“Adequacy” seems to be the hardest word.
On the brink of Brexit and the UK becoming a “third country” without a so called “adequacy” status for the cross border transfer of personal data from the European Union — Could California have its own Privacy Shield arrangement separate from the rest of the U.S.?
This question emerged during the third annual review of the data-transfer agreements at the European Parliament. If the Court of Justice of the EU invalidates Privacy Shield, and California applied for an adequacy decision, would the European Commission consider such an application?
“The response from the commission was, in principle: yes. ‘The GDPR provides expressly for the possibility to recognize as adequate a territory at sub-federal level…So the Californian process is ongoing…but in principle, the answer is yes.’”
The harder, and more substantive questions of “Whether the California law would be adequate, whether it would have comparable independent oversight, whether data could be retained within California or whether the state has the constitutional power to ask for such an agreement were not within the scope of the hearing.”