CJEU - C-33/22 - Österreichische Datenschutzbehörde

CJEU - C-33/22 Österreichische Datenschutzbehörde

Court:	CJEU
Jurisdiction:	European Union
Relevant Law:	Article 2(2)(a) GDPR Article 4(7) GDPR 16(2) TFEU
Decided:	16 January 2024
Parties:
Case Number/Name:	C-33/22 Österreichische Datenschutzbehörde
European Case Law Identifier:	ECLI:EU:C:2024:46
Reference from:
Language:	24 EU Languages
Original Source:	AG Opinion Judgement
Initial Contributor:	sh

The CJEU decided that the GDPR applies to national parliamentary committees and that its activity was unrelated to safeguarding national security meaning that it was not exempt under Article 2(2)(a) GDPR.

English Summary

Facts

A data subject served as a witness during a committeee hearing held by the Austrian national parliament. Against his wishes a publication of the minutes of the hearing, which included his full name, were published on the website of the Austrian Parliament. The data subject complained to the DPA, stating that he was working as an undercover investigator and that a publication exposing his identity would affect his ability to do his job.

The DPA rejected the complaint. It stated that the DPA is a body of the executive. Therefore, it does not have competence to oversee the activities of the committee under national law. This is because it considered the committee (the controller) to be a part of the legislative body. Under the principle of the separation of powers^[1] in Austria, the executive cannot oversee the legislature. The data subject appealed this decision.

The Federal Administrative Court anulled the DPA's decision. It held that the GDPR applies to acts done by the legislature because the GDPR concerns all data processing, irrespective of who carries it out. Therefore, the DPA was competent to review the decision. Moreover, it held that the legislature cannot rely on the exemption outlined in Article 2(2)(a) GDPR. The DPA appealed this decision.

The Supreme Administrative Court referred three questions to the CJEU:

1) Does the GDPR apply to the activities of a Parliamentary committee of a Member State?

2) If question 1 applies, do the activities of this committee fall under national security as defined by Recital 16 GDPR, therefore, making Article 2(2)(a) GDPR applicable?

3) If question 2 is answered in the negative, does the DPA have the competence to handle the complaint?

Holding

The CJEU held that the GDPR applies to bodies established by the legislature, that the activities of the committee did not fall under the definition of national security and that the DPA had competence to handle the complaint.

On the first question:

The CJEU held that

On the second question:

On the third question:

Comment

This case succeeds C-272/19 Land Hessen, which is also about Parliamentary Committee's.

Further Resources

Share blogs or news articles here!

↑ The system of separation of powers divides the tasks of the state into three branches: legislative, executive and judicial. These tasks are assigned to different institutions in such a way that each of them can check the other. As a result, no one institution can become so powerful in a democracy as to destroy this system.

[1] The system of separation of powers divides the tasks of the state into three branches: legislative, executive and judicial. These tasks are assigned to different institutions in such a way that each of them can check the other. As a result, no one institution can become so powerful in a democracy as to destroy this system.

[1]