Following on from our Adequacy Decision: Deep Dive, we observe the data privacy frameworks of the countries who have been granted the greenlight for international data transfers, also known as the adequacy decision.
In 2010, Andorra obtained the recognition of an adequacy decision by the European Union which enables the free flow of data between EU Member States and Andorra.
Its main piece of privacy legislation is the Qualified Act 15/2003 of Personal Data Protection which has led to the implementation of a number of data protection principles and data subject rights akin to those outlined in the GDPR.
Furthermore, the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Convention 108) has been ratified by Andorra. This guarantees the rights of data subjects in being able to object to a decision made by automation where this has led to significant and discriminatory effects.
The APDA has published guidance on the processing of personal data across a range of sectors and has initiated and established disciplinary proceedings in relation to data protection where this has been necessary.
Argentina received the grant of an adequacy decision in 2021. It was considered to be adequate on the basis of the protections provided by the Argentinian Constitution as well as the Personal Data Protection Act No 25.326.
Firstly, the Argentinian Constitution goes further than many countries in the fact that the protection of personal data has been outlined as a fundamental right, known as “habeas data”. This seeks to protect the content and purpose of all the data relating to an individual in both public and private spheres.
The Personal Data Protection Act consolidates the recognition of this personal data right through outlining provisions relating to data protection principles, the rights of data subjects, the obligations of data controllers and the sanctions enforced by supervisory authorities.
Additionally, where the Argentinian government may have access to certain types of personal data through public interest, clear limitations and exceptions have been outlined. Further, the Argentinian government has provided guidance on how these principles are too be applied. Judicial remedies exist in the event that the use of “public interest” has been unlawful. This has enabled transparency across the judicial process for Data Subjects and the Supervisory Authority with respect to the protection of personal data.
Following the introduction of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada was initially awarded an “adequacy decision” in 2001 and this was later reaffirmed in 2006.
Similar to Argentina, Canada recognises that privacy is considered to be a human right. The PIPEDA in providing protection for this fundamental right enables alignment with the GDPR. This has made it easier for Canadian companies to conduct business in Europe.
Currently, as the Privacy Shield between the US and the EU has not been renewed, it is possible that having a data processing centre or storage mechanism in Canada may be an alternative for US based companies. This will mean that certain contractual or procedural changes will not need to be implemented in order to conduct data processing over the Atlantic. Companies such as DocuSign have already commenced this where two data centres in Toronto and Quebec City.
The Faroe Islands is a self-governing archipelago within the Kingdom of Denmark. In 2010, the European Commission granted the Faroe Islands an adequacy decision.
The Act on Processing of Personal Data was introduced in May 2001 and covers the data protection legislation in the Faroe Islands.
It concluded that the Act covered the basic principles necessary for the protection of data subject’s privacy in the instance of processing personal data. Data subjects have sufficient legal recourse and the Data Protection Commissioner reserves the right to utilise powers of intervention and investigation where necessary.
Although it was established by the Article 29 Working Party that automated individual decisions are not adequately protected by the legislation, as adequacy does not entail complete equivalence with the European regime, the data protection law was considered to be sufficient.
Guernsey is one of the English Channel Islands and is a self-governing British Crown dependency. In 2003, Guernsey was granted an adequacy decision by the European Commission. Its data protection framework has been influenced by the UK’s law. Guernsey’s Data Protection Law was initially implemented in 2001 and was reformed in May 2018 to coincide with the UK’s enforcement of the GDPR.
One of the biggest challenges for the Channel Islands is developing a regime which can match the requirements of the adequacy assessment and Guernsey has been successful in doing so. The Commission concluded that the Data Protection Law has replicated the outcomes and primary features of the GDPR. Post-Brexit, Guernsey continues to benefit from an adequacy decision.
Isle of Man
The Isle of Man is a self-governing British Crown dependency. It was granted an adequacy decision in 2004.
Its legal system sits independently to that of the UK and emulates the standards outlined in the 1995 Data Protection Directive in its Data Protection Act of 2002. In addition to this, as of 1993, the Isle of Man extended the UK’s ratification of the Protection of Individuals with regard to the Automatic Processing of Personal Data to the Isle.
