Data adequacy decisions under the GDPR
A thorough look at the rules on the free flow of personal data from the EU to other countries
TL;DR
This newsletter is about data adequacy decisions made by the European Commission under the GDPR. It looks at the assessments and procedure that the Commission must carry out for these decisions, the form that these decisions can take and their legal status.
Here are the key takeaways:
Under the GDPR, transfers of personal data to countries outside of the EU are subject to specific rules. One of the ways in which such transfers can take place is if the country benefits from an adequacy decision made by the European Commission.
A data adequacy decision made by the Commission under Article 45 of the GDPR permits the free flow of personal data to the third country to which the decision relates. Such transfers therefore do not require the data controller or processor to obtain any specific authorisation.
A list of the countries with an EU data adequacy decision can be found on the Commission's website. There are currently 15 such decisions, including for the UK and the US.
To make an adequacy decision in favour of a third country, the Commission must assess the law of that country to ensure that it provides adequate protection of personal data. However, the law does not need to be identical to the legal regime in the EU, and must instead be 'essentially equivalent'.
The GDPR itself specifies the criteria that countries should be assessed against for an adequacy decision. Additionally, both the Commission and the former Article 29 Working Party have provided further guidance on the factors to be taken into consideration when making an adequacy decision.
Overall, an adequacy decision must contain the following:
That the third country or international organisation ensures adequate protection of personal data under its domestic law or international commitments.
The territorial and sectoral application of the adequacy decision.
A mechanism for periodic review.
The supervisory authority responsible for enforcing compliance with data protection rules in the third country.
Intro
Whilst the flow of data is essential for trade and international cooperation, international data transfers can invite risks to the protection of personal data. This is because when data flows outside of the EU, it becomes subject to the laws of the recipient country. It is therefore important, from an EU perspective, that even where personal data may be transferred outside of the bloc, it is still processed in accordance with appropriate data protection laws.1
Accordingly, some of the most significant rules under the EU's GDPR are those pertaining to international data transfers. Where personal data are transferred and are intended for processing in a third country (i.e., a non-Member State of the EU), the relevant provisions under Chapter V of the Regulation apply.2 The aim of these rules is to ensure that the level of protection provided by the GDPR for EU citizens is maintained no matter where the personal data are located.3
One of the transfer mechanisms provided under the GDPR for data transfers out of the EU is an adequacy decision made by the European Commission in favour of a third country.4 Over the last 26 years, the Commission has finalised 15 adequacy decisions: 11 were made under the Data Protection Directive and four (Japan, South Korea, the USA and the UK) have been made under the GDPR.5 Where such a decision is made, it essentially permits the free flow of the personal data covered by the decision from the EU to the third country, and there is no requirement for any specific authorisation to be sought by the data controller or processor.
Assessing the law of the third country
An adequacy decision made by the European Commission under the GDPR is a decision affirming that a third country ensures an adequate level of protection under its domestic law. This requires the Commission to carry out an assessment of the law of the third country to ensure that it provides this adequate level of protection. The assessment carried out for an adequacy decision is more thorough than is typically the case when negotiating international agreements.6
Article 45 of the Regulation sets out the criteria that the Commission must use in making an adequacy decision. However, the law of the third country in question does not need to be identical to the legal regime of the EU. Rather, the protection of personal data in the third country under its domestic law must be 'essentially equivalent' to the protection provided under EU law, namely the protection provided under the GDPR and the EU Charter.7
Moreover, according to the former Article 29 Data Protection Working Party, such equivalence must be evident both in terms of the content of the data protection laws of the third country and also their practical effect.8 This approach derives from the stipulations of the Court of Justice of the European Union (CJEU) in Schrems, whereby the Commission must assess the content of the applicable rules in the third country under its domestic law and international obligations as well as the mechanisms for ensuring compliance with those rules.9 The European Data Protection Board (EDPB), the successor to the Working Party, has endorsed this approach for adequacy decisions.10
Accordingly, the Commission's adequacy assessment includes identifying the following within the content of the third country's rules:11
Basic Data Protection Concepts. While these do not need to mirror the GDPR, the third country rules should contain concepts that are consistent with those under EU law.12 For instance, the concepts of 'personal data', 'data controller' and 'data processor' should be reflected.
Grounds for Lawful and Fair Processing for Legitimate Purposes. The law should require that data are processed in a lawful, fair and legitimate manner.13 The GDPR contains several different grounds for processing personal data, such as consent, the performance of a contract or legitimate interests.14
The Purpose Limitation Principle. The GDPR requires that data are collected for specified purposes and not further processed in a manner incompatible with those purposes.15 This should be reflected in the third country's rules.
