In its first review, the EU Commission confirms the adequacy decisions of eleven third countries: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay have an adequate level of data protection according to the GDPR. Data can therefore continue to be transferred from the EU to these countries without additional data protection guarantees.
What does an adequacy decision mean?
The Commission has the possibility to determine the existence of an adequate level of protection for the processing activities of personal data in a specific third country (i.e. outside the EU and EEA) or an international organisation (Art. 45 GDPR). As part of the necessary review, the national legislation of the country, its supervisory authorities, and the international commitments entered into by the country are taken into account.
If there is an adequacy decision, no further safeguards are required for the transfer of personal data to the third country in question. Personal data can therefore be transferred to the respective third country in the same way as within the EU.
There are currently adequacy decisions for the transfer of personal data to the following third countries (see also the list of the European Commission):
- Andorra
- Argentina
- Canada
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- New Zealand
- Republic of Korea (South Korea)
- Switzerland
- Uruguay
- United Kingdom
- United States of America (applies only to certified U.S. companies)
Why are the adequacy decisions reviewed?
For the countries now under review, the European Commission had issued the adequacy decisions on the basis of Art. 25 para. 6 of Directive 95/46/EC (EU Data Protection Directive). These adequacy decisions remained valid even after the GDPR came into force in May 2018.
According to Art. 45 (4) GDPR, the Commission must continuously monitor developments in third countries in order to ensure the effectiveness of the decisions adopted. In addition, the Commission must review these findings every four years in accordance with Art. 97 GDPR.
The first review was delayed in particular due to the judgment of the CJEU in the Schrems II case. In its judgment, the CJEU made important clarifications on key elements of the adequacy finding that the Commission must take into account when auditing adequacy. This includes, in particular, the CJEU’s explanations on the principle of equivalence. According to this, a third country does not have to guarantee an identical level of protection to that guaranteed in the EU legal order, but a level of protection that is “in substance” equivalent to it. The Commission’s task is therefore to review the entire system of the third country, including the privacy protection measures and their effective implementation and enforcement.
What does the Commission scrutinise in third countries?
In its review (see the report of 15 January 2024), the EU Commission focused on developments in the countries concerned since the last adequacy findings and assessed how these developments have affected data protection frameworks and whether the various policies continue to ensure an adequate level of protection. At the same time, the EU’s data protection regulations, in particular the entry into force of the GDPR, were comprehensively taken into account.
The Commission’s assessment was not limited to the general data protection framework of the third country in question, but also included the rules on access to personal data by public authorities, in particular for law enforcement and national security purposes. The requirements that these rules should fulfil in order to meet the standard of equivalence in substance were comprehensively formulated by the CJEU in the Schrems I and Schrems II judgments. An adequate level of protection is lacking if the additional protective measures do not protect against disproportionate access by the authorities and there is no effective legal protection against this.
What did the audits of third countries reveal?
The EU Commission obtained information from the eleven countries now under review on the development of their data protection policies since the first adequacy assessment. This information also included detailed data on the access of authorities to personal data.
Information was also obtained from authorities and local experts on the functioning of national policies and relevant legal and practical developments. In addition, intensive dialogues were held with each country concerned on the basis of this information. At the same time, the relevant EU institutions and organisations were consulted and the EU Commission also based its decisions on their feedback.
Based on these dialogues, some of the countries and territories have modernised and strengthened their data protection legislation (e.g. Andorra, Canada, Faroe Islands, Switzerland and New Zealand) to ensure the continuity of the adequacy finding. Some countries issued regulations and/or guidelines from their data protection authorities containing new data protection requirements (e.g. Israel and Uruguay) or clarifying certain data protection rules (e.g. Argentina, Canada, Guernsey, Jersey, Isle of Man, Israel and New Zealand).
In some cases, the EU Commission was able to negotiate additional safeguards for personal data transferred from the EU in order to address relevant differences in the level of protection. Canada, for example, extended the right of access and rectification in relation to personal data (processed by public authorities) to all individuals regardless of their nationality or place of residence. The Israeli government, for example, introduced new commitments in the area of data accuracy and data retention, strengthened the right to information and erasure and additionally introduced the category of sensitive data.
Conclusion
With the adequacy decisions, the EU Commission certifies that the eleven countries have an adequate level of data protection measured against the standards of the GDPR. However, this does not mean that the policies of these third countries comply with the GDPR or that the exact same strict standards apply as in the EU.
For companies in the EU and also companies in countries with a positive adequacy decision, this positive decision is of central importance. The respective decisions are the basis for allowing personal data to be transferred between the EU and the respective third countries without additional guarantees.
However, especially with regard to the U.S. and the UK – which were not part of the current review – companies should remain vigilant, as there is a risk of legal proceedings against the currently applicable adequacy decisions, especially the EU-U.S. Data Privacy Framework.
