Privacy & Cybersecurity Law Blog

Earlier this month, at a meeting of the Article 31 Committee, the European Commission (“Commission”) unveiled two draft Commission Implementing Decisions that propose amendments to the existing adequacy decisions and decisions on EU Model Clauses.

Adequacy decisions establish whether a third country provides adequate safeguards to protect personal data, and decisions are made by the Commission following its assessment of a country’s national law and international commitments on data protection. Countries deemed to be adequate are added to the Commission’s ‘white list’ and transfers can be made from the EEA to that country without requiring further safeguards.

The Commission’s move to amend the decisions follows the ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems case. In its ruling, the CJEU held that the EU-U.S. Safe Harbor data transfer framework was invalid. The Commission’s proposed amendments remove provisions restricting DPAs’ power in the existing adequacy decisions and under EU Model Clauses.

A number of the EU Member States that presented at the Article 31 Committee meeting were in favor of the two amendments, although others requested more time to consider the proposed changes before making a decision. As a result, it was agreed that another meeting would be scheduled. In the meantime, the Article 29 Working Party will be asked to present its views on the amendments. The draft texts have yet to be made public.