Friday, July 10, 2026Fri, Jul 10
HomePoliticsYour Financial Privacy Rights in Portugal Face a Legal Loophole
Politics · National News

Your Financial Privacy Rights in Portugal Face a Legal Loophole

Portugal's Audit Court has no data protection framework. If you're audited, your financial privacy rights are undefined. Learn why the CNPD says this matters.

Your Financial Privacy Rights in Portugal Face a Legal Loophole
Police officers monitoring surveillance camera feeds in a modern control room

Portugal's constitutional auditor has no formal legal framework governing how it handles personal information—and the data protection authority just told parliament this is a serious problem.

On July 9, the Comissão Nacional de Proteção de Dados (CNPD), which serves as Portugal's independent data regulator, publicly warned that the government's planned overhaul of the Tribunal de Contas (Court of Audit) fails to address a critical gap: nobody currently has a clear mandate to ensure that personal files processed through this oversight institution meet modern privacy standards. For anyone whose financial dealings fall under audit—contractors, public servants, grant recipients—this creates genuine uncertainty about what happens to their data.

Why This Matters

No supervisor exists: The CNPD itself cannot legally oversee how the Audit Court handles personal information, leaving a regulatory void with no backup authority designated to fill it.

Fundamental rights unprotected: Citizens cannot reliably exercise core data privacy rights—like accessing their file, correcting errors, or requesting deletion—when that information sits in an Audit Court case, because the legal mechanism for doing so does not exist.

Outdated law blocks solutions: The 2009 statute governing judicial data (Law 34/2009) predates the EU's comprehensive data protection rules by nearly a decade and lacks the safeguards now required across the bloc.

The Problem: A Regulatory Blind Spot

Paula Meira Lourenço, president of the CNPD, delivered her critique during a parliamentary committee hearing on the Proposta de Lei 72/XVII/1.ª, a legislative proposal to replace the 1997 law that currently structures how the Court of Audit operates. The government introduced this bill on April 28, fast-tracking it through an urgency procedure by early May, with the stated intention of streamlining public financial oversight and removing procedural delays that slow infrastructure projects.

Lourenço was direct: "The bill does not cover, at this moment, and has this gap regarding the legal regime applicable to processing data in Tribunal de Contas proceedings." The consequence, she explained, goes beyond administrative inconvenience. Data subject rights—the ability to know what information is stored about you, to correct inaccuracies, to object to processing, to request deletion—are fundamental. Yet when those data are held by the Court of Audit, the legal conditions under which citizens can actually exercise these rights remain undefined.

The EU's General Data Protection Regulation (RGPD in Portuguese) explicitly carves out judicial functions from national data protection authorities' supervisory powers. This exception recognizes a genuine constitutional principle: courts must remain independent, and external oversight of judicial decision-making poses risks to that independence. But the carve-out assumes that an alternative safeguard exists—either a dedicated supervisor within the judiciary itself, or clear legislative rules defining which data rights apply, which are restricted, and why.

Portugal's Audit Court presently has neither.

"Without a legislative solution, we are all unprotected," Lourenço warned. The phrase captures an unusual inversion of authority: the national regulator responsible for data protection cannot itself provide protection in this domain.

What This Means for Residents

Consider a practical scenario. A company receives a public grant and the Audit Court initiates a financial compliance review, generating a substantial personal data file in the process. That file contains names, financial records, communication logs, and possibly health or family information relevant to the investigation. Under normal circumstances, that company (or individual) could file a request with the CNPD seeking access, correction, or deletion.

But the CNPD lacks jurisdiction here. The company must instead appeal to the Court itself—an institution with no established procedures, no dedicated data officer, and no legislated privacy obligations. The result is legal ambiguity: Does the right of access apply? Can the subject demand deletion? What timelines govern a response? Who adjudicates disputes? Nobody knows, because nobody has yet written it down.

Lourenço acknowledged that some restrictions on data rights are permissible in the judicial context. Judicial independence sometimes requires that certain information remain confidential, and the integrity of ongoing investigations may necessitate limited subject access. But these restrictions must be explicitly stated in law, proportionate to their purpose, and subject to external review. "These rights can be restricted when necessary to preserve judicial independence," she said, "but this is not dealt with" in the current proposal.

Why Law 34/2009 Is Insufficient

The legislative foundation for data handling across Portugal's entire judicial system is Law 34/2009, enacted on July 14 of that year. It assigns magistrates and court staff responsibility for data security, specifies certain retention rules, and outlines basic access protocols. For its era, it provided a workable framework.

Today, it is a relic. The law predates the RGPD by nearly nine years. When the RGPD came into force across the EU on May 25, 2018, it introduced a fundamentally more demanding model: demonstrable accountability, privacy-by-design requirements, data processing agreements, mandatory breach reporting, and extensive transparency obligations. Portugal responded by adopting Law 58/2019 (implementing the RGPD generally) and Law 59/2019 (governing criminal justice data). Yet these newer laws did not repeal or substantially revise Law 34/2009. That statute still technically governs judicial data, but it coexists awkwardly with newer, more stringent requirements.

