On January 15, 2024, the European Commission released its report on the first review of the functioning of the existing eleven adequacy decisions adopted under the pre-GDPR framework.  

The Commission concluded that personal data transferred from the European Economic Area to any of Andorra, Argentina, Canada (for PIPEDA-regulated entities), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to receive an adequate level of protection.

In its review, the Commission considered the development of data protection frameworks in the concerned countries and territories, as well as the evolving interpretation of the adequacy standard under EU law, particularly in light of the EU Court of Justice’s Schrems II judgment.  In that ruling, the Court clarified, among other things, that the GDPR’s “essential equivalence” standard required third country laws to set minimum safeguards preventing public authorities from accessing transferred data beyond what is necessary and proportionate to pursue their legitimate objectives, and to establish effective and enforceable redress rights for individuals.

Moreover, the Commission noted that many of the reviewed countries and territories have modernized and strengthened their data protection legislation through various recent reforms (although in the case of Canada, reform of the federal privacy statute, PIPEDA, is ongoing), and that their frameworks have further converged with the EU’s. With regard to government access to personal data, the Commission found that the laws of the concerned countries and territories impose appropriate safeguards and limitations and set out adequate oversight and redress mechanisms.

The Commission will continue to monitor the existing adequacy decisions and national developments in those countries.  In April 2023, the Commission announced the successful first review of the Japan-EU mutual adequacy arrangement (see our previous blog post here), while the first review of the Republic of Korea’s adequacy decision is due later this year.

Organizations should welcome the continued stability and legal certainty offered by the retention of the existing adequacy decisions.

To further promote dialogue and the exchange of information, the Commission intends to organize in 2024 a high-level meeting between representatives from the EU and countries benefitting from an adequacy finding.  Moreover, in previous statements, the Commission confirmed it is actively exploring the possibility of launching adequacy talks with other important partners, in particular in Asia and Latin America.

***

Covington regularly advises companies on all aspects of their international transfers. Our team is happy to assist with any inquiries.

(This blog post was drafted with the contribution of Diane Valat.)

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.