“Adequacy is not a requirement of identity. It requires a high level of convergence but we are not expecting that countries’ data protection laws are a photocopy of EU’s rules,” Dr. Ralf Sauer, the Deputy Head of Unit ‘International Data Flows and Protection’ in the Directorate-General for Justice and Consumers at the European Commission (EC), explained in a fireside chat with MediaNama’s founder Nikhil Pahwa at PrivacyNama 2021, a global conference on privacy regulations held on October 6 and 7, 2021.
The two discussed, among other things, interoperability among the legislations of different jurisdictions to enable cross-border data flows, and the key elements of a data protection law that need to align before such flows can be facilitated. Data adequacy is a status granted by the EC to countries outside the European Economic Area (EEA) that provide a level of personal data protection comparable to that provided in European law.
Data adequacy is significant in the context of trade which is increasingly facilitated by cross-border data flows, as personal data about customers is key in offering goods and services. Adequacy is also an important tool for law enforcement agencies to curb cross-border crime, and in enabling scientific research.
Key takeaways from Dr Ralf Sauer’s interview
How does the EU grant adequacy?
What happens first? “Countries approach us (EC) first with an informal request whether we would be willing to engage in a dialogue because adequacy is based on a very thorough assessment and therefore, it requires certain meetings where you go through the rules of the country. Many countries are interested because the free flow (of data) is important to offer services in the EU or to European customers, which in today’s world often requires obtaining personal data from the European Union,” Dr Sauer said.
Conversations are confidential: “We have a confidential conversation because the adequacy finding is not a given as it depends on the country’s data protection rules. We have exploratory talks to see whether it is feasible and then we leave it to the third country to make it public if they wish to do so,” Dr Sauer said. “We keep the talks confidential until we adopt a draft decision at which point, it becomes public but we also leave that for the country to decide so they can protect their interests. Countries do not want a negative finding or an expression that it is not possible unfortunately,” he added.
Does the EU share observations on countries’ data protection laws? “There are instances where we are approached by a country during the process of drafting a law. It’s a good moment because it allows us to discuss whether there are certain elements in the draft law which could become problematic later on for an adequacy assessment. The country can take this into account. It is fully sovereign and has to make its choice whether they want to pursue a certain path or whether they are ready to adopt because it’s important for them to make an adequacy finding possible,” Dr. Sauer replied.
Countries can conduct their own self-assessment: “It is not a formal requirement but some countries conduct a self-assessment around their data protection law and the rules of their system which are relevant. It is not necessary, it just speeds up the process. We also have guidance from our data protection authorities on how to apply the adequacy test. The self assessment is then done typically against that guidance paper,” Dr Sauer said when detailing the formal procedures following informal discussions.
EU’s focus during its assessment: “We go through a process where we have meetings with the country and go through their data protection law. For instance, we need to carry out an assessment on the limitations in safeguards for access to data by criminal law enforcement authorities or by National Security Authorities,” Dr Sauer clarified. “We ask whether they are implementing rules, whether they have guidance papers, anything that illustrates and explains how these rules apply in the country. When we are close to finalizing our assessment, we have a discussion on where we see the gaps. Not every difference is of importance but if there are crucial differences then we discuss whether there is a way to bridge these gaps,” he continued.
Submission to National Data Protection Authorities: “We draft a decision which we share with the country so they can tell us whether we have correctly understood what our conversation has brought out. This draft decision is endorsed by the EC at a high political level and then sent as a draft to our National Data Protection Authorities which come together in the European Data Protection court. They prepare an opinion on our draft decision and when this decision is public, we see whether there is something which needs to be addressed or clarified about the decision,” Dr Sauer responded.
Approval from EU Member States: “The last two steps are: there is a special committee with representatives from the EU member states, with whom we discuss the decision, and they vote on it, a majority vote for the green light,” Dr. Sauer concluded.
What needs to be kept in mind while applying for adequacy?
Comparable level of protection: “Certain essential elements like rules on purpose limitation and data security must be there. The country must guarantee rights to individuals, and provide oversight by an independent authority. We have been able to adopt adequacy decisions with a number of countries, with very different systems, which shows you that it is not about point-to-point identity,” Dr Sauer responded.
Inclusion in the legal framework: “Different countries might have different legal bases for grounds for data processing but it is important that they are framed and there is an element of necessity in proportionality that data cannot be processed for whatever reasons. The legal basis does not have to be identical because each country identifies public interest differently for which data can be processed. Not having any rules will be an issue,” Dr Sauer informed the virtual gathering. “There can be differences in how exceptions to certain rights are formulated but they need to be framed. They cannot be unlimited, you cannot undermine individual rights by having broad exceptions,” he added.
What are the grounds on which adequacy gets rejected?
Coverage of the law: “…whether there are big carve-outs for certain economic sectors, or large powers for governments to exempt sectors or processing activities from data protection rules. It is possible to have a partial adequacy finding but it makes it much more difficult to design an adequacy finding that can still work with the type of carve-outs and exemptions possible under the country law,” Ralf Sauer asserted.
