Exchanging and Protecting Personal Data in a Globalised World

Published On:Wednesday, January 18, 2017

GDPR Euro.jpg

A new Communication was issued by the Commission to the European Parliament and the the Council on 10 January 2017 - "Protection and exchange of personal data in a globalised world".

The reform of EU data protection legislation, adopted in April 2016, puts in place a system that ensures a strong level of protection both inside the EU and for the international exchange of personal data for commercial and law enforcement purposes. The new rules will come into application in May 2018.

The Communication presents the different tools to exchange personal data internationally, based on the reformed data protection rules, as well as the Commission's strategy for engaging with selected third countries in the future to reach adequacy decisions and promoting data protection standards through multilateral instruments.

Adequacy decisions guarantee that a third country provides a comparable level of protection of personal data to that in the EU, through its domestic law and international commitments. As a result, personal data can flow from the 28 EU Member States and the three European Economic Area (EEA) member countries (Norway, Liechtenstein and Iceland) to adequate third countries, such as the Isle of Man, without being subject to further safeguards or authorisations.  This relates to compliance with the eighth data protection principle.

Although the Isle of Man has an adequacy decision in respect of the EU Data Protection Directive 95/46/EC, the Communication states:

"The adoption of an adequacy decision involves the establishment of a specific dialogue and close forms of cooperation with the concerned third country. Adequacy decisions are "living" documents that need to be closely monitored by the Commission and adapted in case of developments affecting the level of protection ensured by the third country in question. To that end, periodic reviews will be held, at least every four years, to address emerging issues and exchange best practices between close partners. This dynamic approach applies also to already existing adequacy decisions, adopted under the 1995 Directive, which will need to be reviewed in case they no longer meet the applicable standard. The third countries concerned are therefore invited to inform the Commission of any relevant change in law and practice that has taken place since the adoption of the adequacy decision relating to them. This is essential to ensure the continuity of these decisions under the new rules of the reform."

The Isle of Man's existing adequacy decision and law will be subject to review within 4 years.  The Isle of Man Government will need to establish a dialogue with the Commission if it wishes to seek adequacy under the GDPR and enact law containing "a level of protection comparable (or "essentially equivalent")" to the one guaranteed in the Union".   The "Programme for Government 2016-2021" approved by Tynwald on 17 January 2017, states that it will "Ensure that Isle of Man law and policy is equivalent in effect to the forthcoming European Union General Data Protection Regulations to give our businesses confidence that they can continue to trade in Europe"  and "Ensure the Island’s legislative position is equivalent to the EU General Data Protection Regulation directive by May 2018" .


The EU Commission "Protection and exchange of personal data in a globalised world" documents are available by following the links: