How countries outside the European Union can qualify under the bloc’s new privacy regime as having adequate privacy laws to accept data transfers is the subject of new guidance from EU privacy regulators.
The guidance issued by the Article 29 Working Party of privacy regulators from the 28 EU member countries focuses on how the European Commission, the EU’s executive arm, should assess the adequacy of foreign privacy laws under the new EU General Data Protection Regulation taking effect in May 2018.
Countries, or particular governmental data-sharing programs within a country, will have to aim for the higher user consent, new mandatory data breach notification rule, and other raised standards of the GDPR.
“What is clear is that the guidance seeks to raise the bar with regard to adequacy findings, in that new adequacy findings will have to adhere to a GDPR level standard,” Alex van der Wolk, a privacy partner at Morrison Foerster LLP in Brussels, told Bloomberg Law.
A country’s privacy laws must include, among other things, principles to protect sensitive data; allowable purpose restrictions for using data; limits on how long data may be stored; data security rules; and individual rights to access and correct their collected personal information.
Although laws and implementing rules promising privacy protection are important in determining adequacy, a country must have a strong and efficient privacy enforcement scheme, the guidance stated.
The guidance said that in order to be found adequate, the enforcement regime of a country must have:
- competent independent regulators that monitor and enforce compliance with privacy laws;
- a high degree of accountability and awareness of obligations among companies that control the collection and use of data;
- obligations on companies that collect, control, or process data to demonstrate compliance with the privacy regime; and
- support for individuals seeking to exercise their rights and rapid and effective redress for infringements of those rights.
The bottom line is that countries can’t just talk the privacy talk, they must walk the privacy enforcement walk, Peter Van Dyke, privacy partner at Allen & Overy LLP in Brussels, told Bloomberg Law.
Japan and South Korea are in the process of seeking privacy adequacy approval from the commission.
The Court of Justice of the European Union, the EU’s highest court, has determined that countries must have privacy laws that are “essentially equivalent” to the EU in order for the commission to allow the data of EU citizens to be transferred out of the EU to third countries.
Given the new GDPR standards, it is possible that an earlier adequacy decision could be reversed, Van Dyke said. But even if a country lost its privacy adequacy status, data flows wouldn’t need to stop because companies could rely on other data transfer mechanisms, such as standard contractual privacy clauses approved by the EU, he said.
The EU recognizes the privacy regimes of Andorra, Argentina, Canada, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay as adequate to protect the personal data of EU citizens. In addition, the EU considers data transferred under the EU-U.S. Privacy Shield data transfer pact and certain airline passenger name data transfer agreements to be adequately protected.
The working party guidance said the group will continually monitor the laws of countries that have received an adequacy decision, and the guidance on the adequacy will be continually reviewed and updated when necessary.
To contact the reporter on this story: George Lynch in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com