Abstract

The regime on transborder data flows set down in the European Union (EU) data protection acquis provides for a variety of tools legitimising the transfer of personal data toward third countries and international organisations. Specifically, it addresses the following legal aspects: adequacy decisions, appropriate safeguards and derogation clauses. So far, the relationship between adequacy decisions and international agreements concluded by the EU and/or its Member States has not been clarified from a legal perspective. This leaves the choice of one instrument or another at the mercy of the colegislators. This analysis examines the interrelationship between the EU’s treaty-making power based on external (implied) competence on the protection of personal data and the free movement of such data – namely Article 16 of the Treaty of the Functioning of the EU (TFEU) – and the European Commission’s implementing powers, which is exercised through the adoption of adequacy decisions. The aim is to explain the adequacy decision/legally binding (enforceable) instrument interconnection. This could lead to limiting the discretion of the co-legislators. In this respect, the theory on implied powers applicable to international organisations and the relevant case law of the Court of Justice of the EU are duly taken into account