Article 45 GDPR
Legal Text
1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
- (a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
- (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
- (c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.
5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).
6. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.
7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.
8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.
9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.
Relevant Recitals
Recital 103
Recital 104
Recital 105
Recital 106
Recital 107
Commentary
Overview
Article 45 GDPR addresses the complex issue of international data transfers. The huge amounts of data transferred from the EU to third countries made it necessary to adopt provisions ensuring that precautionary measures are in place to protect those transfers. The level of protection that should be achieved is set out and delimited in Chapter V of the GDPR. Chapter V of the GDPR creates a three-tiered structure of legal bases for international data transfers, with adequacy decisions at the top, appropriate safeguards in the middle and negotiations at the bottom. [1] On the basis of Article 45 GDPR, the European Commission has the power to determine whether a country outside the EU offers a level of data protection that is adequate, that is, "essentially equivalent" to that of the EU. Adequacy means that the rules implemented in the third countries or international organisations are effective in practice[2].
In 2017 the Article 29 Working Party (WP29) published a paper stating that the rules must comply with a "core" of principles relating both to the content of data protection rules and to their enforcement, based on the GDPR, the Charter of Fundamental Rights of the European Union (CFR) and other relevant international instruments, such as Council of Europe Convention 108.[3]
The European Commission has so far recognised the following countries as providing adequate protection by means of 'adequacy decisions': Andorra, Argentina, Canada (only commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. The current adequacy decisions are published on the Commission's website.
Adequacy decision
Under Article 45, a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.
Criteria
To be granted an adequacy decision, the country (or other geographical area, see above) must be able to ensure an adequate level of data protection. In performing the assessment, the European Commission takes into account different elements. Among these are the national laws and the respect for and protection of human rights and freedoms, national security, data protection laws, the existence of a DPA or another kind of data protection body, and the binding commitments or agreements that the country has applied nationally.
In the published paper, endorsed by the EDPB, the WP29 identifies the principles and mechanisms that must exist in the data protection system of a third country or an international organisation for it to be considered adequate. The principles include: (1) basic data protection principles, (2) lawful and fair processing for legitimate purposes, (3) the purpose limitation principle, (4) the data quality and proportionality principle, (5) the data retention principle, (6) the security and confidentiality principle, (7) the transparency principle, (8) the right of access, rectification, erasure and objection, (9) restrictions on onward transfers.
Third countries do not have to implement the exact, identical or equivalent measures of protection provided by the EU in order for their data protection system to be deemed adequate. The fundamentally different ideas on the protection of personal data among the different states, in combination with the economic policy and entrepreneurial freedoms promoted by the EU, leave third countries room for adaptation.
It must also be noted that an adequacy decision cannot regulate the exchange of data for the purpose of national security or the common foreign and security policy. [4]
Procedure
Adopting an adequacy decision requires[5] a proposal from the European Commission, an opinion from the European Data Protection Board (EDPB), approval from representatives of EU countries and, finally, adoption of the decision by the European Commission. The significance of the decision lies in its effect: after adoption, personal data can flow from the EEA to the third country without any further safeguards being required. [6]
The Commission can issue adequacy decisions for any country that is not an EU Member State or party to the EEA, and, as the article provides, a decision can also be issued for an international organisation. As mentioned above, the Commission has so far issued adequacy decisions for a number of countries: Andorra, Argentina, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay, while a partial adequacy decision has been issued for Canada.[7] Adequacy talks were concluded with South Korea on 30 March 2021.
Time of validity
Adequacy decisions have to be reviewed at least every four years. They can be repealed, amended or suspended, without retroactive effect, when the third country or the organisation no longer ensures an adequate level of protection. The absence of retroactive effect departs from EU law and avoids the disappearance of an EU act from the legal order from the date of its entry into force (ex tunc). [8] Following the amendment or the repeal, the Commission has to enter into consultations with the third country or the international organisation in order to remedy the situation. [9]
All decisions concerning adequacy must be published in the Official Journal of the European Union.
Content
An adequacy decision must contain a number of specific elements. [10] More precisely, it must contain at least:
1. A statement that the third country or the international organisation ensures adequate protection through its domestic law and regulations.
2. The territorial and sectoral application of the decision (Article 45(3)).
3. A mechanism for periodic review.
4. Identification of the supervisory authority or of authorities holding the responsibility for ensuring and enforcing compliance with the data protection rules (Article 45(2)(b) and (3) GDPR).
