18 January 2017

Why the EU Has Issued Relatively Few Data Protection Adequacy Determinations: A Reply


A January 2, 2017 commentary by Ariel Teshuva raises an intriguing question. While the European Commission is vested with the authority under Article 25(6) of the Data Protection Directive to issue data protection adequacy determinations—a declaration that a given jurisdiction outside the EU provides adequate legal protection for personal data—why have so few been adopted?

In reviewing this question, Teshuva finds the content of the current list of 12 adequacy decisions difficult to explain. She also wonders how it is that large technology and banking firms based in countries without an adequacy determination remain able to continue significant trading relationships with Europe.

In this post, I will suggest that while the list of 12 territories that benefit from adequacy decisions is heterogeneous, the membership list remains easy to explain. I will also suggest that it is understandable that many other jurisdictions remain absent from the list. Finally, I will provide some thoughts on how multinationals from third-party jurisdictions that do not benefit from adequacy determinations nonetheless maintain healthy European operations.