The European Commission has the power to determine, on the basis of article 45 of Regulation (EU) 2016/679whether a country outside the EU offers an adequate level of data protection.
The adoption of an adequacy decision involves
- a proposal from the European Commission
- an opinion of the European Data Protection Board
- an approval from representatives of EU countries
- the adoption of the decision by the European Commission
At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.
The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In others words, transfers to the country in question will be assimilated to intra-EU transmissions of data.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland , the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
Adequacy decisions Latest
- 17 December 2021
Joint Press Statement by Didier Reynders, Commissioner for Justice of the European Commission, and Yoon Jong In, Chairperson of the Personal Information Protection Commission of the Republic of Korea
- 26 October 2021
Joint statement on the first review of the EU-Japan mutual adequacy arrangement
- 30 March 2021