Journal of Law, Information and Science

Roth, Paul --- "'Adequate level of data protection' in third countries post-Schrems and under the General Data Protection Regulation" [2017] JlLawInfoSci 3; (2017) 25(1) Journal of Law, Information and Science 49


‘Adequate level of data protection’ in third countries post-Schrems and under the General Data Protection Regulation

PAUL ROTH[*]

Abstract

This paper looks at the concept of an ‘adequate level of protection’ by third countries for the purposes of transferring data out of the European Union (‘EU’) and European Economic Area (‘EEA’)[1] under the data protection Directive[2] in the wake of the 2015 European Court of Justice (‘ECJ’)[3] decision in Maximillian Schrems v Data Protection Commissioner (Ireland),[4] as well as under the EU General Data Protection Regulation (‘GDPR’),[5] which comes into force on 6 May 2018.

Introduction

Under the Directive and the GDPR, if personal data are transferred outside EU Member States and they do not fall under one of the derogations set out in the Directive (art 26(1)) or the GDPR (art 49), the third country must ensure an adequate level of protection for those data under contractual clauses approved by a Member State, or the EU Standard Contractual Clauses or Binding Corporate Rules. Alternatively, the European Commission (‘Commission’) can make a decision that the third country generally can ensure an adequate level of protection for personal data.[6]

Article 25(6) of the Directive, like art 45(3) of the GDPR, provides that the Commission can make a finding that a third country ensures an adequate level of protection, in which case no specific authorisation by a Member State data protection supervisory authority (‘DPA’) is required for the transfer of personal information. Such adequacy findings may cover all transfers to the third country, or may apply to particular categories of information, such as air transport passenger information of people flying to the United States or Canada from Europe,[7] or to entities that have agreed to[8] or are subject to particular data protection standards.[9]

One rationale for making provision for such Commission findings was that it would be overly burdensome if Member States constantly had to assess the adequacy of safeguards for personal data transferred to third countries. Although art 25 envisages a case-by-case approach to assessing adequacy where there are individual transfers or categories of transfers, it was clear that given the huge number of transfers involved, no Member State would be able to examine each in detail. Therefore, the Article 29 Working Party[10] recognised that the assessment of adequacy was going to have to be rationalised,[11] commenting that

mechanisms will need to be developed which rationalise the decision-making process for large numbers of cases, allowing decisions, or at least provisional decisions, to be made without undue delay or excessive resource implications.[12]

The Working Party went on to observe that such rationalisation was foreshadowed in art 25(6) of the Directive, and noted that ‘[s]uch findings would be “for guidance only”, and therefore without prejudice to cases which might present particular difficulties. ... [Such an approach] would be a practical response to the problem’.[13]

Another concern was the undesirability of a lack of some consensus among Member States concerning whether a particular third country’s data protection measures were adequate or not. Accordingly, the Working Party commented that

a series of such [art 25(6)] determinations at Community level would contribute to the establishment of a coherent approach on this issue and prevent the development of a multiplicity of differing and perhaps conflicting ‘white lists’ issued by Member State governments or data protection authorities.[14]

The making of adequacy decisions was also viewed as providing ‘a clear and public incentive to those third countries still in the process of developing their system of protection’,[15] and thus it would have a positive effect on the growth of data protection globally.

On the other hand, the Working Party acknowledged that ‘[t]he fewer countries for which positive findings could be made, the less useful the exercise would be, of course, in terms of providing greater certainty to data controllers’.[16] With only 12 jurisdictions receiving an ‘adequacy’ endorsement from the Commission after nearly 20 years, the art 26(6) process could now fairly be placed in the ‘less useful’ category. This situation does not look likely to improve under the GDPR, but may go into reverse with the wider and more rigorous standards under the GDPR.

1 The nature of the concept of ‘adequacy’

The concept of ‘adequacy’ has definitional, jurisdictional, and temporal dimensions, each contributing to the complexity of the adequacy assessment process. Moreover, there is a further contingent dimension that relates to the particular circumstances considered relevant, as the case may be, to the adequacy decision. These may variously involve pragmatic, economic or political considerations.

1.1 The definition

1.1.1 Under the Directive

Under the Directive, adequacy is assessed:

• In light of all of the circumstances surrounding a data transfer operation or set of operations.

