EU: EDPB publishes legal study on government access to data in third countries
The European Data Protection Board ('EDPB') published, on 8 November 2021, a legal study, prepared by external providers, on Government access to data in third countries. In particular, the study states that it is part of a study analysing the implications for the work of the EU and the EEA data protection supervisory authorities ('SAs') in relation to transfers of personal data to third countries after the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Ltd, Maximilian Schrems (C-311/18). In addition, the study notes that it provides the EDPB and the SAs in the EU and EEA with information on the legislation and practice in China, India, and Russia on their governments' access to personal data processed by economic operators. Furthermore, the study notes that it contains an overview of the relevant information in order for the SAs to assess whether and to what extent legislation and practices in the abovementioned countries imply massive and/or indiscriminate access to personal data processed by economic operators.
In addition, with respect to the People’s Republic of China ('PRC'), the study states that the PRC is not a democratic, liberal state, nor does it have a rule of law and that the PRC cannot be considered as having the ability to provide people with the protection of personal data equivalent to the EU. Furthermore, the study highlights that an analysis of both the Constitution of the PRC and secondary laws indicates that substantial protection of personal data against government access does not exist in the PRC. Hence, the study concludes that government access to personal data is not constrained. Moreover, with respect India, the study notes that, while the right to privacy was recently recognised by the Supreme Court of India, the government still benefits from wide exemptions to the data protection regime for governmental access to personal data. Lastly, with respect to Russia, the study notes that it can be concluded that, while the legislative framework seems comprehensive, the enforcement and application of the legislation shows the weaknesses of data protection in Russia.
You can read the study here.