“Without such a[n adequate protection] finding businesses must undertake more cumbersome and expensive processes under European law to legitimize such data transfers. A finding will be potentially advantageous to New Zealand from a trading perspective.”[1]
I(llegally) T(ransmitting) D(ata)
Every day, personal data are transferred across international borders in amounts impossible to quantify. Most companies in the EU/EEA, as in any other region of the world, constantly need to send personal data outside that area for multiple business, administrative and compliance reasons in order to run their day-to-day operations and stay competitive in a market that is a little more global with every day that passes. An Austrian tourism agency that organizes trips to Brazil, for example, needs to send its customers’ data to the Brazilian hotels; the Spanish subsidiary of a US company may need to send personal data of its employees, suppliers or customers to the US headquarters; a Japanese NGO trying to collect donations in Europe to help Japan with the terrible consequences of the recent earthquake may need to send donors’ personal data outside of Europe, etc.
Despite the vital importance of cross-border data transfers, illegally transmitting data outside the EU/EEA is one of the most common ways in which companies violate the local laws implementing the so-called EU Data Protection Directive[2] and one more reason for corporate compliance officers to suffer yet another headache.
In fact, article 25.1 of the Directive establishes that data transfers to a third country[3] “(…) may take place only if (…) the third country in question ensures an adequate level of protection.” A literal interpretation of this provision, and especially of the use of the word “only,” would imply that either the third country is a “data-safe destination” under EU standards and data can be freely transmitted there, or it is unsafe and no data at all can be transferred. Of course, this would make it very complicated to do any business with those “unsafe” jurisdictions which, as we will see, are most of the countries in the world. As a result, the EU developed certain mechanisms that, when properly implemented, “sanitize” individual data transfers (as opposed to all transfers collectively) to “unsafe” jurisdictions. These are chiefly: the US Safe Harbor Certification, the Standard Contractual Clauses, and Binding Corporate Rules.
This article, however, does not focus on these individual mechanisms,[4] as its primary goal is to explore the history, evolution and future of the “adequate protection” standard that the EU developed as a starting point to identify certain jurisdictions as “data-safe destinations” to which data can be automatically sent from the EU.
Article 25.6 of the EU Data Protection Directive designates the EU Commission as the institution in charge of determining which countries ensure an adequate level of data protection “by reason of its domestic law or of the international commitments it has entered into.” Once the Commission is satisfied about the protection offered by a jurisdiction, it makes its finding public by adopting a “Commission Decision.” However, before reaching this final step, there is a whole prior process that includes:[5]
- An initial proposal from the Commission. Oftentimes, the country looking to obtain a positive finding, especially when it does not have a special political or administrative relationship with an EU Member State, will directly request the Commission to start the process through diplomatic channels.[6]
- A positive opinion from the Article 29 Working Party.[7] This is an essential step for any jurisdiction that aspires to obtain a positive finding.
- An opinion from the Article 31 Management Committee[8] delivered by a qualified majority of Member States.
- A thirty-day right of scrutiny for the European Parliament (EP) to check whether the Commission has used its implementing powers correctly. The EP may, if it considers it appropriate, issue a recommendation.
- The adoption of the decision by the Commission.
But any avid reader, or country in search of a positive adequate protection finding, would not only want to know about the formal process but would also wonder what the Commission is really looking for in a country in order to make its determination. In its decisions to date, the Commission has offered some general guidance. The decisions usually refer to an analysis of the local data privacy/protection laws and implementing regulations that the country has enacted, and of the data privacy conventions, guidelines or other international instruments[9] the country has entered into, to see whether these are “largely based on the standards set out” in the EU Data Protection Directive[10] and “cover all the basic principles necessary for an adequate level of protection for natural persons.”
This, of course, is very broad guidance. The Article 29 Working Party, whose prior opinion, as we have seen, plays a very important role in the process, has provided more specific guidelines. This group has made clear what it is looking for in a candidate:[11] the existence in its legal system of certain “data protection ‘content’ principles and ‘procedural/enforcement’ requirements.”
- The Content Principles: The privacy laws or regulations of a country that may be considered to have adequate data protection need to include the following principles: the purpose limitation principle; the data quality and proportionality principle; the transparency principle; the security principle; the rights of access, rectification and opposition; and restrictions on onward transfers.
- The Procedural/Enforcement Mechanisms: The candidate’s data protection procedural system must ensure the following objectives: to deliver a good level of compliance with the rules; to provide support and help to individual data subjects in the exercise of their rights; and to provide appropriate redress to the injured party where rules are not complied with. Complying with these objectives might be easier if there is a supervisory authority, a so-called data protection authority, in charge of enforcing the rights and obligations under the domestic privacy laws.
The Chosen 9
As of March 2011, only nine jurisdictions have received an adequate data protection finding: Switzerland (Commission Decision of 7/26/2000), Canada (12/20/2001), Argentina (6/30/2003), Guernsey (11/21/2003), Isle of Man (4/28/2004), Jersey (5/8/2008), Faroe Islands (3/5/2010), Andorra (10/19/2010), and Israel (01/31/2011).[12]
Switzerland, a historic EU business partner completely surrounded by EU countries and that has a comprehensive data privacy law predating the EU Data Protection Directive by more than three years, was the perfect candidate to be the first country recognized by the Commission as having adequate protection. This happened in July 2000.
At the end of 2001, Canada, another important EU business partner, was the second country to be issued an adequate protection finding, just a little over a year after its federal data privacy law, PIPEDA, was enacted. The finding is limited to “recipients subject to” PIPEDA. Canada is, to date, the only North American country that forms part of this privileged club. Mexico, based on its recent enactment of an omnibus data protection law, the Federal Law on Protection of Personal Data Held by Private Parties,[13] is the logical candidate to be the next country to enlarge North America’s presence in this “data-safe destination” group.
We had to wait until mid-2003 for a South American country, Argentina, to secure a positive decision from the Commission. Argentina’s recognition was primarily due to the similarities between its data privacy law and the Directive. Uruguay will probably soon join Argentina as the second South American country with a positive determination.
After these first three decisions validating the data protection standards of three trading partners of a considerable size, more than seven years had to pass until another economically and politically significant jurisdiction, Israel, obtained the Commission’s approval at the beginning of 2011. During those seven years only five jurisdictions, all considerably smaller than the first three in terms of population, land area and economic power, were anointed by the Commission as having adequate protection: the three British Crown Dependencies (Guernsey in November 2003, Isle of Man in April 2004 and Jersey in May 2008), the Faroe Islands in March 2010 and Andorra in October 2010. All of these have in common being smaller jurisdictions located on the European continent and having very tight political, administrative and economic relationships with certain EU Members (the UK; Denmark; and Spain and France, respectively).
As of March 2011, the Commission has not issued any adequate protection decisions in favor of countries from Africa, Asia or Oceania. The Article 29 Working Party, however, did issue an opinion with regard to Australia’s adequacy.[14] This opinion stated that Australia’s regime could only be regarded as adequate “if appropriate safeguards were introduced to meet” the specific concerns expressed by the Working Party in the opinion. With this, the Working Party was basically telling the Australian government that it needed to improve and strengthen its data privacy regime in order to obtain a positive finding from the Commission.
For an array of reasons, Uruguay is, without a doubt, the number one candidate, and probably the only real candidate for some years to come, to be the next jurisdiction to obtain an adequate protection finding. Uruguay’s data protection law is very similar to Argentina’s, a legal regime already approved by the Commission, and the Article 29 Working Party already issued its affirmative opinion in October 2010.[15] Therefore, everything indicates that the Commission decision in favor of Uruguay could be issued sometime during 2011.
Other potential candidates include countries that have recently enacted or amended comprehensive data privacy laws, such as New Zealand,[16] Mexico and Ukraine. Malaysia and Taiwan may also become candidates once their recently passed law and amendment (respectively) enter into force.[17] However, as we will explain, it might take more time than usual for these countries to have a chance, if any, to obtain such recognition due to the privacy regime reform process that the EU is currently undertaking.