In granting the Isle of Man an adequacy decision in 2004, the Commission recognised that the legislation enables sufficient rights, protections and the independent supervision carried out by an authority to be regarded as adequate. The Isle of Man continues to benefit from this decision post-Brexit.
Israel’s adequacy decision was granted in 2011 by the European Commission. Currently Israel’s legal system has been conferred on the Basic Laws: by the Supreme Court of Israel. The right of privacy has been embedded in the “Basic Law: Human Dignity and Liberty”[i].
The Privacy Protection Act as amended in 2007 is Israel’s main form of data protection legislation. Additional to this Act a number of other legal instruments are recognised as providing regulation for privacy interests in other sectors such as health regulations which provides a framework for the protection of data subjects’ rights.
The Privacy Protection Act establishes processing requirements for personal data as well as a detailed role of investigation and intervention for the supervisory authority, the Israeli Law Information and Technology Authority. This supervisory authority has provided assurances on the interpretation of Israeli law to allow for sufficient legal recourse for individuals and the Commission accounted for this when making their decision.
However, the Act does not apply to the processing of personal data in non-automated, manual databases. In the face of this, the Working Party suggested that the Israeli authorities adopt further provisions which would ensure the same data protection principles across the private sector and further stated that in the event of exclusive non-automated data processing the adequacy decision will not stand as protection.
The Commission thus considered that Israel should be recognised as providing a level of adequate protection for personal data from the EU to Israel where the transfer is carried out through automated means.
As of February 2023 however, the status of Israel’s adequacy decision has come under some scrutiny. The future of Israel’s judicial system is changing, and it is leading the EU bloc to consider whether transfers of personal data from the EU to Israel should be subject to further safeguards. So far, nothing has been set in stone however Tobias Judin, Head of the International Section at the Norwegian Data Protection Authority, has stated that Israeli judges must prove their independence to assure the fundamental right to data protection and sufficient legal recourse for individuals.
[i] The Basic Law: President of the State (1964), passed on June 16, 1964, by the Fifth Knesset.
In January 2019, the European Commission decided to grant Japan an adequacy decision. The APPI (Japan’s Data Protection legislation) ensures an equivalent level of protection for personal data afforded under the GDPR and has been recognised as such.
Prior to the implementation of this EU - Japan adequacy decision, the APPI introduced three new types of safeguards to ensure its equivalency to the GDPR.
Firstly, the Supplementary Rules under the APPI was introduced which offers particular safeguards for sensitive data, the exercise of data subject rights and restrictions on how data from the EEA can be subject to onward transfers from Japan. Importantly, these safeguards have been enforced by the courts.
Secondly, data subjects have been empowered under the APPI through the implementation of certain rights and a complaints mechanism against access to data by Japanese public authorities.
Thirdly, similar to the United Kingdom, the Japanese government can access personal data for law enforcement and national security purposes. However, this has been limited by the principles of necessity and proportionality thus providing sufficient insight and accountability.
For the European Commission, the addition of Japan into the adequacy decision fold has assured its access to the 127 million Japanese consumers and thus further international trade will be facilitated from this decision.
Similar to Guernsey, Jersey is a self-governing dependency of the UK. In 2008, Jersey was recognised as being “adequate” by European Commission standards. The Data Protection (jersey) Law 2005 was similarly modelled on the 1998 UK Data Protection Act.
At the time of judgement in 2007, the Article 29 Working Party found that although some of the provisions outlined differ substantially from the Directive for instance the definition of personal data, on the whole, the DPL encompasses the same rights, protections and principles as in the European Union. It thus did not significantly impact the protections from the EU Member States to Jersey.
Since 2008, Jersey has further introduced other pieces of legislation which serve to augment the DPL framework for example the Jersey’s Freedom of Information Law of 2011. Post-Brexit, Jersey’s adequacy decision continues to be in place.
In 2012, New Zealand was granted an adequacy decision by the European Commission.
The Privacy Act of 2010 acts as New Zealand’s primary legal protection of data alongside a number of regulatory frameworks which deal with privacy issues. Additionally, New Zealand’s position as a former British colony means established English common law principles influence the data protection landscape of New Zealand.
The European Commission considered that the guarantees of administrative and judicial remedies as well as the independent supervision outlined by the supervisory authority are deemed sufficient to meet the standard of legal recourse offered under the GDPR. It was thus held that New Zealand ensured an adequate level of protection for personal data.
