What Are Third-Country Adequacy Decisions?

When transferring personal data outside the European Union (EU), businesses must comply with strict rules under the General Data Protection Regulation (GDPR). Third-country adequacy decisions simplify this process by allowing data to flow freely between the EU and certain non-EU countries. These decisions confirm that a country or organization provides data protection that meets EU standards.

Key Takeaways:

• What is an adequacy decision? It’s an EU ruling that a non-EU country offers GDPR-equivalent data protection.
• Why it matters: Businesses can transfer data to these countries without extra legal measures like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
• Countries with adequacy status (as of April 2026): 16 jurisdictions, including the UK, Japan, Canada (commercial sector only), and the U.S. (limited to certified organizations under the Data Privacy Framework).
• How it helps businesses: Reduces legal costs, speeds up data transfers, and simplifies compliance.

Adequacy decisions are not permanent - they’re reviewed every four years and can be revoked if a country no longer meets EU standards. Businesses should monitor changes and maintain backup safeguards like SCCs.

The Role of Adequacy Decisions in Cross-Border Data Transfers

Data Transfers Without Additional Safeguards

Under GDPR, adequacy decisions simplify international data transfers by removing the need for additional legal measures. When a country is granted adequacy status, data transfers to that location are treated as if they occur within the EU. This eliminates the need for businesses to implement Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or conduct Transfer Impact Assessments (TIAs) for each transaction. The result? Faster vendor onboarding, lower legal expenses, and streamlined privacy documentation and high-converting lead forms.

Take the EU-U.S. Data Privacy Framework as an example. Adopted in July 2023, it allowed over 5,300 U.S.-based organizations that self-certified their compliance to receive EU data without needing extra safeguards. By July 2024, over 2,800 additional companies had joined the framework, with 70% of them being small and medium-sized businesses. This framework has significantly eased the flow of cross-border data for businesses of all sizes.

International Collaboration and Trade

Adequacy decisions do more than simplify operations - they also fuel economic growth by fostering secure and efficient data flows. These decisions enable businesses to work across borders while maintaining strong data protection standards. For instance, the EU-Japan adequacy decision in 2019 created the largest area for free data flows at the time, demonstrating the framework's ability to support seamless international data exchange.

Brazil’s full adequacy status, granted in December 2025, opened up smoother data transfers with Latin America’s largest economy, enhancing trade opportunities. Similarly, the EU’s renewal of the United Kingdom’s adequacy status on December 19, 2025, extended until December 27, 2031, ensured ongoing digital collaboration. Ian Murray, UK Minister for Digital Government and Data, highlighted the importance of this decision:

The EU's renewal of its adequacy decisions for the UK ensures we remain committed to enabling secure, trusted data flows between the UK and EU to support growth, innovation and security.

These decisions are particularly beneficial for smaller businesses, reducing the need for extensive legal resources to navigate complex data transfer regulations.

sbb-itb-5f36581

How the European Commission Adopts Adequacy Decisions

The Evaluation Process

The European Commission undertakes a comprehensive, multi-year review to evaluate a third country's data protection framework. This process usually spans two to four years from the initial assessment to the final decision. It’s worth noting that the Commission doesn’t require the third country to have identical laws to the EU. Instead, it looks for protections that are "essentially equivalent" to those offered under EU law.

The evaluation focuses on several key areas: the country’s commitment to the rule of law and human rights (including how national security laws may impact data access), the presence of an independent supervisory authority with powers to enforce compliance, adherence to international agreements like Convention 108+, and safeguards for onward data transfers to prevent data from being sent to jurisdictions lacking protection.

Approval and Final Implementation

Once the evaluation is complete, the Commission follows a structured four-step process to finalize the adequacy decision. First, it submits a draft proposal. Then, the European Data Protection Board (EDPB) provides a formal opinion on whether the third country meets EU data protection standards. Afterward, EU member state representatives vote on the proposal via a comitology committee. Finally, the Commission officially adopts the adequacy decision.

Throughout this process, the European Parliament and the Council maintain oversight. Although they cannot directly block a decision, they can request the Commission to maintain, amend, or withdraw a decision if they believe it has overstepped its authority.

For instance, on February 10, 2026, Commissioner Michael McGrath and Brazil's Agência Nacional de Proteção de Dados Director-President, Waldemar Gonçalves Ortunho Júnior, announced a mutual adequacy decision. This followed the EDPB's Opinion 28/2025, issued in November 2025, and approval by EU member states. Similarly, the European Patent Organisation achieved adequacy status on July 15, 2025, after the EDPB adopted Opinion 07/2025 on May 6, 2025.

Next, we’ll explore the list of countries that have received adequacy decisions and examine how these processes have played out in practice.

Countries with Adequacy Decisions

List of Approved Countries

As of February 2026, the European Commission has recognized 16 jurisdictions and one international organization as meeting its data protection standards. These include:

• Andorra
• Argentina
• Brazil
• Canada (limited to commercial organizations under PIPEDA)
• Faroe Islands
• Guernsey
• Israel
• Isle of Man
• Japan
• Jersey
• New Zealand
• Republic of Korea (South Korea)
• Switzerland
• United Kingdom
• United States (only for organizations certified under the EU-US Data Privacy Framework)
• Uruguay
• European Patent Organisation.

