Should the EU’s adequacy criteria for international data transfers be changed? If so, how?
By Jane Awuor Ombiro, AI and the Law LLM Student at Queen Mary University of London
Adequacy is recognized in Article 45(1) of the GDPR as one of the bases for transferring personal data outside the EU.(1) In assessing adequacy, the European Commission must consider all the factors enumerated in Article 45(2) of the GDPR. Javier argues that these factors are extremely broad and give the Commission enough freedom to decide on granting or refusing adequacy status to specific countries.(2) For this reason, Karen observes that the Commission has granted adequacy to a limited number of jurisdictions while denying others with similar legal frameworks.(3)
Javier and Karen’s sentiments suggest that much needs to be done regarding adequacy. However, the most pressing reform concerns how the Commission assesses the independence of third countries’ Data Protection Authorities (DPAs). This is because independence is an essential component of the protection of individuals with regard to the processing of personal data.(4) Without independent DPAs, the effective protection of data subjects cannot be guaranteed.
This essay argues that the Commission should reform its approach to assessing the independence of third countries’ DPAs. The essay proceeds in three parts. The first part distinguishes between formal (de jure) and actual or factual (de facto) independence. The second part contends that, in conducting adequacy assessments, the Commission prioritises formal independence at the expense of actual independence. The third part demonstrates how the adequacy criteria should be revised to better account for actual independence.
1. Formal versus actual independence
Hanretty and Koop contend that formal independence is the grant of independence found in statutes.(5) It is a variable that the legislature can alter by drafting new legislation.(6) De facto independence, on the other hand, is the extent of regulators’ effective autonomy as they manage their day-to-day regulatory actions.(7)
Research on independent regulatory authorities suggests that there is a causal and statistical link between formal and actual independence.(8) Indeed, regulators with higher degrees of formal independence possess higher degrees of actual independence.(9) For this reason, it can be argued that the Commission’s restrained examination of de facto independence during adequacy assessments is justified by the assumption that strong de jure independence is indicative of effective de facto independence.
Nevertheless, research has indicated that the formal legal characterization of regulatory agencies does not automatically equate to what occurs in reality.(10) Thus, formal provisions are an unreliable indicator of independence because the practice of the law may depart significantly from the text of the law.(11) Independence can be compromised at many different levels when it comes to regulatory practices and actions.(12) Consequently, for the Commission to obtain an accurate picture of the independence of a third country’s DPA, it must give equal weight to both formal independence and actual independence in its assessment.
2. Third country assessment
The Republic of Korea will be used as the primary case study to demonstrate the Commission’s limited consideration of actual independence when assessing adequacy of a third country’s DPA. This jurisdiction is non-Western, and its adequacy decision was adopted under the GDPR in 2021,(13) thereby reflecting the Commission’s current approach to adequacy assessments. Additionally, unlike Japan, which was granted a partial adequacy decision,(14) Korea was granted a full adequacy decision.
Maggetti argues that regulators are highly de facto independent when they are old.(15) Similarly, Kristina and Michele acknowledge the length of time a regulatory body has been in operation as an indicator of de facto independence.(16) Additionally, Hanretty and Koop have argued that the structural design of these organizations matters for actual independence.(17)
Collectively, these factors constitute important indicators of de facto independence and must be considered when assessing the true independence of a third country’s DPA. The question that follows, therefore, is to what extent the Commission took these indicators of actual independence into account when assessing the independence of Korea’s data protection authority.
A granular analysis of the Korean adequacy decision indicates that the European Commission prioritizes institutional independence as formally entrenched in law. The Commission specifically evaluated the composition of the data protection authority, appointment protocols, tenure protections, conflict of interest protocols, and dismissal procedures for data protection commissioners. Additionally, the Commission pointed out that the Korean Personal Information Protection Act (PIPA) explicitly mandates the independence of the Personal Information Protection Commission (PIPC).
Beyond structural safeguards, the Commission also scrutinized fiscal autonomy through budgetary allocations and the breadth of the authority’s investigative and enforcement(18) competences as stipulated in the Korean PIPA. This emphasis on legally stipulated safeguards suggests a predominantly formalistic approach to independence, raising questions as to the extent to which the Commission sufficiently interrogates whether these guarantees translate into effective de facto independence.
