Commission finds that EU personal data flows can continue with 11 third countries and territories

Today, the European Commission successfully concluded its review of 11 existing adequacy decisions. These decisions had been adopted under the EU data protection legislation that preceded the General Data Protection Regulation (GDPR). In its report, the Commission finds that personal data transferred from the European Union to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continues to benefit from adequate data protection safeguards. Therefore, the adequacy decisions adopted for these 11 countries and territories remain in place and data can continue to flow freely to these jurisdictions. The review has demonstrated that the data protection frameworks in these countries and territories have further converged with the EU’s framework and strengthened protection of personal data in their jurisdictions. The GDPR has inspired positive changes such as the introduction of new rights for individuals, the reinforcement of the independence and powers of authorities responsible for the enforcement of privacy laws or the modernisation of rules on international transfers.

The country reports show that since the adoption of the adequacy decisions under the 1995 Data Protection Directive, the different countries and territories have carried out a comprehensive modernisation of their privacy legislation. They have further aligned their frameworks with the GDPR or introduced specific reforms, which significantly strengthened safeguards for personal data. These reforms reinforced, for example, the independence and enforcement powers of data protection authorities. To bridge certain gaps with the EU privacy framework, some countries put in place specific safeguards to strengthen the protection of data coming from the European Economic Area, including to facilitate the exercise by Europeans of their rights. The review also showed that public authorities in the 11 jurisdictions are subject to appropriate safeguards in the area of access to data by public authorities, notably for law enforcement or national security purposes. This includes effective oversight and redress mechanisms.

The Commission will continue to monitor relevant developments in the countries and territories concerned, in particular, where further legislative reforms are ongoing. The GDPR requires the Commission to periodically review adequacy decisions.

Background

With the entry into application of the GDPR in May 2018, the adequacy decisions adopted under the Data Protection Directive remained in force. At the same time, the GDPR clarifies that adequacy decisions are “living instruments” and requires the Commission to periodically review these decisions.

When carrying out its first review, the Commission evaluated the developments in the countries and territories’ data protection frameworks since the adoption of the adequacy decisions, and also assessed the rules in place on government access to data for law enforcement and national security purposes.

In the event of developments in an adequate country or territory that would negatively affect the level of protection for personal data, the Commission has the power to suspend, amend or withdraw an adequacy decision.

In total there are 16 adequacy decisions in place, respectively for Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom (under the GDPR and the LED), the United States (for commercial organisations certified under the EU-US Data Privacy Framework) and Uruguay.

In 2019, the EU and Japan recognised each other’s data protection systems as ‘equivalent’, thereby allowing personal data to flow freely between them. This arrangement created the world’s largest area of free and safe data flows. In June 2023, the EU adopted adequacy decisions for the United Kingdom and in January 2022 for South Korea. In July 2023, the Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework.

A first review of the arrangement with Japan was concluded with the adoption of a report in April 2023 and the Commission also monitors the enforcement of the arrangements that are in place with the United Kingdom and the United States.