Note to users: Articles in the Epubs ahead of print (EAP) section are peer
reviewed accepted articles to be published in this journal. Please be aware
that although EAPs do not have all bibliographic details available yet, they
can be cited using the year of online publication and the Digital Object
Identifier (DOI) as follows: Author(s), Article Title, Journal (Year),
Volume(Issue), EAP (page #).
The EAP page number will be retained in the bottom margin of the printed
version of this article when it is collated in a print issue.
ISSN-0729-1485
Copyright 2017 University of Tasmania
All rights reserved. Subject to the law of copyright no part of this publication may be
reproduced, stored in a retrieval system or transmitted in any form or by any means
electronic, mechanical, photocopying, recording or otherwise, without the permission
of the owner of the copyright. All enquiries seeking permission to reproduce any part
of this publication should be addressed in the first instance to:
The Editor, Journal of Law, Information and Science, Private Bag 89, Hobart, Tasmania
7001, Australia.
editor@jlisjournal.org
http://www.jlisjournal.org/
Adequate level of data protection in third countries
post-Schrems and under the General Data Protection
Regulation
PAUL ROTH*
Abstract
This paper looks at the concept of an adequate level of protection by third countries
for the purposes of transferring data out of the European Union (EU) and European
Economic Area (EEA)1 under the data protection Directive2 in the wake of the 2015
European Court of Justice (ECJ)3 decision in Maximillian Schrems v Data
Protection Commissioner (Ireland), 4 as well as under the EU General Data
Protection Regulation (GDPR),5 which comes into force on 6 May 2018.
Introduction
Under the Directive and the GDPR, if personal data are transferred outside EU
Member States and they do not fall under one of the derogations set out in the
Directive (art 26(1)) or the GDPR (art 49), the third country must ensure an
adequate level of protection for those data under contractual clauses
approved by a Member State, or the EU Standard Contractual Clauses or
Binding Corporate Rules. Alternatively, the European Commission
(Commission) can make a decision that the third country generally can
ensure an adequate level of protection for personal data.6
EAP 1
Journal of Law, Information and Science Vol 25 2017
Article 25(6) of the Directive, like art 45(3) of the GDPR, provides that the
Commission can make a finding that a third country ensures an adequate
level of protection, in which case no specific authorisation by a Member State
data protection supervisory authority (DPA) is required for the transfer of
personal information. Such adequacy findings may cover all transfers to the
third country, or may apply to particular categories of information, such as air
transport passenger information of people flying to the United States or
Canada from Europe, 7 or to entities that have agreed to8 or are subject to
particular data protection standards. 9
One rationale for making provision for such Commission findings was that it
would be overly burdensome if Member States constantly had to assess the
adequacy of safeguards for personal data transferred to third countries.
Although art 25 envisages a case-by-case approach to assessing adequacy
where there are individual transfers or categories of transfers, it was clear that
given the huge number of transfers involved, no Member State would be able
to examine each in detail. Therefore, the Article 29 Working Party 10
6 Directive [1995] OJ L 281/31, art 25; GDPR [2016] OJ L 119/1, art 45.
7 Commission Decision of 14 May 2004 on the adequate protection of personal data
contained in the Passenger Name Record of air passengers transferred to the United States
Bureau of Customs and Border Protection [2004] OJ L 235/11 (US Border Protection
Commission Decision); Commission Decision of 6 September 2005 on the adequate
protection of personal data contained in the Passenger Name Record of air passengers
transferred to the Canada Border Services Agency [2006] OJ L 91/49 (Canada Border
Services Commission Decision).
8 Under the former Safe Harbor arrangement (Commission Decision of 26 July 2000
pursuant to Directive 95/46/EC of the European Parliament and of the Council on the
adequacy of the protection provided by the safe harbour privacy principles and related
frequently asked questions issued by the US Department of Commerce [2000] OJ L 215/7)
with the US, and currently the Privacy Shield arrangement (Commission
Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of
the European Parliament and of the Council on the adequacy of the protection provided by
the EU-U.S. Privacy Shield [2016] OJ L 207/1 (Privacy Shield)) that replaced it after
the Schrems decision.
