In its judgment of 16 January 2024, the ECJ clarified to which extent a parliamentary inquiry committee that scrutinizes national security activities is subject to the obligation under the General Data Protection Regulation (GDPR) and to which extent compliance with the GDPR must be monitored by the national data protection authority (Case C-33/22).

In the case at issue, the Austrian parliament set up committee of inquiry to investigate potential political influence over a security-related authority, the Austrian Federal Office for the Protection of the Constitution and Counter-Terrorism. The inquiry raised concerns about the processing of personal data, in particular the publication of a video on the parliament's website with the full name of a witness, despite his wish to remain anonymous. This led to a complaint under the GDPR.

The Austrian Supreme Administrative Court has asked the European Court of Justice (ECJ) whether the committee of inquiry, which is a part of the legislature and carries out an inquiry as regards national security activities, is subject to the GDPR.

The ECJ clarified that a parliamentary committee of inquiry must, in principle, comply with the GDPR, even when exercising its powers of scrutiny over the executive. There is an exception, however, for activities directly related to the protection of national security, when GDPR obligations cannot apply. In this particular case, the committee's investigation did not appear to be related to national security, as it focused on political influence over the executive body responsible for security and counter-terrorism. The ECJ emphasized that any limitation of GDPR obligations justified by national security should be based on legislative measures, which the committee could not claim.

The Austrian data protection authority initially rejected the complaint, citing the separation of powers. The ECJ now ruled that, despite the principle of separation of powers, the Data Protection Authority, as the sole supervisory authority in Austria under the GDPR, is competent to monitor the committee's compliance with the GDPR.

The decision underscores the direct effect and primacy of EU law, including the GDPR, over national constitutional law. The case now awaits further review by the referring Austrian Supreme Administrative Court to confirm whether the committee's actions were indeed related to national security and whether any legislative measures justified the disclosure of the witness's name.