Do Not Dismiss ‘Adequacy’: European Data Privacy Standards are Entrenched
Why this work is in the frame
A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.
Bibliographic record
Abstract
The ‘adequacy’ mechanism in the EU data protection Directive, and perceptions of it, have been one (but only one) of the means by which the influence of European data privacy standards have been felt outside Europe. The EU’s ‘border control’ approach is to require member states to limit data exports unless ‘adequate protection’ can be demonstrated at the receiving end (EU Directive Articles 25, 26). There are now 81 jurisdictions in the world with data privacy laws, excluding those only covering the public sector (Greenleaf, 2011b), so there are 53 theoretical candidates for adequacy findings. However, the EU has only made adequacy decisions in relation to nine jurisdictions as a whole (Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, and Jersey), some of which are of relatively little economic or political significance. ‘Adequacy’ certainly has its critics, and many criticisms, theoretical and practical, have substance. But this article argues that we should not be too hasty, and outlines a number of reasons why ‘adequacy’ is now so entrenched in legal systems across the world that it will not be easy to remove. The list of countries considered adequate is expanding slowly: Uruguay and New Zealand will soon be added to the list. Despite the slow pace of the EU in making and publicising assessments, the desire to eventually obtain an ‘adequacy’ finding from the EU, or in a more amorphous form, to have one’s law regarded as of the highest international standard (that the EU Directive is considered by many to embody) has been a significant influence on the development of laws outside Europe. Consideration of the 29 African, Latin American, Asian, Australasian, and other jurisdictions with data privacy laws suggests that the EU Directive is the most significant overall influence on the content of data privacy laws outside Europe, and that its influence is gradually strengthening.As a result, ‘adequacy’ has stopped being a primarily EU concept. Outside Europe, ‘border control’ data export limitations are found in almost all (25/29) data privacy laws in all regions, though their strength varies a great deal, and they are not yet in force in the laws of Malaysia and Hong Kong. Non-EU/EEA European countries also have data export limitations in their law because of the Additional Protocol to Council of Europe Convention 108. So anyone who wishes to criticise the EU for wanting to ‘impose its standards on the rest of the world’ had better level the same accusation at the rest of the world.There is also, as yet, little indication that the current revisions of the Directive or the Convention will result in Europe abandoning its ‘border control’ approach. The future for European privacy standards, including the ‘border control’ principle of ‘adequacy’ is far more positive than the criticisms they receive might lead us to believe. Attempts to replace the adequacy concept with some notion of ‘accountability’ that abandons ‘border control’, not only goes against the likely direction of reforms of the Directive, but would also involve changing the Council of Europe Convention Additional Protocol, and all non-EU/EEA laws, and almost all data privacy laws outside Europe as well. The inertia that exists against such change occurring is considerable. Like it or loath it, adequacy may be here to stay.
Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.
Full frame distilled prediction
Teacher imitationNot calibrated prevalence, not ground truth. Human validation pending. Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.
Codex and Gemma teacher scores by category
| Category | Codex | Gemma |
|---|---|---|
| Metaresearch | 0.013 | 0.001 |
| Meta-epidemiology (narrow) | 0.000 | 0.000 |
| Meta-epidemiology (broad) | 0.000 | 0.000 |
| Bibliometrics | 0.000 | 0.000 |
| Science and technology studies | 0.001 | 0.000 |
| Scholarly communication | 0.000 | 0.001 |
| Open science | 0.001 | 0.000 |
| Research integrity | 0.000 | 0.002 |
| Insufficient payload (model declined to judge) | 0.000 | 0.000 |
Machine scores (provisional)
The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.
Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.
score_only:v0-immature-baseline · verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it