EU: EDPB recommendations post-Schrems II Part 2: European Essential Guarantees for surveillance measures
The European Data Protection Board ('EDPB') adopted its highly anticipated recommendations following the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'). The documents are available for public consultation and OneTrust DataGuidance has produced several resources to understand and navigate these, including this two-part series breaking down the recommendations.
The EDPB adopted two recommendations:
- Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data ('the Supplementary Measures Recommendations'); and
- Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures ('the EEGs Recommendations').
Part one of our series provides an overview of the Supplementary Measures Recommendations, whilst part two, below, addresses the EEGs Recommendations.
Role of European Essential Guarantees
The Schrems II judgment set a demanding threshold for data transfers from the EU to third countries. One of the key requirements in meeting this threshold is to ensure that the recipient third country provides a level of protection for personal data that is essentially equivalent to that guaranteed in the EU. In order to determine whether such protection can be maintained, data exporters, in collaboration with data importers where appropriate, are expected to assess the relevant legislation and practices of the third country.
The European Essential Guarantees ('EEGs') are referential standards first identified by the Article 29 Working Party, the EDPB's predecessor, following the CJEU's judgment in Maximillian Schrems v. Data Protection Commissioner (C-362/14) ('Schrems I'), as a means of ensuring that national surveillance measures do not inappropriately interfere with individuals' rights to privacy and to the protection of personal data in the context of international data transfers. The EDPB notes in its EEGs Recommendations that the EEGs 'provide elements to examine, whether surveillance measures allowing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference or not.'
The EDPB stresses that although the EEGs may form part of the assessment of third country legislation for data transfers, they are not exhaustive and do not constitute a complete list of what is necessary to demonstrate essential equivalence in a jurisdiction. Furthermore, the EEGs overlap in scope and should be assessed on an overall basis rather than separately.
The EDPB begins the EEGs Recommendations by considering the relevant provisions of the Charter of Fundamental Rights of the EU ('the Charter'), and in particular the principle that public authorities cannot be justified in using personal data for surveillance measures beyond what is strictly necessary. The EDPB then goes on to analyse CJEU case law on the Charter and the right to privacy. In so doing, the EDPB sets out the basis upon which the EEGs are established.
The EDPB specifies, 'Following the analysis of the jurisprudence, the EDPB considers that the applicable legal requirements to make the limitations to the data protection and privacy rights recognised by the Charter justifiable can be summarised in four European Essential Guarantees':
- Guarantee A - Processing should be based on clear, precise and accessible rules
- Guarantee B - Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- Guarantee C - An independent oversight mechanism should exist
- Guarantee D - Effective remedies need to be available to the individual
Guarantee A indicates that the applicable domestic legislation should ensure that processing is based on clear, precise and accessible rules. In particular:
- there should be a precise, clear and accessible legal basis, which includes clear and precise rules on the scope of the measure and on minimum safeguards, namely:
  - the categories of individuals potentially subject to surveillance;
  - limits on the duration of the measure;
  - the procedure for examining, using and storing collected data;
  - precautions for communicating data to third parties; and
  - actionable data subject rights;
- the law must indicate the circumstances in which, and the conditions under which, a measure providing for the processing of such data may be adopted; and
- the rules should be foreseeable for the individual, so as to allow effective protection against the risks of arbitrary interference and abuse.
Guarantee B states that necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated in the applicable legislation.
In relation to the principle of proportionality, the EDPB notes that assessing the proportionality of a limitation on the right to privacy consists of:
- measuring the severity of the interference; and
- verifying the importance of the public interest objective.
Furthermore, the EDPB highlights, 'In Schrems II, the CJEU has stressed that legislation of a third country which does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter. Indeed, according to the case law, a legal basis which permits interference with fundamental rights must, in order to satisfy the requirements of the principle of proportionality, itself define the scope of the limitation on the exercise of the right concerned.'
The EDPB also addresses the principle of necessity and outlines that legislation should not authorise the retention of all personal data, or of all electronic communications content, and should therefore set limits on the powers of public authorities to access and use such personal data. For example, the EDPB notes that 'laws permitting public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life'.
Guarantee C specifies that an effective, independent and impartial oversight system provided by a judge or another independent body, such as an administrative authority or a parliamentary body, should oversee any interference with the right to privacy.
The EDPB outlines some of the challenges in determining what constitutes independence. In addition, the EDPB highlights several factors that can be taken into consideration, including, among other things:
- measures for effective reviews;
- openness to public scrutiny;
- manner of appointment; and
- legal status.
Guarantee D refers to the availability of effective legal remedies allowing individuals to exercise their data subject rights. It specifies that individuals whose personal data has been collected or analysed should be notified, once notification no longer jeopardises the purpose of the intervention by the public authorities.
Regarding the effectiveness of a legal remedy, the EDPB outlines that such effectiveness is inextricably linked to the notification of a surveillance measure to the individual once surveillance has been completed. Nevertheless, where there is no notification, an effective remedy must still be provided.
The criteria for a court or other body to be recognised as providing sufficient redress include whether it:
- is an independent and impartial body;
- has adopted rules of procedure;
- includes members that hold or have held high judicial office or are experienced lawyers;
- requires no evidential burden to be overcome in order to lodge an application with it;
- has access to all relevant information during complaint examinations; and
- has powers to remedy non-compliance.
An effective remedy need not, however, be provided by a court alone: a tribunal or a non-judicial independent body may suffice where it offers guarantees essentially equivalent to those required by Article 47 of the Charter.
The EDPB's EEGs Recommendations include final remarks which highlight that the guarantees should be considered together, that they are subject to interpretation, and that an assessment using the EEGs can only reach one of two conclusions: either the jurisdiction adheres to the EEGs, or it does not.
While the EEGs Recommendations are a referential standard, they include many key factors that are likely to indicate whether transfers to a given third country are of higher or lower risk. In particular, where an assessment suggests that a third country does not meet the threshold of the EEGs, careful consideration will need to be given to the effectiveness of any supplementary measures.
Amelia Williams Privacy Analyst