The European Data Protection Board (EDPB), together with Recommendations 01/2020 following Schrems II ruling, has published Recommendations 02/2020 on the European Essential Guarantees (EEGs) for surveillance measures, de facto updating them.
These Recommendations are considerably important in light of the Schrems II ruling as well, because they need to be assessed to determine whether the legal framework governing access to personal data by public authorities in a third country can be regarded as a justifiable interference or not. Therefore, the EEGs form part of the assessment to be conducted in order to determine whether a third country provides a level of protection essentially equivalent to that guaranteed within the EU but they do not aim, per se, to define all the necessary elements.
Access, retention and further use of personal data by public authorities within the remit of surveillance measures must not exceed the limits of what is strictly necessary, assessed in the light of the Charter, otherwise it “cannot be considered to be justified, within a democratic society”. The main takeaways from the Recommendations are the following:
A. Processing should be based on clear, precise and accessible rules;
B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
C. An independent oversight mechanism should exist;
D. Effective remedies need to be available to the individual.