With the entry into force of Directive 95/46/EC, the EU based its approach toward data transfers on adequacy decisions, unilateral acts of the European Commission, issued as implementing acts. The EU co-legislators subsequently copied this model into the GDPR and the LED. Since the very beginning, the adequacy procedure involves a comitology phase in which a committee consisting of representatives of Member States expresses its opinion about the Commission's draft implementing act. I argue that adequacy, designed as a technical process, evolved into a tool in which politics, including economic relations and commercial interests, play an ever-greater role. This goes against the concept of comitology, the legitimacy of which is built on denying the political nature of what is delegated. Taking into account the above, as well as other shortcomings of the EU adequacy model, I argue that it is the right time to rethink it. There is also the need for a separate discussion regarding the role of the Article 93 Committee in the adequacy procedure, to be conducted together with the debate on the role and accountability of the European Commission.
Read full abstract