Title: ‘Adequate level of data protection’ in third countries post

-
Schrems and under the General Data Protection Regulation
Author: Paul Roth
EAP Date (approved for print): 16 November 2017

Note to users: Articles in the ‘Epubs ahead of print’ (EAP) section are peer
reviewed accepted articles to be published in this journal. Please be aware
that although EAPs do not have all bibliographic details available yet, they
can be cited using the year of online publication and the Digital Object
Identifier (DOI) as follows: Author(s), ‘Article Title’, Journal (Year),
Volume(Issue), EAP (page #).

The EAP page number will be retained in the bottom margin of the printed
version of this article when it is collated in a print issue.

Collated print versions of the article will contain an additional volumetric
page number. Both page citations will be relevant, but any EAP reference
must continue to be preceded by the letters EAP.

ISSN-0729-1485
Copyright 2017 University of Tasmania
All rights reserved. Subject to the law of copyright no part of this publication may be
reproduced, stored in a retrieval system or transmitted in any form or by any means
electronic, mechanical, photocopying, recording or otherwise, without the permission
of the owner of the copyright. All enquiries seeking permission to reproduce any part
of this publication should be addressed in the first instance to:
The Editor, Journal of Law, Information and Science, Private Bag 89, Hobart, Tasmania
7001, Australia.
editor@jlisjournal.org
http://www.jlisjournal.org/
‘Adequate level of data protection’ in third countries
post-Schrems and under the General Data Protection
Regulation

PAUL ROTH*

Abstract

This paper looks at the concept of an ‘adequate level of protection’ by third countries
for the purposes of transferring data out of the European Union (‘EU’) and European
Economic Area (‘EEA’)1 under the data protection Directive2 in the wake of the 2015
European Court of Justice (‘ECJ’)3 decision in Maximillian Schrems v Data
Protection Commissioner (Ireland), 4 as well as under the EU General Data
Protection Regulation (‘GDPR’),5 which comes into force on 6 May 2018.

Introduction

Under the Directive and the GDPR, if personal data is transferred outside EU
Member States and they do not fall under one of the derogations set out in the
Directive (art 26(1)) or the GDPR (art 49), the third country must ensure an
adequate level of protection for those data under contractual clauses
approved by a Member State, or the EU Standard Contractual Clauses or
Binding Corporate Rules. Alternatively, the European Commission

* Professor of Law, Faculty of Law, University of Otago, Dunedin, New Zealand.
1 The three additional EEA states are Iceland, Norway and Liechtenstein. The
requirements of the Directive (as adapted) are applicable through the Agreement on
the European Economic Area, signed 2 May 1992, [1994] OJ L 1/3 (entered into force 1
January 1994).
2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data [1995] OJ L 281/31 (‘Directive’).
3 The common abbreviation ECJ is used throughout this paper in preference to
‘CJEU’ (Court of Justice of the European Union).
4 (Court of Justice of the European Union, C-362/14, 6 October 2015) (‘Schrems’).
5 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data, and repealing Directive 95/46/EC (General Date Protection
Regulation) [2016] OJ L 119/1 (‘GDPR’).

EAP 1
Journal of Law, Information and Science Vol 25 2017

(‘Commission’) can make a decision that the third country generally can
ensure an adequate level of protection for personal data.6

Article 25(6) of the Directive, like art 45(3) of the GDPR, provides that the
Commission can made a finding that a third country ensures an adequate
level of protection, in which case no specific authorisation by a Member State
data protection supervisory authority (‘DPA’) is required for the transfer of
personal information. Such adequacy findings may cover all transfers to the
third country, or may apply to particular categories of information, such as air
transport passenger information of people flying to the United States or
Canada from Europe, 7 or to entities that have agreed to8 or are subject to
particular data protection standards. 9

One rationale for making provision for such Commission findings was that it
would be overly burdensome if Member States constantly had to assess the
adequacy of safeguards for personal data transferred to third countries.
Although art 25 envisages a case-by-case approach to assessing adequacy
where there are individual transfers or categories of transfers, it was clear that
given the huge number of transfers involved, no Member State would be able
to examine each in detail. Therefore, the Article 29 Working Party 10

6 Directive [1995] OJ L 281/31, art 25; GDPR [2016] OJ L 119/1, art 45.
7 Commission Decision of 14 May 2004 on the adequate protection of personal data
contained in the Passenger Name Record of air passengers transferred to the United States’
Bureau of Customs and Border Protection [2004] OJ L 235/11 (‘US Border Protection
Commission Decision’); Commission Decision of 6 September 2005 on the adequate
protection of personal data contained in the Passenger Name Record of air passengers
transferred to the Canada Border Services Agency [2006] OJ L 91/49 (‘Canada Border
Services Commission Decision’).
8 Under the former ‘Safe Harbor’ arrangement (Commission Decision of 26 July 2000
pursuant to Directive 95/46/EC of the European Parliament and of the Council on the
adequacy of the protection provided by the safe harbour privacy principles and related
frequently asked questions issued by the US Department of Commerce [2000] OJ L 215/7)
with the US, and currently the ‘Privacy Shield’ arrangement (Commission
Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of
the European Parliament and of the Council on the adequacy of the protection provided by
the EU-U.S. Privacy Shield [2016] OJ L 207/1 (‘Privacy Shield’)) that replaced it after
the Schrems decision.
9 Under the Canadian legislation, Personal Information Protection and Electronic
Documents Act, SC 2000.
10 The Article 29 Working Party is constituted under article 29 of the Directive. It has
an advisory status and acts independently of the Commission, and is composed of
representatives of the supervisory authorities of Member States and authorities of
EU institutions and bodies, as well as a representative of the Commission.

