Data Protection: The warning for the unconstitutionalities of the 2020 State Budget

Manuel Magalhães, Partner, Sérvulo & Associados

On January 14, 2020, the Portuguese Data Protection Supervisory Authority (“Comissão Nacional de Proteção de Dados”, hereinafter “CNPD”) issued an opinion about the Proposed Law No. 5/XI/1 (GOV) which approved the State Budget for 2020, expressing its concern about the possible unconstitutionality of certain provisions on the protection of personal data (Opinion/20204). However, in the middle of the pandemic caused by COVID-19, Law No. 2/2020, of March 31 came into force yesterday, April 1, and the President of the Portuguese Republic did not raise any doubt about its constitutionality before promulgating it.

CNPD paid particular attention to the interconnection between the personal databases that public bodies and other entities hold about citizens. A personal data interconnection consists in the possibility of relating the information contained in one personal database to the information contained in another, either when kept by the same data controller (but used for different purposes) or when kept by different controllers.

The proposed law provided, inter alia, for the interconnection between the Portuguese Social Security, Tax Authority and public registers databases.

CNPD warned that it provided for “the general establishment of databases, not only without specifying the databases which are the object of the interconnection but also without identifying the public entities, services or bodies whose databases are the object of that operation”, in some cases constituting unregulated prerogatives. This could constitute a violation of the principle of legality by not allowing “the degree of normative density required to limit rights, freedom and guarantees, which these interconnections always represent”, in particular the right to the protection of personal data and the fundamental right to respect for private life (as established in Articles 26 and 35 of the Constitution of the Portuguese Republic).

CNPD has therefore recommended that the essential elements for the processing of personal data in question should be legally defined (e.g. identifying the entity responsible for each interconnection and the categories of data involved) under penalty of their unlawfulness under the current legislation, including the General Data Protection Regulation (hereinafter “GDPR”).

For CNPD the “Tax Authority databases cannot constitute a repository of information about citizens (…) as this is not the purpose of their existence”. Access to these databases must be strictly subsidiary and “only to the extent that it is not possible or there is no other information on assets (sufficient for the execution of the debt) of the executioner in those registers”.

So, according to Article 6(3) of the GDPR, where the processing is done for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, a law is required, with specific provisions to determine who the controllers are, the type of personal data subject to processing, the data subjects concerned, the entities who will receive the data, the purposes for which the personal data may be disclosed, storage periods, and other measures to ensure the lawfulness and fairness of processing.

Similarly, in accordance with the guidelines of the (now extinct) Article 29 Data Protection Working Party (replaced by the European Data Protection Board), where a controller wishes to substantiate the necessity of the processing with the fulfilment of a legal obligation imposed by law, the controller must be able to find clearly in it not only the nature but also the object of the processing it is subject to. If the legal provision imposing the processing is not sufficiently clear as to the limits of such processing and leaves the controller with an undue degree of discretion as to how to comply with such legal obligation, the processing can hardly be based on compliance with a legal obligation imposed by law. This does not mean that processing cannot be considered legitimate using another legal basis under the GDPR, such as the legitimate interest of the controller. However, this legal basis can only be used if the legitimate interest takes precedence over the interests, rights and freedoms of the data subjects, subject to the use and results of the so-called ‘supplementary weighting test’, which is the controller’s responsibility. Moreover, where the processing is based on the legitimate interest of the controller, the data subject has a legal right to object to the processing, contrary to what is expected when the legal basis for processing is compliance with a legal obligation imposed by law. Therefore, such legal obligation must be laid down in law as clearly and concretely as possible.

The Portuguese legislator must be able to ensure that any new legal provisions that are drawn up are in accordance with the applicable legal and constitutional limits. If properly applied, such limits are a fundamental plus in guaranteeing that the rights and freedoms of citizens under the Constitution are not infringed.

Inês de Sá | is@servulo.com

Catarina Mira Lança | cml@servulo.com