An “adequacy decision” is a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46/EC, which establishes that a third country ensures an adequate level of protection of personal data by reason of its domestic law or the international commitments it has entered into.
The effect of such a decision is that personal data can flow from the 27 EU Member States and the three European Economic Area member countries (Norway, Liechtenstein and Iceland) to that third country, without any further safeguards.
The Commission has so far issued seven adequacy decisions recognizing Switzerland, Canada, Argentina, Guernsey, Isle of Man, the US Department of Commerce's Safe Harbor Privacy Principles, and the transfer of Air Passenger Name Record (PNR) data to the United States' Bureau of Customs and Border Protection as providing adequate protection.
Adequacy decisions are adopted pursuant to the so-called "comitology procedure", which involves the following steps:
- a proposal from the Commission;
- an opinion of the Article 29 Working Party;
- an opinion of the Article 31 Committee delivered by a qualified majority of Member States;
- a thirty-day right of scrutiny for the European Parliament to check if the Commission has used its executing powers correctly; and
- the adoption of the decision by the College of Commissioners.
► Commission Adequacy Decision