Form Over Substance? Unmasking Regulatory Imperialism and Structural Inequality in the GDPR’s Adequacy Regime: A Global South Perspective

By Samuel Hertz, Economics with Law BCom Student at University of Cape Town

I INTRODUCTION

The EU’s adequacy regime is framed as a neutral safeguard for fundamental rights. Practically, however, it operates as a gatekeeping mechanism that structures global data flows along familiar geopolitical lines. The EU has established the General Data Protection Regulation (GDPR), according to Věra Jourová, European commissioner for justice, as the ‘global standard’ for data governance and privacy.(1)

Article 45 of the GDPR grants third countries privileged access to EU data markets where their legal systems are deemed “adequate”. As of 2025, the European Commission has granted adequacy status to fifteen territories, yet remarkably, not a single African nation appears on this list.(2) This absence is particularly striking considering that South Africa’s Protection Of Personal Information Act (POPIA), operational since 2021, was consciously modelled on GDPR principles.(3) Despite legislative convergence, South Africa remains excluded from the adequacy “club”.

This essay argues that the EU’s adequacy regime suffers from three interrelated flaws. Firstly, the “essential equivalence” standard is applied in an opaque, inconsistently reasoned, formalistic manner. Secondly, by externalising its regulatory model, the EU entrenches structural asymmetries in global digital trade, disproportionately burdening Global South jurisdictions. Thirdly, although the protection of personal data is legitimate and laudable, the current design of adequacy risks undermining the very values of equality and fairness that the EU purports to advance. The adequacy criteria must therefore be reformed among the axes of transparency, contextuality and partnership, to offset these flaws. If the EU wishes to maintain legitimacy as an objective global policy maker, rather than an imperialistic gatekeeper, reforming the criteria and their application is crucial.

II ESSENTIAL EQUIVALENCE, INCONSISTENCY AND OPACITY

The EU adequacy process, governed by Article 45 of the GDPR, evaluates countries on criteria including the rule of law and fundamental rights, the effectiveness and enforceability of data subjects’ rights, the existence of an independent functioning data protection authority, and the state’s relevant international commitments.(4) Third countries must provide protection “essentially equivalent” to that guaranteed within the EU.(5)

In Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II), the CJEU confirmed that ‘essential equivalence’ and the adequacy criteria are not mere legislative formalities, but require substantive protection in practice.(6) Superficially, this jurisprudence suggests the European Commission seeks outcomes in data protection. However, the establishment of the EU-US Data Privacy Framework, which sidelines root problems with previous agreements like Safe Harbour and Privacy Shield (s702 of FISA), suggests that amidst geopolitical and economic issues, the Commission is willing to compromise.(7)

Policymakers from the Global South have consistently raised concerns that this process is ‘excessively opaque and appears driven by political and economic considerations, rather than the fitness of a country’s data protection regime.’(8) The Commission provides limited reasoning for delay or refusal, and there are no clear benchmarks. Such opacity creates barriers for developing states seeking equal participation in the digital economy.(9)

South Africa epitomises this structural exclusion. POPIA, promulgated in 2013 and fully effective since 2021, was modelled on GDPR data privacy frameworks.(10)

POPIA mirrors core GDPR principles: lawful processing conditions, data subject rights, mandatory Information Officers, and an independent Information Regulator.(11) It even extends protection to juristic persons, arguably exceeding the GDPR in scope.(12) Yet South Africa has not been deemed adequate, forcing businesses to rely on costly safeguards such as Standard Contractual Clauses under Article 46.(13)

Global South countries like India, Kenya and Brazil have similarly enacted GDPR-aligned frameworks without receiving adequacy.(14) Of sixteen operational decisions, only Argentina and Uruguay represent the Global South.(15) The geographic concentration of adequacy decisions suggests a club dynamic rather than a purely objective assessment of protection standards.

