Adequacy rebooted: data flows continue after EU Commission review

On Monday, the EU Commission concluded the review of its 11 ‘historic’ adequacy decisions that pre-dated the GDPR, finding that all 11 countries still provide an adequate level of protection for personal data transferred from the EU. The EU Commission’s obligation to carry out this review was written into the text of the GDPR itself and its outcome has been much anticipated. The review was due to be concluded by May 2020 and follows the intense court scrutiny of the US’ adequacy decision in the meantime (see our previous briefing).

The Commission’s review covers each of the 11 countries’ data protection frameworks, any developments to their frameworks since the adequacy decisions were adopted and critically, the rules governing governmental access to personal data (including for law enforcement and national security purposes) in each country, as well as their international commitments. In addition to obtaining information from the relevant authorities in the countries, the Commission also carried out wider research on the functioning of the decisions in practice, speaking to enforcement and oversight bodies as well as local experts.

The result of this process was ‘intense dialogue’ with each of the countries, which the Commission’s report outlines resulted in ‘many’ of the countries modernising and strengthening their privacy legislation through reforms (including Canada, Switzerland and New Zealand), issuing new guidance (e.g. Israel) or clarifying certain privacy rules (including Argentina, Canada, Guernsey and Jersey). The discussions also resulted in additional protections for EU data subjects’ data being put in place. For example, Canada has extended the right of access to public sector data to benefit all individuals (rather than just Canadian nationals or residents) and Israel has created new obligations in relation to EEA data, including around data accuracy, retention and individuals’ rights. As such, rather than simply being a passive ‘review’ of these adequacy decisions, the Commission worked together with the countries to make the necessary changes to ensure they met the required standard[1].

The Commission’s findings will be welcome news to businesses transferring data internationally, as they mean data can continue to flow freely between the EU and Andorra, Argentina, Canada (within the scope of the partial decision), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay without standard contractual clauses or other safeguards being put in place.

More broadly, the outcome of the report will be welcomed by many as demonstrating the flexibility of the EU adequacy standard post-GDPR and Schrems. The Commission’s proactive approach suggests real potential for the expansion of the adequacy list to new countries, such as Brazil (whose data protection authority said last week that it was hoping to start the process towards EU adequacy in 2024). It also provides comfort for organisations transferring data between the UK and Europe, as it gives weight to the UK’s argument in support of the DP reforms - maintaining adequacy seemingly does not require ‘cookie cutter’ equivalent DP laws to the EU after all, but arguably just a willingness to engage proactively with the Commission. 

[1] It is worth noting that in some cases, the update process is ongoing (with new legislation not yet finalised) or it is suggested by the Commission that it could go further – in both cases the Commission has confirmed it will be monitoring developments closely.