Skip to main content

Glossary Jurisdictional posture

Data adequacy

Also: adequacy decision, data adequacy decision, GDPR Article 45

Origin: GDPR Article 45 (Regulation (EU) 2016/679); the legal architecture dates to the 1995 Data Protection Directive's Article 25.

A formal determination by the European Commission that a third country, a territory, or a specified sector of a third country ensures an adequate level of protection for personal data. The decision permits free transfer of personal data from the EU to the designated jurisdiction without bespoke contractual or organisational safeguards under GDPR Article 45.

Reviewed

A data adequacy decision is a formal determination by the European Commission that a third country, a territory of a third country, a specified sector within a third country, or an international organisation ensures an adequate level of protection for personal data. The legal authority is GDPR Article 45 (with predecessor authority at Article 25 of the 1995 Data Protection Directive); the substantive test is whether the third-country regime offers protection essentially equivalent to that required under EU law.

The practical consequence of an adequacy decision is that personal data may be transferred from the European Union to the designated jurisdiction without the bespoke contractual or organisational safeguards — standard contractual clauses, binding corporate rules, derogations — that would otherwise be required for a third-country transfer. The transfer is, for legal purposes, treated as if it were intra-EU.

Adequacy decisions are not permanent. The Commission reviews them at least every four years, and the Schrems II ruling demonstrated that an adequacy decision can be invalidated by judicial review of the substantive equivalence claim — the EU-US Privacy Shield framework was struck down on precisely that ground in 2020. The current EU-US Data Privacy Framework, adopted in 2023, faces analogous litigation.

Switzerland holds a long-standing adequacy decision, most recently renewed in 2024 against the revFADP; Iceland is a member of the European Economic Area and is treated as intra-EU for personal-data-transfer purposes (a formally stronger position than adequacy). The United Kingdom holds an adequacy decision adopted in 2021, subject to a sunset clause expiring in 2025; renewal is under review. The United States holds the Data Privacy Framework adequacy with the litigation overhang noted above.

For an offshore-hosting operator the adequacy of the operating jurisdiction is what makes the operator practically usable to an EU-located subscriber whose workload processes personal data. The two OffshorePress operating jurisdictions — Iceland (EEA member) and Switzerland (adequacy-rated since 2000, renewed 2024) — are both unambiguously in the transferable category, and the publication’s Privacy policy sets out the practical posture.