EU: EDPB guidelines on Post-Schrems II Part three: Surveillance measures and fundamental rights
The European Data Protection Board ('EDPB') issued its long-awaited guidelines on conducting transfers of personal data from the EU after the Court of Justice of the European Union's ('CJEU') decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). Part one of this three-part series discussed the roadmap laid out by the EDPB for conducting a transfer impact analysis, while part two discussed the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data [1] and how they can aid exporters in appropriately assessing third countries and identifying appropriate supplementary measures when required. In part three, Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, now discusses the Recommendations 02/2020 on the European Essential Guarantees for surveillance measures [2] ('the Recommendations') and how to assess whether surveillance measures by public authorities in third countries are reconcilable with fundamental rights.
The EDPB has revised the Recommendations that were first issued following the Schrems I judgment. The Recommendations set forth the principles that need to be respected to ensure that interferences with the rights to privacy and the protection of personal data, through surveillance measures, when transferring personal data, do not go beyond what is necessary and proportionate in a democratic society.
The Recommendations are based on the jurisprudence of the Court of Justice of the European Union ('CJEU') related to Articles 7, 8, 47, and 52 of the Charter of Fundamental Rights of the EU and on the jurisprudence of the European Court of Human Rights related to Article 8 of the European Convention on Human Rights ('ECHR') dealing with surveillance issues in states party to the ECHR.
- As regards possible interferences with fundamental rights under EU law, the obligation imposed on providers of electronic communications services to retain traffic data for the purpose of making it available, if necessary, to the competent national authorities, raises issues relating to compatibility with Articles 7 and 8 of the Charter. The same applies to other types of data processing, such as the transmission of data to persons other than users or access to that data with a view to its use which thus entails an interference with those fundamental rights. Moreover, access to the data by a public authority constitutes a further interference, according to settled case law.
- In order to find an interference, it does not matter 'whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference.' Whether or not the retained data has been subsequently used is irrelevant.
- The four European Essential Guarantees intend to further specify how to assess the level of interference with the fundamental rights to privacy and to data protection in the context of surveillance measures by public authorities in a third country, when transferring personal data, and what legal requirements must consequently apply in order to evaluate whether such interferences would be acceptable under the Charter.
The four guarantees
A. Processing should be based on clear, precise, and accessible rules
- A justifiable interference needs to be in accordance with the law.
- This legal basis should lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards.
- Where individuals are not provided with enforceable rights against public authorities, the level of protection granted cannot be considered as essentially equivalent to that arising from the Charter, contrary to the requirement in Article 45(2)(a) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
- The applicable law must indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted.
- The requirement that any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned.
- The legal basis should at least include:
  - a definition of the categories of people that might be subject to surveillance;
  - a limit on the duration of the measure; and
  - the procedure to be followed for examining, using, and storing the data obtained, and the precautions to be taken when communicating the data to other parties.
- The interference must be foreseeable as to its effect for the individual in order to give him/her adequate and effective protection against arbitrary interference and the risk of abuse.
- In the context of secret measures of surveillance, such as the interception of communications, 'foreseeability cannot mean that an individual should be able to foresee when the authorities are likely to intercept his communications so that he can adapt his conduct accordingly'. The domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures.
B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- Subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others. Derogations from and limitations on the protection of personal data must apply only insofar as is strictly necessary.
- The legislation in question must impose minimum safeguards, so that the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse. It must, in particular, indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary. The need for such safeguards is all the greater where personal data is subject to automated processing.
- Laws permitting public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter.
C. An independent oversight mechanism should exist
- Any interference with the right to privacy and data protection should be subject to an effective, independent, and impartial oversight system that must be provided for either by a judge or by another independent body (e.g. an administrative authority or a parliamentary body).
- 'The manner of appointment and the legal status of the members of the supervisory body' need to be taken into account when assessing independence. This includes persons qualified to hold judicial office, appointed either by parliament or by the Prime Minister.
- It is essential that the supervisory body has access to all relevant documents, including closed materials. It is important to consider whether the supervisory body's activities are open to public scrutiny.
D. Effective remedies need to be available to the individual
- The individual must have an effective remedy to satisfy his/her rights when (s)he considers that they are not or have not been respected.
- 'Data subjects must have the possibility of bringing legal action before an independent and impartial court in order to have access to their personal data, or to obtain the rectification or erasure of such data'.
- The CJEU considers that an effective judicial protection against such interferences can be ensured not only by a court, but also by a body which offers guarantees essentially equivalent to those required by Article 47 of the Charter.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia
1. Available at: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
2. Available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf