Regulating surveillance: the legal framework
Surveillance for national security or law enforcement is mostly legislated by member states, with compliance with the Charter tested case-by-case by the CJEU or ECtHR. The EDPB's European Essential Guarantees for surveillance measures distil four requirements from that case law. The GDPR lets law restrict data subject rights under Article 23, the LED governs law-enforcement processing, and the ePrivacy Directive (Article 15(1)) lets states restrict the confidentiality of communications - all subject to necessity and proportionality in a democratic society.

| # | Requirement |
|---|---|
| 1 | Processing should be based on clear, precise and accessible rules |
| 2 | Necessity and proportionality with the legitimate objectives must be demonstrated |
| 3 | An independent oversight mechanism should exist |
| 4 | Effective remedies must be available to the individual |

| Instrument | What it allows | Condition |
|---|---|---|
| GDPR Article 23 | EU/member-state law to restrict Chapter 3 rights and Articles 5 and 34 | Necessary and proportionate measure in a democratic society; respect the essence of rights (Recital 73) |
| LED (Recital 66) | Covert investigations and video surveillance by law enforcement | Laid down by law; necessary and proportionate; due regard to legitimate interests |
| ePrivacy Directive Art 15(1) | States to restrict confidentiality of communications | Necessary, appropriate and proportionate measure within a democratic society |

Surveillance can be carried out by public and state agencies (for national security or law enforcement, respecting Charter Articles 7 and 8 and ECHR Article 8) or by private entities (subject to EU and member-state law on confidentiality, privacy, data protection and other civil rights such as employment law). State surveillance is mostly legislated by member states, and whether those national laws comply with the Charter is decided case-by-case in the CJEU or ECtHR.
The European Essential Guarantees were drafted to help assess whether a country's surveillance laws maintain the EU level of protection in the context of international data transfers (the Schrems line of cases). They also serve as a general reference for assessing the proportionality of member-state surveillance laws.
Private-sector surveillance should be treated like any other personal data processing activity - it must comply with the GDPR and applicable national law. But private entities may also be placed under an obligation to retain and/or share personal data with state agencies, so their activities can indirectly serve national security purposes too.