• Particular consideration is given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and of final destination, the rules of law, both general and sectoral, in force in the third country, and the professional rules and security measures that are complied with in that country.[17]

A finding made in accordance with the above criteria will mean that the third country ensures an adequate level of protection ‘by reason of its domestic law or of the international commitments it has entered into ... for the protection of the private lives and basic freedoms and rights of individuals’.[18]

In addition to these general considerations, the Article 29 Working Party has set out a number of core criteria that it considers relevant to the assessment of adequacy.[19] While these criteria have no particular legal status on their own, they mainly track elements in the Directive and other international data protection instruments. The criteria suggested by the Working Party are as follows:

(i) Content Principles

(1) the purpose limitation principle

(2) the data quality and proportionality principle

(3) the transparency principle

(4) the security principle

(5) the rights of access, rectification and opposition

(6) restrictions on onward transfers

Additional principles are to be applied to specific types of processing, such as those concerning:

(1) sensitive data

(2) direct marketing

(3) automated decisions

(ii) Procedural/enforcement mechanisms

(1) Delivery of a good level of compliance

(2) Provision of support and help to individual data subjects

(3) Provision of appropriate redress to the injured parties

Lee Bygrave has commented that these criteria ‘form an important point of departure for Commission decisions on adequacy’,[20] but ‘[a]t the same time, these criteria are neither precisely formulated nor always rigidly applied’.[21]

Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data[22] may go some way to satisfaction of the adequacy standard,[23] but is not, on its own, sufficient.[24] The Article 29 Working Party noted in 1998 that adequacy does not necessarily entail equivalency with EU standards,[25] and reiterated that view in its adequacy opinion on New Zealand thirteen years later.[26] In Schrems, however, the ECJ raised the bar on what ‘adequacy’ entails. The ECJ held that while the term ‘adequate’ cannot require a third country

to ensure a level of protection identical to that guaranteed in the EU legal order, ... [it still] must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter [of Fundamental Rights of the European Union].[27]

The means of protection may differ from that in the EU, but the ‘means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union’.[28]

1.1.2 Under the GDPR

Generally speaking, in assessing adequacy the Commission must take into account ‘the fundamental values on which the Union is founded’.[29] Drawing upon the language in Schrems, recital 104 to the GDPR also states that the third country should be able to ‘offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors’.[30]

With the bolstering of EU data protection standards, essential equivalence will involve strengthened or additional obligations for third countries including: specific and explicit consent by the data subject for the processing of personal data (art 7); special conditions for the processing of children’s personal data arising from the provision of information society services (art 8); the right of data subjects to request erasure (the ‘right to be forgotten’, art 17); the right to data portability (art 20); privacy by design (art 25); data breach notification (arts 33 and 34); obligatory data protection impact assessments and prior consultation with DPAs (arts 35 and 36); and the effective protection of personal data that is transferred onward to other third countries (arts 44 and 45(2)(a)). There is also the provision for very high administrative fines for non-compliance with standards in the GDPR (art 83).

Unlike the Directive, the GDPR expressly particularises the matters to be considered for determining adequacy. Adequacy is considered in relation to the following elements set out in art 45(2):[31]

(a)

• the rule of law

• respect for human rights and fundamental freedoms

• access to justice (recital 104)

• relevant legislation, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data

• data protection rules and case law, including rules for the onward transfer of personal data to another third country which are complied with in that country

• effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred

(b) the existence of an effective independent supervisory authority with adequate enforcement powers for assisting and advising data subjects in exercising their rights, and for cooperation with EU supervisory authorities

(c) the third country’s international commitments, particularly in relation to the protection of personal data.[32]

An independent[33] European Data Protection Board (‘Board’)[34] has the express function, inter alia, of providing the Commission with opinions as to the adequacy of a third country’s or international organisation’s protection of privacy.[35]

1.2 Jurisdiction

1.2.1 The Directive

Where the Commission finds that a third country ensures an adequate level of protection, Member States must take the measures necessary to comply with the Commission’s decision that a third country ensures an adequate level of data protection,[36] arrived at in accordance with the comitology procedure.[37] Conversely where the Commission finds that a third country does not ensure an adequate level of protection, ‘Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country’.[38] Member States and the Commission are required to ‘inform each other of cases where they consider that a third country does not ensure an adequate level of protection’,[39] which implies that individual Member States can form their own views on adequacy. This power is acknowledged in the Commission’s adequacy decisions, which contain a standard clause that refers to the ‘existing powers’ of Member States to suspend data transfers where they consider that the level of data protection has fallen below the applicable standards of protection.[40]

