
University of New South Wales Faculty of Law Research Series

Faculty of Law, UNSW

Greenleaf, Graham --- "Do not Dismiss ‘Adequacy’: European Data Privacy Standards are Entrenched" [2012] UNSWLRS 5

Last Updated: 9 February 2012

Do not dismiss ‘adequacy’: European data privacy standards are entrenched

Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales

Citation

This paper was published at Privacy Laws & Business International Report, Issue 114, December 2011, pp. 16-18. This paper may also be referenced as [2012] UNSWLRS 5.

Abstract

The EU Commission is intent on expanding the global influence of its standards. Despite criticisms of the 'adequacy' concept, there are numerous reasons, both inside and outside Europe, why it will be difficult to change. Uruguay and New Zealand are likely to be next on the list.

The ‘adequacy’ mechanism in the EU data protection Directive, and perceptions of it, have been one (but only one) of the means by which the influence of European data privacy standards has been felt outside Europe. The EU’s ‘border control’ approach is to require member states to limit data exports unless ‘adequate protection’ can be demonstrated at the receiving end (EU Directive Articles 25, 26). There are now 81 jurisdictions in the world with data privacy laws, excluding those only covering the public sector (Greenleaf, 2011b), so there are 53 theoretical candidates for adequacy findings. However, the EU has only made adequacy decisions in relation to nine jurisdictions as a whole (Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, and Jersey), some of which are of relatively little economic or political significance.

‘Adequacy’ certainly has its critics, and many criticisms, theoretical and practical, have substance. But this article argues that we should not be too hasty, and outlines a number of reasons why ‘adequacy’ is now so entrenched in legal systems across the world that it will not be easy to remove. The list of countries considered adequate is expanding slowly: Uruguay and New Zealand will soon be added to the list. Despite the slow pace of the EU in making and publicising assessments, the desire to eventually obtain an ‘adequacy’ finding from the EU, or in a more amorphous form, to have one’s law regarded as of the highest international standard (that the EU Directive is considered by many to embody) has been a significant influence on the development of laws outside Europe. Consideration of the 29 African, Latin American, Asian, Australasian, and other jurisdictions with data privacy laws suggests that the EU Directive is the most significant overall influence on the content of data privacy laws outside Europe, and that its influence is gradually strengthening.

As a result, ‘adequacy’ has stopped being a primarily EU concept. Outside Europe, ‘border control’ data export limitations are found in almost all (25/29) data privacy laws in all regions, though their strength varies a great deal, and they are not yet in force in the laws of Malaysia and Hong Kong. Non-EU/EEA European countries also have data export limitations in their law because of the Additional Protocol to Council of Europe Convention 108. So anyone who wishes to criticise the EU for wanting to ‘impose its standards on the rest of the world’ had better level the same accusation at the rest of the world.

There is also, as yet, little indication that the current revisions of the Directive or the Convention will result in Europe abandoning its ‘border control’ approach. The future for European privacy standards, including the ‘border control’ principle of ‘adequacy’, is far more positive than the criticisms they receive might lead us to believe. Attempts to replace the adequacy concept with some notion of ‘accountability’ that abandons ‘border control’ not only go against the likely direction of reforms of the Directive, but would also involve changing the Council of Europe Convention Additional Protocol, and all non-EU/EEA laws, and almost all data privacy laws outside Europe as well. The inertia that exists against such change occurring is considerable. Like it or loathe it, adequacy may be here to stay.

Introduction

The EU Commission is intent on expanding the global influence of its standards. Despite criticisms of the 'adequacy' concept, there are numerous reasons, both inside and outside Europe, why it will be difficult to change. Uruguay and New Zealand are likely to be next on the list.

The ‘adequacy’ mechanism in the EU data protection Directive, and perceptions of it, have been one (but only one) of the means by which the influence of European data privacy standards has been felt outside Europe. The EU’s ‘border control’ approach is to require member states to limit data exports unless ‘adequate protection’ can be demonstrated at the receiving end (EU Directive Articles 25, 26). In summary ‘[t]he effect of a Commission adequacy finding is that personal data can freely flow from the 27 EU Member States and the three EEA member countries to that third country without any further safeguard being necessary. However, the exact requirements for recognition of adequacy by the Commission are currently not specified in satisfactory detail in the Data Protection Directive’ (EU Commission, 2010, 2.4.1). There are further problems: different EU Member States make different judgments on adequacy, and there is considerable criticism of whether EU countries live up to their own standards, including assertions of considerable inconsistency and non-enforcement by EU members in relation to the data export provisions (Bygrave 2010, p 197).