EAP 2
‘Adequate level of data protection’ in third countries post-Schrems and under the GDPR

recognised that the assessment of adequacy was going to have to be
rationalised,11 commenting that

mechanisms will need to be developed which rationalise the decision-making
process for large numbers of cases, allowing decisions, or at least provisional
decisions, to be made without undue delay or excessive resource implications. 12

The Working Party went on to observe that such rationalisation was
foreshadowed in art 25(6) of the Directive, and noted that ‘[s]uch findings
would be “for guidance only”, and therefore without prejudice to cases which
might present particular difficulties. … [Such an approach] would be a
practical response to the problem’.13

Another concern was the undesirability of a lack of some consensus among
Member States concerning whether a particular third country’s data
protection measures were adequate or not. Accordingly, the Working Party
commented that

a series of such [art 25(6)] determinations at Community level would contribute
to the establishment of a coherent approach on this issue and prevent the
development of a multiplicity of differing and perhaps conflicting ‘white lists’
issued by Member State governments or data protection authorities. 14

The making of adequacy decisions was also viewed as providing ‘a clear and
public incentive to those third countries still in the process of developing their
system of protection’,15 and thus it would have a positive effect on the growth
of data protection globally.

On the other hand, the Working Party acknowledged that ‘[t]he fewer
countries for which positive findings could be made, the less useful the
exercise would be, of course, in terms of providing greater certainty to data
controllers’.16 With only 12 jurisdictions receiving an ‘adequacy’ endorsement
from the Commission after nearly 20 years, the art 26(6) process could now
fairly be placed in the ‘less useful’ category. This situation does not look likely
to improve under the GPDR, but may go into reverse with the wider and
more rigorous standards under the GPDR.

11 P J Hustinx, ‘Transfers of personal data to third countries: Applying Articles 25
and 26 of the EU data protection directive’ (Working Paper No DG XV D/5025/98
WP 12, European Commission, 24 July 1998) Ch 6.
12 Ibid 26.
13 Ibid.
14 Ibid 27.
15 Ibid.
16 Ibid.

EAP 3
Journal of Law, Information and Science Vol 25 2017

1 The nature of the concept of ‘adequacy’

The concept of ‘adequacy’ has definitional, jurisdictional, and temporal
dimensions, each contributing to the complexity of the adequacy assessment
process. Moreover, there is a further contingent dimension that relates to the
particular circumstances considered relevant, as the case may be, to the
adequacy decision. These may variously involve pragmatic, economic or
political considerations.

1.1 The definition

1.1.1 Under the Directive
Under the Directive, adequacy is assessed:

• In light of all of the circumstances surrounding a data transfer
operation or set of operations.

• Particular consideration is given to the nature of the data, the purpose
and duration of the proposed processing operation or operations, the
country of origin and of final destination, the rules of law, both general
and sectoral, in force in the third country, and the professional rules
and security measures that are complied with in that country.17

A finding made in accordance with the above criteria will mean that the third
country ensures an adequate level of protection ‘by reason of its domestic law
or of the international commitments it has entered into … for the protection of
the private lives and basic freedoms and rights of individuals’.18

In addition to these general considerations, the Article 29 Working Party has
set out a number of core criteria that it considers relevant to the assessment of
adequacy.19 While these criteria have no particular legal status on their own,
they mainly track elements in the Directive and other international data
protection instruments. The criteria suggested by the Working Party are as
follows:

(i) Content Principles

17 Directive [1995] OJ L 281/31, art 25(2).
18 Ibid art 25(6).
19 See Working Party on the protection of individuals with regard to the processing
of personal data, ‘First orientation on Transfers of Personal Data to Third
Countries: Possible Ways Forward in Assessing Adequacy’ (Working Paper No XV
D/5020/97-EN final WP 4, European Commission, 26 June 1997); Hustinx, above n
11.

EAP 4
‘Adequate level of data protection’ in third countries post-Schrems and under the GDPR

(1) the purpose limitation principle

(2) the data quality and proportionality principle

(3) the transparency principle

(4) the security principle

(5) the rights of access, rectification and opposition

(6) restrictions on onward transfers

Additional principles are to be applied to specific types of processing, such
as those concerning:

(1) sensitive data

(2) direct marketing

(3) automated decisions

(ii) Procedural/enforcement mechanisms

(1) Delivery of a good level of compliance

(2) Provision of support and help to individual data subjects

(3) Provision of appropriate redress to the injured parties

Lee Bygrave has commented that these criteria ‘form an important point of
departure for Commission decisions on adequacy’, 20 but ‘[a]t the same time,
these criteria are neither precisely formulated nor always rigidly applied’.21

Ratification of the Council of Europe Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data22 may go some way to
satisfaction of the adequacy standard, 23 but is not, on its own, sufficient.24 The

20 Lee A Bygrave, Data Privacy Law: An International Perspective (Oxford University
Press, 2014) 193.
21 Ibid.
22 Opened for signature 28 January 1981, ETS No 108 (entered into force 1 October
1985).
23 Working Party on the protection of individuals with regard to the processing of
personal data, above n 19, 7–9.
24 Christopher Kuner, European Data Protection Law: Corporate Compliance and
Regulation (Oxford University Press, 2nd ed, 2007) 175.

