There are many people in Europe who would rather eat their “chapeau” than admit that non-European countries like the United States might have adequate privacy protection, based on long-standing cultural or ideological bias. In my opinion, it’s the European “adequacy” regime that has become inadequate in today’s world. It’s near the top of my list of things that need to be modernized in European privacy law. It’s a political/bureaucratic fiction that some countries provide “adequate” data protection, while others don’t, because the decision is based on criteria that have almost nothing to do with the level of data protection on the ground, in the real world. A country can’t be deemed “adequate” if it doesn’t have an EU-style data protection authority. But the idea is ludicrous to me that privacy somehow couldn’t be protected in countries without such an agency, and in fact, the vast majority of countries in the world don’t have such an agency. And whatever labels are applied, the reality, in the age of the Internet, is that data is flowing around the globe. To take one topical example, cyber attacks do not respect borders, and take no note of whether or not a target is based in a country with “adequate” data protection.
So, recently, Israel and the Principality of Andorra have been added to the EU list of “adequate” countries. They join other countries already on the list, including: Argentina, Canada, Guernsey, Jersey, the Isle of Man, and Switzerland. Stop to read that list again, and ask yourself, really, this is the global list of “adequate” countries outside the EU? Really?
In privacy terms, what’s the right way forward for the future? As I’ve said before, follow the Canadian model, and make any company/government that collects personal data responsible and accountable for protecting it, regardless of where it happens to process it. If it can’t protect data adequately in a particular country, it shouldn’t send it there. If a company decides it can adequately protect its data in Japan, but not in Bulgaria, so be it, even if EU law would suggest the contrary. Common sense should prevail for the sake of privacy.
At the beginning of each year, I make a resolution to visit at least two new countries a year. If I’m lucky, I’ll have my wish and get to visit Andorra and Israel this year. They’re both on my adequacy list.