20.10.2020
The decision of adequacy in International Data Transfers (IDT)
In this article, we will treat the decision of adequacy in the IDT: Who dictates them? What is the adequate level of data protection? Is it the only valid method to comply with the requirements of the GDPR? We proceed to analyze it.
Por
Sanz González , María Introduction
Recently, we have published an article regarding International Data Transfers (TID). These, let us remember, involve the transmission of personal data. Specifically, the person in charge of these, from the EU, sends them to an external country or international organization, among others.
Who dictates the Decision of Adequacy?
It is the European Commission (EC). Responsible for affirming that a State or IO (mainly) complies with the appropriate level of protection. And we say mainly because the GDPR also includes various possibilities regarding who can be subject to that decision. Among others, specific territories or specific sectors of a third State.
But so far the EC has only declared 13 countries with an adequate level of data protection. Among them: Canada, Switzerland, Argentina, Guernsey, Isle of Man, Jersey, Faroe Islands, Andorra, Israel, New Zealand and Uruguay.
Si te ha interesado este artículo no dudes en leer:
Sanctions of the Data Protection Regulation
What is the appropriate level of protection?
A good analysis of this terminology is provided by the Sentence of the ECJ Schrems II of 16 July 2020. Although we have an article on this subject on our website, it is worth mentioning the effects of this briefly. It leaves “Privacy Shield” without effect. This is the agreement that was in force regarding Data Protection between the EU and the USA. Therefore, we see that a Decision of Adequacy can be declared invalid, losing its effects. With the USA it has already happened twice.
The appropriate level of protection is thus required from the third country, IO, territories or specific sectors. Both its internal legislation and its international commitments must be guarantors of certain specific requirements. Mainly, to be able to equate their protection of fundamental rights and freedoms to that carried out by the EU.
Are there other methods of performing IDT?
Yes, there are only thirteen countries that have an Adequacy Decision in their favor. However, as we have seen, the United States is not one of them. We are talking about the world power, with which we constantly exchange data.
This is why in these cases we can turn to alternative solutions that offer guarantees regarding data protection. Such as Model Contract Clauses or MCC (whose validity is being increasingly questioned). Also, the Binding Corporate Rules, Codes of Conduct, Binding Agreements, among others.
Conclusion
From ILP we have already mentioned the logical relevance of the TID. For this reason, it was mandatory to briefly analyze the Decision of Adequacy. As well as to define the “Adequate Level of Data Protection”. Given the scarcity of Suitability Decisions, it is necessary to keep in mind the possible alternative options. They are the mentioned MCC, Binding Corporate Rules, Codes of Conduct, among others. These alternatives will be of vital importance at the time of making TID with the United States, pending a possible new agreement with that country, which for the moment seems distant.
If this article has been of interest, we also suggest you to read the following article published on our website:
What is an appropriate level in international data transfer?
Competition and control of business concentration
Mortgage Lending Directive 2014/17/EU
