EU Adequacy Decisions: Full Country List and 2026 Updates
Under GDPR Article 45, the European Commission issues an adequacy decision when it determines that a non-EU country provides data protection essentially equivalent to EU standards. That designation lets personal data flow freely from the EU to that country without additional safeguards such as Standard Contractual Clauses.
An EU adequacy decision is a formal determination by the European Commission that a country outside the European Economic Area (EEA) provides a level of data protection "essentially equivalent" to that guaranteed within the EU. When a country receives an adequacy decision, personal data can flow freely from the EU to that country without organizations needing to implement additional safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules.
The adequacy framework is established in Article 45 of the GDPR, which sets out the criteria the Commission must evaluate and the procedure for adoption, review, and revocation. Adequacy decisions are among the most consequential instruments in international data protection, since they determine whether seamless cross-border data flows are possible between the EU and its trading partners.
This guide covers how adequacy works, every country and organization that currently holds adequacy status, the 2024 review of the eleven pre-GDPR decisions, the UK's December 2025 renewal, Brazil's 2026 decision, the EU-US Data Privacy Framework and its litigation history, and what adequacy means for your organization.
How Adequacy Decisions Work Under GDPR Article 45
GDPR Article 45 empowers the European Commission to determine that a third country, a territory, one or more specified sectors within a third country, or an international organization ensures an adequate level of protection. The legal standard is not identical protection but "essential equivalence" with EU law.
The Assessment Criteria
When evaluating a country for adequacy, the Commission considers several factors outlined in Article 45(2):
Rule of law and human rights: The country's general legal framework, including legislation on national security, public interest, criminal law, and government access to personal data. The existence of an independent judiciary matters heavily.
Independent supervisory authority: Whether the country has one or more independent data protection authorities with adequate enforcement powers, including the ability to investigate, intervene, and sanction violations. The authority must also provide assistance and advice to data subjects exercising their rights.
International commitments: The country's participation in international data protection instruments, such as the Council of Europe Convention 108 and its modernized Protocol (Convention 108+), bilateral or multilateral agreements, and other legally binding obligations.
Data subject rights: Whether individuals have effective and enforceable rights, including access, rectification, erasure, and restriction of processing, and the right to effective administrative and judicial remedy.
Onward transfer rules: Whether the country imposes conditions on further transfers of data to other third countries, preventing adequacy from becoming a backdoor for data flows to jurisdictions with weaker protections.
The Adoption Process
The adequacy assessment is a lengthy process. The Commission conducts its evaluation, often over several years. The European Data Protection Board (EDPB) issues an opinion on the draft decision. Member State representatives in a comitology committee vote to approve the decision. The European Parliament and Council may request the Commission to maintain, amend, or withdraw a decision.
From initial assessment to final adoption, the process typically takes two to four years. Countries that have ratified Convention 108+, established genuinely independent supervisory authorities with real enforcement power, and enacted comprehensive GDPR-aligned legislation tend to move through the process faster.
Monitoring and Periodic Review
Article 45(3) requires the Commission to monitor developments in adequate countries on an ongoing basis. Article 45(4) requires it to report periodically to the European Parliament and Council on the functioning of decisions. If the Commission finds that a country no longer provides essential equivalence, it may amend, suspend, or repeal the decision.
Countries with EU Adequacy Decisions
As of 2026, the European Commission has issued adequacy decisions for 17 countries, territories, and organizations. The list includes both pre-GDPR decisions (originally adopted under the 1995 Data Protection Directive and continuing in force under GDPR Article 45(9)) and decisions adopted since the GDPR took effect in May 2018.
Pre-GDPR Adequacy Decisions (Directive Era)
These decisions were adopted under Directive 95/46/EC before the GDPR took effect on May 25, 2018. They continue in force as long as they are not repealed or modified.
Andorra (adopted October 2010): Andorra's 2003 Qualified Law on Personal Data Protection and its independent supervisory authority (APDA) underpinned the adequacy finding. The Commission's January 2024 review confirmed adequacy continues to be warranted.
Argentina (adopted June 2003): Argentina's Personal Data Protection Act (Law 25,326) and the Agencia de Acceso a la Información Pública (AAIP) form the basis for adequacy. Argentina remains the only South American country with EU adequacy outside of Brazil.
Canada (adopted December 2001, partial): Canada's adequacy is limited to organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) in their commercial activities. Public sector processing, organizations not subject to PIPEDA, and provincial legislation not recognized as substantially similar to PIPEDA fall outside the scope.
