Countries and processes covered by an adequacy decision are clearly defined and documented. At the time of writing these countries are: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework). Transfers to these countries can be made using the same criteria as any EU country. Since July 2020, the US Privacy Shield has been determined invalid for international transfers.
Article 46 sets out a series of safeguards that can be used to permit transfer to a third country or international organisation. These are:
- A legally binding and enforceable instrument between public bodies.
- Binding Corporate Rules.
- Standard data protection clauses adopted by the Commission. The wording for these contracts can be found here.
- An approved Code of Conduct.
- An approved Certification mechanism.
Of these, only the Code of Conduct approach is significantly used in our community at this point in time. Guidelines are being developed for the use of Binding Corporate Rules and Certification, but it may be some time before they can be practically used by organisations.
GÉANT is exploring a Code of Conduct that can be used at international scale. This could be used in conjunction with R&S to support data transfer to third countries and international organisations. As things currently stand, the Dutch Data Protection Authority has declared that it will not be possible to have a Code of Conduct for GÉANT that covers both EU transfers and non-EU transfers.
REFEDS is actively following guidelines on Certification to see if R&S can be considered a certification approach in the future. This is likely to be a lengthy process.
At the time of writing, the Article 29 Working Party have an open consultation on their advice providing guidelines for the use of derogations under Article 49. The Article lists a series of potential derogations that could be used for transfer, but many of these will not prove adequate for federated access management.