Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

Impact of the European General Data Protection Regulation (GDPR) on Adequacy and 5 Tips to Weather the Changes

By Chantal Bernier
August 8, 2016
  • Government Information
  • New and Proposed Laws
  • Privacy Rights

Recent media coverage has brought to light the internal deliberations of the Government of Canada regarding the possible impact of the GDPR’s entry into force in 2018 on Canada’s adequacy status to receive personal data from the European Union (EU). Ten other countries, and the businesses in those countries, should examine the same question: Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. The EU-US Privacy Shield, to which U.S. companies may self-certify, has received adequacy status.

Two issues arise: i) since the provisions of the new GDPR are stricter than the current European regime under which these eleven States have been deemed adequate, will adequacy survive the coming into force of the new GDPR? And, ii) now that adequacy may be repealed, how should governments or businesses prepare in that regard?

The following seeks to summarize what to watch for and how to weather this significant, yet still ill-defined, legal development.

  1. Why is adequacy status important?

European privacy law prohibits the transfer of personal data outside of the EU, except to states that have been recognized as providing adequate privacy protection (GDPR, Chapter V). “Non-adequate” states may only receive EU data under onerous conditions, namely:

  • Individual consent, and even then this is not valid for employee information as the employer-employee relationship is one of authority which defeats the assurance of “free” consent; or,
  • Standard model clauses, adopted by the European Commission, that bind the parties to the same level as European data protection law and submit the party receiving the data to audits by the party transferring the data; or,
  • Binding Corporate Rules, which apply within “a group of enterprises engaged in a joint economic activity” (Article 43.1) and bind the companies within the group to the European standards of privacy law.

Non-EU states that have been recognized as providing adequate protection for privacy may receive transfers of personal data from Europe without “any specific authorization” (Article 41.1).

With a European market of 500 million, this is a critical economic advantage.

  2. How is a State considered adequate?

Article 41.2 of the GDPR summarizes the conditions for adequacy:

  • Respect for “the rule of law, human rights and fundamental freedoms, relevant legislation both general and sectoral, data protection rules and security measures, including rules for onward transfer of personal data to another third country or international organization, as well as the existence of effective and enforceable data subject rights and effective administrative and judicial redress for the concerned data subjects”;
  • Existence of an effective data protection authority;
  • International commitment of the State to uphold protection of personal data.

  3. What is the difference between State adequacy and the EU-US Privacy Shield?

Because the U.S. does not meet the criteria above and therefore does not have adequacy status, U.S. companies require a specific legal instrument to receive EU personal data. That is the EU-US Privacy Shield, under which U.S. companies self-certify and commit to:

  • European data protection standards;
  • The new scrutiny of the Ombudsperson to be created in the US as well as of the Department of Commerce and Federal Trade Commission;
  • Stronger requirements on consent;
  • New access for Europeans to remedies in the U.S.

It is noteworthy that the EU-US Privacy Shield process is still more burdensome than the regime for companies in States that have adequacy status.

  4. What next for adequacy?

The coming into force of the GDPR introduces the possibility for an adequacy decision to be “amended, replaced or repealed” (Article 41.3a) by a Commission decision. Moreover, the Commission will “monitor the functioning of decisions” already adopted, with a view to adequacy remaining in force, being amended or being repealed.

So nothing can be taken for granted. Adequacy will be maintained only by earning it through conformity with European standards of privacy law.

  5. Honing privacy compliance strategies in the context of adequacy

Here are the best practices from our clients transferring or receiving European personal data:

  • Identify legal obligations under the coming GDPR;
  • Perform a gap analysis to address possible compliance issues in advance of the GDPR coming into force;
  • Negotiate GDPR-compliant contract clauses with sub-contractors;
  • Include monitoring provisions in the contract clauses, such as the right to audit the sub-contractor to ensure compliance;
  • Establish data centres or hire cloud services in States having adequacy, or from companies self-certified under the EU-US Privacy Shield.

Adequacy status is an objective shared by governments and companies.

About Chantal Bernier

Chantal Bernier leads Dentons’ Canadian Privacy and Cybersecurity practice group. She is also a member of the Firm’s Government Affairs and Public Policy group. Chantal advises leading-edge national and international companies as they expand into Canada and Europe, enter the e-commerce space, adopt data analytics and roll out data-based market initiatives. Her clients include ad tech companies, financial institutions, biotech companies, data analytics firms and government institutions.
