Early last month, the European Commission tabled proposed amendments to its existing decisions on the adequacy of third countries’ data protection laws, and to its decisions on the EU standard contractual clauses.
When the CJEU invalidated the EU-U.S. Safe Harbor framework in the Schrems decision last year, it set in motion a review of all such existing adequacy arrangements.
The European Commission had used its powers under the EU Data Protection Directive to issue decisions about whether other third countries’ laws adequately protect personal data in a manner substantially similar to the law of the EU. Eleven countries (Andorra, Argentina, Canada, Faroe Island, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay) are currently deemed to provide adequate protection and are now under the spotlight.
The Commission had used its powers under Article 25(6) of the Directive to make determinations about a non-EEA nation’s level of protection based on that nation’s domestic law or its international commitments, but the Directive was not intended to reduce the powers of the Member States. Notably, under Article 25(3), the Directive envisaged a collaboration between the Member States and the Commission when considering the adequacy levels of data protection of non-EEA nations (or “third countries”).
In practice, the Commission decisions tied the hands of each Member State’s data protection authority, effectively limiting its ability to make its own assessment and decisions regarding third-country adequacy levels. Thus, not only did the CJEU invalidate Safe Harbor, but it also found that decisions by the Commission under Article 25(6) do not prevent a national DPA from exercising its supervisory jurisdiction.
The two draft amendments (Commission Implementing Decisions) presented by the Commission to the Article 31 Committee seek to address the previous adequacy decisions, not just in non-EEA countries, but also in transfers of data using any of the EU Standard Contractual Clauses. As the CJEU in the Schrems ruling found that the Commission had exceeded its powers when imposing limitations on the powers of the DPAs to suspend or prohibit data transfers to so-called “white-listed” nations (i.e., those appearing on the Commission’s adequacy list), the Commission is compelled to remove such restrictions.
The amendments themselves have not yet been released to the public, but a summary of the Article 31 Committee meeting provides insight into the objectives of the amendments. In its summary, the Commission explains:
“…the purpose of both draft decisions is to cure the illegality that follows from the findings in the Court of Justice’s Schrems ruling. In Schrems, the Court invalidated Article 3 of the Safe Harbor adequacy decision because it found that the Commission exceeded its powers in imposing limitations on the powers of national supervisory authorities (“DPAs”) to suspend and prohibit data flows. Since a comparable provision restricting the powers of DPAs is present in the existing adequacy and SCCs decisions, the main objective of the proposed draft amending decisions is to remove any such restriction, thereby ensuring that the DPAs can use all the powers provided under EU and national law.”
The Article 31 Committee was not able to take a decision on the proposed amendments during the meeting at which these were presented, as some Member States required more time to review and consider the proposals. A further meeting will be convened in the coming weeks for a vote on the amendments.
In the meantime, until these amendments are adopted, the Commission’s existing adequacy decisions remain in force.
Look for our update to follow…