Adequacy Decisions from the European Union
The EU has granted adequacy to Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, Uruguay, and now the United Kingdom.
Adequacy is very important for international business. Business runs on data and data doesn’t flow to inadequate countries, at least not very fluidly. Foreign businesses will generally have to rely on standard contractual clauses (SCCs) [which themselves are in some doubt] in the absence of adequacy, which will increase the costs of doing business in the EU.
Given the importance of adequacy, this is a review of the process of being deemed adequate, as well as case studies of Japan and the United Kingdom (both of which have achieved adequacy).
Adequacy is addressed in Article 45 of GDPR. The actual formal process of achieving adequacy consists of four steps. The first step is the completion of a draft adequacy decision from the European Commission. This decision suggests how and why an applicant may be or may not be adequate under GDPR. The next step is for the European Data Protection Board to review the draft adequacy decision and render their opinion on the applicant’s adequacy. The third step consists of representatives of EU member states choosing whether or not to approve the applicant as adequate, after reviewing the European Commission’s draft adequacy decision and the EDPB’s opinion. Lastly, the European Commission adopts a final adequacy decision. Adequacy decisions last up to four years and can be renewed if the applicant’s data protection regime is deemed to still be adequate at the time of the renewal determination.
The important considerations for an adequacy determination are that the applicant demonstrates an adherence to the rule of law, especially regarding data privacy, that the applicant has a designated independent supervisory authority with responsibility for ensuring and enforcing compliance with data privacy rules, and that the applicant is bound by international commitments.
To demonstrate rule of law, the applicant needs to be able to show respect for human rights and fundamental freedoms, legislation relevant to data protection, the implementation of that legislation, rules for onward transfer of personal data, and effective and enforceable data subject rights. This can be thought of as a verification that it is feasible that the applicant will observe privacy rights.
To demonstrate independent supervisory authority, the applicant needs to be able to show that there is an independent supervisory authority with responsibility for ensuring and enforcing compliance with the data protection rules. This can be thought of as a verification that it is feasible that the applicant will enforce privacy rights.
To demonstrate sufficient international commitments, the applicant needs to show that it has entered into international commitments or other obligations arising from legally binding conventions or instruments. This can be thought of as a verification that the applicant is a reliable global player.
Case Study – Japan
On September 5, 2018, the European Commission announced that the formal procedure to adopt the EU-Japan adequacy decision was launched in accordance with Article 45 of GDPR.
The specific issues that the European Commission was concerned with regarding Japan’s adequacy were: (Issue 1) the differences between the protections afforded by GDPR and by the Act on the Protection of Personal Information (APPI) [Japan’s data privacy law], (Issue 2) restricting access to the personal data of EU residents by Japanese public authorities (taking into consideration proportionality and independent oversight and redress mechanisms), and (Issue 3) creation of a mechanism within the APPI for complaints to be investigated and resolved.
Japan’s Rule of Law
Japan is a democratic constitutional monarchy that is widely considered to adhere to the rule of law. It is ranked 15th globally in the World Justice Project Rule of Law Index.
Japan’s most relevant data protection law for GDPR adequacy is the APPI. The APPI grants data subjects a number of rights similar to those provided in GDPR, including approximate equivalents to access, rectification, erasure, and the right to object to certain processing activities. The APPI also allows for submitting complaints to controllers or consumer centers to trigger a mediation mechanism.
When these mediation mechanisms fall through, a civil action for damages or injunctive relief is possible. If the fear of monetary damages or injunctive relief isn’t enough, Personal Information Handling Business Operators (PIHBOs) [similar to controllers] that violate the APPI can be subject to criminal sanctions on the prosecutor’s initiative or through a complaint filed by a data subject.
Japan’s Independent Authority
On January 1, 2016, Japan established an independent data protection authority, the Personal Information Protection Commission (PPC). The PPC is charged with the protection of personal information. According to the APPI (Article 62), the Chairman and Commission Members of the PPC exercise their authority independently.
Japan’s International Commitments
Japan has free trade agreements with numerous countries, including extensive relations with the US. More relevantly, Japan and the EU entered into the EU-Japan Economic Partnership Agreement on February 1, 2019 (this went into effect 9 days after Japan was granted adequacy, but it had been near completion at the time of the granting of Japanese adequacy). This trade agreement removed tariffs and trade barriers and created a platform to cooperate in removing barriers to trade. Symbolically, it helped to shape global trade rules in line with EU and Japan standards and shared values and signaled a mutual rejection of protectionism.
On June 15, 2018, prior to the commencement of the formal EU-Japan adequacy procedure, Japan adopted certain supplementary rules in order to align more closely with the requirements of the GDPR. These supplementary rules bring Japanese law closer to the GDPR with respect to treatment of sensitive data, data subject access rights, processing purpose limitation, restrictions on onward transfers of data, and minimum standards of anonymization. These supplementary rules helped to resolve Issue 1, above.
In discussions with the European Commission, the Japanese government represented that they would implement a new redress mechanism to address complaints from EU residents when their personal data was accessed by Japanese public authorities. These representations helped to resolve Issues 2 and 3, above.
With the outstanding issues resolved, the European Commission formally adopted the EU-Japan adequacy decision on January 23, 2019. This allowed for the transfer of personal data from within the EEA to Japanese PIHBOs. This is not a blanket grant of access to EU data for Japanese companies: it applies specifically to PIHBOs, the category of organization that is required to comply with the APPI.
