19 December 2016 - Post by:Charlotte Mullarkey
The Article 29 Working Party (WP29) has published Opinion 04/2016 (the Opinion) on two European Commission draft Decisions aimed at curing the defects in the Commission determinations of the adequacy of protection (Adequacy Decisions) identified by the CJEU in Schrems. Although dated 31st October 2016, it appears to have been only published on Friday and the underlying Commission draft Decisions have not yet been published. The draft Decisions must still be submitted to the Article 31 Committee for approval before adoption.
Draft decision on Standard Contractual Clauses (SCCs)
The Commission proposes to amend Article 4 of the Adequacy Decision on SCCs which provides the conditions under which the DPAs can exercise their powers to suspend or prohibit data flows carried out pursuant to SCCs. WP29 recommends:
- adding a recital to make it clear that the binding character of the SCCs Adequacy Decision does not prevent national supervisory authorities from suspending or prohibiting personal data flows;
- adding a non-exhaustive list of examples of situations in which these powers may be exercised including when the data importer has not respected the standard contractual clauses or when the legislation applicable to the data importer imposes upon him requirements which go beyond the restrictions strictly necessary in a democratic society. Including the latter example would create uncertainty over data flows to many jurisdictions.
Draft decision on adequacy for Third Countries
The WP 29 noted that the draft decision includes an acknowledgement that DPAs may suspend or prohibit data flows and a duty on the Commission to monitor the findings relating to adequacy decisions. However, it recommends:
- expressly incorporating a provision that Commission decisions are binding and that supervisory authorities may challenge them before national courts with a view to a reference to the CJEU;
- clarifying that such proceedings may be brought where the DPA considers that the data importer or any further recipient is subject to legal requirements which may interfere with the applicable data protection law in a manner which goes beyond the restrictions necessary in a democratic society as provided for in Article 13 of Directive 95/46/EC;
- incorporating a power to suspend or prohibit data flows where the DPA considers that the transfer of personal data is carried out in violation of EU data protection law, including when the data importer or any further recipient is not complying with the applicable standard of protection subject to the relevant adequacy decision;
- referring not only to the legal order but also to the practices in the third country – presumably meaning that the Commission should declare that it has assessed the actual application of data protection law rather than simply the legislation; and
- including an agreement for DPAs and the Commission to inform each other of any indications of interference by government authorities beyond what is strictly necessary in a democratic society, or if there is no effective legal protection against such interference.
WP29 heavily emphasised the need for adequacy decisions to address government agency access to data in all adequate jurisdictions, referring specifically to Canada, Switzerland, Argentina, Israel, Uruguay and New Zealand and saying that the lack of assessment could jeopardize the legal validity of the decisions.
This update was first published on “Rulefinder Cross Border Data Transfer” by aosphere on 19 December 2016. For further details about Rulefinder please see here.