At a meeting of the Article 31 Committee on 3 October, the European Commission discussed two draft Implementing Decisions as part of wider efforts to amend the existing adequacy decisions and decisions on current EU Model Clauses. The proposed changes include a significant amendment to remove provisions restricting national and local data protection authorities’ (“DPAs”) power in relation to these adequacy decisions and Model Clauses.
The Article 31 Committee, established by Directive 95/46 EC, had its 72nd meeting on 3 October to unveil two new draft European Commission Implementing Decisions. Representatives from 28 different Member States attended the meeting to give their opinion on the proposals. The Implementing Decisions propose various amendments to the existing adequacy decisions and decisions on EU Model Clauses.
Adequacy decisions are used by the European Commission to determine whether a ‘third country’ provides comprehensive and altogether sufficient safeguards for the protection of personal data in the Community; decisions are made by the Commission on the basis of an assessment of an individual country’s local law and their commitment to the protection of data in Europe and internationally. Where a conclusion is reached that a country’s mechanisms and procedures are adequate, they are added to the Commission’s ‘White List’ and transfers can be made from the EEA to that country without the need for further checks or safeguards.
According to the Commission, the move to amend the decisions in question is to “cure the illegality” that flows from the ruling in the widely discussed and much-debated case of Schrems v Facebook, heard by the European Court of Justice (“ECJ”) in October 2015. The ECJ ruled in Schrems that all national supervisory authorities still have the power to examine EU to US data transfers regardless of any pre-existing Commission decisions (e.g. the Safe Harbor Decision in 2000 which seemingly gave companies a ‘carte blanche’ to transfer data if they were compliant with certain principles), and that the Safe Harbour data transfer framework is invalid as it does not provide remedies for individuals who unsuccessfully seek to access their erased or amended data, or allow national supervisory authorities to exercise their powers in this respect. The main objective of the proposed draft amending decisions is to remove any such restriction, thereby ensuring that DPAs can use all of the powers provided under EU and national law.
The Implementing Decisions, which as yet are unpublished, divided opinion at the meeting. A number of the Member States present were in favour of the two key amendments, whilst others asked for further time to consider the proposed changes in more detail before making a decision. Accordingly, it was decided that another meeting would be scheduled, and that in the meantime the Article 29 Working Party would meet to present its own views on the suggested changes.
An official European Commission summary of the 72nd meeting, with a list of participants, is available here.