Early last month, the European Commission tabled proposed
amendments to its existing decisions on the adequacy of third
countries' data protection laws, and to its decisions on the EU
standard contractual clauses.
When the CJEU invalidated the EU-U.S. Safe Harbor framework in
the Schrems decision last year, it set in motion a
review of all such existing adequacy arrangements.
The European Commission had used its powers under the EU Data
Protection Directive to issue decisions about whether other third
countries' laws adequately protect personal data in a manner
substantially similar to the law of the EU. Eleven countries
(Andorra, Argentina, Canada, Faroe Island, Guernsey, Israel, Isle
of Man, Jersey, New Zealand, Switzerland and Uruguay) are currently
deemed to provide adequate protection and are now under the
The Commission had used its powers under Article 25(6) of the
Directive to make determinations about a non-EEA nation's level
of protection based on that nation's domestic law or its
international commitments, but the Directive was not intended to
reduce the powers of the Member States. Notably, under Article
25(3), the Directive envisaged a collaboration between the Member
States and the Commission when considering the adequacy levels of
data protection of non-EEA nations (or "third
In practice, the Commission decisions tied the hands of each
Member State's data protection authority, effectively limiting
its ability to make its own assessment and decisions regarding
third-country adequacy levels. Thus, not only did the CJEU
invalidate Safe Harbor, but it also found that decisions by the
Commission under Article 25(6) do not prevent a national DPA from
exercising its supervisory jurisdiction.
The two draft amendments (Commission Implementing Decisions)
presented by the Commission to the Article 31 Committee seek to
address the previous adequacy decisions, not just in non-EEA
countries, but also in transfers of data using any of the EU
Standard Contractual Clauses. As the CJEU in the Schrems
ruling found that the Commission had exceeded its powers when
imposing limitations on the powers of the DPAs to suspend or
prohibit data transfers to so-called "white-listed"
nations (i.e., those appearing on the Commission's adequacy
list), the Commission is compelled to remove such restrictions.
The amendments themselves have not yet been released to the
public, but a summary of the Article 31 Committee meeting provides
insight into the objectives of the amendments. In its summary, the
"...the purpose of both draft decisions is to cure the
illegality that follows from the findings in the Court of
Justice's Schrems ruling. In Schrems, the Court invalidated
Article 3 of the Safe Harbor adequacy decision because it found
that the Commission exceeded its powers in imposing limitations on
the powers of national supervisory authorities ("DPAs")
to suspend and prohibit data flows. Since a comparable provision
restricting the powers of DPAs is present in the existing adequacy
and SCCs decisions, the main objective of the proposed draft
amending decisions is to remove any such restriction, thereby
ensuring that the DPAs can use all the powers provided under EU and
The Article 31 Committee was not able to take a decision on the
proposed amendments during the meeting at which these were
presented, as some Member States required more time to review and
consider the proposals. A further meeting will be convened in the
coming weeks for a vote on the amendments.
In the meantime, until these amendments are adopted, the
Commission's existing adequacy decisions remain in force.
Look for our update to follow...
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).