The European Commission published a report reviewing 11 of 16 existing data protection adequacy agreements to facilitate data transfers, finding each adequacy partner "continues to benefit from adequate data protection safeguards." The reviews confirmed data protection standards in Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay are unchanged or have been amended in a way that satisfies equivalency to the EU General Data Protection Regulation.
The GDPR calls for the Commission to conduct periodic reviews of adequacy decisions. The Commission indicated its reviews focused on "developments in the countries and territories' data protection frameworks since the adoption of the adequacy decisions, and also assessed the rules in place on government access to data for law enforcement and national security purposes."
European Commissioner for Justice Didier Reynders forecasted the report during his keynote speech at the IAPP European Data Protection Congress in November 2023. In a statement, Reynders welcomed the positive reviews while noting countries "have brought their data protection regimes even closer to ours."
"Our adequacy decisions form the world’s broadest network of safe and free data flows. We will step up our engagement with international partners to develop this network even further," he added.
Hogan Lovells Partner Eduardo Ustaran, CIPP/E, said the report reflects how data protection is "always work in practice," for countries and organizations, and the Commission's understanding that "data protection regimes are evolving should be seen as an opportunity to improve things."
While the Commission's report acknowledged countries "have further converged with the EU's framework and strengthened protection of personal data in their jurisdictions," there was also recognition of ongoing legislative reform for some adequacy partners. The review generated recommendations for "enshrining in legislation the protections that have been developed at sub-legislative level and by case law," particularly in the cases of Argentina, Canada and Israel.
Argentina Agency of Access to Public Information Director Beatriz Anchorena issued a statement on the EU-Argentina adequacy review, noting how it "ratifies the work that we have been doing at the AAIP to harmonize our regulatory framework with the highest international standards." She added the reaffirmation of adequacy "is an important step" as it relates to updates on to the Personal Data Protection Law updates, which are being debated by the National Congress of Argentina.
The AAIP gave a window into some of the factors behind the Commission's decision to uphold adequacy. The independence of the AAIP was a "central" factor while Argentina's participation in the Council of Europe's Convention 108+ was important given that it provides "the only legally binding multilateral instrument that aims to protect the privacy of individuals against possible abuses in the processing of their data."
Israel's adequacy with the EU follows a similar methodology, according to Or-Hof Law owner Dan Or-Hof, CIPP/E, CIPP/US, CIPM, FIP. He said the Commission's determination "is based on guidelines published by the Privacy Protection Authority and on caselaw."
The PPA produced a wealth of pertinent Privacy Protection Law guidance in 2023, including explicit guidelines for European Economic Area data transfers. The authority also covered employee biometric and location data handling, and the right of access.
Or-Hof added that rescinding adequacy or threatening as much while legislative reform is ongoing may present as "pressure" to fast-track legislation.
"Israel has put tremendous efforts to satisfy the EU, with new regulations, government decisions and years of discussions," He said. "However, there are still considerable gaps between the GDPR and the PPL, and at the same time Israeli laws include provisions that do not exist under the GDPR, especially concerning cybersecurity."
The circumstances around Argentina and Israel's adequacy further prove the EU's standards for equivalence do not correlate with a framework identical to the GDPR.
"A crucial aspect to appreciate is that the principle that a legal framework does not need to be a carbon copy to create appropriate protections is still valid as far as the Commission is concerned," Hogan Lovells' Ustaran said. "This is key because it is aligned with the idea that it should be possible to have interoperable systems, even if they emanate from different legal traditions and frameworks."
Reviews for decisions with the Japan, South Korea, the U.K. — one for commercial entities under the GDPR and another under the EU Law Enforcement Directive — and the U.S. were not included in the report. Notably, the U.K. decision is likely to be revisited once the U.K. General Data Protection Regulation is reformed or replaced while the U.S. decision under the EU-U.S. Data Privacy Framework is expected to be challenged in EU courts.
The reviews may signal the start of a fresh EU data transfer initiative to come in 2024. Reynders told DPC 2023 attendees last November that the Commission was engaging on "several" potential adequacy decisions "with like-minded partners," including dialogues in Brazil and California. He also alluded to a potential 2024 conference bringing together the EU and its 16 adequacy partners to discuss the broader international data transfer landscape.
If you want to comment on this post, you need to login.