APEC COUNTRIES DEEMED ADEQUATE Flashcards
What is adequacy in the context of the GDPR?
It refers to a status granted by the European Commission to non-EU countries - territories - or specific sectors within a country that provide a level of personal data protection that is essentially equivalent to that offered within the EU.
What is the purpose of granting adequacy status?
To facilitate the free flow of personal data from the EU to these countries without needing additional data protection safeguards.
What does the European Commission assess before granting adequacy status?
The overall legal framework - including data protection laws - implementation - and enforcement mechanisms.
Which APEC countries have been recognized as adequate by the European Commission?
New Zealand - Canada - Japan - and South Korea.
Why is New Zealand recognized as adequate?
For its Privacy Act of 1993 - which aligns closely with GDPR principles - and its independent Office of the Privacy Commissioner (OPC).
What powers does the OPC have in New Zealand?
It can issue compliance notices - refer serious breaches to the Human Rights Review Tribunal - and has strengthened powers under the updated Privacy Act 2020 - including mandatory data breach notifications.
Why is Canada recognized as adequate?
For its Personal Information Protection and Electronic Documents Act (PIPEDA) - providing strong protections in the commercial sector - overseen by the Office of the Privacy Commissioner (OPC).
What enforcement powers does the OPC have in Canada?
It can make recommendations - issue orders - and seek court-enforced compliance. The Federal Court can impose fines and order changes. New legislation (Bill C-11) aims to give the OPC direct enforcement powers - including fines.
Why is Japan recognized as adequate?
For its Act on the Protection of Personal Information (APPI) and the establishment of the independent Personal Information Protection Commission (PIPC).
What powers does the PIPC have in Japan?
It can issue administrative guidance - recommendations - orders - conduct on-site inspections - and refer non-compliance cases for criminal prosecution.
Why is South Korea recognized as adequate?
For its Personal Information Protection Act (PIPA) that mirrors many aspects of the GDPR - overseen by the independent Personal Information Protection Commission (PIPC).
What powers does the PIPC have in South Korea?
It can impose administrative sanctions - including fines - and order corrective measures.