Asia sits in EU’s sights in renewed privacy ‘adequacy’ push
Originally published on MLex on December 20, 2016. Author: Magnus Franklin
The European Commission is set to target Asia and South America as part of a renewed strategy to certify countries with sufficiently strong privacy rules.
The EU already has 12 adequacy decisions with key partners including Argentina, Switzerland, the US, Canada, Israel and New Zealand, and is now set to look east and south for new opportunities to facilitate data flows, MLex has learned.
The commission is set to unveil a package of measures to improve “data flows” on Jan. 10. These include a new law adapting confidentiality-of-communications rules to the web, and a policy statement aimed at stemming the tide of data-location rules in the EU and shining a light on emerging issues in the data economy, such as ownership rules.
The third will be a strategy on how and when the EU negotiates “adequacy” deals on data protection with other countries.
Adequacy decisions certify that a particular country has privacy safeguards that give European citizens equivalent protection to what they have in the bloc, when their personal data are transferred there. Such decisions vary in size and shape, but they all share the aim of simplifying data transfers to that country.
The most recent adequacy decision was the EU-US “Privacy Shield,” which allows US companies to self-certify compliance with European privacy rules. With that decision now in effect, privacy officials in the commission are turning their eyes to other parts of the world where simplifying data transfers would be attractive.
MLex has now learned that the strategy will be explicitly oriented toward Asia and South America. It will overlap with a move by Washington to “export” to the Pacific Rim the US privacy approach, which is anchored in consumer rights — as opposed to the EU’s rulebook, which is based on the human right to privacy and data protection.
South Korea and Taiwan recently announced their intention to join the US-led APEC Cross-Border Privacy Rules.