There are now 81 jurisdictions in the world with data privacy laws, excluding those only covering the public sector (Greenleaf, 2011b), so there are 53 theoretical candidates for adequacy findings. However, the EU has only made adequacy decisions in relation to nine jurisdictions as a whole (Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, and Jersey), some of which are of relatively little economic or political significance. ‘Adequacy’ certainly has its critics, and many criticisms, theoretical and practical, have substance. But let us not be too hasty.

Adequacy within Europe: Convention 108 as an ‘adequacy substitute’

The small number of adequacy findings is deceptive because 19 of the 53 countries mentioned are European non-EU/EEA countries, such as Serbia and Ukraine, which are not among the 30 members of the European Economic Area (which includes the 27 EU Member States). For such European countries that have acceded to both Convention 108 and the Additional Protocol, it appears that an adequacy finding is not needed in practice. We can infer this from the fact that no such country has bothered to apply for an adequacy finding, even though they are the most likely countries to be successful. There are a number of reasons for this. A European country that is a party to the Additional Protocol must have a law that meets all the key requirements of the Directive, including those concerning export prohibitions and the existence of a DPA, and must be a party to the European Convention on Human Rights (ECHR), thus giving individual rights of redress. So there are few risks of breaching the Directive in exporting personal data to such countries. Their de facto adequacy is supported by the fact that the criteria for adequacy under Article 25 include the international commitments that countries have entered into. From the perspective of the European non-EU/EEA country, an adequacy finding would not add much, because the Council of Europe Convention 108 requires free flow of personal data between member states. The result is a de facto situation where there is, in practice, simply no need for an adequacy declaration (or significant risk in the absence of one), from either perspective, so none have bothered.

Adequacy outside Europe: Expanding in two ways

Uruguay and New Zealand will soon be added to the list of countries considered ‘adequate’, following positive findings by the increasingly pragmatic Article 29 Working Party (Greenleaf and Bygrave 2011). It is arguable that Colombia, Mexico and Peru also have adequate laws (Palazzi, 2011). South Korea, Taiwan and India could each put forward a case after 2011 (with varying degrees of difficulty), as could Hong Kong and Australia after their legislatures complete their reform processes (see generally Greenleaf, 2011a). The new laws in Africa resemble the EU Directive in their principles, so arguments for adequacy would hinge largely on issues of effective enforcement. There could be significantly more adequacy findings outside Europe if the EU was more pro-active and more transparent about its processes. Where the EU has made positive adequacy decisions it has publicised the reasons, but where it has considered ‘applications’ from other countries but concluded that their protections were not yet adequate, it has not generally publicised the reasons for these negative conclusions. There has therefore been much less information available about what does and does not constitute ‘adequacy’ than is desirable.

Despite the slow pace of the EU in making and publicising assessments, the desire to eventually obtain an ‘adequacy’ finding from the EU, or in a more amorphous form, to have one’s law regarded as of the highest international standard (that the EU Directive is considered by many to embody) has been a significant influence on the development of laws outside Europe. Of the 29 African, Latin American, Asian, Australasian, and other jurisdictions with data privacy laws, all jurisdictions except four (Japan, Bahamas, Vietnam and Chile) have at least four of the ten most distinctive ‘European’ elements. Nineteen of the 29 have 7 or more elements, and 13 of the 29 have at least nine of the ten elements (Greenleaf, 2011b). It is a plausible (and in my view, correct) hypothesis that the EU Directive is the most significant overall influence on the content of data privacy laws outside Europe, and that its influence is gradually strengthening, partly because of the desire of non-EU countries to have their laws recognised as ‘adequate’, but also because of their aspiration that their laws should be recognised as providing the highest international standard of privacy protection.

As a result, ‘adequacy’ has stopped being a primarily EU concept. Outside Europe, ‘border control’ data export limitations are found in almost all (25/29) data privacy laws in all regions, though their strength varies a great deal, and they are not yet in force in the laws of Malaysia and Hong Kong. Non-EU/EEA European countries also have data export limitations in their law because of the Additional Protocol. So anyone who wishes to criticise the EU for wanting to ‘impose its standards on the rest of the world’ had better level the same accusation at the rest of the world.

The strengthening Directive (and Convention)

Sixteen years after 1995, the EU’s promotion of its standards is growing stronger, although it is not without critics. After reviewing the EU’s current data privacy legal framework through conferences, consultations and commissioned reports (including Korff and Brown, 2010), the EU Commission has concluded that ‘the core principles of the Directive are still valid and that its technologically neutral character should be preserved’, although it should be strengthened in various ways (EU Commission, 2010, 1), as discussed in Greenleaf (2011). The European Commission is intent on expanding the global influence of its standards, and in fact seems to see them as ‘universal principles’ (EU Commission, 2011, 2.4.2):

Data processing is globalised and calls for the development of universal principles for the protection of individuals with regard to the processing of personal data. The EU legal framework for data privacy has often served as a benchmark for third countries when regulating data privacy. Its effect and impact, within and outside the Union, have been of the utmost importance. The European Union must therefore remain a driving force behind the development and promotion of international legal and technical standards for the protection of personal data, based on relevant EU and other European instruments on data privacy.