EAP 5
Journal of Law, Information and Science Vol 25 2017

Article 29 Working Party noted in 1998 that adequacy does not necessarily
entail equivalency with EU standards,25 and reiterated that view in its
adequacy opinion on New Zealand thirteen years later.26 In Schrems, however,
the ECJ raised the bar on what ‘adequacy’ entails. The ECJ held that while the
term ‘adequate’ cannot require a third country

to ensure a level of protection identical to that guaranteed in the EU legal order,
… [it still] must be understood as requiring the third country in fact to ensure,
by reason of its domestic law or its international commitments, a level of
protection of fundamental rights and freedoms that is essentially equivalent to
that guaranteed within the European Union by virtue of Directive 95/46 read
in the light of the Charter [of Fundamental Rights of the European Union].27

The means of protection may differ from that in the EU, but the ‘means must
nevertheless prove, in practice, effective in order to ensure protection
essentially equivalent to that guaranteed within the European Union’.28

1.1.2 Under the GDPR
Generally speaking, in assessing adequacy the Commission must take into
account ‘the fundamental values on which the Union is founded’. 29 Drawing
upon the language in Schrems, recital 104 to the GDPR also states that the
third country should be able to ‘offer guarantees ensuring an adequate level
of protection essentially equivalent to that ensured within the Union, in
particular where personal data are processed in one or several specific
sectors’.30

With the bolstering of EU data protection standards, essential equivalence
will involve strengthened or additional obligations for third countries
including: specific and explicit consent by the data subject for the processing
of personal data (art 7); special conditions for the processing of children’s
personal data arising from the provision of information society services (art
8); the right of data subjects to request erasure (the ‘right to be forgotten’, art
17); the right to data portability (art 20); privacy by design (art 25); data

25 Hustinx, above n 11, 5.
26 Jacob Kohnstamm, ‘Opinion 11/2011 on the level of protection of personal data in
New Zealand’ (Opinion No 00665/11/EN WP 182, European Commission, 4 April
2011), 15.
27 Schrems (Court of Justice of the European Union, C-362/14, 6 October 2015) [73]
(emphasis added).
28 Ibid [74]; See also [96] (emphasis added).
29 GDPR [2016] OJ L 119/1, recital 104.
30 Ibid.

EAP 6
‘Adequate level of data protection’ in third countries post-Schrems and under the GDPR

breach notification (arts 33 and 34); obligatory data protection impact
assessments and prior consultation with DPAs (arts 35 and 36); and the
effective protection of personal data that is transferred onward to other third
countries (arts 44 and 45(2)(a)). There is also the provision for very high
administrative fines for non-compliance with standards in the GDPR (art 83).

Unlike the Directive, the GDPR expressly particularises the matters to be
considered for determining adequacy. Adequacy is considered in relation to
the following elements set out in art 45(2): 31

(a)
• the rule of law
• respect for human rights and fundamental freedoms
• access to justice (recital 104)
• relevant legislation, including concerning public security, defence,
national security and criminal law and the access of public
authorities to personal data
• data protection rules and case law, including rules for the onward
transfer of personal data to another third country which are
complied with in that country
• effective and enforceable data subject rights and effective
administrative and judicial redress for the data subjects whose
personal data are being transferred

(b) the existence of an effective independent supervisory authority with
adequate enforcement powers for assisting and advising data subjects
in exercising their rights, and for cooperation with EU supervisory
authorities

(c) the third country’s international commitments, particularly in relation
to the protection of personal data.32

An independent 33 European Data Protection Board (‘Board’) 34 has the express
function, inter alia, of providing the Commission with opinions as to the

31 See also GDPR [2016] OJ L 119/1, recital 104.
32 For many countries, these would include ratification of the International Covenant
on Civil and Political Rights, opened for signature 16 December 1966, 999 UNTS 171
(entered into force 23 March 1976) (‘ICCPR’) and any regional human rights treaty
that includes a right to privacy (as in art 17 of the ICCPR). Recital 105 of the GDPR
expressly refers to a third country’s accession to the Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data, opened for signature
28 January 1981, CETS No 108 (entered into force 1 October 1985).
33 GDPR [2016] OJ L 119/1, art 69.

