CIPP/US Study Guide
Chapter 14: The GDPR and International Privacy Issues

International Transfers and Adequate Countries

Transfers from the EEA to non-EEA countries are prohibited unless supported by an adequacy decision, an appropriate safeguard, or a derogation. Adequate countries have protections deemed essentially equivalent to the GDPR.

The GDPR governs cross-border transfers. Transfers from the EEA (the EU plus Norway, Liechtenstein, and Iceland) to non-EEA countries are prohibited unless one of the following mechanisms applies: an adequacy decision, an appropriate safeguard (e.g., standard contractual clauses, binding corporate rules), or a derogation (e.g., explicit consent).

An adequacy decision means a country's protections are essentially equivalent to the GDPR, so data flows freely. One threshold appears to be whether the country upholds democratic principles and the rule of law. Adequacy is subject to periodic review.

Adequate countries (per the chapter)

Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, the United Kingdom, the United States, and Uruguay. The U.S. decision relates to organizations participating in the EU-U.S. Data Privacy Framework.

Key terms - quick answers

What is the “EEA”?
The European Economic Area - the EU plus Norway, Liechtenstein, and Iceland - from which transfers are regulated.

What is an “adequacy decision”?
An EU determination that a country's protections are essentially equivalent to the GDPR, allowing data to flow freely to it.