III DATA IMPERIALISM

Adequacy enables frictionless data flows equivalent to intra-EU transfers.(16) For ‘adequate’ countries, digital trade has increased as much as 14%.(17) Thus, in seeking compliance, Global South countries have adopted restrictive localisation measures.(18) For South Africa, this restrictiveness in data flows, in attempt at compliance with the EU, resulted in gross output falling by 9.1%, productivity by 3.7% and prices rising by 1.9%, between 2013 and 2018.(19) Yet, by not complying, Global South countries risk losing trade to the EU. For South Africa, in which the EU is a foremost trading partner, accounting for 40 percent of the nation’s e-commerce business, losing out on trade would prove disastrous.(20)

The ‘Brussels Effect’, coined by Columbia Law School’s Professor Bradford, explains the EU’s power to influence external countries to adopt EU regulations.(21) Through ‘bureaucratic tools of dominion’, such as limiting market access, the EU exports its norms beyond its borders.(22) In the adequacy context, this dynamic resembles regulatory imperialism: countries must adopt EU-style frameworks or risk exclusion from global digital trade.(23)

More ominously, this process risks epistemic and governance colonialism.(24) Complying with “essential equivalence” suggests that Southern epistemic frameworks are inferior to Northern ones. The EU positions itself as the ultimate arbiter of “adequate” rights protection, irrespective of divergent constitutional traditions or developmental priorities. Thus, adequacy ceases to be a purely technical standard, instead becoming a hierarchy of normative legitimacy.

IV SECURITY MUST SUCCEED

It would, however, be reductive to portray the EU’s approach as purely imperial. The adequacy regime is rooted in a legitimate commitment to protecting personal data under Article 8 of the EU Charter.(25) The CJEU in Schrems II rightly warned that textual similarity alone does not guarantee effective redress or protection from surveillance.(26) Institutional capacity matters. Kenya’s Data Protection Authority has acknowledged a 76% resource gap.(27) South Africa’s Information Regulator, however strong the POPIA statute is, operated for years in institutional infancy.(28) For adequacy to mean anything substantive, it cannot be entirely indifferent to whether the relevant institutions actually function.

Further, if enforcement capacity is decisive, the EU-US Data Privacy Framework, adopted despite the continuing debate about US surveillance under s702 of FISA, illustrates strategic geopolitical flexibility. The EU cannot remain credible if it does not remain consistent.

Moreover, the lack of resources many Global South countries have in implementing data laws does not mitigate their intention of trying. UNCTAD reported, as of 2026, 57 African countries have enacted some form of data protection legislation.(29) This is a 63% increase from 2022.(30) Regional initiatives, such as the African Union’s Malabo Convention, further demonstrate commitment.(31

Nonetheless compliance with GDPR standards is exorbitant and the weighty financial burden is often the reason for developing countries requiring enactment.(32) Global South countries are making concerted efforts to appease the EU, but are hindered by resource deficiency. Surely some onus should shift onto the EU in recognising that structural inequality rather than normative difference, explains regulatory inefficiency? Without financial and contextualised aid, their one-size-fits-all approach to adequacy entrenches structural inequality. A regime that purports to protect worldwide human rights,(33) must seek to reform their system which encroaches on the right to equality.

V REFORM

To uphold both data protection and commitments to reducing inequality, adequacy should be reformed along three axes: transparency, contextualisation and partnership.

a) Transparency

Adequacy currently relies on broad evaluative criteria without published quantitative benchmarks. The Commission provides limited explanation for delay or refusal. Clear standards, timelines, and publicly reasoned decisions would reduce perceptions of arbitrariness. Transparent reporting and periodic review would enhance procedural fairness and legitimacy.

b) Contextualisation

“Essential equivalence” should prioritise functional outcomes rather than textual mimicry. Japan was required to adopt supplementary rules tailored to EU expectations; the UK’s adequacy decision includes a sunset clause reflecting concerns about divergence.(34) These examples reveal a formalist application of ‘equivalence’: resemblance to the GDPR’s architecture often appears decisive.