EAP 7
Journal of Law, Information and Science Vol 25 2017

adequacy of a third country’s or international organisation’s protection of
privacy.35

1.2 Jurisdiction

1.2.1 The Directive
Where the Commission finds that a third country ensures an adequate level of
protection, Member States must take the measures necessary to comply with
the Commission’s decision that a third country ensures an adequate level of
data protection,36 arrived at in accordance with the comitology procedure.37
Conversely where the Commission finds that a third country does not ensure
an adequate level of protection, ‘Member States shall take the measures
necessary to prevent any transfer of data of the same type to the third
country’.38 Member States and the Commission are required to ‘inform each
other of cases where they consider that a third country does not ensure an
adequate level of protection’,39 which implies that individual Member States
can form their own views on adequacy. This power is acknowledged in the
Commission’s adequacy decisions, which contain a standard clause that refers
to the ‘existing powers’ of Member States to suspend data transfers where
they consider that the level of data protection has fallen below the applicable
standards of protection. 40

In Schrems, the ECJ indicated that while a Member State had an obligation to
comply with Commission adequacy decisions on the basis that they were
presumed to be lawful under art 25(6), an adequacy decision could not affect
the powers of a DPA under art 8(3) (‘Protection of Personal Data’) of the
Charter of Fundamental Rights of the European Union.41 Such a situation would
arise when an individual complains of a breach of their data protection rights

34 Ibid art 68(1). Its members are the head of one supervisory authority of each
Member State and of the European Data Protection Supervisor, or their respective
representatives: art 68(3).
35 Ibid art 70(1)(s).
36 Directive [1995] OJ L 281/31, art 25(6).
37 Ibid art 31.
38 Ibid art 25(4).
39 Ibid art 25(3).
40 See, for example, Commission Implementing Decision of 19 December 2012 pursuant to
Directive 95/46/EC of the European Parliament and of the Council on the adequate
protection of personal data in New Zealand [2013] OJ L 28/12, art 2(1).
41 [2000] OJ C 364/6; Schrems (Court of Justice of the European Union, C-362/14, 6
October 2015) [53].

EAP 8
‘Adequate level of data protection’ in third countries post-Schrems and under the GDPR

because an adequate level of protection is not ensured in a third country to
which the data has been transferred. The right to lodge complaints with a
Member State’s DPA is provided for under art 28(4) of the Directive. Thus, a
Commission decision on a third country’s adequacy would not prevent a
DPA from re-examining the issue of adequacy for itself and suspending
personal data transfers. However, only the ECJ has the power to pronounce
on the validity of the adequacy decision. While a DPA or national court on
review does not have the jurisdiction to declare an adequacy decision to be
invalid, a national court could refer a claim alleging invalidity of a
Commission decision to the ECJ. 42 Thus, where an individual, such as Mr
Schrems, claims that a third country has failed to ensure an adequate level of
protection, the DPA can examine the claim to see if it is well-founded, engage
in proceedings before a national court questioning the validity of the
Commission decision, and then have it referred to the ECJ for an examination
of the decision’s validity. On the face of it, therefore, an adequacy decision
could be disputed on a Member State-by-State basis.

In light of the Schrems decision, the Commission adopted an implementing
decision that, in part, amended existing adequacy decisions to cure the
illegality that had been found by the ECJ.43 The Commission had wrongly
exceeded its power under art 25(6) by imposing limitations on the powers of
DPAs to suspend and prohibit data transfers. The Commission’s
implementing decision therefore replaced the offending provision in its
adequacy decisions to date with one that acknowledged the powers of
Member States’ DPAs. The implementing decision also requires the
Commission to periodically check whether a third country is ensuring
adequate protection. This was in response to the finding in Schrems that the
level of protection afforded by a third country may be liable to change. 44

42 Shrems (Court of Justice of the European Union, C-362/14, 6 October 2015) [52],
[62], [65].
43 Commission Implementing Decision of 16 December 2016 amending Decisions
2000/518/EC, 2002/2/EC, 2003/490/EC, 2004/411/EC, 2008/393/EC, 2010/146/EU,
2010/625/EU, 2011/61/EU and Implementing Decisions 2012/484/EU, 2013/65/EU on the
adequate protection of personal data by certain countries, pursuant to Article 25(6) of
Directive 95/46/EC of the European Parliament and of the Council [2016] OJ L 344/83
(‘Commission Implementing Decision’). The decision was preceded by an earlier
proposal to the Article 31 Committee: European Commission, Summary record of
the 72nd meeting of the Committee on the Protection of Individuals with regard to the
Processing of Personal Data (Article 31 Committee) (3 October 2016). Some delegations
required further time to study the proposal, and the Article 29 Working Party was
asked to provide its views, which it did: Commission Implementing Decision [2016]
OJ L 344/83, recital 11.
44 Schrems (Court of Justice of the European Union, C-362/14, 6 October 2015) [76].

EAP 9
Journal of Law, Information and Science Vol 25 2017

1.2.2 The GDPR
As with the Directive, the Commission makes the adequacy decision with
effect for the entire European Union, ‘thus providing legal certainty and
uniformity throughout the Union as regards the third country’.45 The
Commission may also decide to amend or revoke such a decision.46 DPAs
continue to have the power to order the suspension of data flows to a
recipient in a third country,47 as affirmed in Schrems in relation to the Directive.

