Feeling inadequate? Why adequacy decisions are rare (and may get rarer) in Asia-Pacific
Early this year, Japan became the first country in the Asia-Pacific region to be granted an 'adequacy decision' by the European Commission since the implementation date of the General Data Protection Regulation. Despite the significance of this development, Japan remains only the second country in the Asia-Pacific region to be granted an adequacy decision since the concept was introduced by Directive 95/46/EC on Data Protection in 1995, joining New Zealand, which was granted an adequacy decision in 2012. Nicholas Blackmore, Special Counsel at Kennedys, provides insight into the state of play with regard to the potential for more Asia-Pacific countries to be granted adequacy decisions, and the challenges that may deter countries from entering into the process.
The EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') restricts the transfer of personal data outside of the European Economic Area ('EEA'). The restrictions are designed to ensure that businesses cannot circumvent the protections of the GDPR simply by processing personal data in another jurisdiction. They were originally introduced in 1995 as part of Directive 95/46/EC on Data Protection ('the Directive'), and were carried over into the GDPR with only minor changes.
These restrictions are a significant burden for businesses in the age of IT outsourcing, cloud services and international electronic commerce. They affect the many European businesses that have operations, suppliers or partners outside the EEA, and also affect businesses outside Europe that are subject to the GDPR (for example, because they offer goods or services to individuals located in the EU or process personal data on behalf of a European controller).
In an attempt to alleviate this burden, the GDPR provides for the European Commission ('the Commission') to issue 'adequacy decisions' if it decides that a country or territory outside the EEA ('a third country') provides an 'adequate level of protection' for personal data. If an adequacy decision is issued in relation to a third country, controllers and processors subject to the GDPR may transfer personal data to any recipient in that country without restriction.
What is the current status of adequacy decisions in Asia-Pacific?
It is nearly 24 years since the Directive, and with it, the concept of adequacy decisions, was introduced. In that time, only 12 countries have managed to obtain an adequacy decision. Of the EU's top 40 trading partners, only Switzerland, Israel and Argentina have been granted a full, unqualified adequacy decision. Canada and the US have been granted qualified decisions: Canada's is limited to the private sector, while the US decision applies only to companies who comply with the voluntary Privacy Shield scheme. The remaining decisions relate to small states that are not major trading partners of the EU, such as Uruguay and New Zealand, and to European micro-states like Guernsey, Jersey, the Isle of Man, the Faroe Islands and Andorra.
At the time of writing, the Commission has adopted adequacy decisions on New Zealand, and more recently, Japan. South Korea is still in adequacy talks with the Commission, although this process appears to have stalled, with no sign of significant progress since late 2017.
Australia was considered for an adequacy decision in 2001. However, the report of the Article 29 Working Party ('WP29') (now the European Data Protection Board ('EDPB')), which provides non-binding opinions on adequacy to the Commission, identified eight areas in which Australian law did not offer adequate protection for personal data. The Australian Government subsequently declined to revise Australia's data protection laws in order to meet the required standard.
This lack of adequacy decisions belies the fact that 11 Asia-Pacific jurisdictions now have some form of national data protection legislation: Australia, China, Hong Kong, Japan, Macau, Malaysia, New Zealand, the Philippines, Singapore, South Korea and Taiwan. Yet of these, it appears that China, Hong Kong, Macau, Malaysia, the Philippines, Singapore and Taiwan have never even attempted to obtain an adequacy decision. Hong Kong in particular has had many years to do so: its Personal Data (Privacy) Ordinance took effect in 1996, before many EU Member States adopted the Directive.
This prompts the question: why haven't more Asia-Pacific countries sought or obtained an adequacy decision? There are several possible explanations.
The standard for an 'adequate level of protection'
The first explanation is that the standard of data protection required before the Commission will grant an adequacy decision is very high.
The Commission's primary consideration when making an adequacy decision is to what extent the law of the third country offers the same protections for personal data and the rights of data subjects as are provided under European law.
The standard required in this respect changed in 2015 due to the ruling of the Court of Justice of the European Union ('CJEU') in Maximillian Schrems v. Data Protection Commissioner (Ireland) ('Schrems'). Prior to 2015, the WP29 took the approach that it was not necessary for a third country to offer the same level of data protection as the Directive; it was sufficient that the country offered a broadly similar level of protection, even if it offered a lower level of protection than the Directive in some minor respects. However, the CJEU in Schrems held that, while a country's law does not need to be identical to EU law in order to be considered adequate, it must ensure a level of protection of personal data and the rights of data subjects that is "essentially equivalent" to that guaranteed in the EU by the Directive. This "essential equivalence" standard was subsequently codified in Recital 104 of the GDPR.
EU authorities do not just look at the third country's relevant legislation and case law when making this assessment. The GDPR requires that the Commission take into account a wide range of factors when assessing the protection that a country offers to personal data. This includes:
- the rule of law, respect for human rights and freedoms, and the availability of effective administrative and judicial redress for individuals whose personal data is being transferred;
- the effectiveness of independent supervisory authorities with responsibility for enforcing the data protection rules; and
- the international commitments the country has entered into.
