This week the EU published amendments that were adopted in the middle of the month to:
- The EU Model Clauses Decisions (which we reported on previously here); and,
- The Eleven country-specific EU Adequacy Decisions.
The amendments are in two EU Decisions which can be found here.
Following the collapse of the EU-US Safe Harbor scheme in light of the European Court’s October 2015 ruling in the Schrems case (which we reported on extensively here) the European Commission has had to revise both the Model Clauses and all the country-specific Adequacy Decisions to be in line with the judgment.
The amendments to the 2001 controller-to-controller and 2010 controller-to-processor Model Clauses are brief and straightforward in that they simply require the EU Member State data protection authorities to inform the European Commission when those authorities have suspended or banned data transfers to third countries. It is only the part of the Decision that precedes the actual Model Clauses (the latter being in the Annex to the Decision) that has been changed and which is addressed to the Member States. The actual Model Clauses themselves remain unchanged and therefore there is nothing that has to be done to existing Model Clause agreements between parties at this time.
The amendments to the Adequacy Decisions are also brief and straightforward and similarly require the EU Member State data protection authorities to inform the European Commission when those authorities have suspended or banned data transfers to the eleven countries in question, along with imposing some other information communication and monitoring requirements for the Commission and the other EU Member States. It will be recalled that the eleven countries in question that the EU has so far adopted Adequacy Decisions for are as follows:
- Andorra;
- Argentina;
- Canada;
- the Faeroe Islands;
- Guernsey;
- the Isle of Man;
- Jersey;
- Israel;
- New Zealand;
- Switzerland; and,
- Uruguay.
The EU-US Privacy Shield scheme is of course also an (additional) EU Adequacy Decision, which was agreed this summer, and our FAQs on this can be found here.
As we mention in those FAQs there is also a challenge to the EU Model Clauses which is likely to continue despite these Adequacy Decision Amendments.
We report regularly on data protection issues, which can be found here.
We have also developed a special product to assist with compliance with the GDPR, Cordery GDPR Navigator – more details about this can be found here. We also write regularly and produce films about data protection and privacy issues which can be found here.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com