The Commission's Report on the adequacy decisions adopted pursuant to Article 25(6) of the 1995 Data Protection Directive confirms that the 11 countries and territories in question continue to ensure an adequate level of protection for personal data transferred from the EU.
This means data transfers from the EU to Andorra, Argentina, Canada (for commercial operators), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, can continue to take place without additional requirements.
Since the introduction of the EU GDPR, the legal standards applicable to assessments on whether a foreign system ensures an adequate level of protection have been clarified through case law and guidance from the European Data Protection Board. Schrems I established that the adequacy test required an ‘essentially equivalent’ standard of protection, with Schrems II further elaborating on that standard in respect of rules of access to personal data by public authorities for law enforcement and national security purposes.
Taking these decisions into account, adequacy guidance from the EDPB confirms that 'essential equivalence' does not require a direct application or 'photocopy' of EU law. Instead, a comparable level of protection is required, reflecting that different legal traditions may occur in other systems.
The review addressed developments in the data protection frameworks of the 11 countries and territories. Views were canvassed from the European Parliament, Council, EDPB and GDPR Multi-Stakeholder Expert Group. A number of beneficial developments in privacy legislation for the relevant countries and territories were highlighted:
- Some countries have strengthened their privacy legislation through comprehensive or partial reforms (e.g., Andorra, Canada, Faroe Islands, Switzerland, New Zealand)
- There had been the adoption of regulations and/or guidance by data protection authorities to introduce new data protection requirements (e.g., Israel, Uruguay)
- Clarification of certain privacy rules building on enforcement practice or case law (e.g., Argentina, Canada, Guernsey, Jersey, Isle of Man, Israel, New Zealand),
- The Canadian government extended the rights of access and correction with respect to personal data processed by the public sector to all individuals, regardless of their nationality or place of residence, which was previously a limited right.
- The Israeli government had introduced specific safeguards to reinforce the protection of personal data transferred from the European Economic Area.
The Report concludes "since the adoption of the adequacy decisions, the data protection frameworks in place in each of the eleven countries or territories have further converged with the framework of the EU."
However, future monitoring and co-operation will be required with the countries and territories in question. This adoption of an adequacy decision is not an 'end point', with the Commission expressing an intention to engage in high-level dialogue on these issues during 2024.
