Greetings from snowy Brussels. It has been about 10 years since the EU capital was last properly covered in white. This week was worth the wait. This might also be the thought of the 11 countries and territories subject to a data protection adequacy decision, as the European Commission published this week its long-awaited review of their existing adequacy agreements.
"In its report, the Commission finds that personal data transferred from the European Union to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, continues to benefit from adequate data protection safeguards," a press release said.
The 339-page annex contains individual country reports, highlighting how the European Commission integrated the "Schrems II" ruling by the Court of Justice of the European Union in its evaluation grid. Indeed, these adequacy decisions all long predate the past few years of intense debate of U.S., and to a lesser extent, U.K. arrangements.
The report confirms adequacy is a living mechanism, as well as a powerful tool for the EU to further coalesce international partners around its vision on data flows and privacy cooperation in 2024. It formalizes the message delivered by EU Commissioner for Justice Didier Reynders at the IAPP European Data Protection Congress last November: the European Commission will organize a global conference in 2024, inviting other jurisdictions around the world that have adequacy capabilities to advance global collaboration. According to IAPP research, 74 jurisdictions vest powers in either a data privacy regulator or government authority to designate other jurisdictions as having "adequate" data privacy standards.
Another report in waiting came out this week from the European Data Protection Board after 25 EU and European Economic Area data protection authorities spent a year conducting inquiries and analysis of the role, designation and position of data protection officers across the continent. The report finds that although the overall results are encouraging, the role and recognition of DPOs must be strengthened.
This effort was launched in March 2023 under the EDPB's Coordinated Enforcement Framework. Adopted in 2020, the CEF aims to streamline cooperation and enforcement among European DPAs by conducting a yearly coordinated action that covers a specific pre-agreed topic. In 2022, the first-ever action analyzed the use of cloud services by the public sector.
Over 2023, the focus turned to DPOs. IAPP research found 700,000 organizations have a DPO registered across Europe.
Participating DPAs gathered information based on a jointly drafted questionnaire to determine whether the designation, legal status and tasks of the DPOs in Europe conform to the requirements set under Articles 37-39 of the EU General Data Protection Regulation, and whether the resources allotted to carry out their tasks are adequate.
The report highlights seven recommendations and areas of focus. Among others, it clearly identifies a need to increase the resources allocated to DPOs, not only in terms of budget but also time. It attests that it is becoming increasingly difficult for DPOs to keep up to date with developments and trainings, especially with the introduction of new EU legislation in the digital field, including on artificial intelligence, which often results in an expanded DPO role. The report also reveals that some organizations may lack an understanding of the DPO role as required by the GDPR and are consequently poorly assigning tasks that lead to questions regarding DPO independence and conflict of interest.
The report suggests possible solutions to address the challenges identified, including the need for more guidance from DPAs and the EDPB for DPOs and organizations to fully comprehend the role.
The report's publication does not close the chapter for action on this topic. On the contrary, work is ongoing as its results provide guidance for deciding whether any specific areas require follow-up action at both national and EU levels. At the very least, this year's action encouraged the majority of participating DPAs to consider providing further guidance concerning DPOs.