Article 23 of the General Data Protection Regulation (GDPR) allows EU Member States to restrict the scope of data subjects' GDPR rights and organisations' GDPR obligations.
The Irish data protection authority, the Data Protection Commission (DPC), released guidelines (Guidelines) on GDPR Article 23 on 19 June 2018. The Irish Data Protection Act 2018 (the Act) was recently passed by the Irish parliament. The Act fills in the details of the derogations left to EU Member States under GDPR.
The Guidelines' purpose is to provide advice for the Irish government when drafting regulations that restrict data subjects' rights and organisations' obligations.
GDPR Article 23
Any proposed restriction requires a detailed analysis of the following conditions to justify why it is required and how it will apply. Restrictions must:
(i) Be set out in Union or Member State law via a legislative measure
GDPR Recital 41 provides guidance about what constitutes a legislative measure. The GDPR does not necessarily require a legislative act to be adopted by parliament. However, the measure should be precise and easy for a non-professional to apply. GDPR Recital 8 states that the reason for the restriction, as well as how and when it may apply, should be clear to anyone whom it may affect.
(ii) Respect the essence of the fundamental rights and freedoms
The essence of a fundamental right means that any limitation must not go so far as to strip the right of its core elements. An individual must not be prevented from exercising their fundamental rights and freedoms. Legislation not providing any possibility for an individual to pursue legal remedies to uphold their data protection rights may not be permissible. Any legislation must respect the essence of fundamental rights to effective protection.
(iii) Be necessary and proportionate in a democratic society
Necessity must be considered in the light of the specific circumstances surrounding the provisions of a measure and its intended purpose.
Proportionality requires that the restriction be appropriate for attaining the legitimate objectives pursued by the legislation. The restriction should not exceed the limits of what is appropriate and necessary to achieve those objectives.
(iv) Safeguard one of the interests set out in GDPR Article 23(1)
The GDPR provides a general list of interests for...