European commission publishes first review of pre-GDPR EU adequacy decisions

The European Commission has reviewed and reaffirmed the adequacy decisions for eleven countries and territories that were adopted before the GDPR came into force.

Article 45 of Regulation (EU) 2016/679 grants the European Commission the power to determine whether a country outside the EU offers an adequate level of data protection. The Commission took into account the evolution of the data protection frameworks in the countries and territories concerned, but also the evolution in the interpretation under EU law of the adequacy standard itself.

In its report the Commission found that these 11 jurisdictions have maintained an equivalent level of data protection as required for EU countries (and Norway, Liechtenstein and Iceland), and personal data can continue to flow freely to them without additional safeguards. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

The jurisdictions covered by the review were: Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

The Commission in particular noted that many of the countries have modernised and strengthened their privacy legislation through comprehensive or partial reforms (identifying in particular: Andorra, Canada, Faroe Island, Switzerland, and New Zealand). Some of these countries have adopted regulations and/or guidance by their data protection authority to introduce new data protection requirements (Israel and Uruguay) or clarifying certain privacy rules (Argentina, Canada, Guernsey, Jersey, Isle of Man, Israel, and New Zealand), building on enforcement practice or case law.

Four other jurisdictions with adequacy decisions (Japan, Republic of Korea, UK and US) were not included in this review as they received their adequacy decisions after the GDPR came into effect. 

Our Views

The review is a positive affirmation of these jurisdictions’ commitment to data protection. It ensures that personal data can continue to flow freely from the EU to these jurisdictions, and that individuals’ personal data are adequately protected even when transferred outside the EU. The review also provides legal certainty to businesses who are reliant upon international data transfers, and allows these business to continue their operations.

Read the other topical articles from our Winter Data Protection Update:

Get in touch

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.

Related expertise

Get in touch

Contact us today

Whatever your legal needs, our wide ranging expertise is here to support you and your business, so let’s start your legal journey today and get you in touch with the right lawyer to get you started.


Get in touch

For general enquiries, please complete this form and we will direct your message to the most appropriate person.