A genuinely contextualised approach would instead question whether legal systems provide meaningful remedies for data subjects whose rights are violated. This would enable countries to maintain their own governmental and epistemological autonomy. They could strive toward sound data protection laws but adapt them to be most beneficial to their own country – not simply transplanting regulations from the North.

c) Partnership

High standards are defensible; unilateralism is not. Excluding Global South jurisdictions concentrates digital trade among already powerful economies.(35) If the EU is committed to reducing global inequality, adequacy must involve institutional partnership. This could include twinning supervisory authorities, technical assistance in enforcement, and phased, outcomes-based pathways toward adequacy rather than binary determinations. This is not charity. It is the minimum condition of credibility for an institution that presents itself as a global rights-protector. If you design a race inviting others to run it, but don’t reveal the finish line, you have not conducted a race. You have conducted a demonstration of power.

VI CONCLUSION

The EU’s GDPR adequacy regime stands at a crossroads. It can continue to operate as a formally neutral but substantively uneven system: one that rewards geopolitical allies, dictates European norms as universal and places financial burdens on developing nations; or it can reform itself to be transparent, contextual and partner-building.
This essay demonstrates that the problem is not the ambition of high data protection standards. Nor is it the commitment to fundamental data protection rights under Article 8 of the Charter. The issue lies in process: an “essential equivalence” test applied rigidly to some, flexibly to others; a process opaque to those most affected; and a system that entrenches the Global South in inequality. When countries, like South Africa, enact legislatively robust and GDPR-based protection laws, yet are still excluded, the adequacy criteria feel vague and elusive.

If adequacy is to retain legitimacy, it must move from form to substance. This requires clear benchmarks, contextual evaluation of outcomes rather than textual mimicry, and institutional partnerships that recognise structural inequality rather than penalise it. A regime that controls market access based on the protection of rights, must reflect the values it aims to defend: equality, transparency and fairness.

