A new wave of adequacy decisions? Spotlight on!

In 2016 the number of countries that had enacted data privacy laws stood at 109, a significant increase in mid-2011 according to the EU Commission. However, only 11 out of these 109 countries have received an adequacy decision by now. Leaving aside arguably less relevant micro or island states such as Guernsey or the Faroe Islands as well as countries from the European Free Trade Area basically only 6 have been accredited the often so-called “golden standard”: Canada, New-Zealand, Argentina, Israel and Uruguay.” Thus, personal data can be transferred from the EU to these states without additional guarantees such as standard contractual clauses or corporate rules (more information on data transfers in Bitkom’s Guidelines on International Data Transfers which are currently updated).

It seems that after the adoption of the GDPR and the Privacy Shield the EU Commission has more time and capacity to deal with international data transfers. This is not only reflected in the new organizational structure of DG Justice, which now has its own “International data flows and protection unit” led by Bruno Gencarelli but also in the Commission’s new Communication on Exchanging and Protecting Personal Data in a Globalized World published in January.

Specifically relevant for the digital industry was the announcement that countries like Japan and South Korea have been put in the spotlight and will be examined for adequacy decisions as they might have similarly high data protection standards as the EU. Both countries recently issued new data protection laws and strengthened the protection of privacy. Data transfers to these countries could then be considerably facilitated.

One important step has been made last week at CeBIT where the European Commission and the Japanese Government officially launched a dialogue on data protection and data flows to strengthen the EU-Japan bilateral cooperation on the data economy. The official statement can be found here. Interestingly, Japan’s new Act on the Protection of Personal Information (APPI) has similar adequacy provisions as the EU data protection law. This basically means that both countries have to share information on their data protection regime and ideally both countries declare each other adequate simultaneously during the assessment process.

This year’s Privacy Conference will also focus on data transfers on a global level. Bitkom is especially happy to announce that the Japanese Data Protection Authority has confirmed to speak about the topic at our conference.