9 Under the Canadian legislation, Personal Information Protection and Electronic
Documents Act, SC 2000.
10 The Article 29 Working Party is constituted under article 29 of the Directive. It has
an advisory status and acts independently of the Commission, and is composed of
representatives of the supervisory authorities of Member States and authorities of
EU institutions and bodies, as well as a representative of the Commission.
The making of adequacy decisions was also viewed as providing a clear and
public incentive to those third countries still in the process of developing their
system of protection,15 and thus it would have a positive effect on the growth
of data protection globally.
On the other hand, the Working Party acknowledged that '[t]he fewer
countries for which positive findings could be made, the less useful the
exercise would be, of course, in terms of providing greater certainty to data
controllers'.16 With only 12 jurisdictions receiving an adequacy endorsement
from the Commission after nearly 20 years, the art 26(6) process could now
fairly be placed in the 'less useful' category. This situation does not look likely
to improve under the GDPR, but may go into reverse with the wider and
more rigorous standards under the GDPR.
A finding made in accordance with the above criteria will mean that the third
country ensures an adequate level of protection by reason of its domestic law
or of the international commitments it has entered into for the protection of
the private lives and basic freedoms and rights of individuals.18
Lee Bygrave has commented that these criteria form an important point of
departure for Commission decisions on adequacy,20 but '[a]t the same time,
these criteria are neither precisely formulated nor always rigidly applied'.21
Article 29 Working Party noted in 1998 that adequacy does not necessarily
entail equivalency with EU standards,25 and reiterated that view in its
adequacy opinion on New Zealand thirteen years later.26 In Schrems, however,
the ECJ raised the bar on what adequacy entails. The ECJ held that while the
term 'adequate' cannot require a third country
The means of protection may differ from that in the EU, but the means must
nevertheless prove, in practice, effective in order to ensure protection
essentially equivalent to that guaranteed within the European Union.28
(a)
- the rule of law
- respect for human rights and fundamental freedoms
- access to justice (recital 104)
- relevant legislation, including concerning public security, defence,
  national security and criminal law and the access of public
  authorities to personal data
- data protection rules and case law, including rules for the onward
  transfer of personal data to another third country which are
  complied with in that country
- effective and enforceable data subject rights and effective
  administrative and judicial redress for the data subjects whose
  personal data are being transferred
1.2 Jurisdiction
In Schrems, the ECJ indicated that while a Member State had an obligation to
comply with Commission adequacy decisions on the basis that they were
presumed to be lawful under art 25(6), an adequacy decision could not affect
the powers of a DPA under art 8(3) (Protection of Personal Data) of the
Charter of Fundamental Rights of the European Union.41 Such a situation would
arise when an individual complains of a breach of their data protection rights
34 Ibid art 68(1). Its members are the head of one supervisory authority of each
Member State and of the European Data Protection Supervisor, or their respective
representatives: art 68(3).
35 Ibid art 70(1)(s).
36 Directive [1995] OJ L 281/31, art 25(6).
37 Ibid art 31.
38 Ibid art 25(4).
39 Ibid art 25(3).
40 See, for example, Commission Implementing Decision of 19 December 2012 pursuant to
Directive 95/46/EC of the European Parliament and of the Council on the adequate
protection of personal data in New Zealand [2013] OJ L 28/12, art 2(1).
41 [2000] OJ C 364/6; Schrems (Court of Justice of the European Union, C-362/14, 6
October 2015) [53].
42 Schrems (Court of Justice of the European Union, C-362/14, 6 October 2015) [52],
[62], [65].
43 Commission Implementing Decision of 16 December 2016 amending Decisions
2000/518/EC, 2002/2/EC, 2003/490/EC, 2004/411/EC, 2008/393/EC, 2010/146/EU,
2010/625/EU, 2011/61/EU and Implementing Decisions 2012/484/EU, 2013/65/EU on the
adequate protection of personal data by certain countries, pursuant to Article 25(6) of
Directive 95/46/EC of the European Parliament and of the Council [2016] OJ L 344/83
(Commission Implementing Decision). The decision was preceded by an earlier
proposal to the Article 31 Committee: European Commission, Summary record of
the 72nd meeting of the Committee on the Protection of Individuals with regard to the
Processing of Personal Data (Article 31 Committee) (3 October 2016). Some delegations
required further time to study the proposal, and the Article 29 Working Party was
asked to provide its views, which it did: Commission Implementing Decision [2016]
OJ L 344/83, recital 11.
