Adequacy Decisions (Article 45)
Adequacy Decisions under Article 45 of the General Data Protection Regulation (GDPR) represent one of the primary mechanisms for legitimizing the transfer of personal data from the European Economic Area (EEA) to third countries or international organizations. Under this framework, the European Commission has the authority to determine whether a country, territory, sector, or international organization outside the EEA provides an 'adequate level of protection' for personal data that is essentially equivalent to the protection offered within the EU. When assessing adequacy, the Commission considers several factors, including: the rule of law and respect for human rights in the third country; the existence and effective functioning of an independent supervisory authority responsible for enforcing data protection rules; the international commitments the country has entered into regarding data protection; and the legal framework governing data protection, including legislation, regulations, and enforceable rights for data subjects. Once an adequacy decision is adopted, personal data can flow freely from the EEA to that third country without the need for additional safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). This significantly simplifies international data transfers for organizations operating across borders. The Commission is required to periodically review adequacy decisions at least every four years to ensure that the third country continues to meet the required standards. If conditions change and the level of protection is no longer adequate, the Commission can amend, suspend, or revoke the decision.
Notable adequacy decisions include those for countries like Japan, South Korea, the United Kingdom (post-Brexit), Canada (for commercial organizations), and New Zealand. The EU-U.S. Data Privacy Framework, adopted in 2023, replaced the previously invalidated Privacy Shield arrangement following the Schrems II ruling. Adequacy decisions play a critical role in facilitating global commerce while maintaining high standards of data protection for EU residents, balancing the free flow of data with fundamental privacy rights.
Adequacy Decisions (Article 45) – A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
Adequacy decisions under Article 45 of the General Data Protection Regulation (GDPR) are one of the most critical mechanisms for enabling the lawful transfer of personal data from the European Economic Area (EEA) to third countries or international organisations. Understanding how adequacy decisions work is essential for any data protection professional and is a key topic in the CIPP/E examination.
Why Are Adequacy Decisions Important?
The GDPR places strict controls on the transfer of personal data outside the EEA. The rationale is straightforward: if personal data could flow freely to any country in the world regardless of its data protection standards, the protections guaranteed by the GDPR could easily be circumvented. Adequacy decisions serve as the gold standard for international data transfers because they provide a blanket authorisation for transfers to a specific country or territory without the need for any additional safeguards.
Key reasons why adequacy decisions matter:
• They provide legal certainty for organisations transferring data to the third country in question.
• They reduce compliance burden because no additional transfer mechanisms (such as Standard Contractual Clauses or Binding Corporate Rules) are required.
• They promote international trade and cooperation by facilitating the free flow of data between the EEA and countries deemed to have adequate protection.
• They ensure that the fundamental rights of data subjects are maintained even when their data leaves the EEA.
What Is an Adequacy Decision?
An adequacy decision is a formal decision adopted by the European Commission that determines that a third country, a territory, one or more specified sectors within a third country, or an international organisation provides an essentially equivalent level of data protection to that ensured within the EU/EEA.
Once an adequacy decision has been adopted, personal data can flow from the EEA to that third country (or territory/sector/international organisation) without any further conditions or authorisations being required. This is set out in Article 45(1) GDPR.
It is important to note the standard: the European Commission does not require an identical level of protection, but rather an essentially equivalent level. This was clarified by the Court of Justice of the European Union (CJEU) in the landmark Schrems I case (Case C-362/14).
How Does the Adequacy Assessment Process Work?
The European Commission conducts a thorough assessment before adopting an adequacy decision. Article 45(2) GDPR sets out the elements that the Commission must take into account:
1. The Rule of Law and Respect for Human Rights
The Commission considers the general and sectoral laws of the third country, including those relating to public security, defence, national security, criminal law, and access by public authorities to personal data. The existence and effective functioning of one or more independent supervisory authorities is also assessed.
2. Relevant Legislation
This includes data protection rules, professional rules, security measures, and rules for onward transfer of personal data to another third country or international organisation.
3. International Commitments
The Commission assesses the third country's international commitments, including participation in multilateral or regional systems relating to the protection of personal data. This includes legally binding conventions or instruments as well as binding agreements.
4. Effective and Enforceable Data Subject Rights
There must be effective administrative and judicial redress available to data subjects whose personal data is being transferred.
