Commission decisions on the adequacy of the protection of personal data in third countries

Overview

The Council and the European Parliament have given the Commission the power to determine, on the basis of Article 25(6) of directive 95/46/EC whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. The adoption of a (comitology) Commission decision based on Article 25.6 of the Directive involves:

• a proposal from the Commission;

• an opinion of the group of the national data protection commissioners (Article 29 working party);
• an opinion of the Article 31 Management committee delivered by a qualified majority of Member States;
• a thirty-day right of scrutiny for the European Parliament, to check if the Commission has used its executing powers correctly. The EP may, if it considers it appropriate, issue a recommendation;
• the adoption of the decision by the College of Commissioners.

The effect of such a decision is that personal data can flow from the 27 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary .

The Commission has so far recognized Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey, the US Department of Commerce's Safe harbor Privacy Principles, and the transfer of Air Passenger Name Record to the United States' Bureau of Customs and Border Protection as providing adequate protection.

AD - Andorra

• Commission Decision C(2010) 7084 of 19 October 2010 - OJ L 277/27, 21.10.2010
• Opinion 7/2009   on the level of protection of personal data in the Principality of Andorra

Top

AR - Argentina

• Commission Decision   C(2003) 1731 of 30 June 2003 - OJ L 168, 5.7.2003
• Opinion 4/2002   of the Art. 29 Working Party

Top

AU - Australia

• Council Decision 2008/651/CFSP/JHA of 30 June 2008 on the signing, on behalf of the European Union, of an Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian Customs Service; OJ L213 of 08/08/2008, p.47-48
• AGREEMENT between the European Union and Australia on the processing and transfer of European Union sourced passenger name record (PNR) data by air carriers to the Australian customs service; OJ L213 of 08/08/2008, p.49-57

Top

CA - Canada

• COMMISSION STAFF WORKING DOCUMENT   : The application of Commission Decision 2002/2/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documentation Act
• COUNCIL DECISION   of 18 July 2005 on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of API/PNR data
• COMMISSION DECISION of 6 September 2005 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the Canada Border Services Agency
• Opinion 1/2005   on the level of protection ensured in Canada for the transmission of Passenger Name Record and Advance Passenger Information from airlines (19.1.2005)
• Opinion 3/2004   on the level of protection ensured in Canada for the transmission of Passenger Name Records and Advanced Passenger Information from airlines (11.2.2004)
• Frequently Asked Questions   on the Commission's adequacy finding on the Canadian Personal Information Protection and Electronic Documents Act (March 2002)
• Commission Decision 2002/2/EC of 20.12.2001 on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act - O.J. L 2/13 of 4.1.2002
• Opinion 2/2001 of the Art. 29 Data Protection Working Party

Top

CH - Switzerland

• Report   on the application of Commission Decision 2000/518/EC of 26 July 2000 pursuant to Directive 95/46/EC
• Commission Decision 2000/518/EC of 26.7.2000 - O. J. L 215/1 of 25.8.2000
• Opinion 5/99 of the Art. 29 Data Protection Working Party

Top

FO - Faeroe Islands

• Commission Decision of 5 March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data (notified under document C(2010) 1130) - OJ L58, 09.03.2010, p.17-19
• Opinion 9/2007   of the Art. 29 Data Protection Working Party

Top

GG - Guernsey

• Commission Decision of 21 November 2003 on the adequate protection of personal data in Guernsey - OJ L 308, 25.11.2003
• Opinion 5/2003   of the Art. 29 Working Party

Top

IL - State of Israel

• COMMISSION DECISION 2011/61/EU of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data (notified under document C(2011) 332), OJ L 27, 1 February 2011, p. 39
• 2011 Non-legislative acts International agreements
• Opinion 6/2009   on the level of protection of personal data in Israel of the Art. 29 WP

Top

IM - Isle of Man

• Commission Decision 2004/411/EC of 28.4.2004 on the adequate protection of personal data in the Isle of Man, OJ L 151, 30 April 2004, p. 48
• Opinion 6/2003   of the Art. 29 Working Party

Top

JE - Jersey

• Commission Decision of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey (notified under document number C(2008) 1746) - OJ L 138, 28.05.2008
• Opinion 8/2007   of the Art. 29 Working Party

Top

US - United States - Transfer of Air Passenger Name Record (PNR) Data

• Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement)
• Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement)
  Signed in Brussels, 23 July 2007 and in Washington, 26 July 2007
• Agreement   between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security
  Signed in Washington on 19.10.2006
• Letter   from the 'US Department of Homeland Security' (PNR interpretations)
• Reply   by the Council Presidency and the Commission to the letter from the USA's Department of Homeland Security
• Council decision   2006/729/CFSP/JHA
• Commission Staff Working Paper on the Joint Review of the implementation by the U.S. Bureau of Customs and Border Protection of the Undertakings set out in Commission Decision 2004/535/EC of 14 May 2004 (Redacted version - 2005)
• European Court of Justice judgment   on Passenger Name Records: The court annuls the council decision concerning the conclusion of an agreement between the European Community and the United States of America on the processing and transfer of personal data and the Commission decision on the adequate protection of those data
• Opinion 8/2004   on the information for passengers concerning the transfer of PNR data on flights between the European Union and the United States of America (30.9.2004)
• Agreement   between the European Community and the United States of America on the processing and transfer of PNR data by air carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection
  Signed in Washington on 28.5.2004
• Council Decision of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (2004/496/EC)
• Commission Decision of 14 May on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States' Bureau of Customs and Border Protection
• Commission secures guarantees for protecting personal data of transatlantic air passengers (17.5.2004)
• Opinion 2/2004   on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection (US CBP) (2.2.2004)
• Letter   from Commissioner Bolkestein to US Secretary Tom Ridge, Department of Homeland Security, 18.12.2003
• Communication from the Commission to the Council and the Parliament of 16.12.2003  
• Speech by Commissioner Bolkestein of 16.12.2003