In Schrems, the ECJ indicated that while a Member State had an obligation to comply with Commission adequacy decisions on the basis that they were presumed to be lawful under art 25(6), an adequacy decision could not affect the powers of a DPA under art 8(3) (‘Protection of Personal Data’) of the Charter of Fundamental Rights of the European Union.[41] Such a situation would arise when an individual complains of a breach of their data protection rights because an adequate level of protection is not ensured in a third country to which the data has been transferred. The right to lodge complaints with a Member State’s DPA is provided for under art 28(4) of the Directive. Thus, a Commission decision on a third country’s adequacy would not prevent a DPA from re-examining the issue of adequacy for itself and suspending personal data transfers. However, only the ECJ has the power to pronounce on the validity of the adequacy decision. While a DPA or national court on review does not have the jurisdiction to declare an adequacy decision to be invalid, a national court could refer a claim alleging invalidity of a Commission decision to the ECJ.[42] Thus, where an individual, such as Mr Schrems, claims that a third country has failed to ensure an adequate level of protection, the DPA can examine the claim to see if it is well-founded, engage in proceedings before a national court questioning the validity of the Commission decision, and then have it referred to the ECJ for an examination of the decision’s validity. On the face of it, therefore, an adequacy decision could be disputed on a Member State-by-State basis.

In light of the Schrems decision, the Commission adopted an implementing decision that, in part, amended existing adequacy decisions to cure the illegality that had been found by the ECJ.[43] The Commission had wrongly exceeded its power under art 25(6) by imposing limitations on the powers of DPAs to suspend and prohibit data transfers. The Commission’s implementing decision therefore replaced the offending provision in its adequacy decisions to date with one that acknowledged the powers of Member States’ DPAs. The implementing decision also requires the Commission to periodically check whether a third country is ensuring adequate protection. This was in response to the finding in Schrems that the level of protection afforded by a third country may be liable to change.[44]

1.2.2 The GDPR

As with the Directive, the Commission makes the adequacy decision with effect for the entire European Union, ‘thus providing legal certainty and uniformity throughout the Union as regards the third country’.[45] The Commission may also decide to amend or revoke such a decision.[46] DPAs continue to have the power to order the suspension of data flows to a recipient in a third country,[47] as affirmed in Schrems in relation to the Directive.

The GDPR goes further than the Directive in relation to providing specifically for cooperation and consistency among DPAs.[48] Such cooperation and consistency may relate to the application of the GDPR in various ways, including, presumably, consideration of the adequacy of data protection measures in third countries. Although cooperation is mainly conceived as between lead supervisory authorities and other DPAs in relation to processing within the EU,[49] there is still possible scope for cooperation among EU DPAs in relation to the consideration of adequacy of data protection in third countries.[50] Likewise, the GDPR consistency mechanism appears to be aimed mainly at issues that affect other EU Member States,[51] but again, there is nothing to exclude its application to the consideration of adequacy of data protection in third countries. Article 63 is quite broad in stating that the purpose of the consistency mechanism is ‘to contribute to the consistent application of this Regulation throughout the Union’. In relation to third countries, the mechanism, in so far as it involves the Board issuing opinions,[52] does not specifically mention the consideration of adequacy, but it does refer to standard data protection clauses (art 46(2)(d)), standard contractual clauses (art 46(3)(a)), and binding corporate rules (art 47). However, any DPA ‘may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion’.[53]

Unlike the Article 29 Working Party, the Board has an express natural justice duty to ‘consult interested parties and give them the opportunity to comment within a reasonable period’.[54]

1.3 The temporal dimension

1.3.1 The Directive

The Article 29 Working Party commented that the process of making a series of findings under art 25(6) ‘should be seen as a continuing one, not one that would produce a definitive list, but rather a list that would be constantly added to and revised in the light of developments’.[55] The approach of the Article 29 Working Party necessarily implies that an ‘adequacy’ decision is not a type of determination that carries the same sense of finality as a legal decision, but involves a more fluid and dynamic approach, though in practical terms it may become static through inertia. As the Schrems decision has indicated, ‘adequacy’ is an assessment upon which the Commission and Member States can differ in relation to a particular third country. Under both the Directive and the GDPR, third countries can move in and out of a state of adequacy over time.

