After the GDPR came into force on 25 May 2018, a number of businesses subject to the new EU privacy rules claimed that they could not comply with EU investigations, including those run by DG COMP (the arm of the European Commission responsible for competition law investigations and enforcement), as they claimed their GDPR obligations prevented them from disclosing personal data or required them to notify the data subjects affected of any such disclosure.
Needless to say, in response to a request for clarity from EU authorities responsible for investigations and enforcement in various fields, including DG COMP, the European Data Protection Supervisor confirmed that the GDPR is not an obstacle to disclosing personal data to investigating EU institutions nor is there a legal obligation to inform data subjects of any such disclosure in relation to a particular inquiry.
In the same vein and to maintain the pre-GDPR status quo to some extent, the EU confirmed on Monday in a formal decision that DG COMP’s investigatory powers will not be undermined by new privacy rules which apply to EU bodies in line with the GDPR requiring them to notify data subjects of any processing of their personal data. It confirmed that DG COMP will be able to:
- override the new privacy rights to prevent investigations from being compromised for so long as is necessary to do;
- avoid the obligations requiring it to inform data subjects of the processing of their personal data in certain circumstances; and
- keep historical archives of case-related personal data after it is no longer necessary for processing.
However, DG COMP will not be immune from the GDPR (and associated laws) and its underlying principles. For example, DG COMP will publish information notices of its processing activities online to inform all data subjects of processing of their personal data in the interests of transparency and will assess restrictions on any data rights regularly and on closing its investigations in the interests of fairness.
The EU’s flagship data-protection law — known as the General Data Protection Regulation, or GDPR — has caused upheaval in corporations as they redesign information policies in line with stricter privacy rules. But the GDPR has a lesser-known sibling*, which introduces similar restrictions on the EU’s own institutions. Today, the European Union published a formal decision that grants competition enforcers derogations from the normal duty to “inform all individuals of its activities involving processing of their personal data.”