REFERENCES
  1. European Commission, ‘Statement by Vice-President Ansip and Commissioner Jourová ahead of the Entry into Application of the General Data Protection Regulation’ (European Commission, 2018)
  2. European Commission, ‘Adequacy decisions’
  3. Anas Baig and Maria Khan, ‘GDPR vs POPIA: Comparing South African Version’ (Securiti, 21 September 2021)
  4. European Data Protection Board, ‘International Data Transfers’ (edpb.europa.eu, 2021)
  5. ibid.
  6. Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems EU:C:2020:559; Róisín Áine Costello, ‘Schrems II: Everything Is Illuminated?’ (2020) 5(2) European Papers 1045, 1057.
  7. European Digital Rights (EDRi), ‘Promises Unkept: The EU-US Data Privacy Framework under Fire’ (EDRi, 4 December 2024); Haoyang Qin, ‘Regulatory Conflict and the Struggle for Digital Sovereignty: A Critical Analysis of the EU-U.S. Data Privacy Framework’ (2025) 4(1) Studies in Law and Justice 46.
  8. Teki Akuetteh and Michael Pisa, ‘Upgrading the Africa-EU Digital Relationship’ (Center for Global Development, 15 February 2022)
  9. Michael Pisa and Ugonma Nwankwo, Do Evolving Digital Trade Rules Create an Uneven Playing Field? Understanding Global Perspectives Roundtable Summary (Center for Global Development 2021)
  10. Baig and Khan (n 3).
  11. Cookiebot, ‘POPIA: Compliance with South Africa’s Data Protection Law’ (Cookiebot, 15 July 2024)
  12. Baig and Khan (n 3).
  13. European Data Protection Board (n 4).
  14. Ayesha Bhatti, How the Brussels Effect Hinders Innovation in the Global South (Data Innovation, 26 January 2026) 6
  15. European Data Protection Board (n 4).
  16. Martina F Ferracane and others, ‘The Trade Effects of EU Adequacy Decisions’ (CEPR, 6 July 2023)
  17. ibid.
  18. Bhatti (n 14) 7.
  19. ibid 8.
  20. Cara Mannion, ‘Data Imperialism: The GDPR’s Disastrous Impact on Africa’s E-Commerce Markets’ (2020) Vanderbilt Journal of Transnational Law 687.
  21. Anu Bradford, ‘The Brussels Effect’ (2012) 107 Northwestern University Law Review 1.
  22. ibid 36.
  23. Mannion (n 20) 693.
  24. Samar A Ahmed, ‘Algorithmic Dependence and Digital Colonialism: A Conceptual Framework for Artificial Intelligence in Education and Knowledge Systems of the Global South’ (2026) 11 Frontiers in Education.
  25. European Union Agency for Fundamental Rights, ‘Article 8 – Protection of Personal Data’ (FRA, 25 April 2015)
  26. Costello (n 6) 1059.
  27. Bhatti (n 14) 10.
  28. Mannion (n 20) 698.
  29. UNCTAD, ‘Data Protection and Privacy Legislation Worldwide’ (UNCTAD, 14 December 2021)
  30. Yohannes Eneyew Ayalew, ‘The African Union’s Malabo Convention on Cyber Security and Personal Data Protection Enters into Force Nearly after a Decade’ (EJIL: Talk!, 15 June 2023)
  31. ibid.
  32. Mannion (n 20) 687.
  33. European Union, ‘Human Rights and Democracy’ (Europa, 2025)
  34. Bhatti (n 14) 4–5.
  35. Ferracane and others (n 16).
  • Ahmed SA, ‘Algorithmic Dependence and Digital Colonialism: A Conceptual Framework for Artificial Intelligence in Education and Knowledge Systems of the Global South’ (2026) 11 Frontiers in Education.
  • Akuetteh T and Pisa M, ‘Upgrading the Africa-EU Digital Relationship’ (Center for Global Development, 15 February 2022) 
  • Ayalew YE, ‘The African Union’s Malabo Convention on Cyber Security and Personal Data Protection Enters into Force Nearly after a Decade’ (EJIL: Talk!, 15 June 2023)
  • Baig A and Khan M, ‘GDPR vs POPIA: Comparing South African Version’ (Securiti, 21 September 2021)
  • Bhatti A, How the Brussels Effect Hinders Innovation in the Global South (Data Innovation, 26 January 2026)
  • Bradford A, ‘The Brussels Effect’ (2012) 107 Northwestern University Law Review 1.
    Cookiebot, ‘POPIA: Compliance with South Africa’s Data Protection Law’ (Cookiebot, 15 July 2024)
    Costello RÁ, ‘Schrems II: Everything Is Illuminated?’ (2020) 5(2) European Papers 1045.
  • European Commission, ‘Adequacy Decisions’
  • European Commission, ‘Statement by Vice-President Ansip and Commissioner Jourová ahead of the Entry into Application of the General Data Protection Regulation’ (European Commission, 2018)
  • European Data Protection Board, ‘International Data Transfers’ (2021)
  • European Digital Rights (EDRi), ‘Promises Unkept: The EU-US Data Privacy Framework under Fire’ (EDRi, 4 December 2024)
  • European Union, ‘Human Rights and Democracy’ (Europa, 2025)
  • European Union Agency for Fundamental Rights, ‘Article 8 – Protection of Personal Data’ (FRA, 25 April 2015) 
  • Ferracane MF and others, ‘The Trade Effects of EU Adequacy Decisions’ (CEPR, 6 July 2023) 
  • Mannion C, ‘Data Imperialism: The GDPR’s Disastrous Impact on Africa’s E-Commerce Markets’ (2020) Vanderbilt Journal of Transnational Law 687.
  • Pisa M and Nwankwo U, Do Evolving Digital Trade Rules Create an Uneven Playing Field? Understanding Global Perspectives Roundtable Summary (Center for Global Development 2021) 
  • Qin H, ‘Regulatory Conflict and the Struggle for Digital Sovereignty: A Critical Analysis of the EU-U.S. Data Privacy Framework’ (2025) 4(1) Studies in Law and Justice 46.
  • UNCTAD, ‘Data Protection and Privacy Legislation Worldwide’ (UNCTAD, 14 December 2021)