The GDPR goes further than the Directive in relation to providing specifically
for cooperation and consistency among DPAs. 48 Such cooperation and
consistency may relate to the application of the GDPR in various ways,
including, presumably, consideration of the adequacy of data protection
measures in third countries. Although cooperation is mainly conceived as
between lead supervisory authorities and other DPAs in relation to
processing within the EU, 49 there is still possible scope for cooperation among
EU DPAs in relation to the consideration of adequacy of data protection in
third countries.50 Likewise, the GDPR consistency mechanism appears to be
aimed mainly at issues that affect other EU Member States,51 but again, there
is nothing to exclude its application to the consideration of adequacy of data
protection in third countries. Article 63 is quite broad in stating that the
purpose of the consistency mechanism is ‘to contribute to the consistent

45 GDPR [2016] OJ L 119/1, recital 103.
46 Ibid art 45(5).
47 Ibid art 58(2)(j).
48 Ibid ch VII, s 1 (Cooperation), s 2 (Consistency).
49 For example, GDPR [2016] OJ L 119/1, art 60(2) refers to a lead supervisory
authority requesting mutual assistance from a DPA ‘in particular for carrying out
investigations or for monitoring the implementation of a measure concerning a
controller or processor established in another Member State’ and art 60(10) refers
to a controller or processor taking the necessary measures after notification by a
lead supervisory authority under art 60 ‘to ensure compliance with the decision as
regards processing activities in the context of all its establishments in the Union’.
50 GDPR [2016] OJ L 119/1, recital 116 might be construed as relevant here: ‘For the
purposes of developing international cooperation mechanisms to facilitate and
provide international mutual assistance for the enforcement of legislation for the
protection of personal data, the Commission and the supervisory authorities
should exchange information and cooperate in activities related to the exercise of
their powers with competent authorities in third countries’.
51 GDPR [2016] OJ L 119/1, recital 135 states that the consistency mechanism ‘should
in particular apply where a supervisory authority intends to adopt a measure
intended to produce legal effects as regards processing operations which
substantially affect a significant number of data subjects in several Member States’.

EAP 10
‘Adequate level of data protection’ in third countries post-Schrems and under the GDPR

application of this Regulation throughout the Union’. In relation to third
countries, the mechanism, in so far as it involves the Board issuing opinions,52
does not specifically mention the consideration of adequacy, but it does refer
to standard data protection clauses (art 46(2)(d)), standard contractual clauses
(art 46(3)(a)), and binding corporate rules (art 47). However, any DPA ‘may
request that any matter of general application or producing effects in more
than one Member State be examined by the Board with a view to obtaining an
opinion’.53

Unlike the Article 29 Working Party, the Board has an express natural justice
duty to ‘consult interested parties and give them the opportunity to comment
within a reasonable period’.54

1.3 The temporal dimension

1.3.1 The Directive
The Article 29 Working Party commented that the process of making a series
of findings under art 25(6) ‘should be seen as a continuing one, not one that
would produce a definitive list, but rather a list that would be constantly
added to and revised in the light of developments’.55 The approach of the
Article 29 Working Party necessarily implies that an ‘adequacy’ decision is
not a type of determination that carries the same sense of finality as a legal
decision, but involves a more fluid and dynamic approach, though in
practical terms it may become static through inertia. As the Schrems decision
has indicated, ‘adequacy’ is an assessment upon which the Commission and
Member States can differ in relation to a particular third country. Under both
the Directive and the GDPR, third countries can move in and out of a state of
adequacy over time.

The Commission decision adopted in the wake of the Schrems decision stated
that since the level of protection in a third country could change, the
Commission, after adopting an adequacy decision, must ‘check periodically
whether the finding relating to the adequacy of the level of protection

52 Ibid art 64(1).
53 Ibid art 64(2).
54 Ibid art 70(4). Under art 29(6) of the Directive, the Article 29 Working Party adopts
its own rules of procedure, which do not include an express right for interested
parties to comment: see Article 29 Data Protection Working Party, ‘Working Party
on the Protection of Individuals with Regard to the Processing of Personal Data’
(Rules of Procedure, European Commission, 15 February 2012).
55 Hustinx, above n 11, 27.

EAP 11
Journal of Law, Information and Science Vol 25 2017

ensured by the third country in question is still factually and legally
justified’.56

1.3.2 The GDPR
The Commission recently commented that ‘[a]dequacy decisions are “living”
documents that need to be closely monitored and adapted in case of
developments affecting the level of protection ensured by the third country’.57
Monitoring of third countries has become more formalised under the GDPR.
Once the Commission decides that a third country ensures an adequate level
of protection, the implementing act must provide for a periodic review
mechanism, at least every four years, which must take into account all
relevant developments in the third country. 58 Moreover, the Commission
must monitor on an ongoing basis developments in third countries that could
affect the functioning of adequacy decisions.59 The Commission can repeal,
amend or suspend an adequacy decision when there is information that
indicates (particularly following the four-yearly review) that the third country
no longer ensures an adequate level of data protection. 60 Adequacy decisions
made under the Directive will remain in force until amended, replaced or
repealed by a Commission decision.61

1.4 The contingent dimension

The concept of adequacy is adaptable to the circumstances of its application.
Thus, the Article 29 Working Party found that data protection under the New
Zealand regime was adequate even though its rules relating to onward
transfers of information were not perfect:

In reality, given the geographical isolation of New Zealand from Europe, its
size and the nature of its economy, it is unlikely that New Zealand agencies
will have any business interest in sending significant volumes of EU-sourced

56 Commission Implementing Decision [2016] OJ L 344/83, recital 8.
57 European Commission, ‘Communication from the Commission to the European
Parliament and the Council, Exchanging and Protecting Personal Data in a
Globalised World’ (Communication No COM(2017) 7 Final, European
Commission, 10 January 2017, 8–9.
58 GDPR [2016] OJ L 119/1, art 45(3).
59 Ibid art 45(4).
60 Ibid art 45(5).
61 Ibid art 45(9).

