Privacy & Data Security Law News

2019 Outlook: EU to Extend Privacy Stance with Bilateral Pacts

Dec. 27, 2018, 4:57 PM

The European Union’s strict data protection standards will continue to go global in 2019, as more non-EU countries ramp up their privacy rules so they can transfer EU citizens’ personal data.

The European Commission, the EU’s executive arm, can declare that a country has essentially equivalent data protection standards as the EU’s General Data Protection Regulation, allowing companies based in the country to transfer data out of the EU without additional safeguards. The international data pacts, or adequacy decisions, are crucial to digital trade and commerce for global companies.

The EU is finalizing an adequacy agreement with Japan—which would make it the largest economy to date to get one—and is negotiating with South Korea. If both reach a deal, Japanese multinational companies like Toyota Motor Corp. and Mitsubishi Corp., and South Korea’s Samsung Electronics Co. Ltd. and Hyundai Motor Corp., would have access to the EU’s data market, which could reach 106.8 billion euro (about $121.7 billion) by 2020, according to a 2017 study published by the commission.

Brazil, Chile, and India also may try to secure adequacy findings with the EU, as multinational companies worldwide feel pressure to comply with the GDPR, privacy attorneys told Bloomberg Law.

“We should expect the EU to ramp up its efforts around the world on data protection in 2019 and to advocate that more countries adopt GDPR or GDPR-like laws,” Norma Krayem, senior policy adviser and chair of Holland and Knight LLP’s global cybersecurity and privacy policy and regulation group, said.

The EU already recognizes data protections in Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay as adequate.

The U.S. also can expect its existing data transfer mechanism, the Privacy Shield framework, to go under the microscope in 2019 during the commission’s annual review.

Japan, South Korea

Securing agreements with Japan and South Korea are top commission priorities in 2019, Giovanni Buttarelli, the European Data Protection Supervisor, told Bloomberg Law in an interview. Buttarelli’s office weighs in on the commission’s adequacy assessments.

Japan had to commit to creating rules to protect sensitive data during its negotiations with EU officials, such as restricting Japanese law enforcement and national security agency access to data and devising a complaint-handling mechanism for EU citizens, according to the commission.

EU leaders kicked off talks in October with South Korean government and corporate sectors, in particular over the country’s oversight mechanisms and surveillance law, EU officials said in a statement.

A potential hurdle for South Korea is the lack of independence of its enforcement bodies, which the EU values, Jörg Hladjk, who leads Jones Day’s cybersecurity, privacy and data protection group in Brussels, said. Other aspects of South Korean law also don’t align with the GDPR, including that it doesn’t distinguish between controllers and processors or define a data breach, Hladjk said.

But if South Korea can fix its enforcement issues, the country’s existing strict privacy standards could help it secure an EU adequacy finding, attorneys said.

The commission didn’t respond to requests for comment on prospects for a deal with Japan or South Korea.

Prospects for U.K., U.S.

Whether U.K. business will be able to transfer personal data freely depends on the outcome of the proposed agreement with the EU.

U.S. companies should keep a close eye on the annual EU-U.S. Privacy Shield review in 2019, attorneys said. Under the that program, U.S. companies that transfer the data of EU citizens agree to abide by privacy standards similar to those in EU privacy law. Some European officials and lawmakers in 2018 said the deal doesn’t provide enough protection, and the U.S. has been slow to appoint officials to privacy oversight positions.

Meanwhile, other non-EU countries are taking their first steps toward striking a deal.

Brazil, India and Chile have enhanced their data privacy rules, joining a growing list of countries moving to fall in line with the EU’s rules, attorneys said.

“The world is becoming more EU and GDPR-centric,” Rafi Azim-Khan, partner and head of European data privacy at Pillsbury Law, said. “Countries that are not currently approaching their laws like the GDPR might find they’re quickly moving into the minority.”

To contact the reporter on this story: Sara Merken in Washington at smerken@bloomberglaw.com

To contact the editor responsible for this story: Keith Perine at kperine@bloomberglaw.com

To read more articles log in. To learn more about a subscription click here.