Additionally, the WP29 has highlighted the mechanisms that the data protection system of the third country or the international organisation must contain: a supervisory authority; a data protection system that ensures a good level of compliance; support and help for data subjects in the exercise of their rights, together with redress mechanisms; and accountability.[11]
Also, in line with Article 45(2)(a) GDPR, third countries must ensure the minimum of interference with fundamental rights by providing guarantees for law enforcement and national security access: there must be clear, precise and accessible rules for data processing; necessity and proportionality must be demonstrated with regard to the legitimate objectives pursued; the processing must be subject to independent oversight; and effective remedies must be available to individuals. [12]
Schrems II
Regarding transfers to the USA: the European Commission and the US Department of Commerce negotiated special terms for data transfers from the EU to the US in the framework of the 'Privacy Shield'. Transfers to the US are not allowed per se, but only to companies in the USA that participate in the Privacy Shield. For this purpose, companies have to commit to comply with the Principles of the Privacy Shield and self-certify to the US Department of Commerce. The validity of this framework was broadly discussed at the Court of Justice of the EU in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (case C-311/18, Schrems II). In its judgment of 16 July 2020, the Court highlighted the importance of maintaining a high level of protection for data that are transferred from the EU to third countries.
According to the Court, [13] the lack of necessary limitations and safeguards on the power of the authorities under US law, the primacy of US law enforcement requirements over those of the Privacy Shield (para. 164), the lack of an effective remedy in the US for EU data subjects (paras. 191-192), particularly in light of proportionality requirements (paras. 168-185), and the deficiencies in the Privacy Shield Ombudsman mechanism (paras. 193-197) should all lead to the invalidation of the Privacy Shield. The Court found that the Privacy Shield Decision was invalid (para. 201) with immediate effect (para. 202). [14]
The GDPR does not set out the specific conditions that must be met for an international agreement to provide a legal basis for personal data transfers. In another decision, Opinion 1/15, the ECJ found that an international agreement can legalise data transfers if the agreement meets the Schrems standard of "essential equivalence" with EU law and especially the Charter[15]. The opinion concerns the agreement for the processing and transfer of passenger name record (PNR) data between the EU and Canada. It examined whether the agreement is compatible with the provisions of the Treaties (Article 16 TFEU) and the Charter of Fundamental Rights of the European Union (Articles 7, 8, 52(1)) as regards the right of individuals to protection of personal data. It also examined whether Articles 82(1)(d) and 87(2)(a) TFEU constitute the appropriate legal basis for the act of the Council concluding the envisaged agreement, or whether the act must be based on Article 16 TFEU.
The answer was negative to both questions, since it was found that the correct legal basis of the Agreement was provided by Articles 16(2) and 87(2)(a) TFEU and not by Article 82(1)(d) TFEU.
Enforcement
As regards the enforcement of Article 45, the Schrems II judgment (para. 63) also stated that an individual must be able to make a claim to a DPA contesting the compatibility of a data transfer based on an adequacy decision with the protection of privacy and fundamental rights, and that the DPA must examine the claim with all due diligence.
Decisions
→ You can find all related decisions in Category:Article 45 GDPR
References
1. The EU General Data Protection Regulation (GDPR), A commentary, edited by Christopher Kuner, Lee A. Bygrave and Christopher Docksey, p. 774
2. Article 29 Working Party, "Adequacy Referential (updated)" (WP 254, 28 November 2017), p. 3
3. Article 29 Working Party, "Adequacy Referential (updated)" (WP 254, 28 November 2017), p. 4
4. Commission Decision 2004/535/EC of 14 May 2004, repealed by the ECJ ruling of 30 May 2006 - C-317/04 and C-318/04, EuZW 2006, 357
5. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
6. https://www.dataprotection.ie/en/organisations/international-transfers/transfers-personal-data-third-countries-or-international-organisations
7. https://tietosuoja.fi/en/transfers-on-the-basis-of-an-adequacy-decision
8. Lenaerts, Maselis and Gutman 2014, locations 18058-18065
9. The EU General Data Protection Regulation (GDPR), A commentary, edited by Christopher Kuner, Lee A. Bygrave and Christopher Docksey, p. 789
10. The EU General Data Protection Regulation (GDPR), A commentary, edited by Christopher Kuner, Lee A. Bygrave and Christopher Docksey, p. 785
11. The EU General Data Protection Regulation (GDPR), A commentary, edited by Christopher Kuner, Lee A. Bygrave and Christopher Docksey, p. 789
12. Article 29 Working Party, "Adequacy Referential (updated)" (WP 254, 28 November 2017), p. 9
13. https://europeanlawblog.eu/2020/07/21/after-schrems-ii-uncertainties-on-the-legal-basis-for-data-transfers-and-constitutional-implications-for-europe/
14. https://europeanlawblog.eu/2020/07/17/the-schrems-ii-judgment-of-the-court-of-justice-and-the-future-of-data-transfer-regulation/
15. EP Request Opinion 1/15: Request for an opinion submitted by the European Parliament pursuant to Article 218(11) TFEU (Opinion 1/15), OJ 2015 C 138/24.