Ref. Ares(2022)291937 - 14/01/2022
Meeting with
Remote – 29 June 2021 at 15:30
1. Sustainable Corporate Governance
• The Commission is currently
working on the impact assessment with a view to
submitting
a proposal on Sustainable Corporate Governance to the EU co-legislators
later this year (announced in the 2021 Commission work programme).
• We are taking into account
a very broad range of evidence that demonstrates also the
benefits of switching businesses to a more sustainable modus of operation.
• The
aim of the legislative proposal is to
foster sustainability and resilience in corporate
decision-making and in particular to
help companies become environmentally and
socially sustainable. Embedding sustainability into corporate governance would also be
an important
catalyst for a sustainable recovery after the COVID crisis.
• The impact assessment is looking into
three main elements:
o Possible EU-wide rules on
corporate due diligence, to mitigate or prevent adverse
impacts in the
company’s own operations and its value chains.
o How to
clarify that directors have a duty to pursue
long-term value creation and
a
sustainable strategy for their company and
manage sustainability risks.
o Reflections on aligning
directors’ remuneration schemes to ensure that
incentives
support long term sustainability.
• We are looking into whether the
due diligence duty would have to apply across
all
industry sectors or not and how it could be
aligned with internationally recognised
human rights and labour standards and/or international environmental
commitments and EU goals, such as the 2050 climate neutrality objective and the EU’s
biodiversity goals. Ideally, all adverse impacts that can occur throughout the
value chain
should be captured.
• We are exploring how
civil liability can play a role and whether obligations would apply
beyond direct suppliers, as important risks to the environment as well as regards human
rights (e.g. forced labour) tend to materialise in supply chains beyond tier one suppliers.
We are also looking into the potential role of
public authorities and whether the due
diligence rules would
also cover some third-country companies to level the playing
field in the EU market.
• We also aim at ensuring
consistency, in particular, with the recently proposed new
Corporate Sustainability Reporting Directive.
2
Meeting with
Remote – 29 June 2021 at 15:30
2. Investment protection and facilitation initative
• We share the objective of the importance of creating a favourable environment for
investors in the intra-EU context. This will also help the twin transition with digital and
green transition targets.
• Facilitating and promoting intra-EU investments is crucial for the development of the
EU economy, the creation of business opportunities and new jobs. Mobilising private
capital is essential to finance the green and digital transition and the post-Covid
economic recovery.
• As announced in the CMU Action Plan, the Commission has been exploring ways to
further improve the intra-EU investment environment.
• After analysing the evidence and stakeholder contributions, the impact assessment work
is entering its final stage.
• The preparation of the initiative involves the analysis of complex questions, also from a
legal viewpoint and it is too early to comment on its content. We are trying to make it
as attractive as possible with concrete, new elements that will be genuine add-ons
changing the status quo.
• A number of options are being explored, in particular in relation to investors to state
disputes resolution mechanisms – which seems to be a focal point for investors.
• We will have more clarity in the autumn.
• Courts remain a key dispute resolution mechanism under the EU legal framework.
• The Commission work on rule of law and the Justice Scoareboard are the main tools to
address potential shortcomings in the national judicial systems. The options envisaged
in the initiative will be complementary to existing EU judiciary system.
3
Meeting with
Remote – 29 June 2021 at 15:30
3. Rule of Law enforcement
• Respect for the rule of law is of particular importance for the functioning of our Union
and the effective application of EU law.
• Over the past years, we have seen rule of law concerns emerging in certain Member
States. These developments have only made the Commission more convinced of the
importance of using all the instruments at our disposal to uphold the rule of law.
• Therefore, the Commission has gradually developed and used during the last years a
variety of instruments to address these challenges.
The annual Rule of Law Report
• A new tool has been added to the rule of law toolbox last year with the annual Rule of
Law Report.
• It is conceived as a
yearly process, during which
we aim to prevent problems from
emerging or deepening. It also
allows Member States to learn from each other,
through an exchange of best practices.
• The Commission intends to publish the second annual Rule of Law Report in July this
year and preparations are well advanced. It will cover the same four pillars and will in
particular follow-up on the challenges identified in the first Report.
Infringement proceedings
• In critical situations where judicial independence or the independence of regulatory
authorities in a Member State is affected, the Commission can, as the guardian of the
Treaties,
launch infringement proceedings against a Member State, as it did for
example
in the case of Poland.
