3 minute read
4.6.1 Applicable lega l framework for onward transfers by la w en forcem ent authorities
transfer to recipients in a third country, i.e. onward transfers should be permitted only where a continued level of protection essentially equivalent to the one provided under EU law is ensured. Consequently, when assessing whether a third country ensures an adequate level of data protection, the country’s legal framework for onward transfers must be taken into account. This is undisputed and in line with the view of both the European Commission84 and the EDPB.
162. In this context, the EDPB takes note that the ECtHR has in its recent decisions “Big Brother Watch and Others v. UK” and “Centrum för Rättvisa v. Sweden” provided guidance85 regarding the data protection precautions to be observed in Contracting States when communicating personal data to other parties for law enforcement and national security purposes in bulk collection cases: “First of all, the circumstances in which such a transfer may take place must be set out clearly in domestic law. Secondly, the transferring State must ensure that the receiving State, in handling the data, has in place safeguards capable of preventing abuse and disproportionate interference. In particular, the receiving State must guarantee the secure storage of the material and restrict its onward disclosure. […] Thirdly, heightened safeguards will be necessary when it is clear that material requiring special confidentiality – such as confidential journalistic material – is being transferred.”86
Advertisement
163. In applying these standards, the ECtHR found in “Centrum för Rättvisa v. Sweden” that the absence of any express legal requirement in the interception regime to assess the necessity and proportionality of intelligence sharing for its possible impact on the right to privacy constitutes a violation of Article 8 ECHR. The ECtHR criticised that, as a result of the level of generality of the law, intercept material could generally be sent abroad whenever this is considered to be in the national interest irrespective of whether the foreign recipient offers an acceptable minimum level of safeguards87 .
164. Acknowledging that the legal framework of South Korea does not allow for bulk interception, still in light of the implications of the jurisprudence of the ECtHR as outlined above, the EDPB considers that, in addition to the requirements stemming from EU law as interpreted by the CJEU, the ECtHR’s line of arguments should be considered for assessing whether the legal framework for onward transfers to a third country provides for adequate data protection standards.
4.6.1 Applicable legal framework for onward transfers by law enforcement authorities
165. In regard to onward transfers by the competent authorities for law enforcement purposes, the EDPB understands from the explanations by the European Commission that the Section 2 of Annex I of the draft decision concerning the limitation of onward transfers is applicable, including when the transfer is made on the basis of a statute other than PIPA. According to this rule, “if personal information is provided to a third party overseas, it may not receive the level of protection guaranteed by the Personal Information Protection Act of Korea due to differences in personal information protection systems of different countries. Accordingly, such cases will be deemed as ‘cases where disadvantages may be caused to the data subject’ mentioned in Paragraph 4 of Article 17 of the Act or ‘cases where the interest of a data subject or third party is infringed unfairly’ mentioned in Paragraph 2 of Article 18 of the Act and Article 14(2)of the Enforcement Decree of the same Act. To fulfil the requirements of these provisions, the personal information controller and third party must therefore explicitly ensure a level of protection equivalent to the Act, including the guarantee of the data subject’s exercise of his/her
84 See Reci tal 84 et s eq. of the draft decision. 85 The fol l owing elements were es tablished on the occasion of the cases Big Brother Watch and Centrum för Rättvisa, whi ch concern bul k i nterception regi mes . The requi rement of precautions to be taken when communi cating material to other parties was already part of the cri teria devel oped by the ECtHR i n the context of targeted i nterception and had not been further specified by the ECtHR (s ee Big Brother Watch and Others v. UK, para. 335, 362). 86 ECtHR, Big Brother Watch and others v. UK, 25 May 2021, ECLI:CE:ECHR:2021:0525JUD005817013, para. 362. 87 See ECtHR, Centrum för Rättvisa v. Sweden, 25 May 2021, ECLI:CE:ECHR:2021:0525JUD003525208, para. 326.