EAP 12
‘Adequate level of data protection’ in third countries post-Schrems and under the GDPR

data to third countries.62

Such considerations are among the four ‘key criteria’ set out recently by the
Commission in relation to assessing adequacy, whether under the Directive or
the GDPR:63

(i) the extent of the EU's (actual or potential) commercial relations with a
given third country, including the existence of a free trade agreement
or ongoing negotiations;

(ii) the extent of personal data flows from the EU, reflecting geographical
and/or cultural ties;

(iii) the pioneering role the third country plays in the field of privacy and
data protection that could serve as a model for other countries in its
region;64 and

(iv) the overall political relationship with the third country in question, in
particular with respect to the promotion of common values and shared
objectives at international level.

Adequacy findings have been made in relation to Argentina, Canada and the
United States on the basis that they are ‘important trading partners’. 65 In the
case of Argentina, this was made despite serious concerns about ‘some
weaknesses’ of its data protection law, in particular its enforcement
mechanisms, and ‘in the absence of any substantial experience with the
practical application of the legislation’.66 The Article 29 Working Party

62 Kohnstamm, above n 26, 10. This approach has attracted the comment (admittedly
exaggerated) that ‘[a]dequacy is in inverse proportion to proximity including
economic and social proximity, not just geographical’: Graham Greenleaf and Lee
Bygrave, ‘Not Entirely Adequate but Far Away: Lessons from How Europe Sees
New Zealand Data Protection’ (2011) 111 Privacy Laws & Business International
Report 8, 9.
63 European Commission, above n 57, 8.
64 Ibid 7. The Commission referred to New Zealand and Uruguay as such third
countries.
65 Ibid.
66 Stefano Rodota, ‘Opinion 4/2002 on the level of protection of personal data in
Argentina’ (Opinion No 11081/02/EN/Final WP 63, European Commission, 3
October 2002) 17. See also Christopher Wolf, ‘Delusions of Adequacy? Examining
the Case for Finding the United States Adequate for Cross-Border EU-U.S. Data
Transfers’ (2013) 43 Washington University Journal of Law & Policy 227, 242–3.

EAP 13
Journal of Law, Information and Science Vol 25 2017

commented that it merely ‘assumes that Argentina ensures an adequate level
of protection’.67

In the case of Canada and the United States, adequacy decisions have been
‘partial’ only. Canada has been found to ensure adequate protection for
transfers to recipients, subject to the Personal Information Protection and
Electronic Documents Act 2000, SC 2000.68 Adequacy has also been found in
respect of the Safe Harbour arrangement69 (until invalidated by the ECJ in
Schrems) and the current replacement (but still controversial) Privacy Shield,70
which have applied only to participating companies that have committed
themselves to ensuring a high level of data protection. The Commission has
also made adequacy decisions concerning the transfer of Passenger Name
Record (PNR) data to Canada 71 and the United States. 72

Christopher Kuner has commented that ‘[i]n practice, it can be difficult for a
State or regional organization to pass judgment on a foreign regulatory
system without political considerations playing some role’.73 Thus, in 2010 the
Irish Minister of Justice formally objected to a favourable Article 29 Working
Party adequacy report on the basis that Israeli officials could not be trusted
with Europeans’ personal data, as shown by the forging of passports for the
Israeli intelligence agency Mossad. 74 At the time, Ireland accused Israel’s

67 Rodota, above n 66.
68 Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the
European Parliament and of the Council on the adequate protection of personal data
provided by the Canadian Personal Information Protection and Electronics Documents Act
[2002] OJ L 2/13.
69 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European
Parliament and of the Council on the adequacy of the protection provided by the safe habour
privacy principles and related frequently asked questions issued by the US Department of
Commerce [2000] OJ L 215/7.
70 Privacy Shield [2016] OJ L 207/1. For adequacy shortcomings with the Privacy
Shield, see Article Working Party, ‘Opinion 01/2016 on the EU—U.S. Privacy
Shield draft adequacy decision’ (Opinion No 16/EN WP 238, European
Commission, 13 April 2016).
71 Canada Border Services Commission Decision [2006] OJ L 91/49.
72 US Border Protection Commission Decision [2004] OJ L 235/11.
73 Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University
Press, 2013) 66.
74 Ibid; Christopher Wolf, ‘Delusions of Adequacy? Examining the Case for Finding
the United States Adequate for Cross-Border EU-U.S. Data Transfers’ (2013) 43
Washington University Journal of Law & Policy 227, 242; John Ihle, Ireland blocks EU
data sharing with Israel (8 July 2010) Jewish Telegraphic Agency

EAP 14
‘Adequate level of data protection’ in third countries post-Schrems and under the GDPR

Mossad of killing a Hamas arms dealer in Dubai. The Mossad agents had
travelled on forged passports, including several from Ireland.

