EU Adequacy Decisions: Which Countries Qualify (2026)
An EU adequacy decision is a formal determination by the European Commission that a country outside the European Economic Area (EEA) provides a level of data protection "essentially equivalent" to that guaranteed within the EU. When a country receives an adequacy decision, personal data can flow freely from the EU to that country without organizations needing to implement additional safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules.
The adequacy framework is established in Article 45 of the GDPR, which sets out the criteria the Commission must evaluate and the procedure for adoption and review. Adequacy decisions are among the most consequential instruments in international data protection, since they effectively open or close the door to seamless data flows between the EU and major trading partners.
This guide covers how adequacy works, which countries currently have adequacy status, how the Commission conducts its assessments, the significance of periodic reviews, and the practical implications for businesses.
How Adequacy Decisions Work Under Article 45
GDPR Article 45 empowers the European Commission to determine that a third country, a territory, one or more specified sectors within a third country, or an international organization ensures an adequate level of data protection. The legal standard is not identical protection but "essential equivalence" with EU law.
The Assessment Criteria
When evaluating a country for adequacy, the Commission considers several factors outlined in Article 45(2):
Rule of law and human rights: The country's general legal framework, including legislation on national security, public interest, criminal law, and government access to personal data. The existence and effective functioning of an independent judiciary matters heavily.
Independent supervisory authority: Whether the country has one or more independent data protection authorities with adequate enforcement powers, including the ability to investigate, intervene, and sanction violations. The authority must also provide assistance and advice to data subjects exercising their rights.
International commitments: The country's participation in international data protection instruments, such as the Council of Europe Convention 108 and its modernized version (Convention 108+), bilateral or multilateral agreements, and other obligations arising from legally binding conventions.
Data subject rights: Whether individuals have effective and enforceable rights, including the right to access, rectification, erasure, and restriction of processing, and the right to an effective administrative and judicial remedy.
Onward transfer rules: Whether the country imposes conditions on further transfers of data to other third countries, preventing adequacy from becoming a backdoor for data flows to jurisdictions with weaker protections.
The Adoption Process
The adequacy assessment is a lengthy process. The Commission conducts its evaluation, often over several years. The European Data Protection Board (EDPB) issues an opinion on the draft decision. Member State representatives in a comitology committee vote to approve the decision. The European Parliament and Council can request the Commission to maintain, amend, or withdraw a decision, though they cannot formally block it.
From initial assessment to final adoption, the process typically takes two to four years.
Countries with Full Adequacy Decisions
As of 2026, the European Commission has issued adequacy decisions for the following countries and territories. Several of these were originally adopted under the 1995 Data Protection Directive (95/46/EC) and remain valid under the GDPR by virtue of Article 45(9).
Pre-GDPR Adequacy Decisions (Adopted Under the Directive)
These decisions were adopted before the GDPR took effect on May 25, 2018, and continue in force:
Andorra (adopted October 2010): Andorra's data protection framework, based on its 2003 Qualified Law on Personal Data Protection, was found adequate. The country's data protection authority (APDA) provides independent oversight.
Argentina (adopted June 2003): Argentina's Personal Data Protection Act (Law 25,326 of 2000) and its supervisory authority (AAIP) formed the basis for adequacy. Argentina is the only South American country with EU adequacy.
Canada (adopted December 2001, partial): Canada's adequacy is limited to organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) in their commercial activities. Provincial privacy laws recognized as substantially similar to PIPEDA also qualify. The adequacy does not cover data processing by government agencies or organizations not subject to PIPEDA.
Faroe Islands (adopted March 2010): An autonomous territory within the Kingdom of Denmark with its own data protection legislation.
Guernsey (adopted November 2003): British Crown dependency with data protection legislation modeled on the UK Data Protection Act.
Isle of Man (adopted April 2004): British Crown dependency with an independent data protection regime.
Israel (adopted January 2011): Israel's Privacy Protection Act of 1981 and the Privacy Protection Authority formed the basis for adequacy.
Jersey (adopted May 2008): British Crown dependency with its own data protection legislation and supervisory authority.
New Zealand (adopted December 2012): New Zealand's Privacy Act and the Office of the Privacy Commissioner provided the framework. New Zealand subsequently enacted a modernized Privacy Act in 2020.
