ARTICLE 29 DATA PROTECTION WORKING PARTY
1SANK0H
1SANK0H
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
4.2 Application of the European Essential Guarantees to access by law enforcement<br />
authorities to data held by corporations<br />
4.2.1 Access by law enforcement authorities to personal data should be in accordance with<br />
the law and based on clear, precise and accessible rules<br />
Annex VII to the Privacy Shield contains a letter from the U.S. Department of Justice,<br />
“providing a brief overview of the primary investigative tools used to obtain commercial data<br />
and other record information from corporations in the United States for criminal law<br />
enforcement or public interest (civil and regulatory) purposes, including the access limitations<br />
set forth in those authorities”.<br />
All procedures mentioned in Annex VII stem either from the U.S. Constitution directly (the<br />
Fourth Amendment), from statutory and procedural law or from Guidelines and Policies of<br />
the Department of Justice. However, Annex VII does not refer specifically to all the statutes<br />
that provide for these procedures, but instead focuses on describing in short the procedures<br />
themselves. Annex VII also mentions that “there are other legal bases for companies to<br />
challenge data requests from administrative agencies based on their specific industries and the<br />
types of data they possess”, by giving several non-exhaustive examples such as the Bank<br />
Secrecy Act, the Fair Credit Reporting Act, the Right to Financial Privacy Act.<br />
The WP<strong>29</strong> notes that the framework of statutes, procedures and policies is fragmented and<br />
that the applicable legal basis to a given request for access will depend on the nature of the<br />
data sought, the nature of the company, the nature of the legal procedures (criminal,<br />
administrative, related to other public interest) and the nature of the entity requesting access.<br />
Since all applicable rules to limit access by law enforcement authorities to data transferred<br />
under the Privacy Shield are based on the Constitution, on statutory law and on transparent<br />
policies of the Department of Justice, a presumption of accessibility of these rules is taken<br />
into account by the WP<strong>29</strong>. However, the clarity and precision of the rules can only be<br />
assessed in each individual type of procedure and request for access. The WP<strong>29</strong> therefore<br />
regrets to note that, based on the available details in Annex VII to the Privacy Shield and the<br />
findings in the draft decision, such an assessment cannot be done at this moment.<br />
4.2.2 Necessity and proportionality with regard to the legitimate objectives pursued need to<br />
be demonstrated<br />
The WP<strong>29</strong> duly notes that requesting access to data for law enforcement purposes can be<br />
considered to pursue a legitimate objective. For instance, Article 8(2) ECHR accepts<br />
interferences to the right to the protection for private life by a public authority “in the interests<br />
of (…) public safety, (…) for the prevention of disorder or crime”. However, such<br />
interferences are only acceptable when they are necessary and proportionate 83 .<br />
83 See the Working Document on the European Essential Guarantees, p. 7-9. For a general assessment of the concepts of<br />
necessity and proportionality, see WP<strong>29</strong> “Opinion 01/2014 on the application of necessity and proportionality concepts and<br />
data protection within the law enforcement sector”, 27 February 2014.<br />
53