2 Analysis

2.1 Has the bar been raised unreasonably or unfairly high?

Europe raised the bar on data protection standards in the Schrems decision,
with its shift from ‘adequacy’ to ‘essential equivalence’. This stricter approach
has been carried over into the GDPR, which also comes with extended and
additional obligations. The higher standards, however, are not likely to be
achievable for most third countries due to push-back by public and private
sector entities, which affects the political will to strengthen existing data
protection law. This is reflected in largely widespread legislative indifference
to developments in the EU. Moreover, the nature of existing data protection
frameworks (such as those in Australia, New Zealand and Hong Kong) have
not all been constituted to accommodate the level of DPA involvement or
supervision required. Given the role that the contingent dimension has
played in some adequacy decisions, rendering adequacy assessment
somewhat of a moveable feast, substantial compliance may be a more realistic
standard.

After Edward Snowden’s 2013 revelations concerning national intelligence
agencies and mass surveillance of EU citizens, the European Parliament’s
Committee on Civil Liberties, Justice and Home Affairs called on the
Commission and Member States to assess without delay whether the levels of
protection for personal information by New Zealand and Canada were
indeed adequate, as previously declared by Commission decisions under art
25 of the Directive. It asked the Commission ‘if necessary, to take appropriate
measures to suspend or reverse the adequacy decisions’ of New Zealand and
Canada,75 and to assess the situation with respect to other countries deemed to
be ‘adequate’. It called upon the Commission to report to Parliament on its
findings no later than December 2014. 76 This text was subsequently adopted

<www.jta.org/2010/07/08/news-opinion/world/ireland-blocks-eu-data-sharing-
with-israel>.
75 Committee on Civil Liberties, Justice and Home Affairs, ‘Report on the US NSA
surveillance programme, surveillance bodies in various Member States and their
impact on EU citizens’ fundamental rights and on transatlantic cooperation in
Justice and Home Affairs’ (Report No 2013/2188(INI), European Parliament, 2014)
[45], recitals AQ–AR.
76 Ibid.

EAP 15
Journal of Law, Information and Science Vol 25 2017

by the European Parliament, 77 but nothing appears to have happened as a
consequence.

While New Zealand and Canada are indeed part of the ‘Five Eyes’
programme, 78 the United Kingdom also belongs; and several other Member
States participate in the ‘9-Eyes’ (Denmark, Netherlands and France) and ‘14-
Eyes’ programmes with the US (including Germany, 79 Belgium, Italy, Spain
and Sweden). This participation was acknowledged by the European
Parliament, which called

on the EU Member States, and in particular those participating in the so-called
‘9-eyes’ and ‘14-eyes’ programmes to comprehensively evaluate, and revise
where necessary, their national legislation and practices governing the
activities of the intelligence services so as to ensure that they are subject to
parliamentary and judicial oversight and public scrutiny, that they respect the
principles of legality, necessity, proportionality, due process, user notification
and transparency, including by reference to the UN compilation of good
practices and the recommendations of the Venice Commission, and that they
are in line with the standards of the European Convention on Human Rights
and comply with Member States' fundamental rights obligations, in particular
as regards data protection, privacy, and the presumption of innocence[.]80

A tu quoque (‘you also’, or ‘pot calling the kettle black’) argument might
therefore also be raised on the basis that Member States are not always
entirely compliant with their own standards, and there is the prospect that
Member States will be even less compliant with the GDPR when it comes into
force in 2018. It therefore seems inequitable if third countries should be held
to a higher standard. Tu quoque arguments, sometimes unsuccessfully raised

77 European Parliament, European Parliament Resolution of 12 March 2014 on the US
NSA surveillance programme, surveillance bodies in various Member States and their
impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and
Home Affairs 2013/2188(INI), (5 March 2014) [46]
<http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-
//EP//TEXT+REPORT+A7-2014-0139+0+DOC+XML+V0//EN>.
78 ‘Five Eyes’ is a multilateral espionage alliance for sharing intelligence among
Australia, Canada, New Zealand, the United Kingdom and the United States.
‘Nine Eyes’ consists of the Five Eyes members together with Denmark, France, the
Netherlands and Norway. ‘14 Eyes’ consists of the members of 9 Eyes plus
Germany, Belgium, Italy, Spain and Sweden.
79 Germany has expressed interest in joining 9-eyes, and possibly 5-eyes: See Ewan
MacAskill and James Ball, ‘Portrait of the NSA: no detail too small in quest for total
surveillance’, The Guardian (online) 3 November 2013
<www.theguardian.com/world/2013/nov/02/nsa-portrait-total-surveillance >.
80 Committee on Civil Liberties, Justice and Home Affairs, above n 75, [21]–[22].

EAP 16
‘Adequate level of data protection’ in third countries post-Schrems and under the GDPR

in connection with breaches of international humanitarian law standards, 81
conventionally fail, however, because they are based on the logical fallacy that
two wrongs make a right. In the particular circumstances of some civil cases a
tu quoque argument may sometimes be valid,82 such as where the equitable
‘clean hands’ doctrine is raised. In such cases, the plaintiff’s past misconduct
must somehow be relevant to the plaintiff’s current seeking of a remedy.
Thus, on analogy, a tu quoque argument may at least hold some moral force
where it would be unfair or hypocritical for a third country to be held to a
higher standard than is attained by Member States.

2.2 How important is it to achieve adequacy status: does it really
matter?

It is difficult to gauge how important it is to achieve or maintain adequacy
status. The numbers may offer an answer.

