
Article 1 
Decision 2000/518/EC is amended as follows:

((1)) Article 3 is replaced by the following:
'
Article 3 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to Switzerland in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.';
((2)) the following Article 3a is inserted:
'
Article 3a 

1. The Commission shall, on an ongoing basis, monitor developments in the Swiss legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether Switzerland continues to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in Switzerland fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by Swiss public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to in paragraphs 2 and 3 of this Article, the Commission shall inform the competent Swiss authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 2 
Decision 2002/2/EC is amended as follows:

((1)) Article 3 is replaced by the following:
'
Article 3 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to a recipient in Canada whose activities fall under the scope of the Canadian Personal Information Protection and Electronic Documents Act in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.';
((2)) the following Article 3a is inserted:
'
Article 3a 

1. The Commission shall, on an ongoing basis, monitor developments in the Canadian legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether Canada continues to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in Canada fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by Canadian public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations covered by paragraphs 2 and 3 of this Article, the Commission shall inform the competent Canadian authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 3 
Decision 2003/490/EC is amended as follows:

((1)) Article 3 is replaced by the following:
'
Article 3 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to Argentina in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.';
((2)) the following Article 3a is inserted:
'
Article 3a 

1. The Commission shall, on an ongoing basis, monitor developments in the Argentinian legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether Argentina continues to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in Argentina fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by Argentinian public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to in paragraphs 2 and 3 of this Article, the Commission shall inform the competent Argentinian authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 4 
Articles 3 and 4 of Decision 2003/821/EC are replaced by the following:
'
Article 3 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to the Bailiwick of Guernsey in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.
Article 4 

1. The Commission shall, on an ongoing basis, monitor developments in the Guernsey legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether Guernsey continues to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in Guernsey fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by Guernsey public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to in paragraphs 2 and 3 of this Article, the Commission shall inform the competent Guernsey authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 5 
Articles 3 and 4 of Decision 2004/411/EC are replaced by the following:
'
Article 3 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to the Isle of Man in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.
Article 4 

1. The Commission shall, on an ongoing basis, monitor developments in the legal order of the Isle of Man that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether the Isle of Man continues to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in the Isle of Man fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by public authorities of the Isle of Man responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to in paragraphs 2 and 3 of this Article, the Commission shall inform the competent Isle of Man authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 6 
Articles 3 and 4 of Decision 2008/393/EC are replaced by the following:
'
Article 3 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to Jersey in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.
Article 4 

1. The Commission shall, on an ongoing basis, monitor developments in the Jersey legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether Jersey continues to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in Jersey fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by Jersey public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to in paragraphs 2 and 3 of this Article, the Commission shall inform the competent Jersey authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 7 
Articles 3 and 4 of Decision 2010/146/EU are replaced by the following:
'
Article 3 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to a recipient in the Faeroe Islands whose activities fall under the scope of the Faroese Act on Processing of Personal Data in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.
Article 4 

1. The Commission shall, on an ongoing basis, monitor developments in the Faeroese legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether the Faeroe Islands continue to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in the Faeroe Islands fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by Faeroese public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to paragraphs 2 and 3 of this Article, the Commission shall inform the competent Faeroese authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 8 
Articles 3 and 4 of Decision 2010/625/EU are replaced by the following:
'
Article 3 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to Andorra in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.
Article 4 

1. The Commission shall, on an ongoing basis, monitor developments in the Andorran legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether Andorra continues to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in Andorra fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by Andorran public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to in paragraphs 2 and 3 of this Article, the Commission shall inform the competent Andorran authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 9 
Articles 3 and 4 of Decision 2011/61/EU are replaced by the following:
'
Article 3 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to the State of Israel in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.
Article 4 

1. The Commission shall, on an ongoing basis, monitor developments in the Israeli legal order that could affect the functioning of this decision, including developments concerning access to personal data by public authorities, with a view to assessing whether the State of Israel continues to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in the State of Israel fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by Israeli public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to in paragraphs 2 and 3 of this Article, the Commission shall inform the competent Israeli authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 10 
Articles 2 and 3 of Implementing Decision 2012/484/EU are replaced by the following:
'
Article 2 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to the Eastern Republic of Uruguay in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.
Article 3 

1. The Commission shall, on an ongoing basis, monitor developments in the legal order of the Eastern Republic of Uruguay that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether the Eastern Republic of Uruguay continues to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in the Eastern Republic of Uruguay fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by Uruguayan public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to in paragraphs 2 and 3, the Commission shall inform the competent Uruguayan authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 11 
Articles 2 and 3 of Implementing Decision 2013/65/EU are replaced by the following:
'
Article 2 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to New Zealand in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.
Article 3 

1. The Commission shall, on an ongoing basis, monitor developments in the New Zealand legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether New Zealand continues to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in New Zealand fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by New Zealand public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to in paragraphs 2 and 3 of this Article, the Commission shall inform the competent New Zealand authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.'.
Article 12 
This Decision is addressed to the Member States.
Done at Brussels, 16 December 2016.
For the Commission
Věra JOUROVÁ
Member of the Commission