ARTICLE 29 DATA PROTECTION WORKING PARTY
1SANK0H
1SANK0H
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
1.1 General comments<br />
1.1.1 Scope of the WP<strong>29</strong>’s assessment<br />
The WP<strong>29</strong> first of all took into account the applicable data protection framework in the<br />
Member States of the European Union, including Article 8 of the European Convention on<br />
Human Rights (hereinafter: ECHR) protecting the right to private and family life as well as<br />
Articles 7, 8 and 47 of the Charter of Fundamental rights of the European Union (hereinafter:<br />
the Charter) respectively protecting the right to private and family life, the right to protection<br />
of personal data and the right to an effective remedy and fair trial. It also took into<br />
consideration the relevant jurisprudence, as well as the requirements of the Directive.<br />
The requirement for a third country to ensure an adequate level of data protection was further<br />
defined by the CJEU in Schrems. The Court did not only explain that the provisions of the<br />
Directive must be interpreted “in the light of the fundamental rights guaranteed by the<br />
Charter” 3 and in particular Articles 7 and 8. It also indicated that the wording ‘adequate level<br />
of protection’ must be understood as “requiring the third country in fact to ensure, by reason<br />
of its domestic law or its international commitments, a level of protection of fundamental<br />
rights and freedoms that is essentially equivalent to that guaranteed within the European<br />
Union by virtue of the Directive read in the light of the Charter” 4 . For the former Safe<br />
Harbour decision, such an assessment has never been made with a sufficient level of detail.<br />
The WP<strong>29</strong> therefore assessed the draft adequacy decision in light of the requirement to<br />
provide an analysis of the level of protection of fundamental rights and freedoms being<br />
essentially equivalent to that guaranteed within the EU. The WP<strong>29</strong> stresses this opinion<br />
contains its principal concerns, but that given the limited time that has passed since the draft<br />
adequacy decision was published further issues may be discovered at a later date.<br />
The WP<strong>29</strong> acknowledges that by defining the word ‘adequate’ in Article 25(6) of the<br />
Directive as ‘essentially equivalent’, the CJEU further detailed adequacy in the Schrems case.<br />
The Court has underlined that the term ‘adequate level of protection’, although not requiring<br />
the third country to ensure a level of protection identical to that guaranteed in the EU legal<br />
order, must be understood as requiring the third country in fact to ensure, by reason of its<br />
domestic law or its international commitments, a level of protection of fundamental rights and<br />
freedoms that is essentially equivalent to that guaranteed within the European Union by virtue<br />
of the Directive read in the light of the Charter.<br />
1.1.2 The assessment of the commercial part of the draft adequacy decision<br />
The WP<strong>29</strong> has already explained the way it applied the core EU data protection principles to<br />
transfers of personal data to third countries in its Working Document 12 ‘Transfers of<br />
personal data to third countries: Applying Articles 25 and 26 of the EU data protection<br />
directive’ 5 . The WP<strong>29</strong> tried to find the equivalent safeguards which ensure a level of<br />
3 Schrems, §38<br />
4 Schrems, §73<br />
5 Adopted by the WP<strong>29</strong> on 24 July 1998, see in particular page 6<br />
10