Faroe Islands (adopted March 2010): An autonomous territory within the Kingdom of Denmark with its own data protection legislation.
Guernsey (adopted November 2003): British Crown dependency with data protection legislation that has been aligned with the UK GDPR post-Brexit.
Isle of Man (adopted April 2004): British Crown dependency with an independent data protection regime under the Information Commissioner's Office (Isle of Man).
Israel (adopted January 2011): Israel's Privacy Protection Act 1981 and the Privacy Protection Authority provided the framework. Israel has been working on modernizing its privacy legislation to bring it closer to GDPR standards.
Jersey (adopted May 2008): British Crown dependency with its own data protection legislation and supervisory authority (ODPA).
New Zealand (adopted December 2012): New Zealand's Privacy Act and the Office of the Privacy Commissioner provided the basis for adequacy. New Zealand enacted a significantly modernized Privacy Act in November 2020.
Switzerland (adopted July 2000): One of the earliest adequacy decisions. Switzerland enacted a revised Federal Act on Data Protection (revFADP), effective September 1, 2023, which modernizes its framework to align more closely with GDPR. The Commission has been monitoring whether the revFADP strengthens Switzerland's adequacy position.
Uruguay (adopted August 2012): Uruguay's Data Protection Act (Law 18,331) and the Regulatory and Data Protection Unit (URCDP) supported the adequacy finding.
Post-GDPR Adequacy Decisions
Japan (adopted January 2019): The first adequacy decision adopted under the GDPR. Japan's Act on Protection of Personal Information (APPI) was supplemented by additional safeguards specifically negotiated with the EU, including stricter rules on sensitive data, onward transfers, and individual rights. The Commission completed its first review in April 2023, concluding adequacy remained warranted given continued alignment of the APPI with GDPR principles.
Republic of Korea (South Korea) (adopted December 2021): South Korea's Personal Information Protection Act (PIPA), substantially amended in 2020, and the Personal Information Protection Commission (PIPC) supported the finding. Korea made additional commitments regarding government access to data for law enforcement and national security purposes.
United Kingdom (adopted June 2021, renewed December 2025): The UK adequacy decision is covered in detail in its own section below.
United States (DPF) (adopted July 2023): The adequacy decision applies only to US organizations certified under the EU-US Data Privacy Framework (DPF). There is no general adequacy finding for the United States. Transfers to non-certified US organizations still require SCCs or other safeguards.
Brazil (adopted January 26, 2026): The newest and most comprehensive adequacy decision to date, and the first mutual adequacy arrangement. See detailed section below.
European Patent Organisation (adopted July 15, 2025): The first adequacy decision ever adopted for an international organization. This enables smooth data flows between EU entities and the EPO in support of the digital transformation of the patent-granting process.
The January 2024 Review of Eleven Pre-GDPR Decisions
On January 15, 2024, the European Commission published its Report on the first periodic review of the functioning of the eleven adequacy decisions adopted under Directive 95/46/EC (document SWD(2024) 3 final, accompanying Commission communication COM/2024/7). The eleven decisions reviewed were: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay.
Conclusion: All Eleven Continue to Provide Adequacy
The Commission's overall finding was that all eleven countries and territories continue to provide an adequate level of data protection and that none of the decisions need to be withdrawn or amended at this stage.
Country-Specific Observations
The review was not a blanket rubber-stamp. The Commission identified specific areas warranting continued monitoring:
For Argentina, the Commission noted the need for the country to complete its legislative reform process to modernize its 2000 data protection law, bringing it closer to GDPR standards, and urged the appointment of a new head of the AAIP supervisory authority.
For Israel, the Commission observed ongoing legislative reform to update the Privacy Protection Act and noted that the scope and depth of the reform would be relevant to a future adequacy assessment.
For Canada, the Commission flagged the ongoing PIPEDA reform process (Bill C-27) and noted that implementation of reform would affect future adequacy reviews.
For New Zealand, the Commission noted the positive impact of the 2020 Privacy Act reforms and commended the country's well-functioning independent supervisory authority.
The Commission confirmed that the adequacy decisions for Guernsey, Isle of Man, Jersey, the Faroe Islands, Andorra, Switzerland, and Uruguay continue to operate satisfactorily, while recommending continued close monitoring of regulatory developments in each jurisdiction.
The UK Adequacy Decision: Sunset Clause, Extension, and December 2025 Renewal
The UK adequacy decision has a more complex history than any other adequacy decision, because of the unique sunset clause inserted at the time of the original adoption.
The 2021 Original Decision and Sunset Clause
The Commission adopted the UK adequacy decision on June 28, 2021, just before the bridging arrangement in the EU-UK Trade and Cooperation Agreement expired. Unlike every other adequacy decision, the UK decision contained a four-year sunset clause causing it to expire automatically on June 27, 2025, unless renewed. The clause was inserted because the Commission wanted the ability to reassess the UK's data protection framework as it evolved independently from EU law following Brexit.
The June 2025 Technical Extension
As the June 27, 2025 expiry date approached, the Commission had not yet completed its formal renewal process. On June 24, 2025, the Commission adopted a brief technical extension of both the GDPR-based and LED-based UK adequacy decisions, preserving data flows while the renewal assessment was finalized.
The December 19, 2025 Renewal
On December 19, 2025, the Commission formally renewed the UK adequacy decisions under both the GDPR and the Law Enforcement Directive (LED). The renewed decisions run for six years, expiring on December 27, 2031. The Commission committed to a midpoint review after four years, working closely with the EDPB.
The Commission concluded that the UK continues to provide essentially equivalent data protection despite a number of legislative changes since 2021. Key among these was the UK's enactment of the Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on June 19, 2025. The DUAA replaced the proposed Data Protection and Digital Information Bill, which had contained more significant divergences from GDPR standards. The Commission assessed the DUAA and found that the UK's overall framework remained essentially equivalent.
EDPB Opinion and Monitoring Conditions
The EDPB adopted its opinion on the draft UK adequacy decisions in October 2025. While welcoming the renewal, the EDPB called on the Commission to ensure effective monitoring of several areas, including the UK's immigration exemption from data protection rules, the UK-US Data Bridge and its implications for onward transfers of EU data to the US, and the risk of future divergence as the UK's framework continues to develop independently.
The renewal means that for the six-year period to December 2031, organizations can transfer personal data freely between the EU and the UK under the adequacy decisions. Organizations relying on UK adequacy should maintain awareness of the monitoring conditions and keep contingency plans for SCCs should the Commission decide not to renew again in 2031.
Brazil: The Newest Adequacy Decision (January 2026)
On January 26, 2026, the European Commission adopted Implementing Decision (EU) 2026/179, recognizing Brazil's LGPD framework as providing adequate data protection under GDPR Article 45. On the same date, Brazil's national data protection authority (ANPD) adopted Resolution CD/ANPD No. 32, mutually recognizing the EU as providing adequate protection under the Brazilian General Data Protection Law (LGPD).
What Makes the Brazil Decision Distinctive
The Brazil decision stands out from prior adequacy decisions in several ways:
Mutual recognition: Both sides recognized each other's adequacy simultaneously, creating a genuinely bilateral arrangement. Brazil's ANPD Resolution 32 mirrors the EU decision, allowing free data flows in both directions.
Broadest sectoral scope: Unlike Canada (commercial activities only) and the US (DPF-certified organizations only), Brazil's adequacy covers both public and private sector transfers, making it the most comprehensive adequacy arrangement adopted under the GDPR.
Security carve-out: The decision does not apply to transfers carried out exclusively for national defense, state security, or criminal investigation purposes, consistent with the LGPD's own exemptions in those areas.
Review schedule: The decision is subject to a formal review every four years, with the Commission working closely with the ANPD on continuous monitoring.
Background: Brazil's Data Protection Framework
Brazil enacted its Lei Geral de Proteção de Dados (LGPD) in 2018, effective from September 2020. The LGPD closely mirrors the structure and principles of the GDPR, covering lawful basis for processing, data subject rights, data breach notification, and requirements for data protection officers. The ANPD was established as an independent supervisory authority and issued implementing regulations on international data transfer mechanisms and security incident notification that further aligned Brazil's framework with EU standards.
The EU published a draft adequacy decision in September 2025 following an assessment process that began several years earlier. The final decision was adopted January 26, 2026.
The EU-US Data Privacy Framework
The EU-US Data Privacy Framework (DPF) was adopted as an adequacy decision on July 10, 2023, following intensive negotiations between the Commission and the Biden administration. The DPF replaced the Privacy Shield framework that the Court of Justice of the EU (CJEU) had invalidated in Schrems II in July 2020.
