What progress has been made on global and regional data privacy agreements in the last two years (2023-24)? The previous biennial review (2021-22)(1) concluded that development of international standards had largely stalled, subject to some post-Brexit disruption by the UK. The last two years – the subject of this current review – see only halting progress resuming.

EU adequacy – back to the future

The European Commission had been preoccupied with bringing the past history of “EU adequacy” decisions made under the 1995 Data Protection Directive (DPD) up to date with the requirement that the countries affected by those decisions be reviewed in light of the requirements of adequacy under the GDPR (including the Schrems decisions). In January 2024 the Commission concluded its review of 11 existing adequacy decisions made under the DPD, deciding(2) that personal data transferred from the European Union to Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, “continues to benefit from adequate data protection safeguards”. “Therefore”, it holds “the adequacy decisions adopted for these 11 countries and territories remain in place and data can continue to flow freely to these jurisdictions.”(3) There is also a much longer report examining the functioning of adequacy in each of these countries.(4)