On April 12, 2017, the European Data Protection Supervisor (EDPS) issued a Toolkit, titled “Assessing the necessity of measures that limit the fundamental rights to the protection of personal data”, which is designed to help policymakers identify the impact of new laws on the fundamental right to data protection and determine the cases in which the limitation of this right is truly necessary.
This Toolkit responds to requests from EU institutions for guidance on the particular requirements stemming from Article 52(1) of the Charter, which states that any limitation on the exercise of the right to personal data protection (Article 8 of the Charter) must be "necessary" for an objective of general interest or to protect the rights and freedoms of others. In this necessity toolkit, the EDPS provides policymakers with a practical step-by-step checklist, setting out the criteria to be considered by policymakers when they assess the necessity of new legislation, and providing examples to illustrate each step.
The Toolkit is based on the case law of the Court of Justice of the European Union (hereafter CJEU), the European Court of Human Rights (ECtHR), and previous Opinions of the EDPS and of the Article 29 Working Party. It follows a background paper5 issued in 2016 for public consultation.
According to the Toolkit, policymakers must performed the test of necessity in assessing the legality of any proposed measure involving processing of personal data, since to be lawful, any limitation on the exercise of the fundamental rights protected by the Charter must comply with the following criteria, laid down in Article 52(1) of the Charter:
- ? it must be provided for by law,
- ? it must respect the essence of the rights,
- ? it must genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others,
- ? it must be necessary - the subject of this Toolkit, and
- ? it must be proportional.
The necessity test should be performed in cases where the proposed legislative measure entails the processing of personal data. A proposed measure should be supported by evidence describing the problem to be addressed by the measure, how it will be addressed by the measure, and why existing or less intrusive measures cannot sufficiently address it .
In addition, the Toolkit highlights that the checklist for assessing necessity consists of four consecutive steps. Each step corresponds to a set of questions which will facilitate the assessment of necessity.
- ? Step 1 is preliminary; it requires a detailed factual description of the measure proposed and its purpose, prior to any assessment.
-? Step 2 will help identify whether the proposed measure represents a limitation on the rights to the protection of personal data or respect for private life (also called right to privacy), and possibly also with other rights.
-? Step 3 considers the objective of the measure against which the necessity of a measure should be assessed;
- ? Step 4 provides guidance on the specific aspects to address when performing the necessity test, in particular that the measure should be effective and the least intrusive.
If the assessment of any of the elements detailed in Steps #2 to #4 leads to the conclusion that a measure might not comply with the requirement of necessity, then the measure should either not be proposed, or should be reconsidered in line with the results of the analysis.
Silvia Giampaolo
News archive