1

On the 10th of July the EU Commission adopted a new adequacy decision, as a successor to the failed Safe Harbour and Privacy Shield agreements, to allow data transfers from the EU to the USA. The two areas this covers are legal redress if data is wrongly handled, and the question if the surveillance laws that allow the US government to collect data are "necessary and proportionate".

As a citizen of an EU member state I am happy that these questions are addressed. What I do wonder is if we (as in "we, the EU") ask more from others than we are prepared to deliver ourselves, because of course every EU member state has their own surveillance laws and agencies, and constitutional protections only apply to their own nationals, and the GDPR applies only to EU residents. It does not seem like we offer any protection e.g. to the data of US nationals that is processed in the EU (I might be wrong here, but such laws are certainly not broadly discussed if they exist).

I am also not sure if national laws are always particularly proportional - e.g. in my native Germany, the Bundesnachrichtendienst has a right by law to listen in to telecommunication world wide; while it says that complete surveillance is unlawful, the constraint is that they have to restrict themselves to not tap into more than 30% of global telecommunication networks at the same time. If your constraint exceeds your actual capabilities, then for practical purposes you do not have a constraint at all.

So, would surveillance in the EU pass muster under the GDPR, or does the EU ask for protections for its citizens that it is not willing to grant to foreigners?

I am not asking for a line-by-line discussion of specific laws, that would be impractical, but I am curious if this has been discussed as a part of the process that resulted in the GDPR or the adequacy decisions, and if so, if the discussion had any influence on the proceedings.

Eike Pierstorff

2 Answers

4

These are only tangentially related to the GDPR

A government entity processing data in accordance with a member state law is ipso facto in compliance with the GDPR.

That’s because lawful government data processing is a legitimate reason for processing data under the GDPR. If Germany, for example, passes a law saying German police can record every phone call in Germany, then that would be a lawful basis for processing under the GDPR. There may be constitutional or other legal limitations on such a law but as far as the GDPR is concerned, they’re fine.

Noch
Dale M
-3

The discussions leading up to the adoption of the GDPR were extensive and involved a wide range of stakeholders. This included representatives from member states, the European Parliament, the European Commission, data protection authorities, as well as businesses, non-governmental organizations, and academics.

The aim of these discussions was to create a framework that would balance the competing interests of privacy and security, economic growth, and the free flow of data. As such, it's reasonable to assume that the topics you've highlighted - such as the proportionality of surveillance laws and the protections afforded to non-EU citizens - were likely part of these discussions.

However, the exact impact these discussions had on the final text of the GDPR and the subsequent adequacy decisions is difficult to measure. The GDPR is a complex piece of legislation that represents a compromise between many different views and interests.

As for the adequacy decisions, these are based on a comprehensive assessment of the data protection laws and practices in the third country. This includes the rules regarding access to data by public authorities. Therefore, issues such as surveillance laws and protections for foreigners would certainly have been considered in these assessments.

Uk rain troll