State surveillance under EU scrutiny once again
The Article 29 Working Party (DPWP) has published a Working Document on surveillance of electronic communications for intelligence and national security purposes (WP228), together with a short Joint Statement (WP227) on the ways in which the EU should influence policy in this area through its data protection legal framework.
The Working Document contains the legal analysis behind the DPWP’s Opinion on surveillance of electronic communications for intelligence and national security purposes. As a reminder, the Opinion was adopted in April 2014 (a copy of the original press release is here) following protracted discussions in the EU on the legality of mass surveillance activities in light of the Snowden revelations. It emphasises the DPWP’s firmly-held belief that terrorism or other threats to national security do not justify “secret, massive and indiscriminate”, systematic surveillance of EU citizens as they interfere with their fundamental rights. Consequently, the DPWP concludes that this type of activity is illegal under EU legislation on the basis that “restrictions to the fundamental rights of all citizens could only be accepted if the measure is strictly necessary and proportionate in a democratic society” and “under no circumstance” could bulk surveillance activities meet these data protection requirements. The Opinion also recommends policy measures for governments to strengthen privacy and data protection in this context, including more transparency on how surveillance programmes work and independent, effective oversight of intelligence services.
Amongst other things, the Working Document looks in detail at its reasons for suggesting in the Opinion that the scope of the national security exemption be clarified and it discusses the applicability of EU data protection law to transfers of personal data outside the EU. In particular, it considers the issue of whether a non-EU country’s national security interests can be invoked legitimately using the existing legal framework (i.e. those EU legal instruments designed to frame international data transfers between private parties) when the law enforcement or security agencies of that country requests access to personal data held by an EU data controller. The DPWP concludes that they cannot and the non-EU agency should therefore make use of formal means of cooperation, including mutual legal assistance schemes and other international agreements. The Working Document contains illustrative scenarios in application of its analysis.
In the Joint Statement, the DPWP sets out a 15-point declaration highlighting the increasing importance of data sharing for the digital economy and emphasises the dangers of uncontrolled data collection and use for the fundamental rights of individuals, which in turn could erode consumer trust. In other words, surveillance activities may have a detriment effect on consumer confidence as well as commercial effects on the business activities of EU (and indirectly non-EU) providers of online service.
The Joint Statement once again emphasises the DPWP’s view that the processing of personal data in the context of governmental electronic surveillance may take place only under adequate safeguards defined by law, in accordance with Article 8 of the European Charter of Fundamental Rights that entered into force in 2009 under the Treaty of Lisbon. The Joint Statement therefore calls for the adoption of the EU data protection proposals for reform package by 2015 and encourages the EU institutions to ensure that level of protection of personal data in the EU is not undermined, in whole or part, by international agreements. In this respect, the DPWP has also been a fervent supporter of the idea of a public-domain agreement providing for privacy and data protection in relation to intelligence services at the international level. The DPWP goes as far as suggesting that upcoming reform provides “a unique window of opportunity” to demarcate the situations to which the data protection regime shall apply when dealing with data transmissions to law enforcement and intelligence services”. (An interesting side-question that can be raised here for further investigation is the extent to which such measures could be expected, in reality, to restrict surveillance activities carried out in the name of ‘national security’ – a somewhat open-ended term – as they remain primarily a matter of domestic, EU Member State competence). The DPWP remains optimistic, however, in expecting a proportionate balancing of interests to be achievable in this context and states that, “Europe must make its voice heard in terms of ensuring that fundamental rights, including the rights to privacy and data protection, are respected without obstructing innovation or the need to ensure security in our society”.
The publication of the Working Party and Joint Statement is timely given that the EU is currently negotiating a number of international agreements, including changes to the EU-US safe-harbour privacy principles and the Transatlantic Trade and Investment Partnership (TTIP). Furthermore, the publication of these documents by the DPWP is an opportune reminder that a number of legal questions related to the legality of blanket, government surveillance of communications data and unrestricted, bulk retention of personal data wait to be heard by the Court of Justice of the EU (CJEU). The most notable CJEU statement on this issue this year was its ruling that the EU Data Retention Directive (2006/24/EC) was invalid, a topic on which the DPWP was also keen to comment in another Statement it released this April.
The DPWP welcomes comments on the Joint Statement by interested stakeholders through the dedicated website available at www.europeandatagovernance-forum.com and says that it will consider comments in its forthcoming activities. We are sure to be hearing lots more from the DPWP, the CJEU and the EU Institutions in this area in 2015.