law of 1998, where the competence of the CNPD is established, this is now the only legal instrument in Portugal that provides for the competence of CNPD in the context of the GDPR (cf. article 3 of LEGDPR). Therefore, this would mean that the said authority wouldn’t have the competence to act on transnational cases as provided by the GDPR in the One Stop Shop mechanism (cf. Article 60 of the GDPR), rendering this innovation impractical.
Another issue raised by the CNPD related to the way in which the right of access was limited under Article 20 of the national law, considered too broad and unspecified to be in line with the margin for restrictions introduced by Article 23 of the GDPR.
Equally unspecified and undetailed is the way in which the LEGDPR frames the possibility for the public sector to deviate from the purpose limitation principle. Article 6 (4) of the GDPR provides for the possibility of “processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1)”. Nevertheless, such a possibility cannot be conceived and translated into national law in a way that enables a general principle of admissibility of these purpose limitation exceptions or deviations, as is the case in LEGDPR.
CNPD also took note of the way in which the workers’ consent was being excessively dismissed by Article 28(3)(a) of the LEGDPR, in the context of labour relations. It is obvious that an imbalance exists in the labour market between workers and employers[vii]. Nevertheless, that should not be regarded as depriving a worker of, in any case, using his own free will in certain processing activities relating to him and occurring in the context of employment.
The biggest array of articles that were cause for the CNPD’s concern were the ones relating to administrative fines. In Articles 37, 38 and 39 of the LEGDPR, the Portuguese legislator chose to create new limits (minimum and maximum) and new criteria (such as the size of the company) to the ones established in the GDPR. It also provided for different frameworks of gravity for some of the infringements that the GDPR regulated, as it defined the lack of specific information as a less serious offense than article 83 (5) of the GDPR would have provided for.
These and other shortcomings of the national law led to a rather relevant decision by the Portuguese DPA, in the form of a deliberation of its commissioners[viii], stating that, in concrete cases, the independent authority will not apply any of the provisions of the LEGDPR that, in their view, contradict the GDPR.
CNPD did so having regard to EU law, specifically Article 8 of the Charter of Fundamental Rights of the EU and Article 16(2) of the Treaty on the Functioning of the European Union, both on the right to data protection. CNPD also took into consideration Article 8(4) of the Portuguese Constitution that ensures that EU law applies in the national territory.
Lastly and more importantly, CNPD looked to the EU’s Court of Justice jurisprudence to ascertain not only the famous “Precedence of European Law” principle but also and above all the fact that all “Administrative authorities (…) are under the same obligation as a national court to apply the provisions of Article 29 (5) of Council Directive 71/305/EEC and to refrain from applying provisions of national law which conflict with them”[ix].
Having determined that national provisions of the LEGDPR did contradict EU law, the Portuguese DPA was (and is) then forced not to apply such provisions, in light of the said jurisprudence, but also regarding the rulings made by the ECJ in Case 6-64 Flaminio Costa v E.N.E.L. and Case 34-73 Fratelli Variola S.p.A. v Amministrazione Italiana delle Finanze, on the matter of the admissibility of national laws that contradict EU law.
It should be noted that this is not the first time CNPD has decided not to apply national provisions, as it had done the same regarding the national law on data retention[x], in light of the ECJ’s ruling in the judgment of the joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others[xi].
[i] According to article 288 of the Treaty on the Functioning of the European Union, “A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States.”
[ii] As Katie Nolan explains in her article “GDPR: Harmonization or Fragmentation? Applicable Law Problems in EU Data Protection Law”, published in the Berkeley Technological Law Journal blog, available at http://btlj.org/2018/01/gdpr-harmonization-or-fragmentation-applicable-law-problems-in-eu-data-protection-law/.
[iii] Chapter IX, regarding “Provisions relating to specific processing situations”.
[iv] Lei 67/98, de 26 de outubro.
[v] The European Commission extended a helping hand on this matter, issuing a Communication (COM(2018) 43 final) on “Stronger protection, new opportunities – Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018”, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A52018DC0043&qid=1517578296944&from=EN.
[vi] The Portuguese version of the Opinion of CNPD is available at https://www.cnpd.pt/bin/decisoes/Par/40_20_2018.pdf.
[vii] As repeatedly stated by EU’s DPAs, namely in Article 29 Working Party guidance on consent (endorsed by the EDPB), available at https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051.
[viii] Deliberação 2019/424, available in Portuguese at https://www.cnpd.pt/bin/decisoes/Delib/DEL_2019_494.pdf.
[ix] Case 103/88, Fratelli Costanzo SpA v Comune di Milano.
[x] With the arguments set out in Deliberation 641/2017, available in Portuguese at https://www.cnpd.pt/bin/decisoes/Delib/20_641_2017.pdf and Deliberation 1008/2017, also available in Portuguese at https://www.cnpd.pt/bin/decisoes/Delib/20_1008_2017.pdf.
[xi] Which resulted in the invalidation of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.