CJEU delivers a new ruling on the scope of the GDPR


Today, 16 January 2024, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C‑33/22, Österreichische Datenschutzbehörde.

In this case, the Chamber of Representatives of the Austrian Parliament set up a committee of inquiry to investigate whether there was political influence on the Austrian Federal Agency for the Protection of the Constitution and Counter Terrorism. This committee of inquiry heard a witness during a hearing with media coverage. Despite the request of the witness for anonymization, the minutes of the hearing which included the full name of the witness were published on the website of the Austrian parliament. The witness filed a complaint with the Austrian DPA, claiming that the reference to his name violated the GDPR.

The CJEU judgment is in line with the position of the Advocate General, who issued his Opinion in May 2023.

On the question of whether an activity should fall outside the scope of Union law, and therefore outside the scope of the GDPR, merely because it is an activity of a committee of inquiry set up by the parliament of a Member State in the exercise of its right of control over enforcement, the CJEU highlights the following:

  • the GDPR applies to both processing carried out by individuals and by public authorities;
  • the exception in Article 2(2) of the GDPR should be interpreted narrowly and should only exclude from its scope the processing of personal data by public authorities in the course of activities to safeguard national security or similar activities;
  • the exception to the scope of the GDPR relates exclusively to categories of activities, and not to categories of persons (private or public law);
  • as follows, the fact that the processing is carried out by a committee of inquiry set up by the Parliament of a Member State does not, in itself, lead to the conclusion that such processing is carried out in the context of an activity excluded from the scope of the GDPR.

The CJEU also clarified that the processing of personal data carried out by such an investigative committee meant to investigate the activities of a police state security authority on the basis of suspicion of political influence on that authority is not to be regarded as such as activities relating to national security which are excluded from the scope of the GDPR.

The activities aimed at safeguarding national security within the meaning of the GDPR include, in particular, those which aim to protect the fundamental functions of the state and the fundamental interests of society. Thus, the fact that the controller is a public authority whose main activity is to ensure national security is not in itself sufficient to exclude from the scope of the GDPR the processing of personal data by that public authority in the context of other activities carried out by it.

Finally, the CJEU notes that Art. 51 (1) of the GDPR grants each Member State a margin of discretion, which enables it to establish as many supervisory authorities as are necessary, in particular due to its constitutional structure. Thus, in line with the Advocate General’s opinion, the CJEU stated that if a Member State has established only a single supervisory authority pursuant to Article 51 (1) of the GDPR, that authority shall be competent in respect of complaints referred to in Article 77 (1) of the GDPR, irrespective of provisions of national law that exclude from its competence processing of personal data falling within the scope of the GDPR.

The judgment of the CJEU is available here (currently available only in German and French).