Adequacy in the EU Data Protection Directive

The EU Data Protection Directive (95/46/EC) regulates the processing of personal data within the European Union.  The Directive was developed in response to increased threats to informational privacy, as a way of regulating the collection, storage, usage and dissemination of personal data.

The Adequacy Standard

The key purpose of the Directive was to harmonize EU Member States’ laws, so that each Member State could transfer data to other Member States, while still safeguarding the fundamental rights and freedoms of their citizens.  If data controllers in one State transferred data to a third country that failed to protect personal data, the State’s protection of personal data would be lost once the Member State transferred the data to the third country.

Article 25 of the Directive prohibits Member States from transferring data to a third country, unless the third country ensures an adequate level of protection. Article 26 of the Directive outlines exceptions to the requirement that a third country have adequate protection in third countries.

For example, if the laws of a third country (e.g. Canada) fails to provide adequate protection of personal data, then a data controller located in a Member State would be prohibited from transferring personal data to Canada, unless an exception happened to apply. Without this exception, a transfer of data could lead to a data or information embargo.

Data Embargos

A data or information embargo would result in serious consequences on both Member State and third country. The Member State government may be prohibited from sending information to the third country regarding individuals in that country.

For instance, a Member State might prevent a private bank in the Member State from transferring information about its customers to Canadian financial institutions. Or perhaps a Member State might prohibit a European employer from sending information about its employees to its Canadian subsidiaries.

Article 26 outlines a number of exceptions to any such data embargo. Specifically, even if a sector or activity is found to lack adequate private protection, the Directive would still permit the transfer of personal data out of the EU if:

  • The party desiring to send the data has entered into a contract approved by the privacy office in the EU member country (thus committing the party to providing certain protections)
  • The individual has unambiguously consented to the data transfer
  • The transfer is necessary to complete a transaction
  • The data are otherwise public

It’s worth mentioning that the American credit reporting industry’s privacy protections should certainly satisfy the EU Data Protection Directive. The US Federal Credit Reporting Act (FCRA) includes the types of protections that EU Member States have incorporated into their laws, namely notice to consumers and the opportunity for them to correct any incorrect or inaccurate information in their files.

Working Party

Article 29 of the Directive establishes that a Working Party will advise the Commission on data protection matters, as well as contribute to the uniform application of the national data protection measures. Essentially, the Working Party is an independent advisory group, composed of a representative from each Member State’s supervisory authority, a representative of the Community and a representative of the Commission.

The responsibilities of the Working Party include examination of Member States’ data protection laws, as well as consulting with the Commission on the level of protection available in Member States and third countries.

Adequacy and US Data Protection

The United States’ sectoral approach to data protection is derived from the American philosophy that laws should ensure citizens’ access to government, while still protecting them from government. While this enables the US to extensively regulate its public sector, it generally prevents the federal government from limiting interactions between private citizens. As a result, the US commitment to the free flow of information also favors a narrow regulatory approach to data protection.

Essentially, whether the Directive prohibits certain data transfers to the US largely depends upon what constitutes an adequate level of protection. The Directive requires a standard of adequacy that should be assessed in light of all the circumstances surrounding the transfer, yet fails to elaborate about this standard. Earlier data protection measures require a standard of equivalency, rather than adequacy.

For instance, the OECD Guidelines, as well as the COE Convention do not define or use an adequacy standard for data transfers to third countries. In the same vein, the traditional legislation of most European countries establishes a standard of equivalency, rather than adequacy.

However, since the October 2008 enactment of the European Commission’s Directive on Data protection, the Safe Harbor framework has been developed which bridges the gap between some US privacy laws and the EC’s adequacy requirements.


This article takes a look at the European Commission’s Directive on Data Protection (95/46/EC), and the establishment of the adequacy requirement, which prevents Member States from transferring data to a third country, unless the third country ensures an adequate level of protection. The Directive also explores certain related concepts, including the Working Party and data/information embargoes. Finally, the article takes a look at the US data protection approach and its ability to meet the EC’s adequacy standard.

CIPP Exam Preparation

In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:

  • EU Data Protection Directive – Adequacy (I.C.c.i.4.a.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>