Flagrant Denial of Data Protection: Redefining the Adequacy Requirement

POINT OF DEPARTURE Given the reality of the ‘information society’ worldwide, this is an arena in which we must play the game and we have to recognize that others may make the rules. 1 The author of this quote is George B Trubow, well-known US privacy and information law expert, describing the US position in 1992, a time during which EU institutions were draft ing Directive 95/46/EC The latter introduced the adequacy requirement obliging non-Member States to have an adequate level of data protection, without which no personal data exchange with the EU was allowed Trubow recognised that the US data protection system would not pass this adequacy test, in particular regarding the purpose limitation principle known in the US as the secondary use limitation, or function creep. Aft er the entry into force of the EU's first legal instrument on data protection, Directive 95/46/EC – on the protection of personal data processed for activities within the scope of Community law, largely corresponding with commercial activities – the adequacy requirement was copied into the Council of Europe's 2001 Additional Protocol to the Data Protection Convention (2001 Additional Protocol) Later it was also copied into EU Framework Decision 2008/977/JHA on data protection in criminal matters (2008 Framework Decision) This means that both EU and Council of Europe (CoE) Member States may have to assess the adequate level of data protection of a third state requesting for personal data The term ‘Member States’ will in this contribution thus refer to EU or CoE Member States For the sake of argument, abstraction is made of the fact that the adequacy requirement is not applied for all data transfers and that not all CoE Member States have ratified the 2001 Additional Protocol This chapter focuses on the (need for an) adequacy rule itself, and not its application. The adequacy requirement has given rise to a variety of issues in the EU Oft en these concerned issues related to inconsistencies in application Most recently the adequacy requirement was questioned by Austrian national Maximillian Schrems in his complaint against the Irish Data Protection Authority regarding Facebook's transfer of personal data from the EU to its US-based servers.