Recent media coverage has brought to light the internal deliberations of the Government of Canada regarding the possible impact of the entry into force in 2018 of the GDPR on Canada’s adequacy status to receive personal data from the European Union (EU). Ten other countries, and the businesses in those countries, should examine the same question: Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. The EU-US Privacy Shield, to which U.S. companies may self-certify, has received adequacy status.
Two issues arise: i) since the provisions of the new GDPR are stricter than the current European regime with which these eleven States have been deemed adequate, will adequacy survive the coming into force of the new GDPR? And, ii) now that adequacy may be repealed, how should governments or business prepare in that regard?
The following seeks to summarize what to watch for and how to weather this significant, yet still ill-defined legal development.
- Why is adequacy status important?
European privacy law prohibits the transfer of personal data outside of the EU, except to states that have been recognized as providing adequate privacy protection (GDPR, Chapter V). “Non-adequate” states may only receive EU data under onerous conditions, namely:
- Individual consent, and even then this is not valid for employee information as the employer-employee relationship is one of authority which defeats the assurance of “free” consent; or,
- Standard model clauses, adopted by the European Commission, that bind the parties to the same level as European data protection law and submit the party receiving the data to audits by the party transferring the data; or,
- Binding Corporate Rules, which apply within “a group of enterprises engaged in a joint economic activity” (Article 43.1) and bind the companies within the group to the European standards of privacy law.
Non-EU states that have been recognized as providing adequate protection for privacy may receive transfers of personal data from Europe without “any specific authorization.” (Article 41.1)
With a European market of 500 million, this is a critical economic advantage.
- How is a State considered adequate?
Article 41.2 of the GDPR summarizes the conditions for adequacy:
- Respect for “the rule of law, human rights and fundamental freedoms, relevant legislation both general and sectoral, data protection rules and security measures, including rules for onward transfer of personal data to another third country or international organization, as well as the existence of effective and enforceable data subject rights and effective administrative and judicial redress for the concerned data subjects”;
- Existence of an effective data protection authority;
- International commitment of the State to uphold protection of personal data.
- What is the difference between State adequacy and the EU-US Privacy Shield?
Because the U.S. does not have adequacy status for not meeting the criteria above, U.S. companies require a specific legal instrument to receive EU personal data. That is the EU-US Privacy Shield under which U.S. companies self-certify and commit to:
- European data protection standards;
- The new scrutiny of the Ombudsperson to be created in the US as well as of the Department of Commerce and Federal Trade Commission;
- Stronger requirements on consent;
- New Europeans’ access to remedies in the U.S.
It is noteworthy that the EU-US Privacy Shield process is still more burdensome than for companies in States that have adequacy status.
- What next for adequacy?
The coming into force of the GDPR introduces the possibility for an adequacy decision to be “amended, replaced or repealed” (Article 41.3a) by a Commission decision. Moreover, the Commission will “monitor the functioning of decisions” already adopted, with a view to adequacy remaining in force, being amended or being repealed.
So nothing can be taken for granted. The maintenance of adequacy will be earned with conformity to European standards on privacy law.
- Honing privacy compliance strategies in the context of adequacy
Here are the best practices from our clients transferring or receiving European personal data:
- Identify legal obligations under the coming GDPR;
- Perform a gap analysis to address possible compliance issues in advance of the GDPR coming into force;
- Negotiate contract clauses with sub-contractors that comply with the GDPR;
- Include monitoring provisions in the contract clauses, such as the right to audit the sub-contractor to ensure compliance;
- Establish data centres, or hire cloud services, in States having adequacy status or with companies self-certified under the EU-US Privacy Shield.
Adequacy status is an objective shared by governments and companies.