The European Union refers to the adequacy of countries outside its jurisdiction, meaning the sufficiency of that country’s safeguards to protect personal data. This encompasses the robustness of that jurisdiction’s privacy laws, and the extent to which these provisions can be overruled for p. 6other purposes. For example, opaque and wide-ranging exemptions for law enforcement purposes can be seen as posing a risk to EU data subjects which is incompatible with the rights and freedoms they should expect when their personal information is used by others.

An adequacy decision is thus a formal, legally binding statement from the European Commission that personal data can be shared with a third country without the need for further safeguards, such as standard contractual clauses or binding corporate rules. Although the criteria the Commission should consider are set out in the GDPR, the process leading up to an adequacy decision is not prescribed. This procedural freedom has led some commentators to criticise the opacity and inconsistency of the commission’s decision-making. Its adequacy decisions with respect to the United States have been successfully challenged (twice) in the Schrems litigation.

Further reading:

See also: CROSS-BORDER DATA PROCESSING

Stoddart, J., Chan, B. and Joly, Y. 2016. The European Union’s adequacy approach to privacy and international data sharing in health research. The Journal of Law, Medicine & Ethics, 44(1), 14355. https://doi.org/10.1177/1073110516644205.

  • Search Google Scholar
  • Export Citation
  • Stoddart, J., Chan, B. and Joly, Y. 2016. The European Union’s adequacy approach to privacy and international data sharing in health research. The Journal of Law, Medicine & Ethics, 44(1), 14355. https://doi.org/10.1177/1073110516644205.

    • Search Google Scholar
    • Export Citation
Reference & Dictionaries