Corporations frequently operate on a global scale. International data transfers have thus become essential to the day-to-day running of companies. The easiest mechanism by which this can be regulated is through Adequacy Decisions. These ensure that the business case for international data transfers can continue to occur whilst running in a privacy safe manner.
The European Commission first introduced the adequacy decision under the 1995 Data Protection Directive. Currently, it is established under Article 45 of the GDPR where a transfer of personal data can take place to a third country where the European Commission has decided that it ensures an adequate level of protection. As the adoption of this decision involves a proposal from the European Commission, an opinion of the European Data Protection Board & an approval from EU countries, it is a highly stringent process. Re-evaluation takes place every four years to ensure the data protection standards remain “adequate”. To date, the European Commission has listed 13 “adequate” states.
What does it mean to have an "adequacy decision"?
For many the phrase “adequacy decision” can be artificial, at best. The European Commission has been useful in publishing its judgements and conclusions when deciding whether a certain country is deemed adequate.
The Court of Justice of the European Union has established that an “adequacy decision” does not mean finding an identical or equivalent level of protection. Countries therefore do not need to have the exact same legal recourse or rights outlined or employed by the European Union. The test lies in whether through the substance of data protection rights and the “effective implementation, supervision and enforcement”[1] of these rights, the required level of protection has been delivered.
Importantly, this widens the scope of what it means to be an “adequate” country because it validates the notion that the European Commission is not looking for “identical” data privacy laws but allows each country to retain their data practices’ individuality. In effect, safeguards which create the same level of protection will be sufficient to be considered “adequate”
[1] COMMISSION IMPLEMENTING DECISION of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, p.2
Practical Effects of the Adequacy Decision
Due to the highly stringent process which countries must adhere to, many countries have fallen foul of the European Commission’s data protection standards and thus have been left without adequacy decisions. One might naturally question the importance of an adequacy decision if only a handful of countries are privy to its benefits. However, this would be an incorrect approach.
International data transfers underpin our increasingly connected world. As outlined in the UK government paper of 2021 “International data transfers: building trust, delivering growth and firing up innovation”[2],these transfers are fundamental in building and driving innovation, research, and development across a wide range of sectors.
Not only do many small and large businesses rely on these transfers to ensure stable cash flow through access to a network of consumers or workforce abroad, across the more tech based or digitally intensive sectors, this becomes a necessity. Across the UK, almost 75% of data transfers are with EU countries and thus companies operating across the EU would monopolise the market through a competitive advantage where restrictions on data flows were implemented. Moreover, the EU’s GDP is estimated to represent around one sixth of the global economy and thus transactionally, a lot of the market would be lost by not being able to capitalise on data transfers to the EU.
Importantly, for the day-to-day lives of individuals, international data transfers allow us to remain socially connected to one another. The use of a unified data privacy framework through the implementation of an adequacy decision means that individuals are better protected from nefarious uses of data which occur on a cross-border basis. Countries can thus cooperate through real-time and collaborative data sharing to keep the public safe. The sharing of data for research purposes is also a requirement for substantial and large-scale studies, the impact of which can be hugely beneficial; the sharing of medical studies from across the world for example allows progress to be made in attaining better diagnoses, the development of life-saving treatments and more cost-effective research.
In absence of an adequacy decision, additional contractual, technical, and organisational measures would need to be implemented to ensure that a transfer can take place. For many businesses, this would mean needing to contract a legal counsel to instate contractual protections such as the Standard Contractual Clauses or Binding Corporate Rules. Potentially, some EU countries may decide to stop doing business with UK counterparts as a result of further burden and legal uncertainty.
The European Commission has encouraged other countries’ data protection programmes through leveraging its economic influence and thus the necessity for data transfers into the European Union. Thus, it has become vital for many countries to reach such a decision.
[2] Guidance International data transfers: building trust, delivering growth and firing up innovation, published 26 August 2021
Why does the US not have a privacy shield?
As has been well-established, the GDPR provides a strong level of protection to ensure that businesses keep personal information confidential. The US, however, does not provide such a high level of data protection. This is because businesses have greater freedom to sell the personal information of Data Subjects and the government has greater means to intervene on this basis.
The Privacy Shield acknowledged this disparity where businesses in the US and the EEA can freely share the personal information of European Data Subjects akin to an adequacy decision. Although it did establish a set of requirements within a framework for companies to observe, in Schrems I [3], a claim was put forward about Facebook to argue that the Safe Harbor framework did not protect Schrems’ personal information against the US government interference. The CJEU abolished this principle, stating that allowing the government to have access to electronic communications is a breach of fundamental rights to the respect for private life, thus interfering with European guaranteed human rights.
Schrems I
This case followed on from Max Schrems’ complaint when asking the Irish DPC to suspend data transfers from Facebook Ireland to Facebook Inc due to concerns that the data could be accessed by US intelligence authorities. It was held that the US-EU Safe Harbour Framework was invalid.
Schrems II [4] concluded that the use of Standard Contractual Clauses are a valid safeguard for transfers of personal information with further limitations provided on such transfers. Yet, although this case was regarding the implementation of the SCCs, it decided the Privacy Shield was invalidated on a similar basis to the Safe Harbor previously.
Schrems II
In July 2020, the Court of Justice of the European Union issued its decision on Data Protection Commission v Facebook Ireland, Schrems which invalidated the European Commission’s adequacy decision for the EU-US Privacy Shield.
Through analysing Schrems II further, we can observe that the justification for invalidating the Privacy Shield was on the basis that public authorities can access the personal information of the EEA’s data subjects without limitations which could prevent unruly access by the government, such as by Presidential decree. In addition to this, a judge would not have full, unlimited review of the US authorities’ actions. The ombudsperson implemented in this respect does little to meet the standard needed under the EU Charter of fundamental rights of a “tribunal”.
The GDPR has clearly established a framework for the rights of data subjects to be vindicated however, the US does not similarly provide individuals with an actionable right before the courts. The US Courts cannot therefore ensure an adequate level of protection as rights for data subjects must be effective and enforceable.
Unless there is an alteration of these standards in the US, it seems unlikely that such a Privacy Shield will be granted again.
[3] Schrems v Data Protection Commissioner 62014CJ0362 C‑362/14
[4] Data Protection Commission v. Facebook Ireland, Schrems Case C-311/18, ¶ 105
Bottom Line
Having an adequacy decision makes international data transfers that much easier for companies looking to access the lucrative EU market company and consumer base, thus it would be wise for third countries to meet adequacy.
Adequacy decisions are not set in stone and are reviewed every four years.
To date, thirteen countries have one and the US special case of the Privacy Shield has been revoked.