The EU has been a leader in the world when it comes to personal data regulation, and creation of individuals’ rights in data. As part of that, it has a policy to assess the adequacy of the laws of other jurisdictions to determine if they meet the EU standard. This assessment is the heart of what data adequacy means; essentially, the EU is telling us all that if you transfer personal data cross-border with a jurisdiction that has been deemed adequate, you have far fewer legal and regulatory headaches.

The adequacy process is controlled by the EU Commission. The Commission has the power to determine, on the basis of Article 45 of Regulation 2016/679 (which replaced Directive 95/46/EC) (General Data Protection Regulation (GDPR)), whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves the following steps:

  • A proposal from the European Commission;
  • An opinion of the European Data Protection Board;
  • An approval from representatives of EU countries;
  • The adoption of the decision by the European Commission.

At any time, the EU Parliament and the EU Council may request the EU Commission to maintain, amend, or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the GDPR.

Where an adequacy decision is in place and ‘live’, the effect is that personal data can flow from the EU (and Norway, Liechtenstein, and Iceland) to that third country/jurisdiction without any further safeguard being necessary. In essence, the EU then sees transfers to those jurisdictions as assimilated to intra-EU transmissions of personal data, so you do not need the same approach to legal compliance as with places not recognised as adequate.

On 19 December 2025, the European Commission confirmed renewal of the two UK data adequacy decisions – helping us all to be assured of the continued free flow of personal data from the EEA to the UK under both the GDPR and the Law Enforcement Directive. These adequacy decisions will expire on 27 December 2031 – an interesting choice by the EU, as adequacy decisions do not normally have sunset clauses, suggesting the EU wants to keep negotiation options with the UK for the longer term.

Due to this decision, personal data transfers can continue without the need for Standard Contractual Clauses or other GDPR transfer requirements. The EU can amend or change their mind, of course, but the Digital Omnibus which we covered here https://www.keystonelaw.com/keynotes/what-is-the-european-commissions-digital-omnibus-package shows signs that the EU is aligning more with UK attitudes, so there is no immediate expectation of alignment challenges. The renewal of the adequacy decision is good for the UK and EU and business in general, as the statements of both sides show:

Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, said: “The renewal of our adequacy decisions benefits businesses and citizens alike on both sides of the Channel. It ensures the free flow of personal data between the EEA and the UK in full compliance with data protection rules while reducing costs and administrative burdens. This continuity allows European companies to keep sharing data seamlessly with their UK partners, supporting innovation, competitiveness and trusted digital cooperation.

UK Minister for Digital Government and Data, Ian Murray, said: “I’m thrilled to welcome the EU’s renewal of its two adequacy decisions for the UK. We remain committed to enabling secure, trusted data flows between the UK and EU to support growth, innovation and security.”

The UK has one advantage over all other jurisdictions with adequacy, because only the decisions with the UK cover law enforcement use, meaning that adequacy decisions with all other jurisdictions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).

The EU Commission, under Article 45 of the GDPR, must publish in the Official Journal of the European Union and on its website a list of the third countries, territories, and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured. Therefore, the EU can recognise data adequacy with a variety of entities.

The EU continues to review existing decisions and to add new ones; there is, for example, a draft decision for agreement with Brazil that could be in force in 2026. The decisions also work with entities that are not countries, such as the European Patent Organisation, and this is all designed to make data flows easier, especially where it can impact the internal EU market.

If you have questions or concerns about adequacy, please contact James Tumbridge and Robert Peake.