Lack of a horizontal data protection law: “Our advice is always to have a horizontal data protection law that covers all sectors including the public sectors and then you can think about exceptions in certain circumstances. It is absolutely normal that some of the absolute rights can have limitations but they should be proportionate and tailored to specific reasons like public interest,” he said.
Rules for data transfers: “We often see that rules on international data transfers are rudimentary. They are quite strict sometimes which is not good. It is not a problem from an adequacy point of view but it is not helpful for the country. I think you should also allow data flows with protections. They are also undefined sometimes and it’s not clear what sort of limits have to be in place for international data flows. We have to not just look at how the data will be protected in the third country but also if it could be then transferred to yet another country without protections because then the protection is incomplete in a world where data flows easily,” Ralf Sauer spelled out.
No oversight or independent authority: “When there is an authority, it has to be independent. It is helpful because only then can it be a neutral arbiter between the different interests at stake. It is particularly important when the public sector is covered by data protection rules because how can a body supervise if it is a part of the executive itself? They can be part of the executive branch but if it is under the executive hierarchically then it creates issues. Powers might be too limited. The supervisory authority has to be effective in what it can investigate, the tools it has for the investigation and the measures it can impose at the end. It doesn’t only have to be sanctions but other instruments such as an interjection or a warning. It is important not to have only a law on paper but compliance with the law in practice,” he said at the end.
How does the EU reassess adequacy requirements?
- “Our rules require three things—ongoing monitoring of the situation and then regular reviews. The requirement is to have this review at least every four years”.
- “This is a joint review in which we have the country update us on legal developments. They should do that normally on an ongoing basis if there is a relevant development. We would expect the third country to inform us if there is anything major that changes what we had assessed as an essential element,” Dr Sauer said.
What are the other ways to enable free flow of data between borders?
Model data protection clauses, also known as standard contractual clauses: “…preapproved contractual clauses that only deal with data protection safeguards. One of the contractual parties (the data importer) has to comply with these clauses and they can be added or plugged into a commercial contract, which then regulates other things like what service you request, what money, fee and so forth,” Dr Sauer said.
What do they do? “This set of clauses is designed in a way that guarantees rights for the individuals whose data is transferred. It creates so-called third party beneficiary rights and it requires that the parties submit themselves to the jurisdiction of a certain court where these clauses can be invoked. It is one of the most cost efficient tools in my view because these clauses are fixed,” he explained.
Are they capable of overriding the law of the land? Dr Sauer said that a contract cannot go against the public authorities of a country. “It’s an obligation on the parties to assess whether there are real problems in the country of destination and think about additional safeguards like encryption of data or to challenge requests which they consider as unlawful.” He added that the EU is working on the case of excessive, abusive, and disproportionate interference by public authorities. For now, he said that companies can commit to doing more under the contract even if the country of destination does not have a data protection law.
Are they mandatory? “It is a voluntary instrument; you don’t have to use it. When you plug it into your contract, you have to sign it and you are bound by it and you are liable in case of damages for compensation. They have certain conditions like safeguards and a certain scope of application,” Dr Sauer said.
What kind of transfers do they cover? “We have designed them broadly so they cover 98 percent of all transfer scenarios. They cover the situation where data is transferred from a fiduciary to what we call a processor, someone who acts on behalf of the data fiduciary like an outsourcing or service contract. We have different modules in these clauses to address various transfer scenarios because they are different in terms of safeguards,” he described.
Sticky points from India’s draft data protection law
“It is a sensitive thing, I am not going to pronounce myself in detail on something which is a sovereign process in India. We have been in contact with the Indian Parliament and shared certain observations. The other constraint I have is that I only know the draft that was submitted by the government to the Parliament a while ago. I don’t know to what extent it has evolved further,” Dr Sauer declared.
Grounds for processing: “We had some question marks on some of the grounds for processing for public authorities, and whether they were always sufficiently framed. The corollary to this is that there was a clause at some point that allowed for broad exceptions from the data protection rules which put a shadow over the law. There are certain safeguards that would be limited or completely restricted on grounds of public interest or public policy,” he added.
Data transfers: “The law on data transfers is quite strict in terms of not allowing data flows or data localization. We are concerned about their impact on trade and fragmentation of the internet as a partner of India. We had the impression that when there is no data localization, there weren’t very strict rules on how to protect data when it can flow. The transfer laws are too narrow or too broad,” Dr Sauer observed during the webinar.
Data Protection Authority: “We believe that the supervisory body is meant to be independent but from what we saw there were some provisions which may put us into doubt in terms of the government being able to give directions through the authority. It is better not to have them and trust that such an authority can function and will do very good for India without a need for the government to keep control over it,” he advised.
MediaNama hosted this event with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners – the CyberBRICS Project, Centre for Internet and Society, and Centre for Communication Governance (NLU Delhi).
Comments have been edited for the purposes of clarity and brevity.