New EU Rules for Data Protection and Extra-EU Adaptation

Science and Technology - March 9, 2024

The importance of personal data protection is at the centre of European policies, and on 15 January 2024, the European Commission published a report regarding the adequacy of some non-EU countries.

With the “Report” of January 15th, the European Commission communicated to the Parliament and the Council the results of the review activities regarding a series of adequacy decisions adopted on the basis of Directive 95/46/EC, which was replaced by EU Regulation 2016/679, known as GDPR. These decisions concern 11 third countries that are neither part of the European Union nor the European Economic Area, including Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The Commission clarified that with the advent of the GDPR in May 2018, adequacy decisions already in force would remain valid until they were amended, replaced or repealed. The Commission’s commitment in this field is part of its institutional tasks, with the aim of constantly monitoring the adequacy of data protection laws in the third countries concerned. This monitoring is crucial, especially considering the growing importance of data flows and the digitalization of society.

Transferring data across national borders is common practice for many companies and organizations, and it is critical to ensure that such transfers are to countries that offer an adequate level of protection for personal data. This means that the legal system of the importing country must guarantee respect for human rights and fundamental freedoms, as well as specific provisions on data protection and the presence of an independent supervisory authority. Adequacy decisions, therefore, act as a “license” for the free movement of data, allowing operators to transfer data to these countries without having to take additional security measures. However, it is important to underline that, despite the adequacy being confirmed, operators must still take all necessary measures to ensure data protection in accordance with European laws.

The Commission’s report provides a detailed overview of the main regulatory characteristics of each of the 11 third countries, highlighting any legislative or legal innovations that justify maintaining adequacy. Confirmation of the adequacy of data protection laws in third countries is good news for businesses and organizations operating internationally, ensuring they can transfer data securely and in compliance with European regulations.

Adherence to data protection principles and regulations has become a critical priority in the modern world, where the transmission of information occurs rapidly across national borders and beyond the borders of the European Union. Recognition of the adequacy of data protection systems in third countries is a significant step towards facilitating such data transfers, while ensuring an adequate level of protection of privacy and fundamental rights. Among the countries that have obtained confirmation of their adequacy, there are a variety of jurisdictions, from Israel to New Zealand, from Switzerland to Argentina. This diversity demonstrates the importance of an individualized assessment of data protection regulations in each country, taking into account the regulatory context, practices and institutional guarantees present.

However, it is important to highlight that the concept of “adequacy” is not static and immutable and data protection laws and practices may evolve over time, and as a result, adequacy decisions may also be subject to review. Therefore, it is essential that the European Commission continues to carefully monitor regulatory developments in third countries and update its assessments accordingly. In an increasingly interconnected world, data protection is not just about commercial transactions, but also about national security, the protection of human rights and the privacy of individual citizens. Adequacy decisions therefore play a crucial role in ensuring a balance between the need to facilitate the international flow of data and the need to protect the privacy and security of personal data. For businesses and organizations involved in international transactions, confirmation of the adequacy of data protection systems in third countries represents crucial reassurance, allowing them to conduct their businesses securely and in compliance with European regulations.However, it is essential that these operators continue to be vigilant and take all necessary measures to ensure data security and protection, even beyond adequacy decisions.