Should the EU’s adequacy criteria for international data transfers be changed? If so, how?
By Sanjana Shikhar, Information Technology and Data Law, Intellectual Property Law LLM Student at The London School of Economics and Political Science
‘When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.’
David Brin
a) Introduction
Twice within ten years, the European Union's (EU) framework for regulating international data transfers has failed under judicial scrutiny.(1) What was initially framed as a solution for enabling seamless data transfers now exposes a structural tension between fundamental rights protection and the realities of cross-border data exchange. As data flows increasingly underpin the global economy,(2) the instability of the EU’s adequacy criteria suggests that the core problem may not lie in the strictness of standards but in the institutional mechanism by which those standards are put into practice.
The EU’s data transfer regime is based on the dual objective of facilitating free flow of data within the Union, while restricting this flow to third countries based on adequacy criteria. Article 45 of the General Data Protection Regulation (GDPR) gives effect to this objective by empowering the European Commission (EC) to determine whether the third country provides an adequate level of protection for personal data by issuing implementing acts.(3) This standard is based on the principle of ‘essential equivalence’, which requires a system capable of providing substantially the same level of protection as given under EU law.(4)
In practice, however, adequacy decisions are not purely legal determinations but the result of an institutional process which involves political negotiations, economic relations and commercial interests.(5) Although the procedure incorporates consultation with the European Data Protection Board (EDPB) and Member State representatives, the Commission retains significant control over the process.(6) Hence, adequacy is produced through a mechanism where legal standards and geopolitical constraints remain in constant friction, and it is within this context that many of the regime’s tensions emerge.
b) The Institutional Drift of Adequacy Framework
The current framework of producing adequacy decisions is marked by procedural complexity and delay, often taking years to conclude a single decision. One of the primary reasons behind this is the absence of any monitoring and deadlines the Commission needs to meet, which allows decisions to evolve more through diplomatic compromise than regulatory evaluation. This design has drawn sustained criticism; as Kuner observes, “the procedure for having third countries declared “adequate” by the EC is a triumph of bureaucracy and formalism over substance, and has been criticised as inefficient, untransparent, and subject to political influence.”(7)
Although the Commission’s actions can be controlled by the Article 93 Committee, composed of representatives from each EU Member State,(8) the Commission retains considerable influence over the Committee’s work by chairing and preparing agendas for the meetings. Consequently, the oversight mechanism risks becoming circular, with the Commission effectively assisting in the assessment of its own draft. Additionally, each representative in the Committee is accountable to the instructions agreed upon at the national level. Therefore, the members cannot be regarded as entirely independent in their actions, even if they are experts in the field of data protection.(9)
This limitation is intensified by the opacity of the adequacy procedure, which significantly limits the supervision of the Commission’s decisions. The Commission is neither required to publish any documents nor disclose the methodology it relies on, making it the sole authority in charge of the entire mechanism. This reduces the Commission’s accountability to a level that is unacceptable when considering the potential harms to data subjects’ rights if the assessment is erroneous. The invalidation of two such decisions by the Court of Justice (CJEU) underscores the need for exactly that scrutiny. Therefore, the Commission has been invited to “increase the transparency of its assessment process and present a comprehensive and coherent strategy for future adequacy decisions”.(10)
Transparency, however, is not the only issue. The Commission’s role as an independent assessor is further compromised by the growing influence of commercial and political considerations. The Commission’s 2017 Communication explicitly states that ‘commercial relations with a given third country’ and ‘the overall political relationship with the third country in question’ should be considered when determining which countries should be prioritised for an adequacy dialogue.(11) A prime example in this regard is Japan, which received an adequacy decision just before the EU–Japan Economic Partnership Agreement, extending the reach of the EU’s data protection standards in parallel with international trade agreement negotiations.(12)
In the context of political influence, the EU-US Data Transfer Arrangements serve as the best example. The Commission’s original Safe Harbor decision was invalidated by the CJEU in Schrems I on the ground that US surveillance practices did not satisfy the requirement of ‘essential equivalence.’(13) Its successor, Privacy Shield, was likewise struck down in Schrems II, where the Court highlighted insufficient safeguards against extensive access to EU personal data.(14) Still, these rulings did not end transatlantic transfers; they sparked further political discussions that resulted in the formation of the EU-US Data Privacy Framework 2023.(15) This was preceded by a US Executive Order limiting intelligence activities and establishing a Data Protection Review Court, illustrating that adequacy operates more as a political instrument than a legal determination.