44 Schrems (Court of Justice of the European Union, C-362/14, 6 October 2015) [76].
The GDPR goes further than the Directive in relation to providing specifically
for cooperation and consistency among DPAs. 48 Such cooperation and
consistency may relate to the application of the GDPR in various ways,
including, presumably, consideration of the adequacy of data protection
measures in third countries. Although cooperation is mainly conceived as
between lead supervisory authorities and other DPAs in relation to
processing within the EU, 49 there is still possible scope for cooperation among
EU DPAs in relation to the consideration of adequacy of data protection in
third countries.50 Likewise, the GDPR consistency mechanism appears to be
aimed mainly at issues that affect other EU Member States,51 but again, there
is nothing to exclude its application to the consideration of adequacy of data
protection in third countries. Article 63 is quite broad in stating that the
purpose of the consistency mechanism is to contribute to the consistent
Unlike the Article 29 Working Party, the Board has an express natural justice
duty to consult interested parties and give them the opportunity to comment
within a reasonable period.54
The Commission decision adopted in the wake of the Schrems decision stated
that since the level of protection in a third country could change, the
Commission, after adopting an adequacy decision, must check periodically
whether the finding relating to the adequacy of the level of protection
In reality, given the geographical isolation of New Zealand from Europe, its
size and the nature of its economy, it is unlikely that New Zealand agencies
will have any business interest in sending significant volumes of EU-sourced
Such considerations are among the four key criteria set out recently by the
Commission in relation to assessing adequacy, whether under the Directive or
the GDPR:63
(i) the extent of the EU's (actual or potential) commercial relations with a
given third country, including the existence of a free trade agreement
or ongoing negotiations;
(ii) the extent of personal data flows from the EU, reflecting geographical
and/or cultural ties;
(iii) the pioneering role the third country plays in the field of privacy and
data protection that could serve as a model for other countries in its
region;64 and
(iv) the overall political relationship with the third country in question, in
particular with respect to the promotion of common values and shared
objectives at international level.
Adequacy findings have been made in relation to Argentina, Canada and the
United States on the basis that they are important trading partners. 65 In the
case of Argentina, this was made despite serious concerns about some
weaknesses of its data protection law, in particular its enforcement
mechanisms, and in the absence of any substantial experience with the
practical application of the legislation.66 The Article 29 Working Party
62 Kohnstamm, above n 26, 10. This approach has attracted the comment (admittedly
exaggerated) that [a]dequacy is in inverse proportion to proximity including
economic and social proximity, not just geographical: Graham Greenleaf and Lee
Bygrave, Not Entirely Adequate but Far Away: Lessons from How Europe Sees
New Zealand Data Protection (2011) 111 Privacy Laws & Business International
Report 8, 9.
63 European Commission, above n 57, 8.
64 Ibid 7. The Commission referred to New Zealand and Uruguay as such third
countries.
65 Ibid.
66 Stefano Rodota, Opinion 4/2002 on the level of protection of personal data in
Argentina (Opinion No 11081/02/EN/Final WP 63, European Commission, 3
October 2002) 17. See also Christopher Wolf, Delusions of Adequacy? Examining
the Case for Finding the United States Adequate for Cross-Border EU-U.S. Data
Transfers (2013) 43 Washington University Journal of Law & Policy 227, 242–3.