Switzerland (adopted July 2000): One of the earliest adequacy decisions. Switzerland has since enacted a revised Federal Act on Data Protection (revFADP), effective September 1, 2023, which modernized its framework to align more closely with the GDPR.
Uruguay (adopted August 2012): Uruguay's Data Protection Act (Law 18,331) and the Regulatory and Data Protection Unit (URCDP) supported the adequacy finding.
Post-GDPR Adequacy Decisions
Japan (adopted January 2019): The first adequacy decision adopted under the GDPR. Japan's Act on Protection of Personal Information (APPI) was supplemented by additional safeguards specifically negotiated with the EU, including stricter rules on sensitive data, onward transfers, and individual rights. The decision created the world's largest area of free data flows at the time. The Commission completed its first review in April 2023, concluding adequacy remained warranted.
Republic of Korea (South Korea) (adopted December 2021): South Korea's Personal Information Protection Act (PIPA), amended in 2020 to strengthen its framework, and the Personal Information Protection Commission (PIPC) supported the adequacy finding. Korea made additional commitments regarding government access to data for law enforcement and national security purposes.
United Kingdom (adopted June 2021): The UK adequacy decision was adopted following Brexit and contains a unique four-year sunset clause (see detailed section below).
United States (DPF) (adopted July 2023): The adequacy decision applies only to US organizations certified under the [EU-US Data Privacy Framework (DPF)](/world-laws/world-data-privacy-laws/eu-us-data-privacy-framework). It is not a country-wide adequacy finding. Transfers to non-certified US organizations still require SCCs or other safeguards.
Partial and Sector-Specific Adequacy
Not all adequacy decisions cover an entire country's legal framework. The GDPR explicitly allows adequacy for "one or more specified sectors" within a country.
Canada: Commercial Activities Only
Canada's adequacy applies only to organizations subject to PIPEDA in their commercial activities. Public sector data processing, data processed under provincial legislation that is not substantially similar to PIPEDA, and non-commercial activities fall outside the scope.
United States: DPF-Certified Organizations Only
The US adequacy decision is the most limited in scope. It covers only organizations that have actively self-certified under the EU-US Data Privacy Framework through the International Trade Administration. There is no general adequacy finding for the United States. EU organizations transferring data to non-certified US entities must use SCCs, Binding Corporate Rules, or another approved transfer mechanism.
The UK Adequacy Decision and Sunset Clause
The UK adequacy decision deserves particular attention because of its unique structure and impending expiration.
Background
After the UK left the EU on January 31, 2020, a transition period preserved data flows until December 31, 2020. A bridging mechanism in the EU-UK Trade and Cooperation Agreement extended this until June 30, 2021. The Commission adopted the adequacy decision on June 28, 2021, just before the bridge expired.
The Four-Year Sunset Clause
Unlike all other adequacy decisions, the UK decision contains a sunset clause. It automatically expires on June 27, 2025, unless the Commission renews it. This clause was included because the Commission wanted the ability to reassess the UK's data protection landscape as it evolved independently from EU law post-Brexit.
Renewal Considerations
The Commission is evaluating whether to renew UK adequacy based on several developments:
The Data Protection and Digital Information Act (DPDI Act): Enacted in 2024, this law amends the UK GDPR and Data Protection Act 2018 in ways that diverge from EU standards. Changes include relaxed rules for recognized legitimate interests (removing the requirement for a balancing test in certain cases), reduced obligations for international transfers (allowing transfers based on a broader "data protection test"), and modifications to automated decision-making provisions. The Commission must determine whether these changes bring the UK below the essential equivalence threshold.
UK immigration exemption: The UK maintains a broad national security and immigration exemption from data protection rules, which has drawn scrutiny from privacy advocates and the EDPB.
UK-US Data Bridge: The UK's establishment of its own data transfer mechanism with the US demonstrates regulatory independence but also creates questions about onward transfers of EU data through the UK to the US.
As of early 2026, renewal discussions remain ongoing. If the Commission does not renew the decision, organizations transferring data from the EU to the UK would need to fall back on SCCs, Binding Corporate Rules, or other Article 46 mechanisms. See our GDPR vs UK GDPR guide for more on post-Brexit data transfer implications.