How the DPF Works
Unlike country-wide adequacy decisions, the DPF is a self-certification scheme. US organizations voluntarily certify compliance with the DPF Principles through the International Trade Administration (ITA) at dataprivacyframework.gov. Certified organizations agree to the DPF Principles and to submit to FTC and Department of Transportation enforcement. EU individuals may seek redress through a Data Protection Review Court (DPRC) established by Executive Order 14086 for claims regarding US signals intelligence activities.
The October 2024 First Annual Review
On October 9, 2024, the Commission published its Report on the first periodic review of the EU-US DPF (COM(2024) 451 final). The review meeting took place in Washington, D.C. on July 18 to 19, 2024.
Key findings: the Commission found that the DPF was functioning as intended in its first year, with strong SME participation (70% of certified companies are SMEs) and significant representation from the ICT sector (47% of certifications). The US authorities confirmed no relevant changes to the national security or law enforcement legal framework during the first year of the DPF.
Litigation: The Latombe Case (September 2025)
The DPF faced its first judicial challenge in Case T-553/23, Philippe Latombe v. European Commission, before the European General Court. On September 3, 2025, the General Court dismissed the action, confirming that the United States ensures an adequate level of protection for personal data transferred under the DPF. The Court found that US signals intelligence activities are subject to judicial supervision by the DPRC, whose decisions are final and binding, satisfying the essential equivalence standard established in Schrems II.
The decision could be appealed to the CJEU. NOYB (None of Your Business), the privacy advocacy group founded by Max Schrems, has indicated it is monitoring developments and may bring a separate broader challenge.
Ongoing Political Uncertainty
The DPF's longer-term stability faces political risks stemming from the Trump administration's actions in 2025. Key concerns include:
PCLOB: In January 2025, the Trump administration dismissed the Democratic members of the Privacy and Civil Liberties Oversight Board, leaving the Board without a quorum. The PCLOB plays a role in overseeing the US surveillance framework that underpins the DPF's safeguards.
FTC independence: An executive order on agency accountability in February 2025 raised concerns about whether the FTC retains sufficient independence to enforce DPF commitments against certified organizations.
Multiple European data protection authorities, including Norway's Datatilsynet, Germany's DSK, and Denmark's Datatilsynet, issued guidance advising organizations to develop contingency plans for alternative transfer mechanisms. Organizations relying on the DPF should maintain updated SCC arrangements as a backup.
How Adequacy Decisions Are Revoked or Challenged
The history of EU-US data transfer frameworks illustrates the fragility of adequacy-based arrangements and the consequences of revocation.
Schrems I: Safe Harbor (2015)
In October 2015, the CJEU invalidated the Safe Harbor framework (Case C-362/14, Schrems v. Data Protection Commissioner) following revelations about US mass surveillance programs disclosed by Edward Snowden. The Court found that the Commission's Safe Harbor adequacy decision failed to provide essentially equivalent protection, because US law permitted mass access to personal data without adequate judicial oversight.
Schrems II: Privacy Shield (2020)
In July 2020, the CJEU invalidated the Privacy Shield framework (Case C-311/18, Data Protection Commissioner v. Facebook Ireland) on the same essential grounds: US surveillance law did not provide data subjects with enforceable rights or an effective judicial remedy equivalent to EU standards. The Court also confirmed that Standard Contractual Clauses remain valid but that data exporters must conduct Transfer Impact Assessments before relying on them.
Practical Consequences of Revocation
When an adequacy decision is invalidated, the legal basis for transfers disappears immediately. After Schrems II:
- Over 5,300 US companies that had relied on Privacy Shield as their sole transfer mechanism had to implement alternative safeguards on short notice.
- EU organizations discovered they needed to renegotiate contracts with hundreds of service providers.
- Data protection authorities began enforcement actions against transfers to the US that lacked a valid legal basis.
There is no guaranteed transition period when adequacy is revoked. Organizations should treat adequacy as one layer of their transfer strategy rather than the only layer, and maintain current SCC arrangements wherever adequacy decisions affect critical data flows.
Partial and Sector-Specific Adequacy
The GDPR explicitly allows adequacy for "one or more specified sectors" within a country. Two current decisions illustrate how partial adequacy works in practice.