• In particular, in addition to the several infringement proceedings to safeguard judicial
independence in Poland, the Commission sent on 8 March 2021 a reasoned opinion to
Poland for breaching EU law safeguarding the independence of the national regulatory
authority for telecommunications (NRA), a key principle of the EU's telecom law. More
specifically, the legal provisions amending the Polish Telecommunications Law that
resulted in the early termination of the mandate of the Head of the Polish NRA – the
Office for electronic communications, raise concern.
• The Commission will not hesitate to take further action to launch infringement
proceedings in order to uphold the rule of law and judicial independence.
Article 7 procedures
• Another instrument to react to threats to our values is provided by
Article 7 of the Treaty
on European Union. It establishes a procedure in case of a “clear risk of a serious breach
of the [Union’s] values” or in the case of “the existence of a serious and persistent
breach” of such values.
• The deterioration of the situation of the rule of law in Poland led the Commission to
initiate the procedure under Article 7 TEU in December 2017. In September 2018, the
European Parliament decided to do the same for Hungary. Both Article 7 proceedings are
still ongoing before the Council.
4
Meeting with
Remote – 29 June 2021 at 15:30
4. Prevention of the misuse of European funds (RRF and MFF)
General
• The EU has a sound system in place to ensure that the EU budget is implemented in line
with sound financial management principles.
• Further to recent initiatives such as the new Financial Regulation, the amendment of the
European Anti-Fraud Office (OLAF) Regulation, the Commission Anti-fraud Strategy,
the Commission spearheaded the establishment of the European Public Prosecutor’s
Office (EPPO) and will continue to cooperate with the EPPO to protect the Union budget.
• The Regulation for the new Recovery and Resilience Facility explicitly provides for the
funds to be implemented in accordance with the Conditionality Regulation.
• For the multiannual financial framework and the Recovery and Resilience Facility, the
quality of the beneficiaries’ data to be collected by Member States (including beneficial
ownership data) will be enhanced.
• The Commission will provide Member States with a single data-mining tool that they can
voluntarily use for control and audit purposes, with a view to a generalised application by
Member States.
• In the context of the Recovery and Resilience Facility, Member States must have control
and audit systems in place to ensure compliance with EU and national laws, including to
prevent, detect and correct serious irregularities, and avoid double funding. These systems
are assessed ex ante by the Commission when it looks at the national plans.
• The Commission will also implement its own risk-based control strategy and intervene
where needed during the implementation of Recovery and Resilience Facility.
European Semester & Recovery and Resilience Facility
• In recent years, the Commission has also deployed other instruments to protect the rule of
law in the Union, including measures under the European Semester, the annual cycle for
aligning economic and fiscal policies in the Union. In this context, the Commission has
made several country-specific recommendations on justice reforms in Member States,
which were subsequently adopted by the Council.
• Member States are expected to address these recommendations in their national recovery
and resilience plans. These plans set out the reforms and investments they wish to
implement when spending funds from the EU’s 670 billon euro Recovery and Resilience
Facility.
Rule of Law Conditionality Regulation
• A new Regulation on a general regime of conditionality has been adopted, and applies as
from 1 January 2021. For the first time, the Union will be able to
protect its budget from
breaches of the principles of the rule of law which
affect the EU’s financial interests
in a
sufficiently direct way.
• The
measures that can be proposed under the Regulation include, for instance,
suspension and termination of payments, as well as prohibition of new legal commitments
and financial corrections.
5
Meeting with
Remote – 29 June 2021 at 15:30
• The Commission is fully committed to enforcing the Regulation and
is already
monitoring possible breaches of the rule of law principles that would be relevant under
the Regulation. In parallel, we are also
preparing guidelines to ensure that this
mechanism is applied in fair and objective way.
6
Meeting with
Remote – 29 June 2021 at 15:30
5. Rule of law issues that affect cross-border investments within the EU
• The rule of law is
crucial for the effective functioning of our internal market. Where
judicial systems guarantee the enforcement of rights, creditors are more likely to lend,
firms are dissuaded from opportunistic behaviour, transaction costs are reduced and
innovative businesses are more likely to invest. In other words, the rule of law is
important for a business and investment-friendly environment.
• A study has indicated a
positive correlation between perceived judicial independence
and foreign direct investment flows. Another study has found that a higher percentage
of companies perceiving the justice system as independent by 1% tends to be associated
with higher turnover and productivity growth.
• I would be
very interested to hear your experiences with regard to the business climate
and the situation of the rule of law in the Member States that fall in your area of
competence.
