Are national Parliaments subject to the GDPR? Yes, says the CJEU, they are: Case C-272/19 VQ v Land Hessen (EU:C:2020:535). The reference to a “public authority” within the definition of “controller” in Article 4(7) GDPR was capable of including the Petitions Committee of the State Parliament, and the CJEU noted that there was no exception in Article 23 for legislative bodies.
The issue arose because the data subject, VQ, had made a subject access request to the Petitions Committee of the Parliament of the Land Hessen (i.e. the German State of Hesse) in relation to personal data processed by the Committee when dealing with his petition. The Parliament refused the request on the basis that it fell outside the scope of the GDPR. The German Administrative Court disagreed, considering that the concept of “public authority” in Article 4(7) had to be defined broadly, but it referred the question.
Slightly oddly, the German Administrative Court also referred the question of whether it was able to refer the question, doubting that it was sufficiently independent to amount to a “court or tribunal” within the meaning of Article 267 TFEU. The CJEU had little truck with this, dismissing concerns about how national Ministries organised the administration of the courts and the presence of some politicians in the appointments process, and having no difficulty with the idea that the domestic court was indeed independent in substance (or at least independent enough to keep jurisdiction over references from it).
Much of the argument on the scope of the GDPR appears to have turned on whether the functions of a domestic legislature were “an activity which falls outside the scope of Union law” in Article 2(2)(a) GDPR. In an outcome which will surprise no-one who has ever looked at any CJEU case law on the scope of EU law, the CJEU did not agree with the Land Hessen’s arguments. It held that “it is not appropriate to interpret the expression ‘activity which falls outside the scope of [Union] law’ as having a meaning which would require it to be determined in each individual case whether the specific activity at issue directly affected freedom of movement between Member States”: at [66], reiterating a point made previously in Case C-101/01 Lindqvist (EU:C:2003:596). Article 2(2)(a) must be interpreted restrictively. The fact that the Petitions Committee was a public authority, and a political one at that, did not mean that its activities were analogous to the other provisions of Article 2(2), which is a particularly narrow approach to the ejusdem generis principle. The CJEU held at [70] that “It is necessary that that activity is one of the activities that are explicitly mentioned by that provision or that it can be classified in the same category as those activities.”
The CJEU declined to enter into any sort of construction of “public authority” in Article 4(7), emphasising instead that there was no exception for legislative bodies in Article 23 GDPR (contrasting recital (20) on judicial bodies). In the UK, there is no suggestion in the Data Protection Act 2018 that the GDPR does not apply to Parliament, although paragraph 13 of Schedule 2 gives a broad exemption from data subject rights where compliance would infringe Parliamentary privilege.
Christopher Knight