In two implementing decisions dated 16 December 2016 (No. 2016/2295 and No. 2016/2297), the European Commission changed the standard contractual clauses and adequacy decisions in order to take certain criticisms into account resulting from the Court of Justice of the European Union's "Schrems" judgement (case C-361/14 of 6 October 2015; see our presentation on LEXplicite).
In answer to the question of whether national authorities responsible for data protection were bound by a decision noting the existence of adequate protection, the Court clearly replied that these authorities must remain able to conduct audits completely independently, and that no such decision could reduce the authority conferred upon them by Article 28.3 of Directive 95/46 of 24 October 1995.
In the two decisions on 16 December 2016, the Commission reiterated that the decisions adopted in accordance with Articles 26.4 (related to standard contractual clauses) or 25.6 (related to adequacy decisions), although they benefit from the presumption of legality, must not prevent a national supervisory authority from:
- suspending or prohibiting a transfer when it notes that said transfer breaches European law; or
- initiating an action before national courts for a preliminary ruling for the purposes of examining the validity of an adequacy decision.
Implementing decision 2016/2297 thereby amends decisions 2001/497 and 2010/87 related to standard contractual clauses by eliminating any restriction to the authorities' ability to suspend or ban data flows.
It is worth noting that this measure had only been possible to date in cases where:
"(a) it is established that the law to which the data importer or a sub-processor is subject imposes upon him requirements to derogate from the applicable data protection law which go beyond the restrictions necessary in a democratic society as provided for in Article 13 of Directive 95/46/EC where those requirements are likely to have a substantial adverse effect on the guarantees provided [...];
(b) a competent authority has established that the data importer or a sub-processor has not respected the standard contractual clauses in the Annex; or
(c) there is a substantial likelihood that the standard contractual clauses in the Annex are not being or will not be complied with and the continuing transfer would create an imminent risk of grave harm to the data subjects."
Implementing decision 2016/2295, for its part, modifies the following decisions:
- 2000/518 relative to Switzerland;
- 2002/2 relative to Canada;
- 2003/490 relative to Argentina;
- 2003/821 relative to Guernsey;
- 2004/411 relative to the Isle of Man;
- 2008/393 relative to Jersey;
- 2010/146 relative to the Faroe Islands;
- 2010/625 relative to Andorra;
- 2011/61 relative to Israel;
- 2012/484 relative to Uruguay;
- 2013/65 relative to New Zealand.
On the one hand, it eliminates the restrictions imposed by these decisions on the powers of the supervisory authorities, and, on the other, requires the Commission to monitor changes in the legal order of the relevant States that may impede the proper functioning of adequacy decisions.
Do these decisions constitute the end of the saga triggered by Schrems? For the legal security of transfers to third countries, we might hope so.