7
Meeting with
Remote – 29 June 2021 at 15:30
6. Transatlantic data flows/Schrems II
• In response to the Schrems II judgment, we have been working on different work streams.
• We recently adopted modernised Standard Contractual Clauses for international data
transfers. These have been fully aligned with the GDPR and adapted to modern business
realities. They also take into account the requirements of the Schrems II judgment and
operationalise the clarifications offered by the Court.
• The new clauses provide companies with a practical toolbox to assist them in their
compliance efforts.
• The standard contractual clauses are the most used tool by European companies for their
international data transfers and finalising the new clauses was therefore a priority for us.
• We will now work together with stakeholders to develop a user-friendly practical guide,
on the basis of questions and answers, to further facilitate the use of these new Clauses.
• Of course, also the new Clauses have to be used in accordance with the Schrems II
judgment and the guidance of the EDPB.
• That is why we worked closely with the Board to ensure consistency between our work.
This is reflected in the final guidance of the EDPB that was adopted two weeks ago,
which is aligned with the approach of the standard contractual clauses.
• When it comes to transatlantic data transfers, the most comprehensive solution remains a
new adequacy decision, which is what we are currently discussing with the US.
• As indicated in my recent statement with US Secretary of Commerce Raimondo,
developing a successor arrangement to the Privacy Shield is a priority for both sides.
• At the same time, it should be clear that there are no shortcuts and there will be no quick
fix. We will only accept a solution that is fully in line with the requirements of Union
law, as interpreted by the Court of Justice in the Schrems II judgment.
• Developing an arrangement that complies with the Schrems II judgment is also the only
way to provide stakeholders on both sides of the Atlantic with the stability and legal
certainty they expect.
8
Meeting with
Remote – 29 June 2021 at 15:30
DEFENSIVES
Transatlantic data flows/Schrems II
We are concerned about calls for data localisation.
• We have repeatedly confirmed the Commission’s commitment to facilitate data flows.
• This is notably reflected in our approach to digital trade in trade negotiations, consisting in
preserving our regulatory autonomy in the area of data protection while prohibiting data
localisation measures. In other words, we should not confuse data protection with digital
protectionism. This is reflected in the recently concluded EU-UK Trade and Cooperation
Agreement, the first trade agreement that contains a straightforward prohibition of data
localisation requirements while stressing the importance of data flows.
• That is also what we continue to pursue in our engagement with international partners in
different fora, including the WTO e-commerce negotiations, where we promote safe and
free data flows. This includes for instance the very promising work at the OECD on
developing global principles for government access – which builds on the Japanese “Data
Free Flow with Trust” initiative – or the conclusion of our adequacy talks with South
Korea.
We are concerned about the uncertainty created by the Schrems II judgment, which is
further fuelled by the very strict guidance of the data protection authorities
• We understand the need for practical guidance and therefore worked closely with the
European Data Protection Board, which issued detailed guidance on 18 June.
• In our own work on standard contractual clauses, which are the most used tool for
international data transfers, we have operationalised some of the clarifications provided by
the Court, which we believe provide a helpful toolbox to assist companies in their
compliance efforts.
• While we were finalising the clauses, we also worked closely together with the EDPB to
ensure consistency between our approaches.
9
Meeting with
Remote – 29 June 2021 at 15:30
10
Meeting with
Remote – 29 June 2021 at 15:30
11
Meeting with
Remote – 29 June 2021 at 15:30
Transatlantic data flows/Schrems II
Negotiations on a successor to the Privacy Shield
Immediately after the invalidation of the Privacy Shield by the Schrems II judgment, the EU
and US expressed strong willingness to work on a new, strengthened framework
1. In a recent
joint press statement, Commissioner Reynders and Secretary of Commerce Raimondo
announced that the EU and US are intensifying their negotiations
2.
While we are seeing a willingness across the Biden administration to engage
, the issues that have to be
addressed are very complex and concern the delicate balance between privacy and national
security. At the same time, the only way to ensure stability of data flows and deliver the legal
certainty stakeholders are expecting is to develop a new arrangement that is fully compliant
with the Schrems II judgment, which may take some time.
At the moment, it is too early to say whether this engagement on US side will translate into
proposals that will allow to comply with the requirements of the Court.
