On Monday 15 January, the European Commission announced that it was extending the adequacy decisions for the transfer of data between the EU and 11 third countries.
“Cross-border data flows are an integral part of our economy and our daily lives. I am delighted that the 11 countries and territories concerned by this revision have brought their data protection regimes into line with ours”, commented Commissioner for Justice Didier Reynders.
In detail, the European Commission found that Argentina, Andorra, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay had “further aligned their frameworks with the GDPR” or introduced “specific reforms” that “significantly strengthen safeguards for personal data”.
However, for some countries, such as Israel, adjustments have been requested from the relevant authorities, with one European official pointing out that “breaches” had been noted in the protection of sensitive data, particularly ethical data. “The Knesset has adopted an implementing act” to bring its legislation into line with European standards, he added.
“The adequacy decisions are a perfect reflection of the GDPR and previous rulings by the Court of Justice, such as the Schrems and Schrems II rulings” (see EUROPE 12529/2 ; 11404/1), added another European official.
In addition, the European Commission adds, its examination of these evolving documents has enabled it to ensure that the public authorities of the 11 third countries concerned have provided “appropriate guarantees in the area of access to data by public authorities, in particular for law enforcement or national security purposes”.
To date, 16 suitability decisions have been adopted. The most recent ones date from June and July 2023 respectively, with the United Kingdom and the United States, whose previous attempts at adequacy decisions had been rejected by the courts (see EUROPE 13219/11). (Original version in French by Thomas Mangin)