In the case of Canada and the United States, adequacy decisions have been
partial only. Canada has been found to ensure adequate protection for
transfers to recipients, subject to the Personal Information Protection and
Electronic Documents Act 2000, SC 2000.68 Adequacy has also been found in
respect of the Safe Harbour arrangement69 (until invalidated by the ECJ in
Schrems) and the current replacement (but still controversial) Privacy Shield,70
which have applied only to participating companies that have committed
themselves to ensuring a high level of data protection. The Commission has
also made adequacy decisions concerning the transfer of Passenger Name
Record (PNR) data to Canada 71 and the United States. 72
Christopher Kuner has commented that '[i]n practice, it can be difficult for a
State or regional organization to pass judgment on a foreign regulatory
system without political considerations playing some role'.73 Thus, in 2010 the
Irish Minister of Justice formally objected to a favourable Article 29 Working
Party adequacy report on the basis that Israeli officials could not be trusted
with Europeans' personal data, as shown by the forging of passports for the
Israeli intelligence agency Mossad.74 At the time, Ireland accused Israel's
Mossad of killing a Hamas arms dealer in Dubai. The Mossad agents had
travelled on forged passports, including several from Ireland.
2 Analysis
Europe raised the bar on data protection standards in the Schrems decision,
with its shift from adequacy to essential equivalence. This stricter approach
has been carried over into the GDPR, which also comes with extended and
additional obligations. The higher standards, however, are not likely to be
achievable for most third countries due to push-back by public and private
sector entities, which affects the political will to strengthen existing data
protection law. This is reflected in largely widespread legislative indifference
to developments in the EU. Moreover, existing data protection
frameworks (such as those in Australia, New Zealand and Hong Kong) have
not all been constituted to accommodate the level of DPA involvement or
supervision required. Given the role that the contingent dimension has
played in some adequacy decisions, rendering adequacy assessment
somewhat of a moveable feast, substantial compliance may be a more realistic
standard.
<www.jta.org/2010/07/08/news-opinion/world/ireland-blocks-eu-data-sharing-with-israel>.
75 Committee on Civil Liberties, Justice and Home Affairs, Report on the US NSA
surveillance programme, surveillance bodies in various Member States and their
impact on EU citizens' fundamental rights and on transatlantic cooperation in
Justice and Home Affairs (Report No 2013/2188(INI), European Parliament, 2014)
[45], recitals AQ–AR.
76 Ibid.
While New Zealand and Canada are indeed part of the Five Eyes
programme, 78 the United Kingdom also belongs; and several other Member
States participate in the 9-Eyes (Denmark, Netherlands and France) and 14-Eyes
programmes with the US (including Germany, 79 Belgium, Italy, Spain
and Sweden). This participation was acknowledged by the European
Parliament, which called
A tu quoque ('you also', or 'pot calling the kettle black') argument might
therefore also be raised on the basis that Member States are not always
entirely compliant with their own standards, and there is the prospect that
Member States will be even less compliant with the GDPR when it comes into
force in 2018. It therefore seems inequitable if third countries should be held
to a higher standard. Tu quoque arguments, sometimes unsuccessfully raised
After nearly 20 years, most countries in the world have either not been able to
satisfy the EU adequacy standard, or else they have not sought to do so. Of
those that have ensured adequate protection: the US and Canada have only
partially ensured adequacy; there are a handful of small countries that are,
apart from New Zealand, important trading partners with the EU (Israel,
Switzerland, Argentina and Uruguay);83 and there are a handful of minuscule
states (Guernsey, Jersey, the Isle of Man, the Faroe Islands and Andorra). In
total, this amounts to only 12 jurisdictions, many of which are small in size
and economic power.
For the rest of the world, the available derogations for particular
circumstances, standard contractual clauses (adopted by the Commission or
DPAs), and binding corporate rules for groups of enterprises, will have to
suffice in place of adequacy determinations. If achieving adequacy under the
GDPR proves to be yet more difficult for third countries, only the most highly
motivated are going to attempt to bring their data protection laws in line.
Such motivation is likely to stem from a need to facilitate existing commercial
activity with the EU. To adapt an old saw, necessity is the mother of
compliance.
Conclusion
far, and the GDPR's higher standards will mean that fewer countries should
be able to satisfy them going into the future.
It may be, therefore, that if the Commission follows through on its recently
announced flexible approach to making adequacy determinations, this will
compensate for what appear, on the face of it, to be stricter standards. The
Commission's proposed ad hoc approach takes into account the political and
economic desirability of making an adequacy finding in a particular case, the
extent of data flows from the EU to the third country in question, and
whether that third country could play a pioneering role in getting other
countries in its region to raise their data protection standards.