On 10 November 2020, the European Data Protection Board (EDPB) adopted Recommendation 02/2020 on the European Essential Guarantees (EEG) for surveillance measures. The Recommendation updates a previous document on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures by third countries’ national security or law enforcement authorities when transferring personal data. This document was issued by the Article 29 Working Party, the EDPB’s predecessor, following the Schrems I judgment of 6 October 2015 ( → eucrim 3/2015, 85). The Recommendation takes into account the recent CJEU’s and ECtHR’s case law on data protection, in particular the CJEU’s judgment of 16 July 2020 in Schrems II ( → eucrim 2/2020, 98-99).

The EEG help data exporters assess whether third country legislation ensures a level of protection essentially equivalent to that guaranteed within the EU. It should not be confused with the European Commission’s adequacy decision in accordance with Art. 45 GDPR that would generally open the path for data transfer to third countries from the EU. However, the EEG is part of this assessment.

The Recommendation explains the background and further details of the four European Essential Guarantees:

• Processing should be based on clear, precise and accessible rules;
• Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
• An independent oversight mechanism should exist;
• Effective remedies need to be available to the individual.

Recommendation 02/2020 supplements other guidelines and recommendations by the EDPB to be taken into account when proceeding with the assessment on lawful data transfers to third countries. Assessments depend on the transfer tool to be used and on the necessity to provide appropriate safeguards, including, if necessary, supplementary measures ( → Recommendation 01/2020 analysed in separate news item).