Canada: Commercial Activities Only
Canada's adequacy applies only to organizations subject to PIPEDA in their commercial activities. Processing by government agencies, data processed under provincial legislation not recognized as substantially similar to PIPEDA, and non-commercial processing fall outside the scope of the decision.
Canada's data protection reform efforts have been ongoing for several years. Bill C-27 (the Consumer Privacy Protection Act) would replace PIPEDA with a modernized framework if enacted.
United States: DPF-Certified Organizations Only
The US adequacy decision is the most limited in scope. It covers only organizations that have actively self-certified under the DPF through the ITA. There is no general adequacy finding for the United States as a country. Transfers to non-certified US organizations must rely on SCCs, Binding Corporate Rules, or another mechanism under GDPR Article 46.
Pending Adequacy Assessments
With Brazil's addition in 2026, the queue of near-term candidates for adequacy has narrowed, but several countries remain in various stages of discussion or assessment.
Taiwan: Taiwan's Personal Data Protection Act and its planned amendments have drawn EU interest, particularly in the context of strengthening EU-Taiwan economic and technology ties. An adequacy finding for Taiwan would be politically sensitive given cross-strait dynamics, but its strong legislative foundation makes it a credible candidate.
Kenya: Kenya enacted a comprehensive Data Protection Act in 2019, established a Data Commissioner, and has worked to align its framework with international standards. Sub-Saharan African adequacy remains a longer-term possibility.
India: India enacted the Digital Personal Data Protection Act 2023 (DPDPA), establishing a new supervisory framework (Data Protection Board). India-EU discussions on adequacy are nascent, with government access and national security exemptions representing significant hurdles.
Countries that have ratified Convention 108+, established genuinely independent supervisory authorities with adequate enforcement budgets and track records, and enacted comprehensive legislation with GDPR-comparable principles are best positioned. The scope of national security exemptions has historically been the hardest factor for countries with large intelligence agencies to satisfy.
What Adequacy Means for Businesses
The Benefits
For organizations transferring personal data to adequate countries, the practical benefit is significant simplification. No SCCs, no Transfer Impact Assessments, no Binding Corporate Rules. The exporter need only confirm that the destination is listed as adequate at the time of transfer.
This reduces legal costs, speeds up vendor onboarding, eliminates the need to renegotiate data processing agreements when adding vendors in adequate jurisdictions, and removes the compliance overhead of maintaining SCC libraries.
The Limitations
Adequacy does not override other GDPR requirements. The exporting organization must still have a lawful basis for the processing, comply with data minimization and purpose limitation principles, and respect data subject rights. Adequacy only removes the requirement for an additional transfer safeguard under Article 46.
The receiving organization in the adequate country must also comply with that country's own data protection law. Adequacy decisions do not convert EU GDPR obligations into the law of the destination country.
Managing Reliance Risk
Given that two US adequacy frameworks have been invalidated and the UK decision required renewal with monitoring conditions attached, adequacy decisions should be treated as useful but not unconditional. Organizations should:
- Maintain parallel SCC arrangements for any data flows to countries where adequacy stability is uncertain, particularly the US under the DPF.
- Track the Commission's periodic reviews and EDPB opinions for signs of adequacy being put under pressure.
- Monitor legislative developments in adequate countries that could push their frameworks below the essential equivalence threshold.
This is general legal information, not legal advice. Organizations relying on adequacy decisions for international data transfers should consult an attorney for advice specific to their situation.
Frequently Asked Questions
What is an EU adequacy decision?
An EU adequacy decision is a formal determination by the European Commission under GDPR Article 45 that a non-EU country provides data protection essentially equivalent to EU standards. When a country has adequacy status, personal data can flow freely from the EU to that country without organizations needing additional safeguards like Standard Contractual Clauses or Binding Corporate Rules. The standard is essential equivalence, not identical protection.
Which countries have EU adequacy decisions in 2026?
As of 2026, 17 countries, territories, and organizations have adequacy: Andorra, Argentina, Brazil (January 2026), Canada (commercial sector only), the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom (renewed December 2025 to December 2031), the United States (only for DPF-certified organizations), Uruguay, and the European Patent Organisation (July 2025). Several of these were adopted under the 1995 Directive and continue in force under GDPR Article 45(9).
Was the UK adequacy decision renewed?
Yes. The original UK adequacy decision carried a four-year sunset clause expiring June 27, 2025. On June 24, 2025 the Commission adopted a technical extension to preserve data flows while the renewal assessment was completed. On December 19, 2025 the Commission formally renewed both the GDPR-based and LED-based UK adequacy decisions for a further six years to December 27, 2031, following its assessment of the UK's Data (Use and Access) Act 2025.
