In February 2020, the European Data Protection Board released a recommendation guide on essential guarantees for surveillance measures implemented under the European General Data Protection Regulation – GDPR.
According to the recommendations guide, the purpose of these guarantees is to provide elements to examine whether surveillance measures allowing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference or not.
Thus, the purpose of this examination is to determine whether a country offers a level of protection essentially equivalent to that guaranteed within the European Union.
Considering the above, the elements listed below must be interpreted as essential guarantees to be provided by third countries to justify surveillance measures by foreign countries, interfering with rights related to privacy and data protection of European citizens.
The elements referred to above are listed below:
1. Processing should be based on clear, precise and accessible rules
2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
3. An independent oversight mechanism should exist
4. Effective remedies need to be available to the individual.
This issue gained considerable relevance when the European Court found that the Privacy Shield (a previous agreement to guarantee the exchange of European citizens' personal data between the European Union and the United States) alone would no longer be sufficient to guarantee the transfer of data of European citizens to recipients in the United States, as interference by the US on privacy and data protection rights was verging on unreasonable, even if on the grounds of national security or law enforcement.
Finally, it is important to point out that the document recommends that any government that interfered with a citizen's right to privacy should notify such citizen, so that they could exercise their rights to request access to their personal data that has been made available, and where appropriate, to have the latter rectified or erased, although such notification must occur only to the extent as as soon as it does not jeopardize the legitimate purpose of the tasks performed by the respective authorities.
The prerogatives established in this document could certainly contribute to analysis by the National Data Protection Authority - ANPD, in regulating Article 33, I of the Brazilian Data Protection Act - LGPD, on international transfer of data, with permission being based on the appropriate degree of protection by the country or international organization.