The Commission decision adopted in the wake of the Schrems decision stated that since the level of protection in a third country could change, the Commission, after adopting an adequacy decision, must ‘check periodically whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified’.[56]

1.3.2 The GDPR

The Commission recently commented that ‘[a]dequacy decisions are “living” documents that need to be closely monitored and adapted in case of developments affecting the level of protection ensured by the third country’.[57] Monitoring of third countries has become more formalised under the GDPR. Once the Commission decides that a third country ensures an adequate level of protection, the implementing act must provide for a periodic review mechanism, at least every four years, which must take into account all relevant developments in the third country.[58] Moreover, the Commission must monitor on an ongoing basis developments in third countries that could affect the functioning of adequacy decisions.[59] The Commission can repeal, amend or suspend an adequacy decision when there is information that indicates (particularly following the four-yearly review) that the third country no longer ensures an adequate level of data protection.[60] Adequacy decisions made under the Directive will remain in force until amended, replaced or repealed by a Commission decision.[61]

1.4 The contingent dimension

The concept of adequacy is adaptable to the circumstances of its application. Thus, the Article 29 Working Party found that data protection under the New Zealand regime was adequate even though its rules relating to onward transfers of information were not perfect:

In reality, given the geographical isolation of New Zealand from Europe, its size and the nature of its economy, it is unlikely that New Zealand agencies will have any business interest in sending significant volumes of EU-sourced data to third countries.[62]

Such considerations are among the four ‘key criteria’ set out recently by the Commission in relation to assessing adequacy, whether under the Directive or the GDPR:[63]

(i) the extent of the EU’s (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations;

(ii) the extent of personal data flows from the EU, reflecting geographical and/or cultural ties;

(iii) the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region;[64] and

(iv) the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.

Adequacy findings have been made in relation to Argentina, Canada and the United States on the basis that they are ‘important trading partners’.[65] In the case of Argentina, this was made despite serious concerns about ‘some weaknesses’ of its data protection law, in particular its enforcement mechanisms, and ‘in the absence of any substantial experience with the practical application of the legislation’.[66] The Article 29 Working Party commented that it merely ‘assumes that Argentina ensures an adequate level of protection’.[67]

In the case of Canada and the United States, adequacy decisions have been ‘partial’ only. Canada has been found to ensure adequate protection for transfers to recipients, subject to the Personal Information Protection and Electronic Documents Act 2000, SC 2000.[68] Adequacy has also been found in respect of the Safe Harbour arrangement[69] (until invalidated by the ECJ in Schrems) and the current replacement (but still controversial) Privacy Shield,[70] which have applied only to participating companies that have committed themselves to ensuring a high level of data protection. The Commission has also made adequacy decisions concerning the transfer of Passenger Name Record (PNR) data to Canada[71] and the United States.[72]

Christopher Kuner has commented that ‘[i]n practice, it can be difficult for a State or regional organization to pass judgment on a foreign regulatory system without political considerations playing some role’.[73] Thus, in 2010 the Irish Minister of Justice formally objected to a favourable Article 29 Working Party adequacy report on the basis that Israeli officials could not be trusted with Europeans’ personal data, as shown by the forging of passports for the Israeli intelligence agency Mossad.[74] At the time, Ireland accused Israel’s Mossad of killing a Hamas arms dealer in Dubai. The Mossad agents had travelled on forged passports, including several from Ireland.

2 Analysis

2.1 Has the bar been raised unreasonably or unfairly high?

Europe raised the bar on data protection standards in the Schrems decision, with its shift from ‘adequacy’ to ‘essential equivalence’. This stricter approach has been carried over into the GDPR, which also comes with extended and additional obligations. The higher standards, however, are not likely to be achievable for most third countries due to push-back by public and private sector entities, which affects the political will to strengthen existing data protection law. This is reflected in largely widespread legislative indifference to developments in the EU. Moreover, existing data protection frameworks (such as those in Australia, New Zealand and Hong Kong) have not all been constituted to accommodate the level of DPA involvement or supervision required. Given the role that the contingent dimension has played in some adequacy decisions, rendering adequacy assessment somewhat of a moveable feast, substantial compliance may be a more realistic standard.