A further limitation lies in the binary structure of this framework. Under Article 45, a third country is either recognised as adequate, or it is not; there is no intermediate status. While Articles 46 and 47 provide alternative mechanisms such as Standard Contractual Clauses and Binding Corporate Rules, they operate as private compliance methods rather than formal recognition of a country’s data protection regime.(16) At the same time, alternative models for cross-border data transfers are gaining prominence. The Asia-Pacific Economic Cooperation Cross-Border Privacy Rules, for instance, offer a more flexible model, and their membership is expanding faster than the EU’s adequacy list,(17) raising concerns about the long-term viability of the Union’s framework.
c) Recalibrating the Institutional Architecture of Adequacy
Taken together, these limitations indicate that the issue does not lie in the principle of ‘essential equivalence’, but in the institutional framework through which it is put into application. Therefore, the target should not be to change the standard itself, but to change the procedure of implementing that standard.
First, there is an urgent need for a stronger oversight mechanism. To ensure that the Commission remains accountable, a reasonable deadline must be set for the conclusion of an assessment, with progress reports to the European Parliament. Additionally, Member States should have the power to propose amendments to the draft decisions, not merely to vote yes or no on the final draft. Furthermore, the EDPB’s role should be substantially strengthened. Either its opinion on the draft must be made binding, or, alternatively, it should be empowered to conduct the initial assessment itself.
Second, the adequacy procedure must be made transparent. The Commission must be required to publish the documents relied upon to reach the decision along with the methodology which was followed. Additionally, the Commission should publish a report which lists all ongoing negotiations, including the stage at which they are and the expected duration for completion. This would prevent countries from disappearing from the agenda, as happened with India and Mercosur.(18) Furthermore, the voting records of the Committee must be made available so that it is possible to know which members raised objections and why.
Third, the effect of external factors must be constrained. Though the influence of trade and political relations is reasonable for prioritisation, such considerations should not affect the substance of the assessment itself. To ensure this, firstly, the Commission must refrain from initiating or concluding an adequacy assessment during ongoing trade negotiations. This would prevent adequacy being granted as a trade bargain. Secondly, the European Essential Guarantees,(19) comprising clear legal basis, necessity and proportionality, independent oversight, and effective remedies, must be directly included in Article 45. This explicit codification would remove discretion and bind the Commission to a fixed standard that political relations cannot supersede.
Finally, the binary structure of the adequacy model must be recalibrated. The EU should introduce a tiered adequacy framework which provides an intermediate status between full adequacy and none. Such decisions would be renewable only upon significant progress, giving third countries a clear incentive to reform. Additionally, the concept of sectoral adequacy must be developed to permit data transfers subject to lighter requirements in clearly defined low-risk areas such as technical processing activities. Such calibrated engagement would enhance flexibility while maintaining stringency, ensuring that the EU’s adequacy framework remains robust as well as globally competitive.
d) Way Forward
Initially, adequacy was conceived as a legal evaluation of the third country’s data protection regime. However, over time, it has evolved into a governance instrument shaped by political, economic and strategic considerations, extending beyond the protection of personal data. This evolution has not rendered the standard obsolete, but it has highlighted the fragility of the institutions that implement it. Therefore, the appropriate response is not to weaken the standard, but to discipline the mechanism that produces adequacy decisions. Strengthened oversight, structured transparency, separation from external factors, and calibrated flexibility would restore adequacy to its constitutional function while preserving its credibility in a competitive global data order.
REFERENCES