Transfers on the basis of an adequacy decision
Personal data can be transferred out of the European Union and European Economic Area if the European Commission has issued a decision on an adequate level of protection for personal data (‘adequacy decision’, Article 45 of the GDPR). A decision by the Commission takes priority over other bases for transfer. The decision can apply to a country outside the European Union or European Economic Area, a territory or sector within such a country, or an international organisation.
Personal data can be transferred directly by virtue of an adequacy decision. No specific authorisation, such as from the Data Protection Ombudsman, is required. Such transfers must nevertheless comply with all provisions of the applicable data protection legislation. The processing of personal data must be lawful before, during and after the transfer.
The Commission reviews adequacy decisions at least every four years. As a rule, decisions made by the Commission before the entry into force of the GDPR remain valid also after the adoption of the Regulation. However, the Commission is free to review these decisions and make new ones as required.
To date, the Commission has issued adequacy decisions for the following countries (links lead to the EUR-Lex web service):
Andorra, Argentina, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, UK and Uruguay.
Furthermore, the Commission has issued a partial adequacy decision for Canada (commercial organisations).
Adequacy decisions made under the GDPR are not applicable to the transfers of data within the scope of application of the Law Enforcement Directive, and with the exception of the United Kingdom, no adequacy decisions under the Law Enforcement Directive have been made yet. Other transfer instruments in accordance with the Finnish Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security must be used for transfers to third countries.
EU-U.S. Data Privacy Framework
The Court of Justice invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield in its judgement in the so called Schrems II case (C-311/18) in July 2020.
The Court found the decision concerning the adequacy of the personal data protection provided by the Privacy Shield arrangement to be invalid, because interference with fundamental rights in transfers of personal data to the United States has not been restricted in a manner that would essentially correspond to EU requirements. The EDPB adopted a ‘Frequently Asked Questions’ document on the judgement on its website.
The European Commission and the United States came to an agreement in March 2022 on the creation of a new data protection framework between the EU and the United States. The new EU-U.S. Data Privacy Framework is intended to replace the Privacy Shield arrangement annulled by the Schrems II judgment. The letter of intent on the Data Privacy Framework was implemented in US legislation by an implementation order issued by the President of the United States and a supplementary regulation concerning the court of appeal.
The European Commission has drawn up a draft decision regarding the adequacy of data protection in the United States, and the European Data Protection Board issued its statement on the draft in March 2023. The adequacy decision does not permit data transfers until it has been properly adopted. The Office of the Data Protection Ombudsman will follow the progress of the matter and issue more information as it becomes available.
An adequacy decision would permit the transfer of data from the EU and EEA to participating companies in the US without additional safeguards. The adequacy decision would not apply to all transfers of personal data to the US, but only to transfers made to US companies that have committed to implement the safeguards specified in the arrangement. Nor could the adequacy decision be used as an instrument for the transfer of personal data between public sector entities.