After Edward Snowden’s 2013 revelations concerning national intelligence agencies and mass surveillance of EU citizens, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs called on the Commission and Member States to assess without delay whether the levels of protection for personal information by New Zealand and Canada were indeed adequate, as previously declared by Commission decisions under art 25 of the Directive. It asked the Commission ‘if necessary, to take appropriate measures to suspend or reverse the adequacy decisions’ of New Zealand and Canada,[75] and to assess the situation with respect to other countries deemed to be ‘adequate’. It called upon the Commission to report to Parliament on its findings no later than December 2014.[76] This text was subsequently adopted by the European Parliament,[77] but nothing appears to have happened as a consequence.

While New Zealand and Canada are indeed part of the ‘Five Eyes’ programme,[78] the United Kingdom also belongs; and several other Member States participate in the ‘9-Eyes’ (Denmark, Netherlands and France) and ‘14-Eyes’ programmes with the US (including Germany,[79] Belgium, Italy, Spain and Sweden). This participation was acknowledged by the European Parliament, which called

on the EU Member States, and in particular those participating in the so-called ‘9-eyes’ and ‘14-eyes’ programmes to comprehensively evaluate, and revise where necessary, their national legislation and practices governing the activities of the intelligence services so as to ensure that they are subject to parliamentary and judicial oversight and public scrutiny, that they respect the principles of legality, necessity, proportionality, due process, user notification and transparency, including by reference to the UN compilation of good practices and the recommendations of the Venice Commission, and that they are in line with the standards of the European Convention on Human Rights and comply with Member States’ fundamental rights obligations, in particular as regards data protection, privacy, and the presumption of innocence[.][80]

A tu quoque (‘you also’, or ‘pot calling the kettle black’) argument might therefore also be raised on the basis that Member States are not always entirely compliant with their own standards, and there is the prospect that Member States will be even less compliant with the GDPR when it comes into force in 2018. It therefore seems inequitable if third countries should be held to a higher standard. Tu quoque arguments, sometimes unsuccessfully raised in connection with breaches of international humanitarian law standards,[81] conventionally fail, however, because they are based on the logical fallacy that two wrongs make a right. In the particular circumstances of some civil cases a tu quoque argument may sometimes be valid,[82] such as where the equitable ‘clean hands’ doctrine is raised. In such cases, the plaintiff’s past misconduct must somehow be relevant to the plaintiff’s current seeking of a remedy. Thus, on analogy, a tu quoque argument may at least hold some moral force where it would be unfair or hypocritical for a third country to be held to a higher standard than is attained by Member States.

2.2 How important is it to achieve adequacy status: does it really matter?

It is difficult to gauge how important it is to achieve or maintain adequacy status. The numbers may offer an answer.

After nearly 20 years, most countries in the world have either not been able to satisfy the EU adequacy standard, or else they have not sought to do so. Of those that have ensured adequate protection: the US and Canada have only partially ensured adequacy; there are a handful of small countries that are, apart from New Zealand, important trading partners with the EU (Israel, Switzerland, Argentina and Uruguay);[83] and there are a handful of minuscule states (Guernsey, Jersey, the Isle of Man, the Faroe Islands and Andorra). In total, this amounts to only 12 jurisdictions, many of which are small in size and economic power.

There are, in addition, 12 other non-EU/EEA countries (not already found to be ‘adequate’ by the EU)[84] that have ratified both the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981)[85] and its Additional Protocol 181 Regarding Supervisory Authorities and Transborder Data Flows (2001),[86] which could possibly be regarded as ‘almost there’ in terms of EU adequacy standards, at least in relation to automated processing, because of the similarity of many of the basic obligations.[87] But as the saying goes, ‘almost’ only counts in horseshoes and hand grenades.

For the rest of the world, the available derogations for particular circumstances, standard contractual clauses (adopted by the Commission or DPAs), and binding corporate rules for groups of enterprises, will have to suffice in place of adequacy determinations. If achieving adequacy under the GDPR proves to be yet more difficult for third countries, only the most highly motivated are going to attempt to bring their data protection laws in line. Such motivation is likely to stem from a need to facilitate existing commercial activity with the EU. To adapt an old saw, ‘necessity is the mother of compliance’.

Conclusion

The concept of ‘adequacy’ has definitional, jurisdictional, temporal and contingent dimensions that render the adequacy assessment process complex. The ‘adequacy’ of a third country’s data protection measures will continue to be relevant under the GDPR as under the current Directive. The criteria for determining ‘adequacy’, however, have acquired greater specificity, and the shift of the standard from ‘adequacy’ to ‘essential equivalence’, prefigured in the Schrems decision, means that the bar has been raised considerably for third countries. Few third countries, however, have achieved ‘adequacy’ thus far, and the GDPR’s higher standards will mean that fewer countries should be able to satisfy them going into the future.

