The National Data Protection Commission (CNPD) has decided to stop applying in whole or in part nine of the 67 articles that make up the National Law implementing the General Data Protection Regulation. In a determination approved on September 3, the data supervisor has on its own initiative decided to 'de-apply' part of the articles concerned on the grounds that they violate the spirit of the text of the RGPD approved by the European Parliament, or generate potentially erroneous interpretations of the dates and contraventions envisaged for entities that do not respect privacy rules. The RGPD became effective in Portugal on August 8 through Law 58/2019. This means that part or all of the nine articles of the National Law targeted by the CNPD did not even have a month of application. Articles and items that are no longer applicable include those providing for fines of up to EUR 20 million for the most serious breaches of privacy.
According to the CNPD, articles regulating offenses for those who do not respect the National Law violate the RGPD by setting minimum and maximum values, which should be determined by the supervisory authorities (such as the CNPD) and not by national law. The personal data supervisory authority also recalls that the European Regulation prevents Member States from distinguishing between offenses according to the size of the entities, and blocks the creation of categories of infringements that will mitigate offenses. Although not applying the National Law, the CNPD should take into account the procedures and values (also 20 million euros or a percentage of the revenue in the most serious cases), which are foreseen for the breaches by the RGPD approved by the European instances.
Recently, 20 public entities have invoked the exemption from the payment of fines for breach of the practices provided for by National Law 58/2019 and / or the RGPD. The use of exemption from fines (National Law 58/2019 provides for this possibility for public entities for three years) can only be invoked during the hearing with the CNPD, the privacy supervisor herself argued. Since the CNPD's deliberation provides for the direct application of the RGPD, it seems that it will be in the light of the European regulation that these 20 cases will be examined.
In its determination of 3 September, the CNPD justifies the unapplication of part of National Law 58/2019 by the fact that the articles contradict the texts of the EU-wide approved RGPD, as well as the judgments of the EU Court of Justice (ECJ). , the Charter of Fundamental Rights of the European Union, or the Portuguese Constitution itself.
The CNPD does not mention any National Law, but invokes a ruling of the CJUE to justify the RGPD's unapplication by its sole decision: 'Whereas it follows from the principle of primacy that, in addition to national courts, administrative entities are also required to to disregard national rules contrary to European Union law, as the ECJ expressly ruled in Fratelli Costanzo, which bound all public administration bodies to the duty to fully apply Union constitute an obstacle to the full effectiveness of the rules of that law '.
On the Internet it is possible to find a judgment of the CJEU dating back to 1989 and known as 'Fratelli Costanzo'.
This is not the first time that the CNPD has invoked a ruling by the ECJ to disregard national legislation. In January, it was learned that the data processing supervisor no longer monitors the metadata repositories that are maintained by telecommunications operators for criminal purposes.
As regards the refusal to apply the articles in question, the CNPD submits that 'certain provisions of that law are manifestly incompatible with (European) Union law, focusing for the moment on those provisions which, by their relevance and frequency of of application raise the urgency of formal adoption of such an understanding. '
It is on the basis of the 'rule of law of the European Union' that the CNPD also informs that it will no longer apply points and points of the nine articles 'in future cases that it will consider' during the inspections, notifications or authorizations requested. .
The CNPD explains that the application of the nine articles has as its consequence the 'direct application of the rules' of the European Regulation which could be 'manifestly restricted, contradicted or compromised in their useful effect'.
Prior to this deliberation the CNPD had already made a devastating analysis of the draft law that the Government submitted to the Assembly of the Republic with the aim of implementing the European Regulation for national legislation one year late (the European Regulation should have been implemented by Law National until May 25, 2018, but only became effective August 8 in early August 2019).
The decapplication decided by the CNPD covers the following articles, points and points of National Law 58/2019:
Article 2 (1) and (2);
Article 20 (1);
Article 28 (3) (a);
Article 37 (1) (a), (h) and (k) and paragraph 2;
Article 38 (1) (b) and (2);
Article 39 (1) and (3);
Article 61 (2);
and Article 62 (2)
In the case of Article 2 (1) and (2), the CNPD submits that the National Law contravenes provisions of the European RGPD regarding the processing of data by entities which are present in more than one Member State.
In Article 20 (1), Law 58/2019 provides for the possibility of limiting the access of data subjects (the data subjects) where the National Law allows information to be kept secret.
In addition to repeating what the European Regulation refers to, the CNPD considers that the National Law does not specify the purposes or take into account citizens' rights to be able to apply this limitation. '(…) Any legal limitation on the exercise of rights, in particular the exercise of a fundamental right such as the right of access, recognized in its own right in Article 8 (2) of the Charter of Fundamental Rights and Article 35 (1) of the CRP (the Constitution of the Portuguese Republic) can never result from the content of a rule such as that of Article 20 (1) of the national law ”, states the CNPD.
Article 23 is intended to regulate cases in which public entities process data other than originally foreseen – but the CNPD considers that National Law does not respect the purpose principle nor does it meet the legal requirements for data sharing between various entities that are consecrated by the European RGPD.
In Article 28, the explanation applies to paragraph 3 (a). In this case, the explanation is due to the fact that National Law allows an entity to process data without the consent of a worker, if it benefits the user. The CNPD recalls the excerpt from the European RGPD, which even where there are benefits, considers that consent is 'legally relevant' only when the data subject is free to decide.
The CNPD also proceeds with the unenforcement of the National Law for Offenses. Which covers Article 37 (1) (a), (h) and (k); Article 38 (2), and paragraph 1 (b) and Article 39 (2) (b). In addition to considering that the State cannot mitigate misdemeanors by distinguishing between intent and negligence, the CNPD points out, among the various arguments, that the minimum and maximum sanctions (EUR 20 million or a percentage of revenue for the worst cases of all) ) should be determined by supervisory authorities such as the CNPD and not by national law. CNPD has therefore ceased to apply part of these articles – which does not mean that it does not impose fines by directly interpreting the points in the European Regulation.
Article 61 (2) has also been unapplied by the CNPD. In processing the data necessary for the performance of contracts, the CNPD recalls that termination of the contract cannot simply be based on the holder's consent terminating, as this may represent a loss of citizens' freedom of decision vis-à-vis the entities handling the contracts. Dice.
Finally, the CNPD justifies the misapplication of Article 62 (2) by obliging the different entities, for notification and authorization purposes, to take into account the entry into force of the European Regulation, which was applicable May 25, 2018, but entered into force on May 4, 2016. This would lead to entities subject to the National Law having to request from CNPD authorizations and notifications for the different retroactive data processing, which are relative when national legislation had not yet implemented the European RGPD into national legislation.