Monday, January 18, 2010

The "adequacy" regime is inadequate

There are many people in Europe who would rather eat their “chapeau” than admit that non-European countries like the United States might have adequate privacy protection, based on long-standing cultural or ideological bias. In my opinion, it’s the European “adequacy” regime that has become inadequate in today’s world. It’s near the top of my list of things that need to be modernized in European privacy law. It’s a political/bureaucratic fiction that some countries provide “adequate” data protection, while others don’t, because the decision is based on criteria that have almost nothing to do with the level of data protection on the ground, in the real world. A country can’t be deemed “adequate” if it doesn’t have an EU-style data protection authority. But the idea is ludicrous to me that privacy somehow couldn’t be protected in countries without such an agency, and in fact, the vast majority of countries in the world don’t have such an agency. And whatever labels are applied, the reality, in the age of the Internet, is that data is flowing around the globe. To take one topical example, cyber attacks do not respect borders, and take no note of whether or not a target is based in a country with “adequate” data protection.

So, recently, Israel and the Principality of Andorra have been added to the EU list of “adequate” countries. They join other countries already on the list, including: Argentina, Canada, Guernsey, Jersey, the Isle of Man, and Switzerland. Stop to read that list again, and ask yourself, really, this is the global list of “adequate” countries outside the EU? Really?

In privacy terms, what’s the right way forward for the future? As I’ve said before, follow the Canadian model, and make any company/government that collects personal data responsible and accountable for protecting it, regardless of where it happens to process it. If it can’t protect data adequately in a particular country, it shouldn’t send it there. If a company decides it can adequately protect its data in Japan, but not in Bulgaria, so be it, even if EU law would suggest the contrary. Common sense should prevail for the sake of privacy.

At the beginning of each year, I make a resolution to visit at least two new countries a year. If I’m lucky, I’ll have my wish and get to visit Andorra and Israel this year. They’re both on my adequacy list.


Anonymous said...


Yes, you're right that the Data Protection Directive's concept of 'adequacy' is ludicrous, and that European DP Authorities are deluding themselves if they think they can control or regulate transfers in any meaningful way. You're also right that the Art.29 WP is a non-transparent, unaccountable cabal whose 'opinions' often reveal profound legal or technical misunderstanding and a deep anti-commercial instinct. Many DP experts, and an increasing number of DPAs, recognise this. The question for privacy professionals is how do you do anything about it? How do you foster the sorts of changes you'd like - and about which there is a (slowly) growing consensus? Some DPAs will be perfectly happy to wage their self-deluding and ineffective rear-guard action against Google, the Internet, and other such wickedness, until the end of time. You've got to try to engage positively and understand the historical and cultural factors that have given European data protection the characteristics it has today. You've also got to accept the glacial movement of the EC institutions. Just criticising won't get you anywhere. In fact it will make things worse. It will also make it harder for the more pragmatic DPAs - like the ICO in the UK - to work with the industry to develop the kind of regulation that individuals and industry sorely need in the 21st century.

Regards, Michael-the-Cat

Unknown said...

I suppose the "adequacy" label as a starting point isn't a bad thing. In other words, "adequate" as a minimum standard, not as an aspirational level of protection.

I quite agree that organizations controlling and owning data need to take full responsibility to protect that data completely, no matter the jurisdiction in which it is processed.

Anonymous said...

Agree with your thoughts on adequacy. Some questions into the mix:

1. Who declared the EU adequate?
2. How is data transferred from the EU to the world's three largest economies (US, Japan, and China) even though none of them are adequate? (SH only covers a specific sector of com'l info).
3. Where is the transparency to adequacy?
4. Can there only be one way to protect personal data?
5. Is sitting in judgment of another country's legal framework contrary to int'l relations?

Álvaro Del Hoyo said...

I agree completely.

Notwithstanding, I do not agree with your view of making the user responsible, the APEC framework approach.

People could not digest all the privacy application management PETs that every visited site on the Internet is providing. And, as you said in a previous post, there is much private data treated on the Internet without our knowledge.

What about a centralised model of Creative Commons style rules for private data treatment? Or will it finish our anonymous web surfing navigation?

This comment is all rights reserved - copyright ;-p


David Bender said...

I happened quite belatedly to read Peter's comments. In 2004 Ponemon Institute published a survey comparing actual privacy levels as between Canada and the US, concluding that actual levels were higher in Canada. Some time later, I read that survey and on behalf of my firm, commissioned Ponemon to conduct a similar survey comparing actual levels of privacy in the EU with those in the US. That survey was released in April 2006, and concluded that actual levels were higher in the US, confirming Peter's view that "on the ground" in the privacy arena, the EU approach may not be superior to the US approach.