What Happens When Adequacy Is Revoked
The CJEU has twice invalidated adequacy-adjacent frameworks for the United States (Safe Harbor in 2015, Privacy Shield in 2020). These cases illustrate the consequences of losing adequacy status.
Immediate Impact
When an adequacy decision is invalidated or revoked, the legal basis for data transfers disappears instantly. Organizations that relied solely on the adequacy decision must immediately implement alternative transfer mechanisms or halt transfers.
Transition Periods
In practice, regulators have provided informal grace periods. After the Schrems II ruling invalidated Privacy Shield in July 2020, data protection authorities acknowledged that organizations needed time to implement SCCs and conduct Transfer Impact Assessments. However, there is no guaranteed grace period; legally, transfers become unlawful upon invalidation.
Business Impact
The invalidation of Privacy Shield affected over 5,300 certified US companies and thousands of EU organizations that relied on Privacy Shield for transatlantic transfers. Organizations scrambled to implement SCCs, often discovering they needed to renegotiate contracts with hundreds of service providers simultaneously.
Pending and Potential Adequacy Decisions
Several countries are at various stages of the adequacy assessment process or are considered potential candidates.
Countries in Discussion
Brazil: Brazil's Lei Geral de Protecao de Dados (LGPD), effective since 2020, and its supervisory authority (ANPD) have drawn comparisons to the GDPR. Brazil has expressed interest in pursuing adequacy, and initial discussions with the Commission have taken place. Brazil's participation in Convention 108+ would strengthen its candidacy.
Taiwan: Taiwan's Personal Data Protection Act and its planned amendments have positioned it as a potential adequacy candidate, particularly given the EU's interest in strengthening economic ties.
Kenya: Kenya enacted a comprehensive Data Protection Act in 2019, established a Data Protection Commissioner, and has worked to align its framework with international standards. East African adequacy remains a longer-term possibility.
Factors Accelerating or Delaying Adequacy
Countries that have ratified Convention 108+, established independent supervisory authorities with real enforcement power, and enacted comprehensive data protection legislation aligned with GDPR principles are better positioned for adequacy. Government surveillance practices, rule of law concerns, and the scope of national security exemptions are the primary factors that delay or prevent adequacy findings.
Practical Implications for Organizations
Adequacy decisions have significant practical consequences for how organizations structure their international data operations.
Benefits of Adequacy
Data transfers to adequate countries require no additional safeguards. No SCCs, no Binding Corporate Rules, no Transfer Impact Assessments. This dramatically simplifies compliance for both the EU data exporter and the receiving organization. It reduces legal costs, accelerates vendor onboarding, and removes contractual complexity.
Limitations
Adequacy does not override other GDPR requirements. Organizations receiving data under an adequacy decision must still comply with the destination country's data protection law. EU data subjects retain their rights under the GDPR, and the destination country's supervisory authority must provide effective enforcement.
Reliance Risk
Given that two US adequacy frameworks have been invalidated and the UK's decision faces an uncertain renewal, organizations should consider adequacy as one element of their transfer strategy rather than the sole basis. Maintaining the ability to activate alternative transfer mechanisms (particularly SCCs) provides resilience against future changes.
Monitoring Obligations
Organizations should track the periodic reviews of adequacy decisions that affect their data flows. The Commission's review schedule, EDPB opinions, and relevant legislative developments in adequate countries all provide early indicators of potential changes.
This is general legal information, not legal advice. Organizations relying on adequacy decisions for international data transfers should consult an attorney for advice specific to their situation.
Sources and References
Sources and References
- GDPR Article 45 - Full Regulation(eur-lex.europa.eu).gov
- European Commission - Adequacy Decisions(commission.europa.eu).gov
- EDPB Adequacy Referentials(edpb.europa.eu).gov
- Commission Review of Japan Adequacy(commission.europa.eu).gov
- Council of Europe Convention 108(coe.int).gov
- Data Privacy Framework(dataprivacyframework.gov).gov
- EU-US Data Transfers(commission.europa.eu).gov
- Japan Adequacy Decision 2019/419(eur-lex.europa.eu).gov
- Korea Adequacy Decision 2022/254(eur-lex.europa.eu).gov
- UK Adequacy Decision 2021/1772(eur-lex.europa.eu).gov
- US DPF Adequacy Decision 2023/1795(eur-lex.europa.eu).gov