Standard Contractual Clauses
The Standard Contractual Clauses (SCCs) are model data protection clauses that an EU-based
exporter of data and a data importer in a third country can decide to incorporate into their
contractual arrangements (e.g. a service contract requiring the transfer of personal data) and
that set out the requirements related to appropriate safeguards. These SCCs can be used as a
tool for transfer of personal data to countries outside the EU that are not subject to a
Commission adequacy decision. SCCs represent by far the most widely used data transfer
mechanism for EU companies that rely on them to provide a wide range of services to their
clients, suppliers, partners and employees. Their broad use indicates that, through their
standardisation and pre-approval, SCCs are an easy-to-implement tool for businesses to meet
data protection requirements in a transfer context and are of particular benefit to companies,
especially the SMEs, that do not have the resources to negotiate individual contracts with
each of their commercial partners. The SCCs are of general nature and are not country
specific.
The SCCs that had been adopted under the previous data protection regime (the Data
Protection Directive) had to be modernised and on 4 June 2021, the Commission adopted
new SCCs. Compared to the previous ones, the modernised SCCs:
• Have been updated in line with new GDPR requirements;
• Provide one single entry-point covering a broad range of transfer scenarios, instead of
separate sets of clauses;
• Provide more flexibility for complex processing chains, through a ‘modular approach'
and by offering the possibility for more than two parties to join and use the clauses;
• Contain a practical toolbox to comply with the Schrems II judgment.
For controllers and processors that are currently using previous sets of standard contractual
clauses, a transition period of 18 months is provided.
EDPB Recommendations on supplementary measures
1 https://ec.europa.eu/info/news/joint-press-statement-european-commissioner-justice-didier-reynders-and-us-
secretary-commerce-wilbur-ross-7-august-2020-2020-aug-07 en.
2 https://ec.europa.eu/commission/presscorner/detail/en/statement 21 1443.
12
Meeting with
Remote – 29 June 2021 at 15:30
On 18 June, the
EDPB adopted the final version of its ‘Recommendations on measures that
supplement transfer tools to ensure compliance with the EU level of protection of personal
data’, which provide an overview of the steps companies have to take following the Schrems
II ruling when using tools such as standard contractual clauses. This is the version
after the
public consultation, which ended in December.
The
main change in the recommendations (compared to the version that was published in the
fall) concerns the approach of the EDPB to the
factors that companies can take into
account when assessing whether sufficient protections are in place for their transfers.
According to the first version of the recommendations, this assessment would only have to
take into account the scope of relevant laws in the third country of destination, i.e. whether
the data importer would be subject to those laws. This would have meant that data importers
that fall within the scope of third country legislation but in practice never receive government
access requests would still need to put in place supplementary measures, or would no longer
be able to receive data from the EU. This was heavily criticised by stakeholders, who
expressed a preference for the approach of the draft SCCs (as they were published in
November), which included the relevant practical experience of companies with prior
requests (or the absence thereof) as one of the factors to be taken into account in this
assessment. The
final version of the recommendations contains more nuanced wording,
allowing companies to take into account their practical experience with government
access requests. The language is
overall aligned with the approach in the final SCCs.
The language of the recommendations has
also been nuanced on several other aspects, e.g.
on some of the so-called ‘use cases’, i.e. examples of situations for which the EDPB has
identified/has not managed to identify possible supplementary measures. For example, the
revised recommendations no longer contain an example that requires companies transferring
data to countries benefiting from an adequacy decision to put in place supplementary
measures if their data would be ‘routed’ via a another third country where it may be subject
to disproportionate government access.
At the same time, the two ‘negative’ use cases, i.e. examples of situations where the EDPB
was not able to identify any solution that would allow companies to continue transferring
personal data to a third country where it would be subject to disproportionate government
access,
have been maintained. These examples were
heavily criticised by stakeholders, as
they concern two scenarios that are very common in the commercial sector. First, the scenario
where EU companies use cloud providers (or other service providers) in a third country that
need to have access to ‘clear’, unencrypted data. Second, the scenario where an EU company
shares clear, unencrypted data with a commercial partner outside the EU for common
business purposes (e.g. within a corporate group).
However, given that the final
recommendations allow companies to take into account their practical experience,
companies
in those scenarios will now be provided with more flexibility and could still transfer data if
they conclude that the data importer/the transferred data will in practice not be subject to
government access requests (whereas under the first version, such data transfers could never
take place as long as the non-EU company fell within the scope of disproportionate
surveillance laws, regardless of whether or not access requests are received in practice).
13
Meeting with
Remote – 29 June 2021 at 15:30
14
