On November 10, 2020, the European Data Protection Board adopted Recommendations on the European Essential Guarantees for surveillance measures, dealing with the transfer and exchange of personal data with third countries which are not members of the EU.
The Recommendations relate to the assessment of whether the law of the third country to which the personal data are transferred is in line with EU protection standards (including the EU Charter of Fundamental Rights, the European Convention on Human Rights, and the case law of the European Court of Justice and the European Court of Human Rights).
This document was adopted shortly after the Decision of the EU Court of Justice in the case Schrems II.
The consequence of this Decision is that controllers who rely on the EU Standard Contract Clauses are obliged to confirm in each specific case and as appropriate, in cooperation with the data recipient in the third country, whether the law of a third country ensures a level of protection for transferred personal data which is essentially equal to that guaranteed in the European Economic Area.
In this way, the Recommendations enable the so-called “Data exporters” to determine whether the legal framework governing access to data by public authorities for supervisory purposes in third countries can be seen as justified interference in the privacy and protection of personal data.
If the interference is justified, there is no violation of Article 46 of the General Data Protection Regulation (the GDPR), on which the EU data exporter and importer rely. Paragraph 1 of that Article stipulates that the controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The Recommendations introduce four basic guarantees that must be present together when examining the law of a third country, namely:
The first guarantee means that any interference must be based on the law, and the law itself must clearly define the scope of all restrictions of fundamental rights and provide protection against arbitrary interference and abuse of power. Also, the law itself must be easily accessible to the public.
For the second condition, it is necessary that there is a legitimate aim (proportionality) for which the interference is performed (e.g., protection of public order and peace, protection against terrorism – in essence, justified public interest), but the law should set clear criteria for assessing it.
For the third guarantee, it is necessary to establish an independent and impartial body such as a judge or other independent authority that will have access to all necessary documents and facts and whose decisions will be binding on all, including the intelligence services that conduct surveillance, so that citizens can rely on this mechanism to prevent privacy violations.
To sum up, these guarantees make it easier for EU data transmitters to assess the laws of third countries. If they are fulfilled, the transfer is allowed; if not, the transfer should be rejected. Of course, the more concrete meaning of these guarantees has yet to be determined through practice. It should also be borne in mind that not every state's law is the same as that of the EU, and that a deeper analysis of a third country's law will often be necessary to determine whether these guarantees exist.
The Recommendations will certainly also be a challenge for our legislator, in terms of possible changes to the regulations on personal data protection.