However, not all adequacy decisions apply universally. For example, Canada’s decision only covers commercial organizations under its PIPEDA framework, leaving out public sector entities. Similarly, in the US, adequacy is limited to around 5,300 organizations certified under the Data Privacy Framework. This means businesses transferring data to the US must confirm that their recipient is certified. If not, they’ll need to rely on Standard Contractual Clauses instead.

Reviews and Status Updates

The European Commission reviews adequacy decisions on a four-year cycle to ensure jurisdictions continue to meet EU data protection standards. Beyond these periodic reviews, the Commission also keeps an eye on legal and practical changes in these regions.

Adequacy status isn’t permanent - it depends on maintaining compliance. For instance, on January 15, 2024, the Commission reaffirmed that 11 jurisdictions, including Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay, still meet adequacy standards. The UK’s adequacy decision, initially set to expire in June 2025, was extended on December 19, 2025, following a temporary extension earlier that year.

Some countries, like Switzerland, New Zealand, and South Korea, have updated their domestic laws to align more closely with GDPR requirements, ensuring they maintain their adequacy status. These ongoing reviews highlight the evolving nature of adequacy decisions and their practical significance for businesses handling international data transfers.

EU-Brazil Adequacy Decision Explained: Practical Insights from Brazil, Japan & the EU

How Adequacy Decisions Affect Businesses

Reduced Compliance Requirements

Adequacy decisions simplify compliance by removing the need for additional legal safeguards. This means businesses can avoid the hassle of preparing SCC paperwork and going through the lengthy approval process for BCRs.

With adequacy-based transfers, there’s no need for TIAs, which speeds up vendor onboarding, lowers administrative costs, and makes privacy assessments less burdensome. However, it's worth noting that some adequacy decisions only apply to specific sectors or circumstances, as previously discussed.

Adequacy Decisions vs. Other Transfer Mechanisms

The real-world stakes of these mechanisms are clear. For example, in May 2023, Meta faced a €1.2 billion fine for using SCCs to transfer EU Facebook user data to the US without adequate safeguards against US surveillance laws. Similarly, TikTok was fined €530 million in May 2025 for transferring EEA user data to China without conducting the required TIA for SCC-based transfers.

"Adequacy decisions are the simplest international transfer mechanism available, but they're also the most fragile."

• Elena Vasquez, GDPRScoreCheck

This comparison underscores how adequacy decisions offer unmatched simplicity, making them an attractive option for data transfer strategies.

How to Use Adequacy Decisions in Your Data Transfer Strategy

To make the most of the reduced compliance requirements, start by mapping all data flows leaving the EEA. This includes identifying third-party scripts, cookies, analytics tools, and CRM integrations. Once mapped, check whether the destination country has an adequacy decision in place.

For transfers to the US, confirm that the recipient is certified under the Data Privacy Framework at dataprivacyframework.gov. Keep in mind that certifications must be renewed annually.

As a precaution, maintain SCCs as a backup. Adequacy decisions can be revoked by the Court of Justice of the European Union or withdrawn if a country’s laws no longer meet EU standards. Update your privacy notices to clearly identify destination countries and the safeguards in use, as required under Article 13(1)(f) of the GDPR. For critical data flows, document your reliance on adequacy decisions and keep an eye on the European Commission’s review schedules to stay ahead of any regulatory shifts.

Conclusion

Adequacy decisions offer a straightforward and effective solution for cross-border data transfers. They eliminate the need for additional legal tools like SCCs or BCRs, allowing businesses to handle data transfers to approved countries as seamlessly as those within the EU. This simplifies compliance efforts, reduces paperwork, and speeds up vendor onboarding.

However, these decisions come with risks. The Court of Justice of the European Union has the authority to invalidate them, and the European Commission can withdraw an adequacy decision if a country's data protection standards fall short. Recent hefty fines highlight the financial stakes involved.

For businesses, staying prepared is critical. Confirm vendor certifications and keep an eye on regulatory updates to quickly adapt your data transfer policies. Maintaining SCCs as a fallback option ensures continuity if an adequacy decision is revoked. To strengthen compliance, document your reliance on adequacy decisions, and update privacy notices to include destination countries and safeguards as required under Article 13(1)(f).

As more organizations adopt these decisions, their role in facilitating efficient international transfers continues to grow. By regularly reviewing and refining your data transfer strategy, you can ensure compliance while maintaining smooth and efficient operations.

FAQs

How do I know if a vendor in an “adequate” country is actually covered?

To verify if a vendor in an "adequate" country is covered, check if that country has an EU adequacy decision. An adequacy decision indicates that the European Commission has recognized the country’s data protection laws as meeting GDPR standards. This allows data transfers to occur without needing additional safeguards. Ensure compliance by confirming the adequacy decision through official sources.

What should I do if an adequacy decision gets revoked?

If an adequacy decision is withdrawn, you must stop depending on it for data transfers. To stay compliant, switch to other safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Without these alternatives in place, your data transfers could breach legal obligations.

Do adequacy decisions cover onward transfers to other countries?

Adequacy decisions primarily focus on data transfers from the EU to non-EU countries. They may also extend to onward transfers, provided the receiving countries are either part of the adequacy decision or adhere to additional safeguards that align with required data protection standards.

Related Blog Posts

• SCC Challenges After Schrems II: What to Know
• How to Navigate Global Data Transfer Laws
• Key Compliance Requirements for Vendor Data Transfers
• EU Court Cases on Data Transfer Violations: Lessons