The Data Quality and Proportionality Principle. Under EU law, data must be accurate, kept up-to-date and also adequate and relevant in relation to the particular processing purpose.16
The Data Retention Principle. The rules of the third country should require that personal data are retained for no longer than is necessary for the processing purpose, as provided in the GDPR.17
The Security and Confidentiality Principle. The processing of personal data should be secured by measures protecting against unauthorised or unlawful processing and against accidental loss, destruction or damage.18 The state of the art and the related costs should be taken into account when implementing such measures.19
The Transparency Principle. The third country law should require those entities processing personal data to convey to data subjects, in a clear, accessible, concise, transparent and intelligible form, the main elements of the processing.20 In particular, data subjects should be informed of the processing purposes, the identity of the controller and their rights in relation to their personal data. Some exceptions may apply to this, such as to safeguard criminal investigations or national security.
The Right of Access, Rectification, Erasure and Objection. The GDPR allows data subjects to obtain information about their personal data being processed (including a copy of that personal data),21 to rectify any inaccuracies in that data,22 to request its deletion on certain grounds,23 and also to object to processing in the absence of compelling legitimate grounds for processing.24
Restrictions on Onward Transfers. The GDPR aims to ensure that the protection it provides for the personal data of EU citizens is not undermined when transferred abroad. In order to maintain this, onward transfers from the third country to which data were originally transferred must be subject to appropriate safeguards in the absence of an adequacy decision. Therefore, the third country should ensure that such onward transfers are subject to certain restrictions, including the requirement for a legal basis for the transfer.
Rules for Specific Types of Processing. Additional assessment may be made of other rules within the third country’s law, such as those on special categories of data, direct marketing or automated decision making and profiling.25
The Working Party also enunciated the procedural and enforcement mechanisms that should be evident in the third country’s data protection law. These include the existence of a competent independent supervisory authority, a system for ensuring a good level of compliance (for example through effective and dissuasive sanctions), requirements for those processing personal data being able to demonstrate such compliance (reflecting the accountability principle under the GDPR),26 and a system for providing support for data subjects in exercising their rights and appropriate redress mechanisms.27
Reflecting these requirements as articulated by the Working Party, the GDPR specifies the particular aspects of the third country's law that the European Commission must assess, namely:
Overall Legal Framework.28 The rule of law, respect for human rights and fundamental freedoms and the relevant legislation, as well as the implementation of such legislation, must be assessed. That legislation includes any data protection rules but may also relate to laws on public security, defence, national security, criminal law and the access of public authorities to personal data. The Commission must also assess the rules on onward transfers to another third country, as well as the relevant case-law, the existence of effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred.
Independent Supervisory Authority.29 The Commission must assess the existence of an independent supervisory authority (SA) in the third country with responsibility for ensuring and enforcing compliance with the data protection rules. It must be equipped with adequate enforcement powers, be able to assist and advise data subjects in exercising their rights, and cooperate with the SAs of the Member States of the EU.
International Commitments.30 Any commitments that the third country has entered into at an international level must be examined by the Commission. This particularly pertains to obligations arising from legally binding conventions or instruments or the participation in multilateral or regional systems relating to the protection of personal data.
However, the assessment criteria under the GDPR are not exhaustive.31 The European Commission has previously stated that other factors may be taken into account when making an adequacy decision. Those factors include:32
The extent of the EU’s (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations.
The extent of personal data flows from the EU, reflecting geographical and/or cultural ties.
The pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region (this may be particularly relevant for developing and transition countries as the protection of personal data is both a crucial element of the rule of law and an important factor for economic competitiveness).
The overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.