The result is a patchwork. Lourenço characterized Law 34/2009 as "completely outdated" and unfit to deliver the granular protections the RGPD now demands. She suggested two legislative pathways forward: either incorporate a targeted data protection chapter into the Tribunal de Contas reform itself, or undertake a comprehensive modernization of Law 34/2009 to align the entire judicial data framework with current EU standards.

"There are two paths," she said, adding that parliament must choose. "It falls to the Assembly of the Republic to decide whether to integrate this discipline into the proposal under discussion, or to opt for a general revision of the regime."

A Constitutional Requirement: Data Rules Must Be Laws

Lourenço also drew a constitutional line that constrains how lawmakers can solve the problem. Because personal data protection involves fundamental rights—explicitly recognized in both the Charter of Fundamental Rights of the European Union and Portugal's Constitution—the rules governing data processing cannot be relegated to lower-order instruments like internal court protocols or administrative regulations.

"Referring matters of fundamental rights to sub-legal instruments, such as protocols, internal regulations, and the like, would be clearly unconstitutional," she stated. In other words, the Court of Audit cannot simply issue a data-handling manual and call the matter settled. Whatever regime emerges must take the form of a statute passed by the Assembleia da República.

This constraint may explain some of the legislative hesitation. Codifying data rights in judicial contexts is complex—it requires balancing transparency against investigative confidentiality, subject rights against judicial independence, and uniform rules against case-specific circumstances. Attempting that balance through detailed law is more challenging than through administrative discretion.

The Missing Impact Assessment

Another criticism Lourenço raised concerns process, not substance. She noted that the legislative process has proceeded without a Data Protection Impact Assessment (DPIA), a structured analysis that identifies what personal data will flow through a new system, where risks exist, and what safeguards should be built in. Such assessments are standard practice—and often legally required—when public-sector reforms involve large-scale data handling.

"It was very important for us to have that impact assessment," Lourenço said, describing it as "absolutely fundamental" for a "finer, more considered, and demanding analysis, as is required in the protection of fundamental rights." Without a DPIA, the CNPD can offer only general observations, rather than detailed, empirically grounded guidance that lawmakers could use to calibrate the bill's privacy provisions. The absence signals, perhaps inadvertently, that data protection was an afterthought rather than a design principle in the reform's conception.

Broader Institutional Resistance

The Audit Court reform has faced criticism beyond data protection circles. The Comissão Permanente do Tribunal de Contas (the Court's own permanent commission) issued an opinion on May 12 warning that the proposal interferes "inadmissibly" with the Court's constitutional role and its model of independent external financial oversight. The Conselho das Finanças Públicas (Public Finance Council) noted on June 16 that structural changes to the Audit Court should have been framed by a parallel update to Portugal's Budget Framework Law.

The data protection gap thus sits within a larger institutional dispute over the balance of power between executive efficiency and constitutional safeguards. But unlike the procedural objections, which are ultimately negotiable, the data protection void is non-negotiable: it either gets fixed legislatively now, or it persists indefinitely.

How Europe's Other Courts Navigate the Problem

Portugal is not alone in grappling with judicial data protection. Across the EU, member states must reconcile the RGPD's transparency and accountability demands with the constitutional imperative of judicial independence. The RGPD permits restrictions on subject rights "for the defense of judicial independence and judicial proceedings," but it does not specify the mechanism by which those restrictions are applied or reviewed.

Some EU jurisdictions have designated Data Protection Officers within their judiciaries, creating an internal supervisory function. Others rely on what amounts to judicial self-regulation, with presiding magistrates acting as de facto data controllers. Still others have established specialized commissioners or ombudspersons with jurisdiction over judicial data handling. None, however, fall back on their national data protection authorities to directly police the courts—a gap that mirrors Portugal's regulatory vacuum.

What distinguishes Portugal's situation is the pending legislative opportunity. The Tribunal de Contas reform offers a rare window to codify what other countries have left to administrative custom or judicial convention. Whether lawmakers will use it remains to be seen.

The Road Ahead

The Proposta de Lei 72/XVII/1.ª remains under review in the specialized parliamentary committee. If the CNPD's recommendations take hold, the final text will include either a dedicated data protection chapter for the Audit Court or trigger parallel legislation updating Law 34/2009 across the judicial system. If they do not, the legal void persists—and with it, the practical exposure that citizens' data rights in one of the state's most consequential oversight arenas remain undefined.

Lourenço was unsparing in her assessment of the status quo: "There is a duty to act" in the face of the "legislative vacuum" and the "inability of Law 34/2009 to respond." For now, that duty rests with parliament. The clock is ticking, and the committee's deliberations will determine whether this gap becomes a permanent feature of how Portugal protects personal information in its financial oversight system.

Author

Sofia Duarte

Political Correspondent

Covers Portuguese politics and policy with a keen eye for how legislation shapes everyday life. Drawn to stories about migration, identity, and the evolving relationship between citizens and institutions.