Data adequacy: a flawed concept?

March 4, 2021

Following Schrems and Brexit, international data-sharing and the concept of adequacy has dominated much of the global news on data protection. But is adequacy itself a flawed concept? Marty Abrams explains why he thinks we need a better alternative

When it comes to data protection and privacy there are few, if any, who can boast the experience of Marty Abrams.

In a career spanning nearly 40 years, Abrams has carried out influential work on big data governance, multi-layered privacy notices and much more. He has led the Global Accountability Project, refining principles that have shaped data protection laws and guidance globally. He has given educational seminars around the world, as well as being an advisor to no less than four International Conference of Data Protection and Privacy Commissioners.

He also co-founded the global thinktank Centre for Information Policy Leadership, leading it for 13 years, before starting his current role as executive director and chief strategist at the Information Accountability Foundation.

GRC World Forums catches up with Abrams ahead of his appearance at PrivSec Global later this month, where he will be on a panel talking about the future of international data sharing.

Given Abrams stature in the data protection and privacy world, what he says is taken seriously.

And we certainly sit up and listen during our interview when Abrams throws a spanner in the works by branding the whole concept of data adequacy as ‘stupid’.

Backing up and setting the scene, Abrams says the question of how to control data at a distance has long been a dilemma for privacy regulators.

He says: “It is why the original EU Directive had a limitation that said, ‘data can only flow to places where the laws are adequate.’

“But expectations for how that data will be used, are based on the cultural assumptions about where I was, when that data was collected,” Abrams adds.

He explains that in his view the idea that this is the best way to determine continued data protection is innately flawed.

“Europe originally thought the best way to [protect data] is to make sure that the culture where the data goes to is the same as the culture where it originated and that’s just plain stupid,” he argues.

“The fact is that the culture in northern Germany is different than the culture in Bavaria. There are significant differences, the culture in Spain is different to the culture in France; the culture in the Netherlands is very different to the culture in Poland, where a lot of European data has historically been processed.”

“There has only been a handful of countries outside of Europe, that Europe has deemed to be adequate. So over time, we have come up with other mechanisms to assure that data is processed consistent with those thoughts and ideas of where the data came from and they are all accountability-based systems to some extent,” such as, Standard Contractual Clauses (SCCs) and binding corporate rules.

“Schrems II essentially said that rather than there being a probability that data of European citizens would be interesting to national security mechanisms in other places, they instead focused on the possibility that that would be the case. In other words, it was not that there’s a high likelihood that my data would be interesting to those national security mechanisms. It was, is there any possibility?”

Which, Marty argues, is ultimately driving us towards data localisation.

He says: “When we begin to see data localisation as a methodology for data protection, it creates friction between our digital ambitions and our sense of wanting a safe environment and that friction needs to be resolved. Resolving it requires a lot of steps in different ways.”

These steps, he explains, must ensure that organisations have made the right promises to protect data in a responsible way and that we know how to develop the legal instruments needed to ensure this is done. Lastly, he says, “we need to figure out how you build accountability into this trust around the national security use of data and that requires something different than what we currently have.”

”When we begin to see data localisation as a methodology for data protection, it creates friction between our digital ambitions and our sense of wanting a safe environment and that friction needs to be resolved”

“There is currently a movement at the Organisation for Economic, Co-operation and Development (OECD) to develop principles related to accountability when governments request data. I think that is an incredibly important step,” but he warns that this is not something that will happen over night.

The debate, he says, “has always been about Europe versus the United States and it’s really not about Europe versus the United States. It’s about every place trusting every place else.”

Referencing Quebec as an important example, he argues “there is draft legislation in Quebec which includes an adequacy provision and it’s a very strong adequacy provision. In theory, it requires Quebec to assess the quality of the Canadian national law which governs currently in Ontario, or the provincial laws that exist in Alberta or British Columbia. So not only does it put Quebec as a province, in this position of assessing whether the national law in for example, Mexico is adequate, but in the position of making a judgement about the rest of Canada.

“I mean, think about how nutsy that is.”

“Europe originally thought the best way to [protect data] is to make sure that the culture where the data goes to is the same as the culture where it originated and that’s just plain stupid,”

The question over Britain and adequacy, Marty says, is much less pressing. The European Commission last month issued a draft adequacy decision and Abrams seems confident this will work.

“But remember, the UK law is based on the general data protection regulation. So, the finding that the private sector processing of data is equivalent to Europe is not hard to do,” Marty explains.

On the other hand, Canada is developing its own federal privacy law and the question over whether it will be based on the EU’s GDPR or based on the privacy culture that exists within Canada is at the forefront of the debate.

“I’m less interested in this question, as it relates to the UK, I’m much more interested in it as it relates to Canada,” he says. “I’m much more interested as it relates to parts of Latin America, I’m incredibly interested as it relates to Singapore.”

Vastly different to the EU’s approach to privacy is Singapore, which Marty explains has its own unique structure for data protection.

“The agency that is the Privacy Protection Agency is connected strongly to the agencies whose job it is to encourage digital growth.

”So, you’ve got in the same building across the hall from each other, the Privacy Protection Agency, and the agency to encourage the digital future.

”The person who runs the day to day thought leadership at the privacy agency is an official in the agency to encourage it. So, in terms of a mechanical matching of Singapore to Europe, there’s no way that you could find that Singapore could be adequate, because it doesn’t have this independent Data Protection Agency, as equivalency would require.”

However, at the same time, Marty argues, Singapore has exceeded the EU in regard to polishing the concept of accountability, arguing that “Singapore has done a much better job of socialising and maturing the concept of organisations being responsible and answerable for how they use data.”

“If you were to compare the work done by that agency to encourage responsible data use by the private sector, they’re way ahead of Europe.

“In Europe, we’re having difficulty articulating what the word accountability means, for linguistic reasons, if nothing else. So, in many ways, you’d say Singapore is ahead of Europe; Singapore has amended its national law to make it possible for the concept of legitimate interest to move forward in a trustworthy fashion,” he says.

“Singapore has done a much better job of socialising and maturing the concept of organisations being responsible and answerable for how they use data.”

He adds that while adequacy is part of EU law, “there is no pathway for this permissible use of legitimate interest to move forward. When you’re measuring country to country based on this concept of equivalency, there’s no way that Singapore would be adequate. But if I look at each of the companies in Singapore, who might be recipients of data, they have a regime and a discipline that would be very attractive to European regulators.”

The Information Accountability Foundation aims to encourage policy that assures organisations will use data in a responsible way, which is then answerable to other constituencies. He says, “What we do is try to migrate concepts that will further this ability to use data robustly but do so in a fashion that is responsible to people.”

Marty adds, “Currently, we are working on a couple of what I consider to be really important projects. One is this concept of how is demonstratable, accountability different to plain vanilla accountability. That is really important as we get into things like artificial intelligence and advanced analytics.

“We are also developing model legislation for the United States that has elements that are applicable to other places.

“We are about to publish the second generation of that model legislation that is accountability based, rather than individual rights-based,” he says.

Whether Abrams is right and we ultimately move towards data localisation and accountability-based legislation, remains to be seen. But if it is, you can be sure that Abrams will be at the centre of the debate.

Marty Abrams will be on a panel discussing ‘Data Protection or Data Protectionism? The Future of International Data Sharing’ at PrivSec Global, March 25, 2021.