1.4 Application Of The “Essentially Equivalent” Test
1.4.1 Differences Between Commission Decisions Rise To Different Application Of The “Essentially Equivalent” Test
There are procedural differences between a Commission adequacy determination relating to a third country pursuant to Article 25(6) of Directive 95/46 and the determinations that DPAs or national courts (or companies in “self-assessment” countries, such as the UK111) must carry out with respect to specific transfers or sets of transfers under Article 25(2).
When the European Commission prepares a Decision under Article 25(6), it will have to assess not only the level of protection ensured by the third country’s laws and practices, but also compare them to the level of protection in the EU legal order as a whole. It will also have to take into account the additional level of protection granted by individual company commitments, such as a promise to adhere to the Safe Harbour Principles.
When a DPA or a national court assesses data transfers to the US by a specific company, Article 25(2) of the Directive requires a more focused test than the general test under Article 25(6). In such individual cases, Article 25(2) requires a comparative assessment of “all the circumstances surrounding a data transfer operation.” This includes not only the nature of the data and the purpose and duration of the proposed processing, but also the country of origin and country of final destination, and the rules of law, including general and sectoral rules, as well as professional rules and security measures in the third country.
As a first step, the determination must assess the data protection laws and surveillance laws and practices applied in the particular (exporting) Member State. Under Directive 95/46, it is these laws (rather than the EU legal order as a whole) that establish the actual level of data protection in that Member State.
Second, “the nature of the data” must be assessed. The nature of data can affect the “rules of law, both general and sectoral,” applicable before, and especially after the transfer to the US; as discussed in Part 3.3.1, particular US sectoral protections may apply to the data once they arrive in the US (for example, the Fair Credit Reporting Act (FCRA) for consumer credit reporting data, or the Health Insurance Portability and Accountability Act (HIPAA) for health data). The nature of the data can also affect the risk of surveillance; not all data is the same in this regard, and a large proportion of the 4,000 companies that have relied on the 2000 Safe Harbour Framework do not transfer personal information of types (such as communications) that are targets of surveillance. In addition, some types of records ‒ such as health research ‒ may present strong public interest reasons to permit a transfer due to their potential to better human life, without regard to the risk of surveillance.
111 In the UK, the Information Commissioner’s Office has provided detailed guidance on application of the adequacy assessment with criteria divided into two categories: “general adequacy criteria” and legal adequacy criteria. See Information Commissioner’s Office, Sending personal data outside the European Economic Area (Principle 8), https://ico.org.uk/for-organisations/guide-to-data-
Third, the impact of the transfer of the data to the US is also affected by the location where the data are being transferred, because it can trigger the application of specific state laws in the US. Hence, a thorough determination should assess the privacy and data protections of states with jurisdiction over the data. If the state of destination is California, for example, one of the more than 100 California state level laws containing data protection provisions may apply, as further discussed in Part 3.3.1.
A fourth step is to assess the safeguards, including any Binding Corporate Rules (BCRs) or other contractual clauses, put in place by the company to ensure compliance with the data protection principles set out in Chapter II of Directive 95/46. While, under Article 26(2), such safeguards can – indeed, are intended to – enable data transfers even where the third country does not ensure an adequate level of protection, in the US they serve to reinforce a high level of privacy rules and practice, backed up (as noted in Part 3.3.1) by a vigorous private enforcement climate.
If, as this report concludes, the level of protection in the US in the case of secret surveillance is essentially equivalent to the EU Benchmark, an exporting Member State cannot legitimately argue that the transfer will lower the level of protection without specific evidence as to why the transfer, in the specific situation of that specific company, will expose the data subject to a reduction in the level of protection for their personal data.
And even if the level of protection in the US for the data of that specific company would be lower than the EU Benchmark, a general prohibition on the data flows to the US still could not be imposed without evidence that the level of protection in the exporting Member State itself meets the EU Benchmark, and that the exporting Member State also objects to data transfers to other countries that are in a situation comparable to the US. If these requirements are not met, the exporting Member State would be discriminating against companies that do business with the US, and this would potentially infringe the international commitments discussed below in Part 1.4.3.112
1.4.2 Application Of The “Essentially Equivalent” Test Must Be Based On Correct, Complete, And Accurate Facts
The first requirement for proper application of the “essentially equivalent” test – whether in the general context of Article 25(6) or an individualised determination under Article 25(2) (as discussed above) – is that it is based on facts that are correct, complete, and substantiated. For the European Commission, the obligation to assess thoroughly all of the relevant facts pertaining to all of the factors listed in Article 25(2) of Directive 95/46 was highlighted by the Schrems judgment. Hence, it forms an “essential procedural requirement” within the meaning of the TFEU.113
112 See infra.
113 TFEU, art. 263, para. 2. See, by analogy, CJEU 24 October 2013, Case C-510/11 P, Kone and Others v. European Commission, ECLI:EU:C:2013:696, para. 28, in which the CJEU confirmed the
For supervising authorities, the CJEU confirmed in Schrems that they must act with “all due diligence” when taking decisions pursuant to Article 28 of the Directive.114 Generally, the obligation to carefully establish the relevant facts before taking administrative and judicial decisions affecting citizens and companies is firmly embedded in the legal traditions of all Illustrative Member States, and it is reflected in Article 41 of the Charter and the EU Code of Good Administrative Behaviour.115 Moreover, a failure to establish the relevant facts could contribute to a finding that discrimination is arbitrary or unjustified within the meaning of GATT or GATS.116
The obligation to properly establish the facts means, first, that a determination cannot be based simply on press reports, especially those that have been retracted or proved wrong. Likewise, a determination cannot be based on mere allegations, much less those that have proven to be inaccurate or unsubstantiated. It follows directly from the language of Article 25(2) of the Directive (“the laws in force”), referred to in paragraphs 70 and 75 of Schrems, that the obligation to properly establish the facts also means relying on information that is relevant and not outdated. With regard to the US, this means that all recent changes in the laws and practices in the US must be taken into account:117 every “essentially equivalent” test must be ex nunc.
1.4.3 The “Essentially Equivalent” Test Cannot Result In A Test That Is