***Schrems II update***
In July 2020, the Court of Justice of the European Union ruled that the Privacy Shield adequacy decision for the USA was invalid because of invasive US surveillance programs. You can read more about the background of the case, the decision and the implications here.
Adopting an Adequacy Decision
Adequacy decisions are how the EU determines if a third country has an adequate level of data protection and there are four main steps involved in adopting an adequacy decision.
When the European Commission assesses whether an adequate level of protection is in place, firstly, they look at things like the rule of law, respect for human rights and fundamental freedoms, access of public authorities to personal data and rules for onward transfer of personal data to another third country or international organisation.
Secondly, they want to see if an effective supervisory authority exists in the country and if that authority has adequate enforcement powers.
Finally, they will look at international commitments the third country has entered into or other legally binding obligations.
Once a third country has an adequacy decision, personal data can travel from the EU to that country without putting any further safeguards in place.
Revoking a Decision?
However, adequacy doesn’t necessarily last forever. At least every 4 years the Commission will review the decision, taking into account relevant developments in the third country. The Commission will also regularly monitor developments in third countries that could affect how the adequacy decision works. They can then appeal, amend or suspend the adequacy decision as necessary.
Lastly, the Commission has to publish a list of sectors, countries, territories and organisations that have adequacy decisions.
Sources and further readings: