You Have Been Weighed in the Balance and Found Wanting (Or at Least, Inadequate)

Womble Bond Dickinson
Contact

Womble Bond Dickinson

Article 45 of the GDPR allows the transfer of personal data from the EU to a third country when the third country ensures an “adequate level of protection” (adequacy decision).  In determining “adequacy,” the GDPR provides specific factors to consider including the country’s respect for human rights, the effectiveness of its data protection authority, and the its pre-existing obligations to other countries. Adequacy decisions are subject to periodic review (minimally, every four years) and require ongoing monitoring.

The European Commission adoption of an adequacy decision means that personal data can flow safely from the EU to the other country without being subject to any further safeguards or authorization. The adoption of an adequacy decision involves: (1) a proposal from the European Commission; (2) an opinion of the European Data Protection Board; (3) an approval from representatives of EU countries; and (4) the adoption of the decision by the European Commission.

The European Commission has already recognized Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay in years past as adequate keepers of data. In the wake of the Schrems cases and recent TikTok discussions, there has been significant scrutiny of government access to data around the world.  The ECJU rationalized invalidating the Privacy Shield mechanism of personal data transfers from Europe to the U.S. with the nature of U.S. government access to private sector data. India and the United States has ramped up pressure on TikTok to either be divested of their Beijing based ownership or lose all access to their respective markets. Each nation referred to China’s cybersecurity law which preserves government access to private data. Yet, government demands for data held by the private sector is becoming commonplace.

In the United States, through sections of the FISA law, a special court order can be imposed on certain telecommunications service providers to disclose communications that may impact national security. Similarly, in Germany telecommunication providers are mandated to collect particular data from their customers. These data elements include name, address and telephone number which German law refers to as “inventory information.” This inventory information is sent to the Federal Network Agency, with other agencies having the ability to make requests for that information as well.

The French surveillance law of 2015 goes even further, granting the French government express access to metadata in messaging, authorizing the production and use of algorithms to hunt for suspicious data that the government can capture and review and allowing government access for multiple reasons, including economic espionage. The French law also authorized the government to analyze digital information affecting the national defense, foreign policy interests, major economic, industrial and scientific interests of the French government as well as to prevent terrorism, organized crime, and immediate threats to public order. Somehow the EU finds these to be adequate safeguards for individual privacy.

Under their cybersecurity law, the Chinese government has the right to obtain from any person or entity in China any information the Chinese government deems has any impact on Chinese security. The Indian government has developed a central monitoring system that has the means to intercept electronic communications and correspondence including e-mails, text messages, and voice calls.

The Brazilian Communications Agency intended to build technology to connect directly into telecommunication companies’ systems. In an effort gain access to very particular type of data including which numbers were dialed, the time and date the calls took place, and the duration of the calls. Some states like Russia, Thailand and Malaysia simply provide no practical protection from government capture and use of individual data.

With governments around the world enhancing their surveillance capabilities, perhaps we are heading to a perpetual state of inadequacy (at least for GDPR purposes).

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Womble Bond Dickinson | Attorney Advertising

Written by:

Womble Bond Dickinson
Contact
more
less

Womble Bond Dickinson on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.