| Published date | 17 December 2016 |
| Official Gazette Publication | Official Journal of the European Union, L 344, 17 December 2016 |
L_2016344EN.01008301.xml
| 17.12.2016 | EN | Official Journal of the European Union | L 344/83 |
COMMISSION IMPLEMENTING DECISION (EU) 2016/2295
of 16 December 2016
amending Decisions 2000/518/EC, 2002/2/EC, 2003/490/EC, 2003/821/EC, 2004/411/EC, 2008/393/EC, 2010/146/EU, 2010/625/EU, 2011/61/EU and Implementing Decisions 2012/484/EU, 2013/65/EU on the adequate protection of personal data by certain countries, pursuant to Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council
(notified under document C(2016) 8353)
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1), and in particular Article 25(6) thereof,
After consulting the European Data Protection Supervisor,
Whereas:
| (2) | Article 3(1) first subparagraph of Decision 2000/520/EC laid down restrictive conditions under which national supervisory authorities could decide to suspend data flows to a U.S. self-certified company, notwithstanding the Commission's adequacy finding. |
| (3) | In its Schrems judgment, the Court of Justice clarified that national supervisory authorities remain competent to oversee the transfer of personal data to a third country which has been the subject of a Commission adequacy decision and that the Commission has no competence to restrict their powers under Article 28 of Directive 95/46/EC. Pursuant to this Article, those authorities possess, in particular, investigative powers, such as the power to collect all the information necessary for the performance of their supervisory duties, effective powers of intervention, such as that of imposing a temporary or definitive ban on the processing of data, and the power to engage in legal proceedings (4). |
| (4) | The Court of Justice recalled in the Schrems judgment that, in line with the second subparagraph of Article 25(6) of Directive 95/46/EC, Member States and their organs must take the measures necessary to comply with acts of the Union institutions, as the latter are in principle presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment, or declared invalid following a reference for a preliminary ruling or a plea of illegality. |
| (5) | Consequently, a Commission adequacy decision adopted pursuant to Article 25(6) of Directive 95/46/EC is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities, in so far as it has the effect of authorising transfers of personal data from the respective Member State to the third country covered by it (5). It follows that national supervisory authorities cannot adopt measures contrary to a Commission adequacy decision, such as acts declaring that decision invalid or which are intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection. As clarified by the Schrems judgment, this does not prevent a national supervisory authority from examining the claim of an individual concerning the level of protection of personal data ensured in a third country subject to a Commission adequacy decision and, where it considers it well founded, to engage in legal proceedings before the national courts, in order for them, if they share the doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision's validity (6). |
| (6) | Commission Decisions 2000/518/EC (7), 2002/2/EC (8), 2003/490/EC (9), 2003/821/EC (10), 2004/411/EC (11), 2008/393/EC (12), 2010/146/EU (13), 2010/625/EU (14) and 2011/61/EU (15) and Commission Implementing Decisions 2012/484/EU (16) and 2013/65/EU (17), which are adequacy decisions, contain a limitation on the powers of the national supervisory authorities that is comparable to Article 3(1) first subparagraph of Decision 2000/520/EC, which the Court of Justice considered invalid. |
| (7) | In the light of the Schrems judgment and pursuant to Article 266 of the Treaty, the provisions in those Decisions limiting the powers of national supervisory authorities should therefore be replaced. |
| (8) | In the Schrems judgment, the Court of Justice further clarified that, as the level of protection ensured by a third country may be liable to change, it is incumbent on the Commission, after it has adopted a decision pursuant to Article 25(6) of Directive 95/46/EC, to check periodically whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified (18). In the light of the findings in that judgment as regards access to personal data by public authorities, the rules and practice governing such access should also be monitored. |
| (9) | Therefore, for those countries for which it has adopted an adequacy decision, the Commission will, on an ongoing basis, monitor developments, both in law and in practice, that could affect the functioning of such decisions, including developments concerning access to personal data by public authorities. |
| (10) | In order to facilitate the effective monitoring of the functioning of the adequacy decisions currently in force, the Commission should be informed by Member States about relevant action undertaken by national supervisory authorities. |
| (11) | The Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered an opinion, which has been taken into account in the preparation of this Decision. |
| (12) | The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC. |
| (13) | Decisions 2000/518/EC, 2002/2/EC, 2003/490/EC, 2003/821/EC, 2004/411/EC, 2008/393/EC, 2010/146/EU, 2010/625/EU and 2011/61/EU and Implementing Decisions 2012/484/EU and 2013/65/EU should therefore be amended accordingly, |
HAS ADOPTED THIS DECISION:
Article 1
Decision 2000/518/EC is amended as follows:
| (1) | Article 3 is replaced by the following: ‘Article 3 Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to Switzerland in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.’; |
| (2) | the following Article 3a is inserted: ‘Article 3a 1. The Commission shall, on an ongoing basis, monitor developments in the Swiss legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether Switzerland continues to ensure an adequate level of protection of personal data. 2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in Switzerland fails to secure such compliance. 3. The Member States and the Commission shall inform each other of any indications that interferences by Swiss public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences. 4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to in paragraphs 2 and 3 of this Article, the Commission shall inform the competent Swiss authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.’. |
Article 2
Decision 2002/2/EC is amended as follows:
| (1) | Article 3 is replaced by the following: ‘Article 3 Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to a recipient in Canada whose activities fall under the scope of the Canadian Personal Information Protection and Electronic Documents Act in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.’; |
| (2) | the following Article 3a is inserted: ‘Article 3a 1. The Commission shall, on an ongoing basis, monitor developments in the Canadian legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether Canada continues to ensure an adequate level of protection of personal data. 2. The Member States and the Commission |
...
Get this document and AI-powered insights with a free trial of vLex and Vincent AI
