European Commission upholds 11 data protection adequacy decisions

Decision underlines importance of cross-border data flows and boosts convergence in EU.

In a significant move towards maintaining data security, the European Commission has successfully completed its adequacy review for 11 countries.

The Commission’s report found that personal data transferred from the European Union to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay has remained in line with the standards in the the EU’s data protection legislation. Personal data flowing from the EU to these jurisdictions will continue to benefit from strong safeguards and ensure the free and secure flow of data.

Didier Reynders, Commissioner for Justice, European Commission said: “In today’s world, cross-border data flows are an integral part of our economy and daily lives. I very much welcome that all 11 countries and territories concerned by this review have brought their data protection regimes even closer to ours. Our adequacy decisions form the world’s broadest network of safe and free data flows. We will step up our engagement with international partners to develop this network even further.”


The report demonstrates that the data protection frameworks in these countries and territories have further converged with the EU’s framework and strengthened protection of personal data in their jurisdictions. The GDPR has inspired positive changes such as:

  • the introduction of new rights for individuals;
  • the reinforcement of the independence and powers of authorities responsible for the enforcement of privacy laws;
  • the modernization of rules on international transfers.

The country reports show that since the adoption of the adequacy decisions under the 1995 Data Protection Directive, the different countries and territories have carried out a comprehensive modernization of their privacy legislation. They have further aligned their frameworks with the GDPR or introduced specific reforms, which significantly strengthened safeguards for personal data.

To bridge certain gaps with the EU privacy framework, some countries put in place specific safeguards to strengthen the protection of data coming from the European Economic Area, including to facilitate the exercise by Europeans of their rights.

16 adequacy decisions to date

In total there are 16 adequacy decisions in place, respectively for Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom (under the GDPR and the LED), the United States (for commercial organizations certified under the EU-US Data Privacy Framework) and Uruguay.

In 2019, the EU and Japan recognized each other’s data protection systems as “equivalent”, thereby allowing personal data to flow freely between them. This arrangement created the world’s largest area of free and safe data flows. In June 2023, the EU adopted adequacy decisions for the United Kingdom and in January 2022 for South Korea. In July 2023, the Commission adopted its adequacy decision for the EU-US Data Privacy Framework. For more about the framework, see New data bridge for UK-US data transfers to help firms.

The EU sets a global standard for data protection. The Commission will continue to monitor relevant developments in the countries and territories concerned, in particular, where further legislative reforms are ongoing. The GDPR requires the Commission to periodically review adequacy decisions. To step up this dialogue and promote the exchange of information, and experience, the Commission intends to organize a high-level meeting in 2024, bringing together representatives from the EU and all countries that benefit from an adequacy decision.