Privacy & Information Security Law Blog

On April 10, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 04/2014. The Opinion analyzes the implications of electronic surveillance programs on the right to privacy and provides several recommendations for protecting EU personal data in the surveillance context.

Since the Snowden revelations began last year, the Working Party has been expected to release its official point of view on surveillance activities of intelligence services, both in the United States and in the European Union. The Opinion analyzes the mass collection of personal data of EU citizens by both EU and non-EU intelligence services through their surveillance programs. The Opinion concludes that secret, massive and indiscriminate surveillance programs are illegal and cannot be justified by the fight against terrorism or other such threats to national security. The Opinion goes on to recommend several measures, including:

Increased Transparency and Maximizing Public Awareness

The Opinion recommends that EU Member States should be transparent to the greatest extent possible about their involvement in intelligence data collection and sharing programs, at least with their national parliaments and data protection authorities. In addition, the Opinion indicates that individuals should be better informed regarding both the consequences of their use of electronic communications services, and how better to protect themselves. To this end, the Working Party intends to organize a conference in the second half of 2014 bringing together all stakeholders to discuss a possible approach.

Effective and Independent Supervision of Intelligence Services in the EU

The Opinion recommends that EU Member States maintain a coherent legal framework for their intelligence services, including rules on data protection and the transfer of personal data to foreign government authorities. Intelligence services should be subject to effective and independent supervision involving the relevant national data protection authorities.

Improved Data Protection at the EU Level

The Opinion urges EU institutions to ensure that the proposed EU General Data Protection Regulation is adopted in 2014, and to endorse the European Parliament’s proposal for a new Article 43A, which would require informing individuals when access to their data has been given to public authorities in the preceding 12 months. The Opinion also recommends that EU institutions define the concept of national security, and clarify that protecting other countries’ national security is not sufficient to override EU law.

International Protection for EU Residents

Finally, the Opinion recommends expediting negotiations on an international agreement to provide adequate data protection safeguards for individuals in the context of intelligence operations.

The Opinion also reiterates that companies subject to EU law must comply with applicable EU data protection law, and that there is no legal basis for transferring personal data to a foreign government authority for massive and indiscriminate surveillance purposes.