The following section evaluates the indicators of actual independence and analyses them vis-à-vis the Commission’s assessment of the PIPC’s independence.
2.1. Institutional maturity
Supervisory authorities tend to exhibit a higher degree of actual independence as they mature institutionally. Karen acknowledges that adequacy decisions were not adopted for Burkina Faso, Mauritius, Morocco and Tunisia, and that the cited reasons included a lack of case law or decisions with which to assess the operational effectiveness of their national DPAs.(19)
By contrast, Korea was granted an adequacy decision despite significant reforms to its data protection supervisory framework. On 9th January 2020, a major amendment streamlining Korea’s data protection regulatory authorities was adopted.(20)
While personal data protection had previously been overseen by multiple agencies, the consolidation of the authority within the PIPC significantly altered the country’s oversight framework. Because the amendments entered into force in August 2020, the restructured authority had limited opportunity to demonstrate its operational independence in practice before the adoption of the adequacy decision. Consequently, the Commission’s assessment of Korea’s data protection regulator appeared to prioritize de jure structural changes as opposed to de facto independence.
However, this approach is not unprecedented. The Commission found Argentina adequate at a time when its DPA had not issued substantial guidance, pursued enforcement, or imposed sanctions.(21) This suggests a recurring tendency by the Commission to overlook deficiencies in actual evidence where a country has an existing deep trade relationship with the EU(22) or anticipated trade relationships. In fact, Professor Hiroshi acknowledged the coincidence between a trade agreement and the Japan adequacy decision.(23)
2.2. Structure of the supervisory authority
Schulz contends that placement of a regulator within a government ministry could result in ‘administrative supervision’ by the ministry, consequently leading to ‘anticipatory obedience’ by the regulator.(24) DPAs should ideally be independent from ministers, like the Polish DPA, which has no attachment to any ministry or government agency.(25)
However, some supervisory authorities may prefer to be situated within government ministries as opposed to outside because it gives them more ‘clout’ and results in them being taken more seriously(26) by the regulatees. But, as noted earlier, this leads to anticipatory obedience because DPAs administratively linked and accountable to the political executive are more at risk of being held in check by governments.(27) Having said this, the Commission found that the PIPC was independent even though it was established under the Prime Minister, a structural feature that raises a significant risk of anticipatory obedience in practice.
3. Proposed reform
It has been established that the Commission prioritises de jure independence during adequacy assessments. This may be attributable, in part, to the EU’s own difficulty in ensuring independence among its own DPAs,(28) which in turn constrains the Commission’s ability to demand higher standards from third countries when similar shortcomings persist within the EU. Nevertheless, independence lies at the core of effective protection of data subjects and must therefore be accorded significant weight both within the EU itself and in the context of adequacy assessments.
While some scholars have contended that adequacy decisions are political, either because the countries that have such decisions are trade partners of the EU or because they have other close relationships apart from trade,(29) the essence of adequacy remains the preservation of EU data protection standards in third countries to which personal data are transferred, in accordance with the requirement of essential equivalence.
Accordingly, for the Commission to determine the true status of the independence of third-country DPAs, it must look beyond formal (de jure) independence and assess the level of actual (de facto) independence. Only then can it arrive at an accurate evaluation of their independence. To address this gap, the EDPB should update the Adequacy Referential to include specific, empirical criteria for evaluating actual independence. Such detailed guidance is essential to standardizing how the Commission scrutinizes the real-world autonomy of third-country DPAs.
Conclusion
To conclude, it is apparent that the Commission sometimes overlooks some deficiencies during adequacy assessments. Such omissions prevent a comprehensive assessment of how third country DPAs function in practice, ultimately resulting in what Karen McCullagh refers to as ‘deficient adequacy decisions’.(30) To mitigate the risk of a ‘deficient adequacy decision’, in assessing adequacy the Commission should accord equal weight to both formal indicators of independence and the level of actual independence, among other things.
References