EU adequacy decisions lead “the Brussels effect”

The rigorous process undertaken by the European Commission in its assessment of the 11 jurisdictions declared on 15 January to have retained their “adequacy” status is impressive in its detail. We reported on several of the decisions in the February edition of PL&B International Report.(1) They also have an impact beyond the European Economic Area, known as “The Brussels Effect”.

The international business community is, no doubt, grateful (perhaps a little surprised) that the European Commission has based its decisions on such a rigorous process with between 19 to 31 pages of analysis on developments in small jurisdictions with populations from 53,000 to 103,000.

I expect that many observers consider that the European Commission’s slow rate of progress while maintaining this level of commitment in declaring a jurisdiction “adequate” or “essentially equivalent” is not sustainable. After all, the European Commission has a theoretical target list of an ever-increasing 100+ additional countries with data privacy laws to consider. Progress in sub-national jurisdictions, such as Ontario, Canada, would also demand attention.

In principle, organisations should satisfy themselves that their international transfers of personal data to their business partners in any country should comply with the required standards. But even well-resourced major multinational companies appreciate help in this process.

A change of emphasis by the European Commission

My impression is that the private event the European Commission hosted on 4 March for the adequate countries signalled a change of emphasis towards becoming more involved with the work done by other institutions in facilitating international transfers of personal data to a much wider list of countries.

In the past, the European Commission has tilted towards working with the human rights based Council of Europe, and EU Commissioner for Justice, Didier Reynders, is now standing for election to the post of Secretary-General there.(2) But he referred at the 4 March meeting to working more closely with the OECD which has economically advanced member countries in Europe, the Americas and Asia, some with privacy laws different from those in Europe.

Reynders referred to safe data flows and cited the OECD Declaration on Government Access to Data Held by Private Entities, adopted in 2022. He said:

“while this document was developed in the framework of the OECD, it is also open to non-members …More generally, are there other initiatives carried out in international fora that we, as a group, could help promote?”

European Commission Vice-President for Values and Transparency, Věra Jourová, expanded on his plan by declaring at this meeting:

“I strongly believe we have to work together with our democratic partners on safe and free data flows, promote our cooperation and learn from each other. In [this] digital era where the innovation is often powered by personal data we are facing similar challenges across the globe. This is why it would be mutually beneficial to work towards a ‘network effect' and common understanding of the challenges.”

In contrast with their normal practice, in their published remarks, neither Commissioner referred to data protection as a fundamental right. Instead, Reynders referred to “the opportunity to advance concrete, pragmatic proposals that can resonate in our different countries and continents." He continued “this discussion is solution oriented, and it does not have fixed, pre-determined outcome … I am very interested in … identifying together practical solutions that could be followed-up either at a global, political or technical level.”

Beyond “adequacy” and “essential equivalence”

This goal of working towards a ‘network effect' is leading the European Commission to seek ways of looking beyond its “adequacy” and “essential equivalence” work programme. The toolbox in the GDPR is being developed to facilitate international transfers and seek a degree of “essential equivalence” in specific circumstances rather than a declaration for a whole country. This is the key to including the US, with its patchwork of federal, state and sectoral privacy laws in its list by means of the EU-US Data Privacy Framework.

Countries following this model of approved jurisdictions for international transfers of personal data include the Dubai International Finance Centre(3); and Nigeria which has this process in its law but has not yet produced a list of approved countries.(4) The UK government has a list of priority partners for exploring new data flows relationships: Australia, Brazil, Colombia, The Dubai International Finance Centre, India, Indonesia, Kenya, The Republic of Korea and Singapore.

Valuable Data, Priceless Privacy - PL&B’s 37th International Conference

Initiatives on international transfers will be featured at Valuable Data, Priceless Privacy, the Privacy Laws & Business 37th International Conference 1-3 July at St. John’s College, Cambridge. The full programme is now available with details of the 78 speakers from 16 countries in 30 sessions over 3 days.

Examples of conference sessions on international initiatives which are intended to work across multiple jurisdictions in the EU and elsewhere are:

  • Certification, an instrument developed to provide assurance regarding international transfers of data, will be covered in a session “Can certification help provide a win-win-win for companies, regulators and individuals?” and
  • Standard Contractual Clauses with a comparative review of the Latin American, Asian, EU and UK variants.

The Early Bird registration period ends on 20 May so I encourage you to register to take your place at the conference while some remain.

Best regards,

Stewart Dresner
Publisher, Privacy Laws & Business

  1. PL&B International Report February 2024 - EU retains all existing adequacy decisions
  2. European Commission - Statement on the temporary withdrawal of Commissioner Reynders from the work of the Commission
  3. PL&B International Report February 2024 - Dubai’s California dreamin’: Whitelists for adequacy needed
  4. PL&B International Report December 2023 - Navigating compliance under Nigeria’s Data Protection Act 2023

April 2024

News & Blogs

April 2024 Report Contents