Republic of Korea
In 2021, South Korea received an adequacy decision from the European Commission. South Korea also marks the first country which has been granted a UK Adequacy Decision, establishing the UK’s commitment to formally instating data relations with other countries outside Europe.
This follows on from South Korea’s reform of its data protection legislation in 2020 to ensure it had implemented an adequate supervisory authority to oversee and enforce data protection laws internally and externally.
Where supervisory and public authorities can access personal data, there are clear redress mechanisms which protect Data Subjects against unlawful requests. However, the Adequacy Decision excludes certain types of processing such as for missionary activities by religious organisations, nomination of candidates by political parties or processing of personal credit information under the Credit Information Act. This is due to the same protections not being applicable to these kinds of processing.
Switzerland was one of the first countries to have been granted an adequacy decision in 2000. The European Commission contended that the Federal Act on Data Protection (FDAP) assured the protections necessary for Data Subjects.
In cases of intervention via “public interest”, there has been sufficient exceptions and limitations outlined to ensure that the government and public authorities are not utilising this head unlawfully. The Federal Commissioner has assumed strong powers of intervention in this regard to supervise authorities.
In some senses, the FDAP can be seen as going beyond the protections outlined in the GDPR as it recognises both natural and legal persons under the class of “Data Subjects”. This means that businesses operating within the territorial scope of Switzerland must ensure the protection of personal data not only from a B2C perspective but also a B2B perspective.
Additional to this point is the fact that Switzerland has commenced delivering its own adequacy decisions where it feels this is suitable. Under Article 16 of the new Swiss Data Protection Act (entering into force in 2023), a list of “adequate” countries will be able to receive personal data transfers outside the territory of Switzerland. Certainly, some notable differences can be found: Swiss SCCs will need to be implemented for any transfers from Switzerland to Japan or South Korea whereas under the GDPR this is not the case. Furthermore, Australia has been granted an adequacy decision with the caveat of “certain conditions” being enforced. Importantly, this highlights a pragmatic step by Switzerland to integrate so-called, black-listed countries into its fold of adequate countries, ensuring Australia’s access to a number of consumers in Switzerland and the advantage of onward transfers of data.
As a result of Brexit, the European Commission carefully analysed the data protection law established in the United Kingdom. In the past, the United Kingdom’s data protection law and practices had been heavily scrutinised by the European Union.
The European Court of Justice notoriously criticised the UK’s handling of personal data under the Investigatory Powers Act 2016 in stating that it contravened fundamental rights outlined in the Charter. Post-Brexit, certain European states such as the Netherlands have considered whether the UK should be awarded such an adequacy decision after these violations.
Additionally, the UK engages in data transfers with Australia- a jurisdiction which does not have an adequacy decision. This creates a risk of onward transfers from the UK falling outside the protectionary measures established by the Union.
In its post-Brexit conclusion, the European Commission considered the country’s data protection legislation as well as the GDPR adopted by the UK. It concluded that the mechanisms of oversight and redress were “essentially equivalent” to the offering of protection under the GDPR. Importantly, the measures were sufficient in allowing infringements to be identified and for the obtaining of access to personal data by Data Subjects.
The government in the UK continues to have an outstanding right of access to personal data in the circumstances of national security, public interest and law enforcement. However, as this right is not absolute, it must be used in pursuit of a legitimate objective by the government.
After considering these facts, it was decided that both the UK’s domestic regime (independent from the European Union since Brexit) and its international commitments (its European Union commitments) meet the standard outlined by the European Commission when awarding an adequacy decision. Perhaps unsurprising for many, as the UK had adopted and retained much of European Union data protection and human rights law post Brexit. This decision may change if the circumstances of UK data protection or human rights law change.
In 2012, Uruguay’s status as an adequate decision country was confirmed by the Commission.
Uruguay had a particular case where it filed with the European Commission in 2008 in order to obtain the status of an “adequate” country. The provisions outlined in the Article 29 Working Party’s earlier Opinion observes and considers assurances and clarifications provided by Uruguay. Since the official recognition by the European Commission however, Uruguay’s adequate status has been approved and transfers can take place without intergovernmental safeguards.