ARTICLE 29 DATA PROTECTION WORKING PARTY
1SANK0H
1SANK0H
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
3.3.3 Conclusion<br />
Despite the limitations brought following the introduction of PPD-28, the concerns of the<br />
WP<strong>29</strong>, particularly regarding the proportionality of the data collection, remain. First of all,<br />
there are indications that the U.S. continue to collect massive and indiscriminate data, or at<br />
least do not exclude that they may still do so in the future. The WP<strong>29</strong> has consistently held<br />
that such data collection is not in conformity with EU law and is therefore not acceptable.<br />
Secondly, the WP<strong>29</strong> notes that also targeted data processing, or processing that is ‘as tailored<br />
as feasible’, can still be considered to be massive. Whether or not such massive data<br />
collection should be allowed or not is currently subject to proceedings before the CJEU. For<br />
this reason, the WP<strong>29</strong> shall not make a final assessment as to the legality of targeted, but<br />
massive data processing. However, it stresses that if targeted, but massive data processing<br />
would be allowed, the targeting principles should apply to both the collection and the<br />
subsequent use of the data, and cannot be limited to just the use. In any case, a clarification of<br />
the draft adequacy decision is needed in relation to the six purposes mentioned in PPD-28 for<br />
which data can be collected ‘in bulk’. The WP<strong>29</strong> is, at this stage, not convinced these<br />
purposes are sufficiently restricted to ensure the data collection is indeed restricted to what is<br />
necessary and proportional.<br />
3.4 Guarantee C - An independent oversight mechanism should exist<br />
The U.S. does not have one single oversight body at the federal level tasked to oversee the<br />
implications of intelligence and surveillance programmes for privacy and data protection.<br />
Rather, the U.S. intelligence activities are subject to a multi-layered oversight process: a<br />
distinction can be made between internal and external oversight. The WP<strong>29</strong> recognises that<br />
the U.S. oversight bodies reporting practice is very detailed and mostly public.<br />
3.4.1 Internal oversight<br />
All intelligence and security agencies have staff members that are responsible for ensuring<br />
compliance with their legislative framework including Inspectors-General whose primary task<br />
is to assess overall compliance of the work of the agencies with the legislation, including but<br />
not limited to the laws related to privacy and data protection. The Inspectors-General are<br />
established by statute and are (or soon will be) all appointed by the President followed by<br />
Senate confirmation, in an attempt to ensure that they will be organisationally independent<br />
and report to Congress. The WP<strong>29</strong> considers the Inspectors-General therefore are likely to<br />
meet the criterion for organisational independence as defined by the CJEU and the European<br />
Court of Human Rights (ECtHR), at least from the moment the new nomination process<br />
applies to all. For the time being, some concerns remain regarding Inspectors-General that are<br />
still appointed by the Director of the agency they oversee.<br />
The Inspectors-General can make recommendations which can then be referred to the<br />
Department of Justice and to the PCLOB or even to the Congressional committee who can<br />
enforce the recommendations. If a violation is found by the Inspector-General, it can be dealt<br />
40