Top

NZ - New Zealand

• Commission Implementing Decision of 19 December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand (notified under document C(2012) 9557) Text with EEA relevance - OJ L 28, 30.01.2013
• Opinion 11/2011   of the Art. 29 Working Party

Top

US - United States - Safe Harbor

• Letter from United States Department of the Treasury regarding SWIFT/Terrorist Finance Tracking Programme, 28 June 2007, OJ C 166, 20.07.2007
• Processing of EU originating Personal Data by United States Treasury Department for Counter Terrorism Purposes - 'SWIFT', OJ C 166, 20.07.2007
• Reply from European Union to United States Treasury Department - SWIFT/Terrorist Finance Tracking Programme
• Statement issued by the French delegation on the occasion of the Council Decision authorising the Presidency to sign the draft reply to the letter from the US Secretary of the Treasury regarding access to SWIFT data
• Information about the EU Data protection Panel established under the Safe Harbour Decision and standard complaint forms:
  • Information about the EU Data protection Panel  
  • Standard complaint form(75 KB)    
    • Address for complaints: Commission européenne, Directorate General Justice, Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Data Protection Panel, B-1049 Brussels, Belgium, Telephone: (32-2) 299 11 11, Fax: (32-2) 298.80.94, email: ec-dppanel-secr@ec.europa.eu
  • EU Data Protection Panel - Internal Operating Procedures(44 KB)  
  • EU Data Protection Panel Authorities under FAQ 5(80 KB)  
  • EU Data Protection Panel Authorities for Employee Data (FAQ 9)(78 KB)  
  • EU Data Protection Panel Payment of Annual Fee by SH organisation(29 KB)  
• Commission Staff Working Document - The implementation of Commission Decision 520/2000/EC on the adequate protection of personal data provided by the Safe Harbour privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce
  SEC(2004)1323   
• The application of Commission Decision 520/2000/EC of 26 July 2000 pursuant to Directive 95/46 of the European Parliament and of the Council on the adequate protection of personal data provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce 14.02.2002  
• Commission Decision 2000/520/EC of 26.7.2000 - O. J. L 215/7 of 25.8.2000: Corrigendum and Decision
• Report on the Draft Commission Decision from the European Parliament  
• Opinion 4/2000 on the level of protection provided by the "Safe Harbor Principles"
• Opinion 3/2000 on the EU/US dialogue concerning the "Safe harbor" arrangement
• Opinion 7/99 on the Level of Data Protection provided by the "Safe Harbor" Principles as published together with the Frequently Asked Questions (FAQs) and other related documents on 15 and 16 November 1999 by the US Department of Commerce
• Working document on the current state of play of the ongoing discussions between the european Commission and the United States Government concerning the "International Safe Harbor Principles"
• Opinion 4/99 on the Frequently Asked Questions to be issued by the US Department of Commerce in relation to the proposed "Safe Harbor Principles"on the Adequacy of the "International Safe Harbor Principles"
• Opinion 2/99 on the Adequacy of the "International Safe Harbor Principles" issued by the US Department of Commerce on 19th April 1999
• Opinion 1/99 concerning the level of data protection in the United States and the ongoing discussions between the European Commission and the United States Government
• US Department of Commerce - Safe Harbor website
  • Safe Harbor List of Companies

 

Top

UY - Eastern Republic of Uruguay

• Commission Decision C(2012) 5704 of 21 August 20102- OJ L 227/11, 23.08.2012
• Opinion 6/2010(85 KB)   of the Art. 29 Working Party

 

 

Top

Press releases

• 08.05.2008 Data protection: Commission recognises that Jersey provides adequate protection for personal data   European Court of Justice judgment on Passenger Name Records: The court annuls the council decision concerning
• 30.05.2006 the conclusion of an agreement between the European Community and the United States of America on the processing and transfer of personal data and the Commission decision on the adequate protection of those data  
• 02.07.2003 The Commission recognises adequacy of the Argentine regime
• 12.03.2003 Airline passenger data transfers from the EU to the United States (Passenger Name Record)
  Frequently asked questions
• 28.02.2002 How will the "Safe Harbor" arrangement for personal data transfers   to the US work
• 14.01.2002 The commission recognises adequacy of Canadian regime
• 13.07.2000 Frits Bolkestein tells Parliament Committee he intends to formally approve "safe harbor"arrangement with US on data protection
• 15.03.2000 Draft package agreed for protection of data transferred from EU to US
• 24.02.2000 Significant progress made at February 21/22 talks on facilitating EU/US data transfers
• 21.06.1999 Joint Report on Data Protection Dialogue to the EU/US Summit, 21 June 1999
• 17.06.1999 EU/US-Data Protection dialogue - 14 June meeting of EU Member States
• 10.12.1998 Technical Briefing for journalists on Data Protection -EU/US Dialogue