Adequacy decisions and international agreements
It is also possible for the Commission to provide a legal basis for the transfer of personal data to a third country by concluding an international agreement or treaty with that country.33 This is reflected in the GDPR, which states that its provisions on data transfers are without prejudice to international agreements concluded with third countries regulating the transfer of personal data and including appropriate safeguards for the data subjects.34
However, while such agreements may be possible, the Commission has insisted that the conclusion of data transfer agreements will be separate from any trade agreements with the same third country.35 This is because the right to data protection is a fundamental right in the EU, which should not be subject to negotiation in the same way that a trade agreement might be. In particular, the EU “cannot embark on any international trade commitments that are incompatible with its domestic data protection legislation”.36 Accordingly, for the EU, discussions on data protection and trade may take place across similar timeframes and even complement each other, but they must be conducted on separate tracks.37
'Partial' adequacy decisions
An adequacy decision may relate to the whole of a third country or to a particular sector or territory of the third country.38 For example, the Canadian adequacy decision only covers data transfers to organisations that process data in the course of a commercial activity (namely those entities subject to the Canadian Personal Information Protection and Electronic Documents Act) and thus does not cover transfers to public bodies.39 When making these ‘partial’ adequacy decisions, the Commission will take into account a range of elements, such as “whether certain sectors of the economy are particularly exposed to data flows from the EU”.40
Duration of adequacy decisions
Adequacy decisions must be reviewed at least every four years, taking into account all relevant developments in the third country.41 In addition, the Commission is required, on an ongoing basis, to monitor developments in third countries that could affect the functioning of their adequacy decisions.42 Where such developments show that the third country no longer provides an adequate level of protection essentially equivalent to EU law, the Commission must amend, suspend or repeal the adequacy decision.43 The Commission must enter into consultations with the third country before doing so,44 and the amendment, suspension or repeal of an adequacy decision must be without prejudice to data transfers based on a transfer tool providing appropriate safeguards or on one of the derogations in the GDPR.45 All adequacy decisions must be published in the Official Journal of the European Union and also on the Commission's website.46
Legal status of adequacy decisions
An adequacy decision is a ‘decision’ for the purposes of the Treaty on the Functioning of the EU.47 It can therefore be brought before, and indeed invalidated by, the Court of Justice of the European Union (referred to here as the ECJ), as was the case in relation to the US in both Schrems and Schrems II.48 However, so long as an adequacy decision remains valid, that decision has priority over any contrary finding of an SA that the third country does not provide an adequate level of protection essentially equivalent to EU law.49
Even so, a data subject may lodge a complaint regarding an adequacy decision with their local SA.50 If the SA rejects that complaint, the data subject is entitled to bring an action against that SA in the national courts, where the question of whether the adequacy decision complies with EU law can be submitted to the ECJ for a preliminary ruling.51
Alternatively, if the SA determines that the complaint is well-founded, it must be able to initiate proceedings in the national courts, which may also lead to a preliminary ruling of the ECJ on the validity of the decision.52 In addition, an SA that does not consider a third country to provide an adequate level of protection despite the existence of an adequacy decision in its favour, and that therefore considers that transfers to that country should be prohibited, can refer the matter to the EDPB for an opinion on that issue.53
Procedure for adopting data adequacy decisions
The procedure for the adoption of an adequacy decision by the European Commission in accordance with the GDPR is as follows:
Commission Draft Decision. The European Commission, after assessing the laws of the third country in question, produces a draft adequacy decision. This takes place after a consultation process between the Commission and the third country, which can take a number of months or even years.
EDPB Opinion. The Commission is then required to consult with the EDPB.54 This requires the Commission to provide all the necessary documentation, including correspondence with the government of the third country.55 From there, the Board produces an opinion on the draft adequacy decision.56 That opinion may “identify insufficiencies in the adequacy framework” and “propose alterations and amendments to address possible insufficiencies”.57 While the EDPB’s opinion is not legally binding on the Commission, it may nevertheless carry significant political weight as it will represent the sentiment of the SAs from each EU Member State that will be bound by the decision if adopted.58 In addition, the opinions of the EDPB are often followed by the ECJ.59
Comitology Procedure. After this, the draft adequacy decision becomes subject to the examination procedure.60 This involves a committee composed of representatives of the Member States and chaired by a representative of the Commission.61 At this stage, the committee, with the exception of the chair,62 delivers an opinion on the draft adequacy decision.63 A qualified majority is required for a positive opinion to be delivered.64 This means that at least 55% of the committee members, representing Member States comprising at least 65% of the population of the EU, must vote in favour of the decision.65 Until the committee delivers an opinion, any committee member may suggest amendments and the chair may present amended versions of the draft adequacy decision.66 Where the committee delivers a positive opinion, the Commission can adopt the draft adequacy decision.67
The European Parliament is not formally involved in the adequacy procedure. However, the Parliament can adopt its own position on any draft adequacy decisions of the Commission, as it did with respect to the UK.68
Content of adequacy decisions
As per the GDPR, the adequacy decision finalised by the European Commission must contain the following:69
That the third country or international organisation ensures adequate protection of personal data under its domestic law or international commitments.
The territorial and sectoral application of the adequacy decision.
A mechanism for periodic review.
The supervisory authority responsible for enforcing compliance with data protection rules in the third country.
GDPR, Recital (101).
