Module 7 · Adequacy decisions & the Schrems/DPF saga
An adequacy decision is a European Commission finding that a third country's laws provide essentially equivalent protection - so transfers there need no additional safeguards. The course lists adequate countries including Andorra, Argentina, Canada (PIPEDA, commercial), Japan, the UK, Uruguay and US organisations in the EU–US Data Privacy Framework. Two landmark CJEU rulings shaped the US picture: Schrems I (2015) killed Safe Harbor; Schrems II (16 July 2020) killed the Privacy Shield. The Commission's adequacy decision followed on 10 July 2023.
An adequacy decision is the cleanest route: the European Commission examines a third country's laws and, if protection is essentially equivalent, transfers there need no additional safeguards. The decision can be reviewed and revoked.
- Adequate countries (per the course): Andorra, Argentina, Canada (PIPEDA, commercial), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the UK (GDPR and LED), the US (organisations in the EU–US Data Privacy Framework), and Uruguay.
- Canada's adequacy is limited to PIPEDA / commercial activity.
- US adequacy is limited to organisations that self-certify to the - it is not blanket adequacy for the whole US.
| Date | Event | What happened |
|---|---|---|
| Pre-2015 | Safe Harbor in force | US self-certification framework for EU–US transfers |
| 2015 | Schrems I | CJEU strikes down Safe Harbor - it did not limit US government access for national security |
| 2016 | Privacy Shield adopted | Replacement adequacy framework for EU–US transfers |
| 16 July 2020 | Schrems II | CJEU invalidates Privacy Shield (surveillance not strictly necessary/proportionate, Art 52 Charter; no actionable judicial redress, Art 47 Charter). SCCs remain valid but need a case-by-case assessment |
| March 2022 | DPF announced | EU and US announce agreement in principle |
| 10 July 2023 | adequacy decision | Commission adopts adequacy for US organisations in the DPF |
| 12 Oct 2023 | UK Extension to DPF | UK–US data bridge |
| 15 Sept 2024 | Swiss–US DPF | Switzerland recognises the DPF |
Why Privacy Shield fell (Schrems II): US surveillance was not limited to what is strictly necessary and proportionate (Art 52 Charter), and EU data subjects lacked actionable judicial redress (Art 47 Charter). The answers this by limiting US intelligence access to what is necessary and proportionate, adding oversight, and creating a two-tier redress system including the Data Protection Review Court.
The UK left the EU on 31 Jan 2020 (transition to 31 Dec 2020). The Trade and Cooperation Agreement (24 Dec 2020) bridged transfers; the EU adopted a UK adequacy decision (28 June 2021) under the GDPR and LED - but it excludes immigration-control data. UK GDPR is the GDPR grandfathered into UK law, supplemented by the Data Protection Act 2018.