Following the Schrems II decision, EU Data Protection Authorities d their European Essential Guarantees.(EEG). While updating the European Essential Guarantees, the decisions of the Court of Justice of the EU and the ECtHR were taken into account. With this regulation, it is aimed to respected to make sure interferences with the rights to privacy and the protection of personal data, through surveillance measures, when transferring personal data, do not go beyond what is necessarry and proportionate in a democratic society.
EEGs are based specifically on case law. Schrems I and II decisions constituted a turning point. The d EEGs are a tool to help assess whether surveillance measures in a third country can be justified as an intervention.
Following the case law analysis, the European Data Protection Board's requirements to impose restrictions on data protection and privacy rights can be summarized in four European Essential Guarantees.
A. Processing should be based on clear, precise and accessible rules.
In accordance with the EU Charter of Fundamental Rights, personal data must be processed for a specified period of time in accordance with the purpose, based on the consent of the person concerned or on other legitimate grounds. In addition, any restrictions on the use of the rights and freedoms granted to the person must be made by law. This legal basis should lay down clear and precise rules governing the scope and application of the document in terms of the measure in question and the implementation of the minimum measures. In order to provide adequate and effective protection against arbitrary intervention and the risk of abuse, the impact of the intervention on the individual must be predictable.
B. The necessity and proportionality of legitimate objectives need to be demonstrated.
It is against this principle to keep all personal data of persons whose data is transferred from the EU without any distinction, limitation or exception.
Countries that do not place any restrictions on foreign intelligence surveillance programs are not compliant with this principle.
The principle of proportionality must be assessed by measuring whether a limitation on privacy and data protection rights can be justified and, on the one hand, the severity of the impact caused by such interference.
C. An independent oversight mechanism should be in place.
Surveillance measures should be subject to review by a court or an independent administrative body whose decision is binding. The intervention should not be arbitrary including checks and balances over the exercise and existence or absence of potency.
The manner in which members of the supervisory body are appointed and their legal status, independence should be taken into account.
D. Effective remedies must be provided to the individual.
It is the fundamental right of a person to take legal action to gain access to personal data about herself/himself or to have such data corrected or d.
These four elements should be seen as the basic element to be found in the assessment of the level of interference in privacy and data protection rights