GDPR, Article 44.
GDPR, Article 44.
GDPR, Article 45.1.
European Commission Adequacy Decisions. Also, Article 45.9 of the GDPR states that decisions adopted on the basis of Article 26(6) of the Data Protection Directive remain in force until amended, replaced or repealed by a Commission decision adopted in accordance with Article 45.
Christopher Kuner et al (eds), The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020), p.777.
GDPR, Recital (104).
Article 29 Data Protection Working Party, Adequacy Referential (adopted November 2017), p.3.
Case C-362/14, Maximillian Schrems v Data Protection Commissioner (6 October 2015), para. 75.
European Data Protection Board, Endorsement 1/2018 (25 May 2018).
Article 29 Data Protection Working Party, Adequacy Referential (adopted November 2017), pp.5-7.
GDPR, Article 5(1)(a).
GDPR, Article 6(1).
GDPR, Article 5(1)(b) and 6(4).
GDPR, Article 5(1)(e).
GDPR, Article 5(1)(f).
GDPR, Article 32(1).
GDPR, Article 15.
GDPR, Article 16.
GDPR, Article 17.
GDPR, Article 21.
Article 29 Data Protection Working Party, Adequacy Referential (adopted November 2017), p.7.
Article 29 Data Protection Working Party, Adequacy Referential (adopted November 2017), p.8.
GDPR, Article 45(2)(a).
GDPR, Article 45(2)(b).
GDPR, Article 45(2)(c).
Christopher Kuner et al (eds), The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020), p.788.
European Commission, Communication on Exchanging and Protecting Personal Data in a Globalised World, COM(2017) 7 final, 1 January 2017, p.8.
Opinion 1/15 (26 July 2017), para. 214.
GDPR, Recital (102) and Article 96.
European Commission, Press Release (31 January, 2018).
European Data Protection Supervisor, Opinion 3/2021 on the conclusion of the EU and UK trade agreement and the EU and UK exchange of classification information agreement (22 February 2021), para. 14.
This was the case for both the Japanese and UK adequacy decisions.
GDPR, Article 45(3).
Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act.
European Commission, Communication on Exchanging and Protecting Personal Data in a Globalised World, COM(2017) 7 final, 1 January 2017, p.8.
GDPR, Article 45(3).
GDPR, Article 45(4).
GDPR, Article 45(5).
GDPR, Article 45(6).
GDPR, Article 45(7).
GDPR, Article 45(8).
Treaty on the Functioning of the European Union, Article 288.
TFEU Article 263. Although see Case T-670/16, Digital Rights Ireland v European Commission (order of the General Court of 22 November 2017) in which it was held by the General Court that, among other things, Article 263 of the Treaty on the Functioning of the European Union does not, in principle, allow an NGO to bring an action in the public interest on behalf of its supporters and the general public.
Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited (16 July 2020), para. 118.
Case C-362/14, Maximillian Schrems v Data Protection Commissioner (6 October 2015), para. 63. See also GDPR, Article 77.
Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited (16 July 2020), para. 120. See also Case C-362/14, Maximillian Schrems v Data Protection Commissioner (6 October 2015), paras. 64–65 and GDPR, Article 78.
Case C-362/14, Maximillian Schrems v Data Protection Commissioner (6 October 2015), para. 65.
Case C-362/14, Maximillian Schrems v Data Protection Commissioner (6 October 2015), para. 147. See also GDPR, Article 64(2).
GDPR, Recital (105).
GDPR, Article 70(1)(s).
GDPR, Article 70(1)(s).
Article 29 Data Protection Working Party, Adequacy Referential (adopted November 2017), p.4.
GDPR, Article 68(3).
Dara Hallinan et al (eds), Data Protection and Privacy: Data Protection and Artificial Intelligence (Hart Publishing 2021), p.33.
Regulation (EU) No. 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers, Article 5. See also GDPR, Article 93.
Regulation (EU) No. 182/2011, Article 3(2).
Regulation (EU) No. 182/2011, Article 3(2).
Regulation (EU) No. 182/2011, Article 5(1).
Regulation (EU) No. 182/2011, Article 5(1).
Treaty on the Functioning of the European Union, Article 238(3)(a).
Regulation (EU) No. 182/2011, Article 3(4).
Regulation (EU) No. 182/2011, Article 5(2).
European Parliament recommendation of 18 June 2020 on the negotiations for a new partnership with the United Kingdom of Great Britain and Northern Ireland, paras. 79–83.
Christopher Kuner et al (eds), The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020), p.785.