Case Study – United Kingdom
The United Kingdom has just been granted adequacy status as of June 28, 2021. This is the case even though things did not start auspiciously for its application. On February 5, 2021, the Civil Liberties, Justice, and Home Affairs (LIBE) Committee of the European Parliament rendered an opinion opposed to granting adequacy to the United Kingdom. The LIBE Committee’s major concern was UK agencies engaging in bulk data collection for intelligence purposes.
Two weeks later, on February 19, 2021, the European Commission rendered its draft adequacy decision and came to a significantly different conclusion. The European Commission recognized that the UK data privacy laws were nearly identical to the EU GDPR and concluded that EU citizens would receive the same level of protection under UK law as they would under EU law. There was a second draft adequacy decision, specifically reviewing the UK’s data protection in relation to the Law Enforcement Directive (LED). This draft adequacy decision also favored the UK after reviewing the UK’s standards regarding data privacy in policing and judicial cooperation.
More recently, on April 14, 2021, the European Data Protection Board (EDPB) adopted both of the European Commission’s generally favorable opinions towards UK adequacy.
Below is an assessment of the UK’s adequacy based on the parameters used in making an adequacy determination.
United Kingdom Rule of Law
The United Kingdom is a democratic constitutional monarchy that is widely considered to adhere to the rule of law. It is ranked 13th globally in the World Justice Project Rule of Law Index.
In the context of data privacy, the UK operates under the UK GDPR. It closely matches the EU GDPR, even though there have been some changes to accommodate domestic areas of UK law. The material and territorial scope, definitions of personal data, concepts of controller and processor, safeguards, rights, obligations, oversight, and enforcement of the UK GDPR were all found to be very similar to the EU GDPR.
United Kingdom Independent Authority
The Information Commissioner’s Office (ICO) is the UK’s independent data protection authority. It upholds information rights in the public interest. It is the body primarily responsible for enforcing the UK GDPR.
United Kingdom International Commitments
The EU and UK used to be one. Since their separation, they have made binding international commitments together. For example, the EU-UK Trade and Cooperation Agreement sets out preferential arrangements in many commercial and societal areas between the EU and the UK. It includes a free trade agreement, partnership on citizens’ security, and an overarching governance framework. The overarching governance framework includes binding enforcement and dispute settlement mechanisms that will ensure that rights of businesses, consumers, and individuals are respected.
United Kingdom Adequacy Status
The UK has demonstrated that it observes the rule of law and particularly preserves data privacy, has an independent supervisory authority for data privacy regulation, and that it is bound by international agreements.
Nonetheless, the first feedback the UK received regarding adequacy, from the LIBE Committee, was negative. Since then, the UK got favorable draft adequacy decisions regarding its alignment with GDPR and with the LED. This was further confirmed by the EDPB’s general support for the UK’s adequacy. In its confirmation of support, the EDPB did call attention to a few issues of concern, which it indicated merited further review: (Issue 1) the UK GDPR’s immigration exception, (Issue 2) the UK’s rules regarding onward transfers of personal data, and (Issue 3) the interception of communications by UK law enforcement and intelligence services.
This last area of concern, interception of communications by UK law enforcement and intelligence services, is a hot topic in adequacy discussions. It is such an area of concern that during its May 10, 2021 meeting, the LIBE Committee of the European Parliament decided to revisit the UK’s adequacy on this issue. This is a point that it had already brought up on February 5, 2021, but having seen the way the wind was blowing on this issue more recently (support for adequacy from both the European Commission and the EDPB), the LIBE Committee re-inserted itself and strenuously urged the European Commission to reconsider.
Notwithstanding the concerns raised in its application, the UK has earned adequacy status. What should stand out for future adequacy applicants is Issue 3, the privacy implications of national law enforcement and intelligence agencies intercepting bulk data. This issue was responsible for the end of the EU-US Safe Harbor and the EU-US Privacy Shield. See our article on intelligence gathering asymmetry post-Schrems II for more information. The European Commission’s UK adequacy decision is published by the Commission and worth reviewing in full.
There is significant economic value for a country, or a sector of a country, in achieving adequacy. There is a well-publicized process for achieving adequacy. Even what is expected of an applicant in order to be considered adequate is very well known and understood. Nonetheless, achieving adequacy is no small task.
Japan is a country well regarded for its adherence to the rule of law, and it already had national data privacy legislation. Japan also has a well-established independent supervisory authority regulating and enforcing data privacy laws. Further, Japan observes numerous international agreements, including with the EU. Yet Japan still had to make additional “concessions” in order to be deemed adequate under the GDPR.
The UK is a country that was until very recently a part of the EU. Accordingly, its standards of adherence to the rule of law and data privacy rights are on par with the EU’s. Just like EU countries, the UK has its own independent supervisory authority regulating and enforcing data privacy domestically. It observes numerous international agreements, including with the EU. Yet the UK’s attainment of adequacy was far from certain. Its adequacy journey was a bumpy road, but it managed to clear the most difficult hurdle: discord between EU data privacy ideals and real-world gathering of bulk data for law enforcement and intelligence reasons by UK public authorities.
The resolution of the UK adequacy determination is very instructive for future adequacy applicants. Until then, companies can count on SCCs to facilitate cross-border data flows and can count on Clarip to provide Data Flow Intelligence to make sure your organization isn’t transferring data across any borders that it shouldn’t be. Clarip helps organizations with data mapping, DSAR fulfillment, cookie compliance, and risk management. To learn more, contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.