In the post-Schrems II world we live in, data transfers to third countries (outside the EEA) require a thorough evaluation of the surveillance laws of the third country that the personal data is being transferred to. To clarify this issue, the European Data Protection Board (EDPB) published recommendations that are separate from their general data transfer guidelines.
Disclaimer: The EDPB recommendations discussed in this blog post on third country transfers and the evaluation of third country surveillance laws are currently under public consultation. However, it is not expected that the final versions will contain major changes compared to the version that is analysed in this blog post.
When assessing the third country’s surveillance laws, the EDPB sets out four guarantees. These guarantees, concerning the level of data protection and protection of the right to privacy in the third country, have to be jointly present. Before starting your assessment of the third country’s surveillance laws, though, keep in mind that these guarantees are closely connected, so you need to examine them together and holistically rather than separately.
The four Essential European Guarantees are:
- The surveillance measures need to be based on a precise, clear and accessible law
- The surveillance interference of public authorities needs to be proportionate and strictly necessary
- An independent oversight mechanism needs to exist
- Effective remedies need to be available to individuals
Let’s break them down!
The surveillance measures need to be based on a precise, clear and accessible law
To start with, we need to check if there is a precise and clear law imposing the surveillance measures. Additionally, this law must be publicly accessible for all individuals. The reason why we need a precise, clear and easily accessible law is that the surveillance interference must be foreseeable: individuals must be able to expect it if the conditions laid down in the law are fulfilled. In that case individuals can defend themselves more easily and more effectively against surveillance measures, and therefore the risk of abuse by the public authorities is minimised.
For your assessment, take into consideration if the law imposing the surveillance measures addresses the following points:
- If the categories of people that might be subject to surveillance are clearly defined
- If the individuals that are/were subject to surveillance are notified
- If there is a limit on the duration of the measure
- If there is a procedure to be followed for examining, using and storing the data obtained
- If there are precautions to be taken when communicating the data to other parties
The surveillance interference needs to be proportionate and strictly necessary
Moving on, once we have identified the law(s) imposing surveillance measures, we will need to assess whether the surveillance measures are proportionate and necessary to achieve the specific purpose of the law.
Assessing the proportionality
To determine the proportionality of a surveillance measure, we need to weigh the impact of the measure on the individuals’ rights to data protection and privacy against the public interest objective. One example could be a country that imposes surveillance measures against terrorism which entail the monitoring of the email and phone communication of all visitors to the country. Such a law would not be proportionate unless it includes further limitations on the circumstances in which the surveillance measures may be imposed, to ensure that the interference with the individuals’ rights and freedoms is proportionate to the purpose of the law. For example, there need to be reasonable suspicions, based on certain criteria, that a person may be involved in terrorist activity.
Assessing the necessity
Assess whether the surveillance interference is strictly necessary in order to achieve the objective pursued. In other words, we need to determine whether the surveillance law requires that the least intrusive measure be applied when it is enough to achieve the same result. For example, a surveillance law that permits authorities to access the content of electronic communications on a generalised basis has been determined to compromise the essence of the right to respect for private life.
An independent oversight mechanism needs to exist
It is crucial that an independent, impartial and effective body, e.g. a judge or a similar entity, is in charge of overseeing the surveillance measures that are imposed. This oversight body needs to:
- have access to all relevant facts and documents to ensure that abuse of surveillance is prevented and detected
- be sufficiently independent from the executive branch and from the authorities that carry out the surveillance
- be granted authority to issue binding decisions on the intelligence services that carry out the surveillance measures
Effective remedies need to be available to the individual
Here you need to check whether data protection rights (such as the right to access personal data or delete it) are available to individuals who are subject to surveillance laws. Consider carefully whether those remedies apply only to citizens of the country. What we need to ensure here is that EU individuals, protected by the GDPR or other EU data protection/privacy laws, are granted these rights.
Other important factors to consider are:
- whether individuals are informed that they are subject to surveillance
- whether individuals have effective remedies against unlawful surveillance and can bring their case before a national court
Again, here you need to ensure that these points also apply to EU individuals whose personal data will be transferred to the third country.
That was the case in the Schrems II ruling, where the Court of Justice of the EU (CJEU) found that although there are effective remedies for individuals against surveillance measures, these apply only to US citizens. Therefore the CJEU held that US surveillance laws are not capable of offering EU individuals an adequate level of data protection, equivalent to the EU one.