A Template for Adequacy: EU Pitches for Data Protection Gold Standard

Largely unnoticed by technology and Brussels wonks, the European Commission’s Communication on adequacy for international data flows was released in early January. The primary aim of this document is to promote the EU’s data protection regime as the global gold standard, to which other countries should aspire. In so doing, the Commission wants to remove data protection as a bargaining chip in free trade negotiations, insisting this should instead be dealt with separately, by opening adequacy negotiations with the Commission.

Amongst lofty language on the EU’s approach to data protection lies a clear economic motive. The Communication acts as a sales piece for the General Data Protection Regulation, extolling its virtues in protecting citizens and harmonising the patchwork of national laws under the 1995 Directive. The Commission has evidently realised that if it can guide other countries towards the EU model, not only will doing business with those countries become easier, but the EU will be able to leverage higher data protection standards as a competitive advantage and become “a hub for data services which require both free [data] flows and trust”.

Those in tech companies losing sleep over Brexit—and more specifically over the UK failing to secure an adequacy agreement with the EU once it leaves—will take heart from the fact that the Commission is still open to alternatives to their regime, such as codes of conduct and certification mechanisms. The Commission also advises that such instruments could be struck at the sectoral as well as national level—a model which the UK will probably try and adopt for its hefty financial services sector post-Brexit.

In parts, this is a surprisingly political document. The suggestions for normative criteria before opening adequacy negotiations with third parties include the extent of the EU’s commercial/political relations with a given third country, geographical and/or cultural ties and the role of the third country in promoting and upholding privacy and data protection. Based on these, the Commission will “actively engage with key trading partners in East and South-East Asia, starting from Japan and Korea in 2017, and, depending on progress towards the modernisation of its data protection laws, with India, but also with countries in Latin America, in particular Mercosur, and the European neighbourhood”; a clear shot over the bows of the Trump administration.

The EU’s pivot to East Asia and overtures to Latin America are a clear attempt to position the EU as the de facto champion of global free trade. The incoming Trump administration leaves the Privacy Shield agreement resting on the fragile foundations of Obama-era assurances, something easily overturned in Trump’s push to bolster US surveillance. It would not be surprising to see the first annual review of Privacy Shield take a critical view of any actions by the Trump administration to bolster US surveillance. At the same time, the Brexit-focused British government’s sweeping surveillance powers granted by the Investigatory Powers Act threaten to scuttle any attempt to demonstrate equivalence with EU data protection rules and thereby gain an adequacy decision.

Should the Commission succeed in persuading other regions to adopt its model and quickly enact adequacy agreements with major economic powers, we will see a divergence in global data protection rules. The EU’s citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK, and trans-Atlantic companies may be forced into difficult choices about which regime best serves their interests.

By Matt Allison, Policy Manager at Access Partnership