Why Does It Matter or Why Does It Not?
The words from New Zealand’s Privacy Commissioner reproduced at the beginning of this article are the best answer to the first of these questions: “Without such a[n adequate protection] finding businesses must undertake more cumbersome and expensive processes under European law to legitimize such data transfers. A finding will be potentially advantageous to New Zealand from a trading perspective.” That is to say, obtaining such recognition from the Commission should be, in principle, economically advantageous for a jurisdiction: once it is anointed, companies based in the EU/EEA would be able to freely send personal data to that jurisdiction as if the data were sent within the EU/EEA area (e.g., a transfer from Spain to Argentina is treated the same as a transfer from Spain to Denmark) without having to use model contractual clauses, binding corporate rules, etc. This, of course, simplifies the transfer, makes it cheaper and makes the jurisdiction a more appealing destination for EU/EEA-based businesses to grow there, either directly by opening new subsidiaries or branches or indirectly through the outsourcing of part of their business.
This appears to be the rationale shared by the countries that decided to jump onto the EU comprehensive data protection regime bandwagon, as the information published by “Uruguay XXI,” the Uruguayan Investment and Export Promotion Institute, also evidences: “The EU recognition will open the possibility for major European investments, in particular it will help Uruguay boost its outsourcing industry (call centers, data centers, technology parks) and attract more EU-based companies looking for providers of administrative, financial and other data processing services in Latin America.”[18]
That being the case, why have only a very limited number of countries tried to obtain adequate protection recognition? As we have seen, only nine jurisdictions, five of which have a population of less than 100,000, out of the more than one hundred ninety countries in the world, have been anointed by the Commission, and only one more jurisdiction, Australia, has apparently been under serious consideration. We can all agree that this is not a significant tally for the more than fifteen years that the Directive has been in force.
The explanation for this might be twofold:
- Implementing an EU-style data protection regime is a lengthy, expensive, burdensome and potentially contested undertaking from the political, legislative, administrative and enforcement perspectives. Legislators from many jurisdictions may consider this task daunting and maybe also unnecessary as individual data controllers have other mechanisms (e.g., US Safe Harbor Certification, Standard Contractual Clauses, Binding Corporate Rules) they can effectively use to privately comply with the EU international data transfer requirements without the specific data importing jurisdiction having to make the effort to adjust to the strict EU data protection parameters to obtain adequate data protection recognition.
- The implementation by a country of an omnibus data protection regime that may be deemed as offering adequate data protection by the European Commission may act as a deterrent for new businesses to start operations. It is arguably cheaper for companies to operate in a less-privacy-regulated environment where they do not have to allocate resources to, for example, notifying data subjects, differentiating the treatment of sensitive data from regular data, transferring data abroad, purging obsolete data, etc. That is to say, the same economic/trading analysis that may make a country consider it beneficial to implement a robust data privacy regime in order to be anointed by the Commission may be used to argue that less regulation makes more business sense.
As is widely known, the Commission is currently embarked on a process to reform the EU data privacy legal framework. As part of this reform, the Commission[19] has already declared that it intends to “improve, strengthen and streamline the current procedures for international data transfers, including the so-called ‘adequacy procedure.’”
Based on the information released so far, the reform will not be limited to new requirements or limitations concerning international data transfers; it is conceived as a global reform of the EU privacy legal system. The positions of the Article 29 Working Party[20] and of the Commission appear to suggest the EU might be moving towards an even less business-friendly data privacy regime, with the proposed inclusion of new individual rights for data subjects, such as the “right to be forgotten” or a data breach notice right.
Therefore, it is within the realm of possibilities that no new countries, with the possible exception of Uruguay, as it has already been vetted by the Article 29 Working Party, will obtain an adequate data protection finding until the reform process is completed, which may well take several years. It would not make much sense for the Commission to use the “adequate protection” process, while it is under scrutiny and likely to be somewhat reformed, to approve jurisdictions whose data protection level may be “adequate” under current EU standards but deficient once the reform has been completed.