Answer given by Ms Jourová on behalf of the Commission
The Commission would like to recall that the standard for an adequacy finding is to ascertain that the third country ensures ‘a level of protection (…) that is essentially equivalent to that guaranteed within the European Union (…)’(1). By referring to a standard of ‘essential equivalence’ (rather than identical) and by stating that ‘the means to which that third country has recourse (…) may differ from those employed by within the European Union’(2), the Court of Justice made clear that this does not require the third country in question to have data protection rules which are a ‘photocopy’ of the EU system.
What matters therefore is not whether each individual provision in EC law is reflected in the third country's legal order.
It should also be noted that the General Data Protection Regulation (GDPR) rests on the same core principles, rights and obligations as Directive 95/46/EC. The Privacy Shield framework already reflects these core elements.
The Commission has nevertheless made it clear, in the Privacy Shield adequacy decision (Recital 146 in fine), that it will assess whether there might be a need to adapt the decision in the light of the entry into application of the GDPR (for instance with respect to the rules on automated decision-making, Recital 25 of the decision).
This will also form part of the discussions with the U.S. authorities in the context of the annual review planned for the second half of 2017.