The ‘adequacy’ mechanism in the EU data protection Directive, and perceptions of it, have been one (but only one) of the means by which the influence of European data privacy standards have been felt outside Europe. The EU’s ‘border control’ approach is to require member states to limit data exports unless ‘adequate protection’ can be demonstrated at the receiving end (EU Directive Articles 25, 26). There are now 81 jurisdictions in the world with data privacy laws, excluding those only covering the public sector (Greenleaf, 2011b), so there are 53 theoretical candidates for adequacy findings. However, the EU has only made adequacy decisions in relation to nine jurisdictions as a whole (Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, and Jersey), some of which are of relatively little economic or political significance.
‘Adequacy’ certainly has its critics, and many criticisms, theoretical and practical, have substance. But this article argues that we should not be too hasty, and outlines a number of reasons why ‘adequacy’ is now so entrenched in legal systems across the world that it will not be easy to remove. The list of countries considered adequate is expanding slowly: Uruguay and New Zealand will soon be added to the list. Despite the slow pace of the EU in making and publicising assessments, the desire to eventually obtain an ‘adequacy’ finding from the EU, or in a more amorphous form, to have one’s law regarded as of the highest international standard (that the EU Directive is considered by many to embody) has been a significant influence on the development of laws outside Europe. Consideration of the 29 African, Latin American, Asian, Australasian, and other jurisdictions with data privacy laws suggests that the EU Directive is the most significant overall influence on the content of data privacy laws outside Europe, and that its influence is gradually strengthening.
As a result, ‘adequacy’ has stopped being a primarily EU concept. Outside Europe, ‘border control’ data export limitations are found in almost all (25/29) data privacy laws in all regions, though their strength varies a great deal, and they are not yet in force in the laws of Malaysia and Hong Kong. Non-EU/EEA European countries also have data export limitations in their law because of the Additional Protocol to Council of Europe Convention 108. So anyone who wishes to criticise the EU for wanting to ‘impose its standards on the rest of the world’ had better level the same accusation at the rest of the world.
There is also, as yet, little indication that the current revisions of the Directive or the Convention will result in Europe abandoning its ‘border control’ approach. The future for European privacy standards, including the ‘border control’ principle of ‘adequacy’ is far more positive than the criticisms they receive might lead us to believe. Attempts to replace the adequacy concept with some notion of ‘accountability’ that abandons ‘border control’, not only goes against the likely direction of reforms of the Directive, but would also involve changing the Council of Europe Convention Additional Protocol, and all non-EU/EEA laws, and almost all data privacy laws outside Europe as well. The inertia that exists against such change occurring is considerable. Like it or loath it, adequacy may be here to stay.
Computer Law | Cyberspace Law | Human Rights Law
Date of this Version
Graham Greenleaf, "Do not Dismiss ‘Adequacy’: European Data Privacy Standards are Entrenched" (February 2012). University of New South Wales Faculty of Law Research Series 2012. Working Paper 5.