It may be, therefore, that if the Commission follows through on its recently announced flexible approach to making ‘adequacy’ determinations, this will compensate for what appear, on the face of it, to be stricter standards. The Commission’s proposed ad hoc approach takes into account the political and economic desirability of making an ‘adequacy’ finding in a particular case, the extent of data flows from the EU to the third country in question, and whether that third country could play a pioneering role in getting other countries in its region to raise their data protection standards.


[*] Professor of Law, Faculty of Law, University of Otago, Dunedin, New Zealand.

[1] The three additional EEA states are Iceland, Norway and Liechtenstein. The requirements of the Directive (as adapted) are applicable through the Agreement on the European Economic Area, signed 2 May 1992, [1994] OJ L 1/3 (entered into force 1 January 1994).

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 (‘Directive’).

[3] The common abbreviation ECJ is used throughout this paper in preference to ‘CJEU’ (Court of Justice of the European Union).

[4] (Court of Justice of the European Union, C-362/14, 6 October 2015) (‘Schrems’).

[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1 (‘GDPR’).

[6] Directive [1995] OJ L 281/31, art 25; GDPR [2016] OJ L 119/1, art 45.

[7] Commission Decision of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection [2004] OJ L 235/11 (‘US Border Protection Commission Decision’); Commission Decision of 6 September 2005 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the Canada Border Services Agency [2006] OJ L 91/49 (‘Canada Border Services Commission Decision’).

[8] Under the former ‘Safe Harbor’ arrangement (Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce [2000] OJ L 215/7) with the US, and currently the ‘Privacy Shield’ arrangement (Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield [2016] OJ L 207/1 (‘Privacy Shield’)) that replaced it after the Schrems decision.

[9] Under the Canadian legislation, Personal Information Protection and Electronic Documents Act, SC 2000.

[10] The Article 29 Working Party is constituted under article 29 of the Directive. It has an advisory status and acts independently of the Commission, and is composed of representatives of the supervisory authorities of Member States and authorities of EU institutions and bodies, as well as a representative of the Commission.

[11] P J Hustinx, ‘Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive’ (Working Paper No DG XV D/5025/98 WP 12, European Commission, 24 July 1998) Ch 6.

[12] Ibid 26.

[13] Ibid.

[14] Ibid 27.

[15] Ibid.

[16] Ibid.

[17] Directive [1995] OJ L 281/31, art 25(2).

[18] Ibid art 25(6).

[19] See Working Party on the protection of individuals with regard to the processing of personal data, ‘First orientation on Transfers of Personal Data to Third Countries: Possible Ways Forward in Assessing Adequacy’ (Working Paper No XV D/5020/97-EN final WP 4, European Commission, 26 June 1997); Hustinx, above n 11.

[20] Lee A Bygrave, Data Privacy Law: An International Perspective (Oxford University Press, 2014) 193.

[21] Ibid.

[22] Opened for signature 28 January 1981, ETS No 108 (entered into force 1 October 1985).

[23] Working Party on the protection of individuals with regard to the processing of personal data, above n 19, 7–9.

[24] Christopher Kuner, European Data Protection Law: Corporate Compliance and Regulation (Oxford University Press, 2nd ed, 2007) 175.

[25] Hustinx, above n 11, 5.

[26] Jacob Kohnstamm, ‘Opinion 11/2011 on the level of protection of personal data in New Zealand’ (Opinion No 00665/11/EN WP 182, European Commission, 4 April 2011), 15.

[27] Schrems (Court of Justice of the European Union, C-362/14, 6 October 2015) [73] (emphasis added).

[28] Ibid [74]; see also [96] (emphasis added).

[29] GDPR [2016] OJ L 119/1, recital 104.

[30] Ibid.

[31] See also GDPR [2016] OJ L 119/1, recital 104.

[32] For many countries, these would include ratification of the International Covenant on Civil and Political Rights, opened for signature 16 December 1966, 999 UNTS 171 (entered into force 23 March 1976) (‘ICCPR’) and any regional human rights treaty that includes a right to privacy (as in art 17 of the ICCPR). Recital 105 of the GDPR expressly refers to a third country’s accession to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature 28 January 1981, CETS No 108 (entered into force 1 October 1985).

[33] GDPR [2016] OJ L 119/1, art 69.

