The EU Commission sets the strategic framework for "adequacy decisions" as well as other tools for data transfers and international data protection instruments in its Communication published yesterday, 10 January.
The Commission says that it will ‘actively engage with key trading partners in East and South-East Asia, starting with Japan and Korea in 2017, and, depending on progress towards the modernisation of its data protection laws, with India, but also with countries in Latin America, in particular Mercosur [the Latin American equivalent of the European Union] and the European neighbourhood which have expressed an interest in obtaining an adequacy finding. In addition, the Commission welcomes expressions of interest from other third countries that are willing to engage on these issues.’
The Commission states that it can now adopt adequacy decisions also for the law enforcement sector, particular territory of a third country or a specific sector or industry within a third country.
Adequacy does not require a point-to-point replication of EU rules, the document says. The decisions on Canada and the United States are "partial" adequacy findings. Existing adequacy decisions, adopted under the 1995 Directive, will need to be reviewed in case they no longer meet the requirements. Periodic reviews will be held at least every four years.
The Commission considers that the following criteria should be taken into account when assessing with which third countries a dialogue on adequacy should be pursued:
(i) the extent of the EU's (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations;
(ii) the extent of personal data flows from the EU, reflecting geographical and/or cultural ties;
(iii) the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region; and
(iv) the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.
A link to the Communication, Exchanging and Protecting Personal Data in a Globalised World, is at http://europa.eu/rapid/press-release_IP-17-16_en.htm
Get an authoritative update on international data transfers, the EU-US Privacy Shield and adequacy by EU Commission speakers and other leading experts at Privacy Laws & Business 30th Anniversary International Conference at St. John’s College, Cambridge, 3-5 July 2017. Early bird registration with 20% discount until 14 February at www.privacylaws.com/annualconference