Christopher Wolf, Delusions of Adequacy? Examining the case for finding the US adequate for cross-border EU-US data transfers

Comment by: Joel Reidenberg

PLSC 2013

Workshop draft abstract:

The Council and the European Parliament have given the European Commission the power to determine, on the basis of Article 25(6) of Directive 95/46/EC, whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. The effect of such a decision is that personal data can flow from the 27 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. The Commission so far has recognized Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, and Jersey as providing adequate protection. The Commission has not recognized the privacy framework of the United States as adequate, although it has accepted the US Department of Commerce’s Safe Harbor Privacy Principles, and the transfer of Air Passenger Name Record to the United States’ Bureau of Customs and Border Protection. Despite the elaborate process in the European Union for considering the adequacy of a national privacy framework, the Commission has overlooked essential elements of the US framework that from an objective standard of adequacy should result in a positive finding, and the elimination of burdensome and expensive additional requirements for cross-border transfers of data. With the possible advent of a new EU General Data Protection Regulation, and the potential for even greater restrictions on cross-border transfers to “non-adequate” nations, this paper reviews the elements of the US framework that entitle the US to a finding of adequacy and shows, with respect to certain data and as to security breaches — one of the most significant threats to privacy — that the US framework is in fact more protective than that in the EU.
The paper acknowledges shortcomings in the frameworks on both sides of the Atlantic, and compares the approaches to improving the frameworks, but concludes that the shortcomings in the US system, real or perceived, are insufficient justification for a refusal by the European Commission to find the US framework adequate.  The paper concludes that the goals of international cooperation, of improving privacy and data protection, of interoperability and of coordinated enforcement will be furthered by the recognition of the US framework as adequate.