[34] Ibid art 68(1). Its members are the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives: art 68(3).

[35] Ibid art 70(1)(s).

[36] Directive [1995] OJ L 281/31, art 25(6).

[37] Ibid art 31.

[38] Ibid art 25(4).

[39] Ibid art 25(3).

[40] See, for example, Commission Implementing Decision of 19 December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in New Zealand [2013] OJ L 28/12, art 2(1).

[41] [2000] OJ C 364/6; Schrems (Court of Justice of the European Union, C-362/14, 6 October 2015) [53].

[42] Schrems (Court of Justice of the European Union, C-362/14, 6 October 2015) [52], [62], [65].

[43] Commission Implementing Decision of 16 December 2016 amending Decisions 2000/518/EC, 2002/2/EC, 2003/490/EC, 2004/411/EC, 2008/393/EC, 2010/146/EU, 2010/625/EU, 2011/61/EU and Implementing Decisions 2012/484/EU, 2013/65/EU on the adequate protection of personal data by certain countries, pursuant to Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council [2016] OJ L 344/83 (‘Commission Implementing Decision’). The decision was preceded by an earlier proposal to the Article 31 Committee: European Commission, Summary record of the 72nd meeting of the Committee on the Protection of Individuals with regard to the Processing of Personal Data (Article 31 Committee) (3 October 2016). Some delegations required further time to study the proposal, and the Article 29 Working Party was asked to provide its views, which it did: Commission Implementing Decision [2016] OJ L 344/83, recital 11.

[44] Schrems (Court of Justice of the European Union, C-362/14, 6 October 2015) [76].

[45] GDPR [2016] OJ L 119/1, recital 103.

[46] Ibid art 45(5).

[47] Ibid art 58(2)(j).

[48] Ibid ch VII, s 1 (Cooperation), s 2 (Consistency).

[49] For example, GDPR [2016] OJ L 119/1, art 60(2) refers to a lead supervisory authority requesting mutual assistance from a DPA ‘in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State’ and art 60(10) refers to a controller or processor taking the necessary measures after notification by a lead supervisory authority under art 60 ‘to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union’.

[50] GDPR [2016] OJ L 119/1, recital 116 might be construed as relevant here: ‘For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries’.

[51] GDPR [2016] OJ L 119/1, recital 135 states that the consistency mechanism ‘should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States’.

[52] Ibid art 64(1).

[53] Ibid art 64(2).

[54] Ibid art 70(4). Under art 29(6) of the Directive, the Article 29 Working Party adopts its own rules of procedure, which do not include an express right for interested parties to comment: see Article 29 Data Protection Working Party, ‘Working Party on the Protection of Individuals with Regard to the Processing of Personal Data’ (Rules of Procedure, European Commission, 15 February 2012).

[55] Hustinx, above n 11, 27.

[56] Commission Implementing Decision [2016] OJ L 344/83, recital 8.

[57] European Commission, ‘Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal Data in a Globalised World’ (Communication No COM(2017) 7 Final, European Commission, 10 January 2017) 8–9.

[58] GDPR [2016] OJ L 119/1, art 45(3).

[59] Ibid art 45(4).

[60] Ibid art 45(5).

[61] Ibid art 45(9).

[62] Kohnstamm, above n 26, 10. This approach has attracted the comment (admittedly exaggerated) that ‘[a]dequacy is in inverse proportion to proximity including economic and social proximity, not just geographical’: Graham Greenleaf and Lee Bygrave, ‘Not Entirely Adequate but Far Away: Lessons from How Europe Sees New Zealand Data Protection’ (2011) 111 Privacy Laws & Business International Report 8, 9.

[63] European Commission, above n 57, 8.

[64] Ibid 7. The Commission referred to New Zealand and Uruguay as such third countries.

[65] Ibid.

[66] Stefano Rodota, ‘Opinion 4/2002 on the level of protection of personal data in Argentina’ (Opinion No 11081/02/EN/Final WP 63, European Commission, 3 October 2002) 17. See also Christopher Wolf, ‘Delusions of Adequacy? Examining the Case for Finding the United States Adequate for Cross-Border EU-U.S. Data Transfers’ (2013) 43 Washington University Journal of Law & Policy 227, 242–3.

[67] Rodota, above n 66.

[68] Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act [2002] OJ L 2/13.

[69] Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce [2000] OJ L 215/7.

