3 minute read
4.4 Voluntary disclosures
minimum threshold of protection to interpret corresponding rights in the Charter, i.e. to the extent that the Charter, as interpreted by the CJEU, does not provide for a higher level of protection75 .
151. The EDPB notes that, while prior (independent) approval of surveillance measures is deemed an important safeguard against arbitrariness, such approval cannot be derived from the jurisprudence of the CJEU as an absolute requirement for the proportionality of surveillance measures. However, the ECtHR has now explicitly established the requirement of ex ante independent authorisation for bulk interception76 . While the draft decision does not explicitly say so, the EDPB understands that the legal framework of the Republic of Korea does not provide for bulk interception but only for targeted interception of telecommunications77 . The European Commission has confirmed this understanding.
Advertisement
152. That being said, the above-mentioned decisions of the ECtHR, in line with the case law of the CJEU78 and previous case law of the ECtHR79, once again show the importance of comprehensive supervision by independent supervisory authorities. The EDPB emphasizes that independent oversight at all stages of the process of government access for law enforcement and national security purposes is an important safeguard against arbitrary surveillance measures and thus for the assessment of an adequate level of data protection. The guarantee of independence of the supervisory authorities within the meaning of Article 8(3) of the Charter is intended to ensure effective and reliable monitoring of compliance with the rules on the protection of individuals with regard to the processing of personal data. This applies in particular in circumstances where, due to the nature of secret surveillance, the individual is prevented from seeking review or from taking a direct part in any review proceedings prior or during the execution of the surveillance measure.
153. The lack of prior independent approval cannot in itself be considered as a substantial shortcoming in Korean law with respect to the assessment of an essentially equivalent level of data protection. The assessment of adequacy depends, again, on all the circumstances of the case, in particular on the effectiveness of ex post oversight and legal redress as provided for in the legal framework of Korea (see further sections 4.7 and 4.8).
4.4 Voluntary disclosures
154. According to Article 83(3) TBA, telecommunication service providers may voluntarily hand over socalled “subscriber data”80 to national security and law enforcement authorities upon request. While the EDPB notes that cases involving personal data that have been transferred from the EEA to Korea are likely to be rare, they still need to be analysed in order to assess the level of data protection, as already mentioned above.
75 See CJEU, j oi ned cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and others, 6 October 2020, para. 124. 76 See ECtHR, Big Brother Watch and others v. UK, 25 May 2021, ECLI:CE:ECHR:2021:0525JUD005817013, para. 351: “Bul k intercepti on should be subject to i ndependent authorization at the outset”, “bulk interception should be authorized by an i ndependent body; that i s, a body which i s independent of the executi ve”. 77 Onl y Annex II, section 3.2 contains an explicit declaration for national s ecurity purposes when it is specified that the l i mi tations and s afeguards “ensure that the collection and processing of information is limited to what is strictly necessary to achieve a legitimate objective. This excludes any mass and indiscriminate collection of personal information for national security purposes” . 78 See, for exampl e, CJEU j oined cases C-203/15 and C-698/15, Tele2 Sverige AB and others, ECLI:EU:C:2016:970. 79 See, for exampl e, ECtHR, Case of Roman Zakharov v. Russia, 4 December 2015, ECLI:CE:ECHR:2015:1204JUD004714306. 80 Concerned datasets would be: the name, res i dent regi stration number, address and phone number of users, the dates on whi ch users subscribe or terminate thei r s ubscription as wel l as user i dentification codes (used to i denti fy the ri ghtful us er of computer s ystems or communication networks).