What was the January 2024 review of adequacy decisions?
On January 15, 2024 the Commission published its Report on the first periodic review of the eleven adequacy decisions adopted under the 1995 Data Protection Directive (covering Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay). The Commission concluded that all eleven continue to provide adequate protection. The report included country-specific recommendations, notably calling on Argentina to complete its legislative reform and on Canada to progress its PIPEDA reform.
What is the Brazil EU adequacy decision?
On January 26, 2026, the European Commission adopted Implementing Decision (EU) 2026/179, recognizing Brazil's LGPD framework as providing adequate data protection. Brazil simultaneously adopted ANPD Resolution 32, mutually recognizing EU adequacy under the LGPD. The decision is notable for its broad scope (covering both public and private sectors) and its mutual nature. Transfers are subject to national defense and state security carve-outs consistent with the LGPD.
What is the EU-US Data Privacy Framework and is it still valid?
The EU-US Data Privacy Framework (DPF), adopted July 2023, is an adequacy decision covering only US organizations that self-certify through the International Trade Administration. It survived its first judicial challenge when the European General Court dismissed Case T-553/23 in September 2025. However, the Trump administration's dismissal of PCLOB members and questions about FTC independence have created uncertainty about the DPF's long-term stability. Several European DPAs have recommended maintaining SCC fallback arrangements.
What happens if an adequacy decision is revoked?
When an adequacy decision is invalidated or revoked, the legal basis for data transfers disappears immediately. There is no guaranteed transition period. Organizations must implement alternative transfer mechanisms, primarily Standard Contractual Clauses, or halt transfers. The Schrems II invalidation of Privacy Shield in 2020 affected more than 5,300 certified US companies that had relied on it as their sole transfer mechanism.
What is the difference between adequacy and Standard Contractual Clauses?
Adequacy decisions allow data transfers without any additional formalities, because the Commission has already assessed the destination country's legal framework. Standard Contractual Clauses (SCCs) are contractual safeguards that organizations must themselves put in place, along with Transfer Impact Assessments, when transferring data to countries without adequacy. Adequacy is simpler in practice but less stable; SCCs give more control but require more compliance infrastructure.
Which countries might get EU adequacy decisions next?
Taiwan, India, and Kenya are discussed as potential future candidates. India's 2023 Digital Personal Data Protection Act established a new legal basis for candidacy, but government access provisions remain a hurdle. Taiwan's strong legislative alignment and economic ties to the EU make it a credible longer-term candidate. Countries that have ratified Convention 108+, established independent supervisory authorities, and enacted comprehensive GDPR-aligned legislation are best positioned.
Sources and References
- GDPR Article 45 — Full Regulation Text (eur-lex.europa.eu)
- European Commission — Adequacy Decisions Overview (commission.europa.eu)
- EC Press Release — Review of 11 Existing Adequacy Decisions, January 2024 (ec.europa.eu)
- SWD(2024) 3 final — Report on First Review of Eleven Adequacy Decisions (commission.europa.eu)
- EC Press Release — Commission Renews UK Adequacy Decisions, December 2025 (ec.europa.eu)
- EDPB Opinion 26/2025 on UK Adequacy Decisions (edpb.europa.eu)
- Implementing Decision (EU) 2026/179 — Brazil Adequacy (eur-lex.europa.eu)
- EC Press Release — EU-Brazil Mutual Adequacy Decision, January 2026 (ec.europa.eu)
- Implementing Decision (EU) 2025/1382 — EPO Adequacy (eur-lex.europa.eu)
- COM(2024) 451 final — First Periodic Review of EU-US DPF (commission.europa.eu)
- EDPB Adequacy Referentials (edpb.europa.eu)
- Council of Europe Convention 108 and Protocol (coe.int)
- EU-US Data Privacy Framework Participant Search (dataprivacyframework.gov)
- Japan Adequacy Decision 2019/419 (eur-lex.europa.eu)
- Korea Adequacy Decision 2022/254 (eur-lex.europa.eu)
- UK Adequacy Decision 2021/1772 (eur-lex.europa.eu)
- US DPF Adequacy Decision 2023/1795 (eur-lex.europa.eu)
- Commission First Review of Japan Adequacy Decision, April 2023 (commission.europa.eu)