Adequacy Decision
EU Commission determination that a non-EU country provides data protection essentially equivalent to EU standards
An Adequacy Decision is a formal status granted by the European Commission to a non-EU country acknowledging that its legal framework provides data protection "essentially equivalent" to that of the European Union. Under GDPR Article 45, this decision is the most streamlined mechanism for international data transfers—once a country is deemed adequate, personal data can flow from the EU without further authorization or additional legal safeguards.
For the Commission to grant adequacy, a third country must demonstrate: rule of law with effective judicial protection and redress for individuals, strict limits and oversight on how national security or law enforcement agencies can access personal data, and an active, independent data protection authority with enforcement powers.
Major jurisdictions currently holding adequacy include the United Kingdom, Japan, Canada (for commercial organizations), South Korea, Switzerland, and Israel—approximately 15+ jurisdictions worldwide. The Commission must review and re-confirm adequacy every four years.
The United States has a unique relationship with adequacy, lacking a general determination and instead relying on negotiated frameworks. Two landmark CJEU rulings—Schrems I (2015) and Schrems II (2020)—invalidated previous US-EU agreements (Safe Harbor and Privacy Shield) because US surveillance laws (particularly FISA Section 702) were found to conflict with EU privacy rights. As of July 2023, the EU-US Data Privacy Framework provides adequacy, but only for US organizations that self-certify and adhere to specific principles. The historical pattern suggests ongoing volatility and risk of future invalidation.
When a country lacks adequacy, organizations must use Standard Contractual Clauses (SCCs)—pre-approved contractual terms issued by the Commission. Post-Schrems II, SCCs alone are insufficient; exporters must also perform a Transfer Impact Assessment (TIA) to verify that the destination country's laws do not undermine the contractual protections. This creates significant administrative burden and ongoing compliance obligations.
For liability quantification, data residency in an adequate jurisdiction provides a "safe harbor" that reduces transfer-related risk scores. Conversely, data held in jurisdictions without adequacy (such as China or Russia) carries elevated liability multipliers due to unrestricted state access risks and the complexity of implementing appropriate safeguards. US-based data assets are considered to have "medium volatility"—currently adequate but with demonstrated historical risk of framework invalidation.