Adequacy decisions also take into account the circumstances of the third country under consideration, and its relationship with, and importance to, the EU. For example, the adequacy decisions made in relation to Argentina, Canada and the US explicitly took into consideration that these countries are important trading partners of the EU. In the case of Argentina, the decision was granted despite the WP29 expressing concerns about weaknesses in Argentinian data protection laws. In the case of the US, the Safe Harbor and Privacy Shield schemes were approved as adequate, despite the fact that they are clearly less restrictive on businesses than the Directive. Another example of this appeared in the WP29's report on New Zealand, which dismissed concerns about deficiencies in New Zealand's onward transfer laws on the basis that, given its geographical distance from Europe, its size and the nature of its economy, it was unlikely that those deficiencies would have much practical effect on EU data subjects.
Finally, adequacy also has a temporal dimension. Adequacy decisions must provide for periodic review, at least every four years, to ensure that the country still offers an adequate level of protection. The European Parliament may request the Commission to maintain, amend or withdraw an adequacy decision at any time.
The process for granting an adequacy decision
Another explanation as to why more Asia-Pacific countries have not obtained an adequacy decision is that the process of obtaining a decision is a lengthy and complex one. The process, which usually takes more than a year, involves several stages:
- the Commission makes a proposal to consider a third country for an adequacy decision;
- the EDPB undertakes a review of the third country's data protection laws and practices, and issues an opinion on whether an adequacy decision should be made;
- a majority of EU Member States must approve the decision; and
- the Commission formally adopts the decision.
In practice, if the EDPB identifies inadequacies in the third country's data protection laws, the Commission will engage in talks with the country's government about how those inadequacies could be rectified. This might involve a change in law or the adoption of practical measures. It might involve increasing protection for all personal data processed in the country or solely for personal data which is subject to the GDPR. It might also involve limiting the scope of the adequacy decision to particular sectors or territories.
The usefulness of adequacy decisions
A final explanation as to why more Asia-Pacific countries have not obtained an adequacy decision is that, given the demanding and lengthy process involved, it is possible that many countries simply do not see the value in obtaining a decision.
When introduced in 1995, one aim of the adequacy decision process was to encourage other countries to adopt similar data protection laws to the EU. At first, it seemed to have the desired effect. Various countries in Asia-Pacific (including Hong Kong, Australia, New Zealand and Japan) introduced their own data protection laws in the decade following the introduction of the Directive, partly out of concern that failing to obtain an adequacy decision would disrupt data flows and trade with the EU.
After nearly a quarter of a century of living without adequacy decisions in place, these concerns seem to have dissipated. While an adequacy decision may make trade with Europe easier, the fact that most major trading partners of the EU still do not have a decision in place suggests that those initial fears about the disruption of data flows were unjustified. Asia-Pacific businesses have gotten used to including data protection clauses in their agreements, or obtaining the consent of individuals, in order to facilitate the transfer of personal data across borders. Asia-Pacific governments may well consider that they, and many other countries, have been fine without an adequacy decision for many years, and so question the need to undergo the major legislative changes that would be required to achieve "essential equivalence" with the GDPR.
Where to from here?
While the GDPR is still in its infancy, it seems likely that it will only make adequacy decisions more difficult to obtain.
Firstly, the GDPR contains a number of novel protections for personal data and rights for data subjects. For example, under the GDPR, businesses which control the processing of personal data are required to:
- notify data subjects of a wide range of information when collecting their personal data, including, for example, the existence of automated decision-making or profiling;
- on request by an individual, provide a copy of their personal data in a "portable" format that they can take to another service provider;
- maintain records of their processing activities;
- notify data breaches to a supervisory authority and to affected individuals; and
- appoint a data protection officer.
Secondly, the GDPR codifies and reinforces the "essential equivalence" requirement of Schrems, which appears to mean that only a country which adopts equivalents of all of the above protections would qualify for an adequacy decision today. These protections have few equivalents in Asia-Pacific data protection laws. For most Asia-Pacific countries, it would require a major overhaul of their existing data protection legislation and a lot of new compliance effort for government and business. Despite the growing importance of personal data protection in the information age, it is hard to see many Asia-Pacific countries having the political or economic motivation to do this.
It is interesting that the 12 adequacy decisions previously made under the Directive have so far been allowed to continue in effect under the GDPR. It seems unlikely that any of those countries, or indeed, any country outside the EEA, would currently meet the standard of essential equivalence with the enhanced protections afforded by the GDPR.
That being the case, it is interesting to consider whether the EU authorities might be forced to soften their approach to adequacy decisions. In 2017, the European Parliament called on the Commission to speed up the decision process with important trading partners.
Clearly, there is a balance to be struck between reducing the administrative burden on businesses and ensuring that individuals' personal data is protected after it is transferred outside the EEA. In their approach, the EU authorities have come down firmly on the side of the latter. The downside of this approach is that the few adequacy decisions that have been issued have done little to reduce the administrative burden for business. There would be very few businesses who transfer personal data solely to countries covered by adequacy decisions. It seems likely that, sooner or later, the EU will need to consider whether it maintains its currently high standards for adequacy decisions, or lowers them and adopts a more flexible approach.