European Union: EDPB adopts updated guidelines on restrictions in Art. 23 GDPR following consultation

The European Data Protection Board (EDPB) has published Version 2.0 of its guidelines on assessing the meaning and scope of 'restrictions' in Art. 23 GDPR following a public consultation on the previous version. Restrictions are defined by the guidelines as any limitation of scope of the rights and obligations in Arts. 12, 22, 34, and (where relevant) 5 of the GDPR. The guidelines contain detailed discussion of the legitimate scope and grounds of restrictions (Art. 23(1)) and the information which must be specified in a restricting law (Art. 23(2)). Further, they reemphasize the exceptional nature of all restrictions under Art. 23, requiring them to respect the essence of the fundamental right to data protection and the principle of proportionality. Compared to Version 1.0, the updated version contains some further elaboration on how 'Other important objectives of general public interest' may justify restrictions, a note that a necessity and proportionality test should be carried out before adoption of restrictions, as well as a change in the style of presentation of the provisions relevant to data controllers and processors once restrictions have been imposed.