Article 45. GDPR. Transfers on the basis of an adequacy decision

 

 

Author: Peter Schantz

 

  1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
  2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

  3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of [an] implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
  4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.
  5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

  6. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.
  7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.
  8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.
  9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

 

 

A. Overview and legislative history

In contrast to Art. 25 para. 6 DPD, the assessment of the level of data protection of the third country is now centralized at the Commission.[1] The option for Member States[2] and controllers/processors to ascertain the level of protection of a third country at their own responsibility was in practice rather theoretical anyway. Instead, Art. 45 now lays down in a detailed manner the requirements of an adequacy decision and its repeal and stipulates expressly an obligation of the Commission to monitor the situation in third countries (para. 4).

Art. 36 LED contains an identically worded provision linking both legal instruments by requiring the Commission to consider in its assessment whether there is an adequacy decision under the GDPR.[3] Transfers by the EU and its bodies may also be based on an adequacy decision pursuant to Art. 45 para. 1 GDPR or Art. 36 LED (pursuant to Art. 47 para. 1 Regulation (EU) 2018/1725). Under the LED, the Commission has so far only enacted an adequacy decision on the United Kingdom.[4]

B. Adequacy decisions
I. Content and legal effect (para. 1)

According to para. 1 sentence 1, a transfer to a recipient in a third country or an international organisation may take place if the Commission has decided that the third country or international organisation ensures an adequate level of data protection. Such an “adequacy decision” is taken by means of an implementing act pursuant to Art. 288 para. 1 TFEU. From the perspective of controllers and processors, this instrument of Chapter V provides for the highest degree of legal certainty. Presently, there are only thirteen adequacy decisions (→ mn. 29). The reason for this is that the assessment of the level of data protection provided by a third country requires a complex analysis.[5] Notably, the number of countries providing data protection regulations based on principles similar to the EU increased significantly to at least 108 countries in 2015.[6] The Commission declared that it will focus on adequacy decisions concerning countries with which the EU concludes free trade agreements,[7] as was the case with Japan and South Korea. Another adequacy decision concerned the United Kingdom after Brexit, with the national security law of the United Kingdom, its close cooperation with the US intelligence agencies[8] and the US-UK Cloud Act Agreement remaining problematic issues.

Commonly, an adequacy decision covers a third country as a whole. However, sentence 1 clarifies that such decisions can be limited to specific regions or sectors of a third country. For the sake of legal certainty, the scope of a partial adequacy decision has to be unambiguously defined by clear and objective criteria, such as specific processing activities or the scope of legislation of the third country (recital 104 sentence 2). Partial adequacy decisions are becoming more common. Currently, there are several partial adequacy decisions. First, the adequacy decision on Canada is limited to enterprises that are subject to the Canadian Personal Information Protection and Electronic Documents Act (Art. 1 Decision 2002/2/EG) covering all processing of personal data by private sector organizations in the course of their commercial activities (recital 5 Decision 2002/2/EG). Second, the adequacy decision on Japan covers solely recipients falling under the Act on the Protection of Personal Information, exempts specific recipients such as media, political parties and academic institutions, and stipulates Supplementary Rules contained in Annex I which only apply to data from the EU (Art. 1 Implementing Decision (EU) 2019/419). A third partial adequacy decision was the nullified Privacy Shield[9] (Implementing Act (EU) 2016/2018), which only applied to recipients who voluntarily agree to comply with the principles of processing contained in Annex I and are under the oversight of the Federal Trade Commission (FTC) or the Department of Transportation. Fourth, the scope of the adequacy decision on South Korea is linked to the Korean Personal Information Protection Act, but also follows a new avenue by exempting the processing of personal data by religious entities for missionary activities, political parties in the context of the nomination of candidates and by controllers subject to the Financial Services Commission regarding personal credit information (Art. 1 para. 2 Implementing Act (EU) 2021/254). Similarly, the adequacy decision on the United Kingdom carves out data transferred for the purpose of immigration control (Art. 1 para. 2 Implementing Act (EU) 2021/1772).

If an adequacy decision exists, a transfer to the third country concerned does not require further authorization by a SA (para. 1 sentence 2). Due to the supremacy of EU law, the SAs are bound by the decision (Art. 288 para. 4 TFEU). They are not allowed to suspend transfers due to the lack of an adequate level of protection in that third country, even if they question the assessment of the Commission that a third country ensures an adequate level of data protection.[10] In that case, the SA may bring a claim against the validity of the adequacy decision before a national court that will refer the question to the CJEU for a preliminary ruling pursuant to Art. 267 TFEU.[11]

 

 

 

 

[…]

 

 

 

 

[1] Albrecht/Jotzo, Das neue Datenschutzrecht der EU (2016), Part 6 para. 7; Mouzakiti, ‘Transborder Data Flows 2.0: Mending the Holes of the Data Protection Directive’ (2015) 1 EDPL 39 (47).

[2] Zerdick in Ehmann/Selmayr, Art. 45 para. 2 and 4.

[3] On the differences beyond the wording see Drechsler, ‘Comparing LED and GDPR Adequacy: One Standard Two Systems’ (2020) 1 GDPR 93.

[4] Commission Implementing Decision of 28.6.2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom; on the reasons for the lack of LED adequacy decisions and its fundamental rights implications see Drechsler, ‘Wanted: LED adequacy decisions. How the absence of any LED adequacy decision is hurting the protection of fundamental rights in a law enforcement context’ (2021) 11 IDPL 182 (188 et seq.).

[5] Kuner, ‘Developing an Adequate Legal Framework for International Data Transfers’ in Gutwirth et al. (eds), Reinventing Data Protection? (2009) 263 under I.; Mouzakiti, ‘Transborder Data Flows 2.0: Mending the Holes of the Data Protection Directive’ (2015) 1 EDPL 39 (41).

[6] Greenleaf, ‘The influence of European data privacy standards outside Europe: implications for globalization of Convention 108’ (2012) 2 IDPL 68 (69 et seq.); Greenleaf, ‘Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories’ (2014) 23 J. of Law Information and Science 4.

[7] European Commission, Exchanging and Protecting Personal Data in a Globalised World, COM(2017) 7 final, 9.

[8] See Murray, ‘Data transfers between the EU and UK post Brexit?’ (2017) 7 IDPL 149.

[9] See Case C-311/18, 16.07.2020, Schrems II, ECLI:EU:C:2020:559, para. 163–203.

[10] Case C-362/14, 06.10.2015, Schrems I, ECLI:EU:C:2015:650, para. 51–52.

[11] Case C-362/14, 06.10.2015, Schrems I, ECLI:EU:C:2015:650, para. 63 et seq.; Case C-311/18, 16.07.2020, Schrems II, ECLI:EU:C:2020:559, para. 116–120.
