Mervinskiy 421


IPOL | Policy Department for Citizens’ Rights and Constitutional Affairs

2 EUROPEAN DATA PROTECTION STANDARDS

KEY FINDINGS

In the EU, data protection is a fundamental right, enshrined in primary law. Under the GDPR, personal data can only be freely transferred to countries held by the European Commission to provide “adequate”/“essentially equivalent” protection. Otherwise, “appropriate safeguards” must be adopted by the EU data exporter. Furthermore, there must be one or more independent public authorities with responsibility for ensuring compliance with the relevant data protection instruments, which ensure “a good level of compliance” in practice, and provide “support and help to individual data subjects in the exercise of their rights and appropriate redress mechanisms”.

A third country’s laws can only be said to provide such protection if they meet the standards set out in the European Data Protection Board (EDPB) Adequacy Referential, on matters such as scope, purpose specification and limitation, and restrictions on onward transfers. And in relation to access to personal data by a third country’s intelligence agencies, its laws can only be said to provide this protection if they meet the standards set out in the EDPB’s European Essential Guarantees for surveillance.

While activities of Member State authorities for national security purposes are outside EU competence, national constitutions and the European Convention on Human Rights apply. Moreover, the exemption does not apply to the imposition of legal obligations on private sector organisations, or to non-EU countries. Any persistent failure by an EU Member State to comply with the ECHR and with the judgments of the Strasbourg Court would be incompatible with membership in good standing of the Union.

2.1 Introduction

Under the GDPR,[5] personal data can only be freely transferred from the EU[6] to a non-EU country (a “third country”) held by the European Commission (the executive branch of the EU), on the basis of an assessment under a set of prescribed standards, to provide “adequate” protection to such data. The CJEU has held this means the third country must provide “essentially equivalent” protection to that accorded in the EU by the GDPR. If a third country does not afford “adequate”/“essentially equivalent” protection to personal data, “appropriate safeguards” must be adopted by the EU data exporter and the third country data importer to ensure that the EU level of protection is not undermined.

[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1–88.

[6] The GDPR data transfer regime also applies to the three non-EU Member States of the European Economic Area (EEA), Iceland, Liechtenstein, and Norway. However, in this short study, we will generally just refer to the EU. This should be read as applying to the EU and those three other EEA Member States that are, for data protection purposes, not “third countries”.


PE 694.678

