On January 15, 2024, the European Commission (EC) published its report on 11 adequacy decisions made under the Data Protection Directive. This is the first review of its kind in GDPR times for adequacy decisions that were living their own existence, with not many troubles (leaving the US one aside). A periodic checkup is foreseen in the most recent adequacy decisions (and Japan last review was published in April 2023), but not much was done for the other ones; this is now remedied.

The EC report concluded that the data protection frameworks in each of those countries, territories or sectors have not only maintained, but also further aligned with the (evolving) EU framework, contributing to enhanced protection of personal data within their jurisdictions. Personal data transfers from the European Economic Area (EEA) to Andorra, Argentina, Canada,[1] the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay are healthy and can continue. But there are some recommendations to stay fit and in good shape. Next will be a review of the adequacy decisions with respect to the UK and the US (if not challenged earlier).

Adequacy decisions confirm that a country, a territory or specified sectors offer an adequate level of protection for personal data to flow freely. They play an important role in favoring transfers of personal data from the EU/EEA. We will briefly discuss the main findings of the EC report and their importance for private organizations, but also what the EC will do to broaden what Commissioner Reynders referred to as Europe’s “network of safe and free data flows.”

Background

Adequacy decisions must be considered “living instruments” that need to be reviewed periodically to ensure a consistent level of protection is maintained over the years, while monitoring the data protection developments of the territory at stake. A review was needed to account for the changes to data protection frameworks, but also the consequences of the exponential development of global digital technologies. Finally, substantial elaborations on the assessment criteria of what constitute “essential equivalence” came from the Court of Justice of the EU in the aftermath of the Schrems II case, and needed to be factored in.

Therefore, for each of the countries or territories concerned, the evaluation of the existing adequacy decisions encompassed an examination of the data protection framework and any developments with respect to that legal framework since the adequacy finding was adopted (for some, more than 20 years ago), as well as the rules around government access to data, particularly in the context of law enforcement and national security purposes.

Main Findings

In most instances, the data protection frameworks have continued to align closely with the framework of the EU. The laws around government access to data impose suitable safeguards and limitations to government access to data, as well as include oversight and redress mechanisms.

In two cases (Argentina and Israel), the report includes recommendations on “enshrining in legislation the protections that have been developed at sub-legislative level and by case law.” This is particularly important given the recent introduction of the draft Data Protection Bill to the Argentinian’s Congress and the ongoing legislative reforms in Israel’s Protection of Privacy Law.

For Canada, the EC also included a recommendation to strengthen privacy protections, while the Personal Information Protection and Electronic Documents Act is currently being subject to legislative reform.

Why Are Adequacy Decisions Important?

Free flows of personal data are a key element of doing business in a globalized economy. Adequacy decisions offer a straightforward and comprehensive solution for personal data transfers without the need for the data exporter to provide further safeguards or build arguments on the use of complex and legally uncertain derogations. They facilitate compliance by small and medium enterprises, with the international transfer requirements of the GDPR. They also promote the convergence between privacy systems based on high standards of protection. This means that, in principle at least, it should ease up global business’ data protection compliance, despite a widespread international presence.

Finally, adequacy decisions have established the groundwork for enhanced cooperation and increased regulatory alignment between the EU and likeminded partners. By facilitating the free flow of personal data, these decisions have opened commercial channels for EU operators, including by complementing and amplifying the advantages of trade agreements, as well as simplified cooperation with foreign partners in a broad range of regulatory fields, by increasing trust.

What Comes Next?

The EC confirms that it will continue to monitor developments with the aim of sending a message to the UK. It insists on the fact that it will not hesitate to use the powers granted by Article 45(5) GDPR to suspend, amend or withdraw an adequacy decision should data protection safeguards be impaired. Adequacy, like privacy compliance, is a journey and not an endpoint.

Finally, the EC has confirmed its intention to gather all “adequate” partners in 2024 to strengthen cooperation at an international level for promoting safe and free data flows (including on enforcement cooperation). This is a further step in delivering on a November 2023 announcement made by Commission Reynders; time to play catch up in international data transfer diplomacy? We will know soon enough.

[1] For commercial operators.