Old EU adequacy decisions survive scrutiny

The EU Commission announced on 15 January that it has approved as adequate all 11 jurisdictions which received their original decision under the EU Data Protection Directive. This is rather convenient and it makes one wonder why it took such a long time to issue these decisions.

The EU recognises that these countries have made changes to their laws and/or strengthened DPA independence. The decisions can be seen as a positive signpost for other countries striving for adequacy, or “essential equivalence” such as Mexico, or wishing to retain it, such as the UK. However, Canada, which is still in the middle of its law revision, was also approved, as it has shown enough progress at this stage.

The EU Commission is preparing its Report on how the GDPR is applied in Member States and anyone can send feedback until 8 February.(1) Other notable European level developments include the drafting of an AI Convention by the Council of Europe.

Professor Kaori Ishii from Chuo University, Tokyo, reports in this edition about recent discussions regarding the protection of personal information in Japan. Professor Graham Greenleaf analyses the impact of the Dubai Financial Centre adequacy decision on California, and presents his proposal for a way forward for international transfers.

In addition, we bring you the latest AI and data privacy news from the Davos World Economic Forum. Much is happening in this field – the EU AI Act has been adopted at a political level, but technical meetings have resulted in some further details. A leaked document has been circulating and no doubt the “real thing” will be available soon.

All these aspects and more will be covered at our International Conference in Cambridge in July. Join the discussion with regulators, policy influencers, companies, law firms and academics from many regions.

Laura Linkomies
Editor, Privacy Laws & Business

February 2024