Privacy & Information Security Law Blog

On December 5, 2014, the Article 29 Working Party (the “Working Party”) published a Working Document on surveillance, electronic communications and national security. The Working Party (which is comprised of the national data protection authorities (“DPAs”) of each of the 28 EU Member States) regularly publishes guidance on the application and interpretation of EU data protection law. Although its views are not legally binding, they are strongly indicative of the way in which EU data protection law is likely to be enforced.

The Working Document is specifically intended to address data protection issues arising out of the Snowden revelations that began in 2013 and the bulk data collection activities of various intelligence and security agencies. The Working Document is, in part, a follow up to the Working Party’s previous Opinion on surveillance, which was published earlier this year.

The Working Document examines the boundaries between the concepts of privacy and national security, and emphasizes the importance of privacy as a fundamental right in the EU. The Working Document concludes that the activities of intelligence and security agencies should not always fall within the scope of the national security exemption under EU data protection law, and that where the meaning of the term “national security” is unclear, the exemption should be construed narrowly.

The Working Party points out that, under a literal interpretation of the law, the national security of a non-EU country cannot be invoked as an exemption to the application of EU data protection law. However, the Working Party also acknowledges that where the national security interests of a non-EU country align with the national security interests of an EU Member State (e.g., the shared interests of EU Member States and the U.S. in combatting terrorism) the exemption may apply.

Notably, in the view of the Working Party, none of the existing EU cross-border data transfer mechanisms (i.e., Model Clauses, Binding Corporate Rules or Safe Harbor) can be used to justify the transfer of personal data out of the European Economic Area for mass surveillance purposes. Instead, the Working Party considers activities involving “massive, indiscriminate, secret and structural surveillance of personal data” as prima facie non-compliant with the principles of EU data protection law.

In addition to publishing the Working Document, on December 8, 2014, the Working Party published a Joint Statement outlining its views on surveillance of electronic communications and shared European data protection values in the context of an increasingly digital world. The Joint Statement shares many of the themes noted above and provides some insight into the views of EU DPAs on the future of data protection enforcement in this area.