After nearly 20 years, most countries in the world have either not been able to
satisfy the EU adequacy standard, or else they have not sought to do so. Of
those that have ensured adequate protection: the US and Canada have only
partially ensured adequacy; there are a handful of small countries that are,
apart from New Zealand, important trading partners with the EU (Israel,
Switzerland, Argentina and Uruguay);83 and there are a handful of miniscule
states (Guernsey, Jersey, the Isle of Man, the Faroe Islands and Andorra). In
total, this amounts to only 12 jurisdictions, many of whom are small in size
and economic power.

There are, in addition, 12 other non-EU/EEA countries (not already found to
be ‘adequate’ by the EU)84 that have ratified both the Council of Europe

81 Maartje Krabbe, Excusable Evil: An Analysis of Complete Defenses at International
Criminal Law (Intersentia, 2014) 243–53. A defence of tu quoque was implicitly
accepted concerning aspects of submarine warfare at the Nuremberg trials: The
Trial of German Major War Criminals (Judgement) (International Military Tribunal,
Trial Chamber, 1 October 1946) 305 (Karl Dönitz), 308 (Erich Raeder). Subsequent
international criminal law cases, however, have expressly ruled out the defence:
see Prosecutor v Kupreškić (Judgement) (International Criminal Tribunal for the
former Yugoslavia, Trial Chamber, Case No IT-95-16-T, 14 January 2000) [510],
[515]–[520].
82 Ruggero J Aldisert, Logic for Lawyers (Clark Boardman Callaghan, 2nd ed, 1992) 11–
36; Kevin W Saunders, ‘Informal Fallacies in Legal Argumentation’ (1992–93) 44
South Carolina Law Review 343, 373–4; Paul Bosanac, Litigation Logic: A Practical
Guide to Effective Argument (American Bar Association, 2009) ch 6.
83 European Commission, above n 57, 7.
84 These are Albania, Armenia, Bosnia and Herzegovina, Georgia, Moldova,
Montenegro, Serbia, Macedonia, Turkey, and Ukraine. In addition, two non-

EAP 17
Journal of Law, Information and Science Vol 25 2017

Convention 108 for the Protection of Individuals with regard to Automatic
Processing of Personal Data (1981)85 and its Additional Protocol 181 Regarding
Supervisory Authorities and Transborder Data Flows (2001),86 which could
possibly be regarded as ‘almost there’ in terms of EU adequacy standards, at
least in relation to automated processing, because of the similarity of many of
the basic obligations.87 But as the saying goes, ‘almost’ only counts in
horseshoes and hand grenades.

For the rest of the world, the available derogations for particular
circumstances, standard contractual clauses (adopted by the Commission or
DPAs), and binding corporate rules for groups of enterprises, will have to
suffice in place of adequacy determinations. If achieving adequacy under the
GDPR proves to be yet more difficult for third countries, only the most highly
motivated are going to attempt to bring their data protection laws in line.
Such motivation is likely to stem from a need to facilitate existing commercial
activity with the EU. To adapt an old saw, ‘necessity is the mother of
compliance’.

Conclusion

The concept of ‘adequacy’ has definitional, jurisdictional, temporal and
contingent dimensions that render the adequacy assessment process complex.
The ‘adequacy’ of a third country’s data protection measures will continue to
be relevant under the GDPR, as under the current Directive. The criteria for
determining ‘adequacy’, however, have acquired greater specificity, and the
shift of the standard from ‘adequacy’ to ‘essential equivalence’, prefigured in
the Schrems decision, means that the bar has been raised considerably for
third countries. Few third countries, however, have achieved ‘adequacy’ thus

European countries, Mauritius and Senegal, acceded to the Council of Europe
instruments in 2016.
85 Opened for signature 28 January 1981, CETS No 108 (entered into force 1 October
1985).
86 Opened for signature 8 November 2001, CETS No 181 (entered into force 1 July
2004).
87 The position in these countries has been labelled ‘de facto adequacy’ in relation to
other Council of Europe states, obviating the need to obtain an EU adequacy
decision: Graham Greenleaf, ‘Do not dismiss “adequacy”: European standards
entrenched’ (2011) 114 Privacy Laws & Business 16. Elsewhere, Greenleaf comments
that the adequacy standard for Convention 108 ‘can be thought of as half way
between the 1980s OECD standards and those of the Directive’: Graham Greenleaf,
‘Balancing Globalisation’s Benefits and Commitments: Accession to Data
Protection Convention 108 by Countries Outside Europe’ [2016] University of New
South Wales Law Research Series 52, 4.

EAP 18
‘Adequate level of data protection’ in third countries post-Schrems and under the GDPR

far, and the GDPR’s higher standards will mean that fewer countries should
be able to satisfy them going into the future.

It may be, therefore, that if the Commission follows through on its recently
announced flexible approach to making ‘adequacy’ determinations, this will
compensate for what appear, on the face of it, to be stricter standards. The
Commission’s proposed ad hoc approach takes into account the political and
economic desirability of making an ‘adequacy’ finding in a particular case, the
extent of data flows from the EU to the third country in question, and
whether that third country could play a pioneering role in getting other
countries in its region to raise their data protection standards.

EAP 19