What is the Communication on international personal data transfers about? Why now?
The reform of EU data protection legislation, adopted in April 2016, puts in place a system that ensures a strong level of protection both inside the EU and for the international exchange of personal data for commercial and law enforcement purposes. The new rules will come into application in May 2018.
They will strengthen consumer trust in the digital economy and make it easier for EU and foreign companies to carry out their business activities in the EU, including through international data exchanges.
Having completed the EU’s data protection rules, the Commission is now setting out a strategy on promoting international data protection standards. The Communication presents the different tools to exchange personal data internationally, based on the reformed data protection rules, as well as the Commission’s strategy for engaging with selected third countries in the future to reach adequacy decisions and promoting data protection standards through multilateral instruments.
What are the tools available for international personal data transfers?
The 2016 General Data Protection Regulation offers a ‘toolkit’ of mechanisms to transfer personal data from the EU to third countries: adequacy decisions, standard contractual clauses, binding corporate rules, certification mechanisms and codes of conduct. The primary purpose of these mechanisms is to ensure that when the personal data of Europeans is transferred abroad, the protection travels with the data. While the architecture of international personal data transfers is similar to that under the 1995 Data Protection Directive, the reform simplifies and expands their use and introduces new tools for international transfers (e.g. codes of conduct and certification mechanisms).
What is an adequacy decision?
An adequacy decision is a decision taken by the Commission establishing that a third country provides a comparable level of protection of personal data to that in the European Union, through its domestic law or its international commitments. As a result, personal data can flow from the 28 Member States and the three European Economic Area (EEA) member countries (Norway, Liechtenstein and Iceland) to that third country, without being subject to any further safeguards or authorisations. Adequacy decisions have so far been available only to cover personal data transfers for commercial purposes. A novelty of the reformed EU data protection rules is that the Commission can now adopt adequacy decisions also for the law enforcement sector.
With which country does the EU already have adequacy decisions?
The Commission has adopted adequacy decisions for the following countries and Territories: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (Privacy Shield).
The decisions on Canada and the U.S. are “partial” adequacy decisions. The decision on Canada applies only to private entities falling under the scope of the Canadian Personal Information Protection and Electronic Documents Act. The EU-U.S. Privacy Shield framework is a “partial” adequacy decision, as, in the absence of a general data protection law in the U.S., only the companies committing to abiding by the binding Privacy Shield principles benefit from easier data transfers.
What are the criteria to assess adequacy? With which countries will the Commission engage?
Under EU law, an adequacy finding requires the existence of data protection rules comparable to the ones in the EU. It involves a comprehensive assessment of the third country’s system, both in terms of the substantive protections applicable to personal data and the relevant oversight and redress mechanisms available in the third country. This also includes the review of the limitations and safeguards applicable to access to personal data by public authorities for law enforcement and national security purposes.
The Communication sets out four key criteria that the Commission should take into account when assessing with which countries a dialogue on adequacy should be pursued:
- the extent of the EU’s (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations;
- the extent of personal data flows from the EU, reflecting geographical and/or cultural ties;
- the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region; and
- the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.
The Commission will actively engage with key trading partners in East and South-East Asia, starting from Japan and Korea, and, depending on progress towards the modernisation of its data protection laws, with India, and also with countries in Latin America and the European neighbourhood which have expressed an interest in obtaining an “adequacy finding”.
Is adequacy limited in time?
No. Adequacy decisions are “living” documents that need to be closely monitored and adapted in case of developments affecting the level of protection ensured by the third country. Under the General Data Protection Regulation, the Commission will carry out periodic reviews at least every four years, to address emerging issues and exchange best practices between close partners. This dynamic approach applies also to already existing adequacy decisions that will need to be reviewed in case they no longer meet the applicable standard. The EU-U.S. Privacy Shield is subject to an annual joint review.
What are the other tools available for international personal data transfers in the absence of an adequacy decision?
The General Data Protection Regulation offers a ‘toolkit’ of mechanisms to transfer personal data from the EU to third countries (adequacy decisions, standard contractual clauses, binding corporate rules, certification mechanisms and codes of conduct).
The different mechanisms are flexible enough to adapt to the needs of specific industries or business models.