Data Transfers and Adequacy between Non-EU Countries
The European Commission (EC) has the power to determine whether a country outside the European Union (EU) offers an adequate level of data protection, on the basis of article 45 of the Regulation (EU) 2016/679. At any time, the European Parliament and the Council may request the EC to maintain, amend or withdraw the adequacy decision. When a country is deemed adequate, personal data can be transferred freely between EU countries and Non-EU countries without any additional fanfare. And thus, corporations must maintain and update guidelines of these types of transfers in their privacy notices. What countries currently meet these free and open interterritorial transfers of PII?
For a non-EU country to adopt an adequacy decision a country must obtain:
- A proposal from the European Commission
- An opinion of the European Data Protection Board
- An approval from representatives of EU countries
- An adoption of the decision by the European Commission
The European Commission has so far recognized:
- Andorra
- Argentina
- Canada (commercial organizations)
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- New Zealand
- Switzerland
- The United Kingdom under the GDPR and the LED
- Uruguay
Let’s take a quick look at two cases:
UK Adequacy and Data Transfers
With UK’s exit from the EU on January 31, 2020 and entrance into a transition period, which ended on December 31, 2020, data transfers and adequacy had to be renegotiated. On June 28, 2021, the EC came to a final adequacy decisions for the United Kingdom – under the GDPR and the Law Enforcement Directive. The final UK adequacy decisions are limited to a four-year renewable period, and adequacy must be monitored throughout in case there is a future divergence between EU and UK laws. Currently, personal data is now allowed to flow freely in both directions.
Swiss Data Transfers
The Swiss data protection authority has approved the use of the revised EU SCCs for cross-border transfers of Swiss personal data as long as specific requirements are met that comply with Swiss law. Under the current law, data transfers are based on contractual guarantees, and must notify the Federal Data Protection and Information Commissioner (FDPIC). A deliberate breach of this notification obligation may lead to prosecution.
What are the main data protection concerns while transferring?
Lawfulness – The collection, storage, and use (processing) of personal information by any organization must be compliant with data protection legislation. Furthermore, any transfer of such data must also have a proper legal basis (for EU institutions, this is Regulation EU 2018/1725) and be consistent with the original purpose of the processing.
Data quality – Organizations wishing to transfer data outside the EEA must respect the principles of purpose limitation (i.e. data should be transferred for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of the transfer), data minimization and ensure the accuracy of the data transferred and time limits for retaining the data.
Right of information – Individuals (data subjects) must be informed about their rights and for what purposes their information is processed both before the transfer (i.e. when data is first collected) and when the transfer takes place.
Rights of access and rectification – Individuals have a right to access the personal information being processed about them and to rectify any inaccurate or incomplete information. Exceptions may apply – for example, investigations into criminal offenses. Deferral of information should be decided on a case-by-case basis and the reasons for any restriction should be documented. Individuals must also be informed on how they may exercise their rights.
Processing of special categories of personal data – Processing of special categories of data, such as data relating to health or revealing racial or ethnic origin, is in principle prohibited under data protection laws, except in specific circumstances. For example, it is possible to process sensitive data if the processing is necessary for the purpose of a medical diagnosis, or with specific safeguards for employment purposes.
With Clarip’s Privacy Impact Assessments, Privacy Intelligence Dashboard, Rules Engine, Vendor Monitor, and Reports Dashboard we can help you track, process, and respond to right to know and delete in a timely manner. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.