Article 45 of the GDPR allows the transfer of personal data from the EU to a third country when the third country ensures an “adequate level of protection” (adequacy decision). In determining “adequacy,” the GDPR provides specific factors to consider including the country’s respect for human rights, the effectiveness of its data protection authority, and its pre-existing obligations to other countries. Adequacy decisions are subject to periodic review (minimally, every four years) and require ongoing monitoring.
The European Commission’s adoption of an adequacy decision means that personal data can flow safely from the EU to the other country without being subject to any further safeguards or authorization. The adoption of an adequacy decision involves: (1) a proposal from the European Commission; (2) an opinion of the European Data Protection Board; (3) approval from representatives of EU countries; and (4) the adoption of the decision by the European Commission.
The European Commission has already recognized Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay in years past as adequate keepers of data. In the wake of the Schrems cases and recent TikTok discussions, there has been significant scrutiny of government access to data around the world. The CJEU justified invalidating the Privacy Shield mechanism for personal data transfers from Europe to the U.S. by pointing to the nature of U.S. government access to private-sector data. India and the United States have ramped up pressure on TikTok to either be divested of its Beijing-based ownership or lose all access to their respective markets. Each nation referred to China’s cybersecurity law, which preserves government access to private data. Yet government demands for data held by the private sector are becoming commonplace.
In the United States, through sections of the FISA law, a special court order can be imposed on certain telecommunications service providers to disclose communications that may impact national security. Similarly, in Germany, telecommunication providers are mandated to collect particular data from their customers. These data elements include name, address, and telephone number, which German law refers to as “inventory information.” This inventory information is sent to the Federal Network Agency, with other agencies having the ability to make requests for that information as well.
The French surveillance law of 2015 goes even further, granting the French government express access to metadata in messaging, authorizing the production and use of algorithms to hunt for suspicious data that the government can capture and review, and allowing government access for multiple reasons, including economic espionage. The French law also authorized the government to analyze digital information affecting the national defense, foreign policy interests, and major economic, industrial and scientific interests of the French government, as well as to prevent terrorism, organized crime, and immediate threats to public order. Somehow the EU finds these to be adequate safeguards for individual privacy.
Under their cybersecurity law, the Chinese government has the right to obtain from any person or entity in China any information the Chinese government deems has any impact on Chinese security. The Indian government has developed a central monitoring system that has the means to intercept electronic communications and correspondence including e-mails, text messages, and voice calls.
The Brazilian Communications Agency intended to build technology to connect directly into telecommunication companies’ systems in an effort to gain access to a very particular type of data, including which numbers were dialed, the time and date the calls took place, and the duration of the calls. Some states like Russia, Thailand, and Malaysia simply provide no practical protection from government capture and the use of individual data.
With governments around the world enhancing their surveillance capabilities, perhaps we are heading to a perpetual state of inadequacy (at least for GDPR purposes).