Furthermore, it is intent on strengthening both the Principles and the enforcement mechanisms of EU data privacy (EU Commission, 2010). ‘The Lisbon Treaty provided the EU with additional means to achieve this: the EU Charter of Fundamental Rights - with Article 8 recognising an autonomous right to the protection of personal data - has become legally binding, and a new legal basis has been introduced allowing for the establishment of comprehensive and coherent Union legislation ...’. The aim is to ensure ‘that the fundamental right to data protection for individuals is fully respected within the EU and beyond’ (EU Commission, 2010, 1). The final two words indicate the significance for the rest of the world.

The Council of Europe is also undertaking a process to ‘modernise’ the Convention (see pages xx). If this ‘modernisation’ were to significantly weaken the standards currently found in the Convention plus Additional Protocol, it would destroy its current rough equivalence with the Directive. This factor militates against such changes.

Diverging norms?

Outside Europe, some of the emergent international data privacy norms that the Commission is considering (such as data breach notification in all sectors, the ‘right to be forgotten’ and ‘data portability’), and other innovations, have already started to be incorporated in laws or legislative proposals. The US has to some extent led the way with the development of data breach notification rights, but these are also now incorporated in the data privacy laws of Taiwan and South Korea (Greenleaf, 2011a, 2011c), and in proposed legislation in Australia. South Korea also has an explicit ‘no disadvantage in case of refusal’ rule, requiring provision of services, with no extra costs, where data privacy rights are exercised. Australia has since 2001 had a specific principle requiring the option of anonymous transactions wherever this is feasible, whereas the EU’s proposals for stronger data minimisation are not this explicit. Genetic data is already explicitly protected in India’s new law. These examples are only from the Asia-Pacific, but similar ones may well be found in Latin America and Africa. Because of innovations like these at the national level in APEC economies, the EU Commission’s proposals are unlikely to increase divergence in data privacy standards around the world in the long term. If they widen the gap between EU and APEC principles (which are generally lower standards than are found in Asia-Pacific legislation), that will only make the APEC process less influential in practice.

Conclusions

The future for European privacy standards, including the ‘border control’ principle of ‘adequacy’, is far more positive than the criticisms they receive might lead us to believe. Attempts to replace the adequacy concept with some notion of ‘accountability’ that abandons ‘border control’ not only go against the likely direction of reforms of the Directive, but would also involve changing the Council of Europe Convention Additional Protocol, and all non-EU/EEA laws, and almost all data privacy laws outside Europe as well. The inertia that exists against such change occurring is considerable. Like it or loathe it, adequacy may be here to stay.

References

This article is based on parts of G Greenleaf (2011b), cited below. The full article is available online.

Bygrave, L (2010) ‘Privacy and Data Protection in an International Perspective’, Scandinavian Studies in Law, 56, 165–200; http://www.uio.no/studier/emner/jus/jus/JUR5630/v11/undervisningsmateriale/, accessed 2 September 2011

EU Commission, 2010 ‘A comprehensive approach on personal data protection in the European Union’ (Communication From The Commission To The European Parliament, The Council, The Economic And Social Committee And The Committee Of The Regions), Brussels, 4.11.2010, COM(2010) 609 final

Greenleaf, G (2011) ‘Global data privacy laws: Forty years of acceleration’ in (2011) 112 Privacy Laws & Business International Report, 11-17, September 2011

Greenleaf, G (2011a) ‘Asia-Pacific data privacy: 2011, year of revolution?’ in Kyung Hee Law Journal (forthcoming), available as [2011] UNSWLRS 29 at http://law.bepress.com/unswwps/flrps11/art30/

Greenleaf, G (2011b) ‘The influence of European data privacy standards outside Europe: Implications for globalisation of Convention 108’ to be published in (2012) 2:2 International Data Privacy Law, and available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1960299

Greenleaf, G (2011c) ‘Breach notification and diffused enforcement in Taiwan’s DP Act’ Privacy Laws & Business International Report, Issue 109, 12-13, February, 2011

Greenleaf, G and Bygrave, L (2011) ‘Not entirely adequate but far away: Lessons from how Europe sees New Zealand data protection’ Privacy Laws & Business International Report, 111, 7-8, July, 2011

Palazzi, P (2011) ‘Data protection law in Latin America’ (PPTs), presented at Privacy Laws & Business Annual Conference, Cambridge, July 2011


URL: http://www.austlii.edu.au/au/journals/UNSWLRS/2012/5.html