Under the EU’s primary data privacy law, the General Data Protection Regulation (GDPR), for personal data to be transferred from the EU to another country without additional safeguards, an adequacy decision must be made by the European Commission in relation to the level of protection afforded to the information being transferred by the receiving country.
The power of the European Commission to make an adequacy decision is set out in Article 45 of the GDPR, which provides that "a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection."
An 'adequate level of protection' means that the level of protection afforded to the data is essentially equivalent to the level of protection provided to the data within the EU. The effect of an adequacy decision is that personal data may be transferred from the EU to another country without any additional safeguards having to be put in place.
According to our Global Data Privacy and Security team, on 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). US companies that participate in the DPF will be deemed to provide "adequate protection" under Article 45 of the EU General Data Protection Regulation for personal data transfers received from the EU and European Economic Area. In response to the EU’s Schrems II decision, the US government and the EC worked collaboratively to develop the DPF as a successor to Privacy Shield, and a means to provide greater certainty for transatlantic personal data transfers. Among other activities, the US Administration adopted Executive Order 14086 to establish enhanced privacy protections for personal data in the context of government surveillance and a new process for individuals to seek redress on these issues concerning personal data transfers from a "qualifying state" to the United States.
The adequacy decision eliminates the uncertainty around the transfer of data across borders. This is particularly important for multinational companies that operate in both the EU and the US and allows these companies to continue processing personal data in the manner in which they did prior to the adequacy decision. The adequacy decision ultimately benefits companies and individuals on both sides of the Atlantic.
African multinationals that operate across the EU and the US will also be impacted by this decision with respect to their cross-border data flows, for example, between their group entities in these regions. However, the adequacy of the flow of data in the context of Africa is uncertain. At present, the EU has not made a finding in relation to the adequacy of the data protection legislation of any African country. Over the last few years, there has been a rise in the implementation of data protection laws in African countries. South Africa, Algeria, Eswatini, Tanzania, Botswana, Kenya and Uganda, for example, are among the jurisdictions in Africa that have implemented privacy laws. Although personal data may still be transferred from EU countries to African countries, additional safeguards are still required.
The rapidly increasing flow of data between the EU and other regions, including Africa, means that the EC might in the future focus on launching adequacy decisions to assess data protection laws that have recently been adopted in countries across the continent. Many of Africa’s data privacy and security laws have been modelled, at least to some extent, on the GDPR and its earlier iteration, the EU Data Protection Directive. Data privacy laws in Africa with some similarities to the GDPR include those in Ghana, Kenya, Mauritius, Nigeria and Uganda. Data privacy laws in Rwanda also closely follow the GDPR. Data protection laws in South Africa and Morocco, for example, were modelled on the earlier EU Directive, resulting in laws that are similar to the GDPR but with some differences (notably, and in contrast to the GDPR, South African data protection law protects the personal data of juristic persons in addition to natural persons). This could mean that data flowing from these countries will be more likely to be recognized as having an adequate level of protection.
* * * * *
With thanks to Samantha Whitaker (Trainee, IPTech Practice Group, Johannesburg) for her assistance with this alert. Reference was made to articles by Baker McKenzie’s Global Privacy & Security and IPTech teams.