5. Independent Supervisory Authority
The third country must have an independent supervisory authority responsible for ensuring and enforcing compliance with data protection rules, including adequate enforcement powers. This authority must provide assistance and advice to data subjects and cooperate with the supervisory authorities of EU Member States.
The Formal Procedure
The adoption of an adequacy decision follows a specific procedure:
• The European Commission prepares a draft adequacy decision.
• The European Data Protection Board (EDPB) issues an opinion on the draft decision.
• A committee composed of representatives of the EU Member States votes on the draft (the examination procedure under Regulation (EU) No 182/2011).
• The European Commission formally adopts the decision.
• The decision is published in the Official Journal of the European Union.
Ongoing Monitoring and Review
Adequacy decisions are not permanent or unconditional. Article 45(3) GDPR provides that the Commission shall, on an ongoing basis, monitor developments in the third country that could affect the functioning of the adequacy decision. The Commission must conduct a periodic review at least every four years. This review takes into account all relevant developments in the third country or international organisation.
If the Commission finds that a country no longer ensures an adequate level of protection, it may amend, suspend, or repeal the adequacy decision (Article 45(5) GDPR). Such actions do not have retroactive effect.
Countries and Territories with Adequacy Decisions
As of the most recent updates, the European Commission has recognised the following countries/territories as providing adequate protection:
• Andorra
• Argentina
• Canada (for commercial organisations subject to PIPEDA)
• Faroe Islands
• Guernsey
• Isle of Man
• Israel
• Japan
• Jersey
• New Zealand
• Republic of Korea (South Korea)
• Switzerland
• United Kingdom (with a sunset clause – initially until June 2025)
• Uruguay
• United States (under the EU-U.S. Data Privacy Framework, adopted in July 2023)
Note: The adequacy decision for Canada is partial – it only covers commercial organisations subject to PIPEDA (the Personal Information Protection and Electronic Documents Act), not the entire country.
Key Case Law: The Schrems Decisions
Understanding the Schrems cases is essential for grasping the dynamics of adequacy decisions:
Schrems I (2015) – The CJEU invalidated the EU-U.S. Safe Harbor framework, finding that the U.S. did not provide an essentially equivalent level of protection. The Court established that the standard for adequacy is essential equivalence, not identical protection. The Court also confirmed that national Data Protection Authorities (DPAs) retain the power to examine claims about the validity of adequacy decisions and refer matters to the CJEU.
Schrems II (2020) – The CJEU invalidated the EU-U.S. Privacy Shield adequacy decision, primarily due to concerns about U.S. government surveillance programmes (particularly Section 702 of FISA and Executive Order 12333) and the lack of adequate redress mechanisms for EU data subjects. This led to the U.S. issuing Executive Order 14086 and establishing a Data Protection Review Court, which formed the basis for the new EU-U.S. Data Privacy Framework adopted in 2023.
The EU-U.S. Data Privacy Framework (DPF)
Adopted on 10 July 2023, the EU-U.S. DPF is the successor to the Safe Harbor and Privacy Shield frameworks. Key features include:
• U.S. organisations must self-certify with the Department of Commerce and commit to comply with the DPF Principles.
• The U.S. introduced new safeguards through Executive Order 14086, limiting U.S. intelligence agencies' access to data to what is necessary and proportionate.
• A new Data Protection Review Court (DPRC) was established to provide redress to EU individuals.
• The adequacy decision only covers transfers to organisations that have self-certified under the DPF (it is a partial adequacy decision).
• The Commission committed to conducting the first review within one year of adoption.
Relationship Between Adequacy Decisions and Other Transfer Mechanisms
The GDPR establishes a hierarchy for international data transfers:
1. Adequacy decisions (Article 45) – the simplest and most comprehensive mechanism.
2. Appropriate safeguards (Article 46) – including Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), codes of conduct, and certification mechanisms.
3. Derogations (Article 49) – applicable only in specific situations and generally for occasional, non-repetitive transfers.
If an adequacy decision exists, there is no need to rely on Article 46 or Article 49 safeguards for transfers to that country/territory/sector. However, if an adequacy decision is repealed or suspended, organisations must then rely on one of the other transfer mechanisms.
Practical Implications for Organisations
• Organisations should verify whether an adequacy decision covers their specific transfer scenario (e.g., for Canada, only transfers to PIPEDA-covered organisations are covered).
