European Commissioner for Democracy, Justice, and the Rule of Law Michael McGrath has stated that the General Data Protection Regulation (GDPR) does not provide a general right or obligation to refuse disclosure of personal data, pushing back against national executive authorities that cite the regulation to block parliamentary access to donor lists of public funds. The answer, given on 16 June 2026, clarifies that GDPR cannot automatically override national constitutional principles of parliamentary oversight and democratic accountability, particularly when the requested information concerns legal persons rather than natural persons.
The response comes after a question from Renew MEP Sandro Gozi, submitted on 2 February 2026, following a political scandal in Cyprus where the House of Representatives sought donor information from a national public fund for social assistance. The Cypriot executive refused, citing potential GDPR breaches. McGrath's answer emphasises that member states bear primary responsibility for enforcing GDPR, with national supervisory authorities and courts handling supervision, while the Commission acts as guardian of the Treaties. The Commissioner did not commit to seeking an opinion from the European Data Protection Board, leaving the matter to national-level resolution.
The answer signals that the Commission views GDPR as a framework that must be balanced with democratic oversight, not as a blanket shield against transparency. It reinforces that legal persons fall outside GDPR's core protections for natural persons. Institutional follow-up is limited, as the Commission defers to national authorities and courts, but the statement may influence how member states interpret GDPR in similar parliamentary oversight cases. Stakeholders impacted include national parliaments (gaining clearer grounds to demand transparency), national executives (losing a convenient GDPR-based refusal argument), and data protection authorities (whose role in adjudicating such disputes is reaffirmed).