[70] Privacy Shield [2016] OJ L 207/1. For adequacy shortcomings with the Privacy Shield, see Article 29 Working Party, ‘Opinion 01/2016 on the EU—U.S. Privacy Shield draft adequacy decision’ (Opinion No 16/EN WP 238, European Commission, 13 April 2016).

[71] Canada Border Services Commission Decision [2006] OJ L 91/49.

[72] US Border Protection Commission Decision [2004] OJ L 235/11.

[73] Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press, 2013) 66.

[74] Ibid; Christopher Wolf, ‘Delusions of Adequacy? Examining the Case for Finding the United States Adequate for Cross-Border EU-U.S. Data Transfers’ (2013) 43 Washington University Journal of Law & Policy 227, 242; John Ihle, Ireland blocks EU data sharing with Israel (8 July 2010) Jewish Telegraphic Agency <www.jta.org/2010/07/08/news-opinion/world/ireland-blocks-eu-data-sharing-with-israel>.

[75] Committee on Civil Liberties, Justice and Home Affairs, ‘Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs’ (Report No 2013/2188(INI), European Parliament, 2014) [45], recitals AQ–AR.

[76] Ibid.

[77] European Parliament, European Parliament Resolution of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs 2013/2188(INI), (5 March 2014) [46] <http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A7-2014-0139+0+DOC+XML+V0//EN>.

[78] ‘Five Eyes’ is a multilateral espionage alliance for sharing intelligence among Australia, Canada, New Zealand, the United Kingdom and the United States. ‘Nine Eyes’ consists of the Five Eyes members together with Denmark, France, the Netherlands and Norway. ‘14 Eyes’ consists of the members of 9 Eyes plus Germany, Belgium, Italy, Spain and Sweden.

[79] Germany has expressed interest in joining 9-eyes, and possibly 5-eyes: see Ewan MacAskill and James Ball, ‘Portrait of the NSA: no detail too small in quest for total surveillance’, The Guardian (online) 3 November 2013 <www.theguardian.com/world/2013/nov/02/nsa-portrait-total-surveillance>.

[80] Committee on Civil Liberties, Justice and Home Affairs, above n 75, [21]–[22].

[81] Maartje Krabbe, Excusable Evil: An Analysis of Complete Defenses at International Criminal Law (Intersentia, 2014) 243–53. A defence of tu quoque was implicitly accepted concerning aspects of submarine warfare at the Nuremberg trials: The Trial of German Major War Criminals (Judgement) (International Military Tribunal, Trial Chamber, 1 October 1946) 305 (Karl Dönitz), 308 (Erich Raeder). Subsequent international criminal law cases, however, have expressly ruled out the defence: see Prosecutor v Kupreškić (Judgement) (International Criminal Tribunal for the former Yugoslavia, Trial Chamber, Case No IT-95-16-T, 14 January 2000) [510], [515]–[520].

[82] Ruggero J Aldisert, Logic for Lawyers (Clark Boardman Callaghan, 2nd ed, 1992) 11–36; Kevin W Saunders, ‘Informal Fallacies in Legal Argumentation’ (1992–93) 44 South Carolina Law Review 343, 373–4; Paul Bosanac, Litigation Logic: A Practical Guide to Effective Argument (American Bar Association, 2009) ch 6.

[83] European Commission, above n 57, 7.

[84] These are Albania, Armenia, Bosnia and Herzegovina, Georgia, Moldova, Montenegro, Serbia, Macedonia, Turkey, and Ukraine. In addition, two non-European countries, Mauritius and Senegal, acceded to the Council of Europe instruments in 2016.

[85] Opened for signature 28 January 1981, CETS No 108 (entered into force 1 October 1985).

[86] Opened for signature 8 November 2001, CETS No 181 (entered into force 1 July 2004).

[87] The position in these countries has been labelled ‘de facto adequacy’ in relation to other Council of Europe states, obviating the need to obtain an EU adequacy decision: Graham Greenleaf, ‘Do not dismiss “adequacy”: European standards entrenched’ (2011) 114 Privacy Laws & Business 16. Elsewhere, Greenleaf comments that the adequacy standard for Convention 108 ‘can be thought of as half way between the 1980s OECD standards and those of the Directive’: Graham Greenleaf, ‘Balancing Globalisation’s Benefits and Commitments: Accession to Data Protection Convention 108 by Countries Outside Europe’ [2016] University of New South Wales Law Research Series 52, 4.


URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/2017/3.html