• Even with an adequacy decision in place, organisations must still comply with all other GDPR requirements (e.g., having a lawful basis for processing, complying with data subject rights, etc.).
• Organisations should monitor the status of adequacy decisions, as they can be amended, suspended, or repealed.
• Where an adequacy decision is subject to a sunset clause (as with the UK), organisations should prepare contingency plans.
Summary of Key Points
• Adequacy decisions are adopted by the European Commission, not the EDPB or national DPAs (though the EDPB provides an opinion).
• The standard is essential equivalence, not identical protection.
• Adequacy decisions must be reviewed at least every four years.
• They can be partial (covering specific sectors or types of organisations).
• They can be amended, suspended, or repealed.
• The CJEU can invalidate adequacy decisions (as demonstrated in Schrems I and Schrems II).
• National DPAs retain the power to examine and challenge the validity of adequacy decisions by referring questions to the CJEU.
Exam Tips: Answering Questions on Adequacy Decisions (Article 45)
Tip 1: Know WHO Makes the Decision
Always remember that adequacy decisions are made by the European Commission. A common exam trap is to attribute this power to the EDPB, national DPAs, or the European Parliament. The EDPB provides an opinion, but the decision itself is the Commission's.
Tip 2: Remember the Standard – Essential Equivalence
The standard is not identical protection, nor 'adequate' protection in a vague sense. The precise legal standard established by the CJEU is essentially equivalent protection. If an exam question uses the word 'identical' as the standard, it is likely incorrect.
Tip 3: Know the Review Period
Adequacy decisions must be reviewed at least every four years. This is a frequently tested detail.
Tip 4: Understand Partial Adequacy Decisions
Be aware that adequacy decisions can cover a specific sector within a country (e.g., Canada's PIPEDA-covered organisations, or U.S. organisations certified under the DPF). Not all adequacy decisions cover the entire territory of a country.
Tip 5: Be Familiar with the List of Adequate Countries
You do not need to memorise every country, but you should know the major ones (especially Japan, South Korea, the UK, and the U.S. under the DPF) and be aware that some countries that might seem like obvious candidates (such as Australia, China, India, or Brazil) do not have adequacy decisions.
Tip 6: Understand the Schrems Cases
The Schrems I and Schrems II cases are extremely likely to appear on the exam. Know that Schrems I invalidated Safe Harbor, Schrems II invalidated Privacy Shield, and both centred on U.S. surveillance laws and the lack of adequate redress for EU data subjects.
Tip 7: Know What Happens When Adequacy Is Revoked
If an adequacy decision is repealed or suspended, transfers cannot continue on the basis of that decision. Organisations must then rely on Article 46 safeguards (such as SCCs or BCRs) or, in limited circumstances, Article 49 derogations.
Tip 8: Don't Confuse Adequacy with Other Obligations
An adequacy decision removes the need for additional transfer safeguards, but it does not remove other GDPR obligations. Organisations still need a lawful basis for processing, must comply with data minimisation principles, must respect data subject rights, and so on.
Tip 9: Pay Attention to the Assessment Criteria
If asked what the Commission considers when assessing adequacy, remember the key factors: rule of law, relevant legislation, existence of an independent supervisory authority, international commitments, and effective and enforceable data subject rights.
Tip 10: Read Questions Carefully for Nuance
Exam questions on adequacy decisions often include subtle distinctions. Watch for phrases like 'without any additional safeguard' (correct for adequacy), 'with prior authorisation from a DPA' (not required for adequacy), or 'only for specific transfers' (not correct – adequacy allows general transfers to the covered country/sector). Eliminate answers that add unnecessary conditions to adequacy-based transfers.
Tip 11: Understand the Role of National DPAs
Even though adequacy decisions are Commission decisions, national DPAs can still investigate complaints about transfers to adequate countries. Following Schrems I, DPAs have the power to examine whether an adequacy decision remains valid and, if they have doubts, must refer the matter to the CJEU. They cannot independently invalidate an adequacy decision.
Tip 12: Practice Scenario-Based Questions
The CIPP/E exam frequently uses scenario-based questions. If a scenario describes a transfer to a country with an adequacy decision, the correct answer will typically state that no additional safeguard is needed. If the scenario describes a transfer to a country without an adequacy decision, look for answers involving SCCs, BCRs, or Article 49 derogations.