Personal data transfer from the EU can continue to 11 jurisdictions
Robust data protection safeguards found in place
The European Commission has concluded its review of 11 existing adequacy decisions, initially adopted under the EU data protection legislation preceding the General Data Protection Regulation (GDPR).
The commission’s report, released on January 15, 2024, affirms that personal data transferred from the European Union to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay continues to benefit from robust data protection safeguards.
The comprehensive review indicates that the data protection frameworks in these 11 countries and territories have not only maintained but further converged with the EU’s framework, enhancing personal data protection within their jurisdictions.
The adequacy decisions, crucial for facilitating the seamless data flow to these jurisdictions, remain in place, highlighting the continued commitment to protecting EU-based individuals’ privacy.
The GDPR has been pivotal in inspiring positive changes, including introducing new rights for EU individuals, reinforcing the independence and powers of authorities responsible for privacy law enforcement, and modernising rules on international data transfers.
Country-specific reports reveal a comprehensive modernisation of privacy legislation since adopting adequacy decisions under the 1995 Data Protection Directive.
The different countries and territories have aligned their frameworks with the GDPR or implemented specific reforms, significantly strengthening safeguards for personal data. These reforms have notably reinforced data protection authorities’ independence and enforcement powers.
In bridging gaps with the EU privacy framework, some countries have implemented specific safeguards to strengthen data protection from the European Economic Area, ensuring the facilitation of Europeans exercising their rights.
The review also highlights that public authorities in the 11 jurisdictions are subject to appropriate safeguards concerning access to data for law enforcement or national security purposes. This includes effective oversight and redress mechanisms, ensuring accountability and transparency.
The European Commission asserts its commitment to ongoing monitoring of developments in the countries and territories concerned, mainly where legislative reforms are underway. The GDPR mandates periodic reviews of adequacy decisions to ensure continuous compliance with evolving standards.
With the GDPR coming into effect in May 2018, adequacy decisions adopted under the Data Protection Directive continued to be enforced. The GDPR recognises adequacy decisions as ‘living instruments’, necessitating periodic reviews by the European Commission.
The first review evaluated developments in the countries’ and territories’ data protection frameworks since adopting adequacy decisions. It also assessed the rules governing government access to data for law enforcement and national security purposes.
The European Commission retains the power to suspend, amend, or withdraw an adequacy decision if developments in an adequate country or territory negatively affect the level of protection for personal data.
In total, 16 adequacy decisions are in place for various countries and territories, with ongoing monitoring and periodic reviews to ensure the highest data protection standards.
Notably, the EU and Japan recognised each other’s data protection systems as ‘equivalent’ in 2019, creating the world’s largest area of free and safe data flows.
Adequacy decisions for the United Kingdom, South Korea, and the EU-US Data Privacy Framework have been adopted recently, with continuous monitoring and periodic reviews to ensure continued compliance.
Featured image: Some countries have implemented specific safeguards to strengthen data protection from the European Economic Area, ensuring the facilitation of Europeans exercising their rights. Image: John Schnobrich