The ubiquity and reach of data transfers underpins the ways in which businesses, service providers and individuals interact with one another. Businesses are growing more reliant on the free flow of data to reach customers and service providers alike throughout the world. This is especially true for small to medium-sized businesses that traditionally could not operate on an international scale until the proliferation of the internet and global interconnectivity.
At the same time, growing concerns about data privacy and global conflicts have motivated national governments to restrict data flows leaving their borders and prohibit transfers to countries with data protection frameworks that have not been deemed "adequate." These restrictions can significantly hinder the daily operations of many businesses and stifle innovation needed to drive economic growth.
With the implementation and influence of the EU General Data Protection Regulation, many countries modeled their national data privacy laws to mirror the provisions of the EU's data protection framework. More countries are now implementing their established data privacy laws to align with international standards in an approach toward interoperability that could ease regulators' deliberations in reaching adequacy decisions.
Under the European standard, "adequacy" is a legal status signifying that a foreign jurisdiction has a data protection framework that is equivalent in data protection terms to the protections afforded under the GDPR. Upon receiving an adequacy decision, entities from the EU can freely transfer personal data to the adequate country without additional safeguards, such as standardized contractual clauses between organizations or binding corporate rules for multinational organizations.
In practice, adequacy decisions enable the free flow of personal data cross borders, allowing businesses to seamlessly interact with its subsidiaries, service providers, and consumers while upholding proper safeguards and individual data rights.
Cross-border data transfers and their restrictions pose various challenges to privacy pros because of their importance, complexity and evolving nature. Understanding whether and how policymakers and regulators effectuate their adequacy capabilities informs operational considerations for international data transfers.
Countries issue public adequacy decisions under their cross-border data transfer frameworks
The IAPP identified countries with legislative provisions that empower the issuance of adequacy decisions of foreign jurisdictions through their data protection laws, which was updated in April 2025. Several of these frameworks were modeled after the GDPR and delegated power to their respective data protection authority or relevant government ministry to determine whether a third country is adequate.
However, many countries took time to employ their assessment capabilities under new national data privacy laws, most often due to the need to establish their respective DPAs. For instance, in 2024 at least four countries established new DPAs, with legislative authority to assess and issue decisions for adequacy.
In some cases, adequacy decisions are compiled into a public-facing list or "whitelist."
For example, Botswana and Colombia issued whitelists of their adequacy decisions for 45 and 43 countries, respectively. Another example is Bahrain, which included 83 countries on its public whitelist, whereas Japan has only issued adequacy decisions for the EU and the U.K.
Notably, India's data privacy law takes an entirely different approach, where the DPA may publish a "blacklist." Here, the country permits international data transfers to all third countries, except those named on their published list. India has yet to publish a blacklist of prohibited countries as of March 2025.
These examples highlight the stark variety in regional and national approaches DPAs have taken when making their adequacy designations.
Overlapping adequacy criteria signals movement toward interoperability
Many national data privacy laws and DPA regulations have overlapping criteria to use while deliberating an adequacy decision. As mentioned, these guidelines generally follow the criteria set out in the GDPR.
For instance, DPAs from Albania, Armenia, Qatar, Switzerland and the United Arab Emirates (Dubai International Financial Centre) generally look for the following provisions in a third country's data protection framework. First, a third country is required to have established laws and regulations providing adequate safeguards with equal or more stringent protection as the transmitting country's framework.
Next, regulators must find that a third country has an independent public authority to oversee and enforce the third country's data protection laws. DPAs will also look to see whether the third country has judicial or administrative methods for data subjects to exercise their privacy rights. Finally, DPAs will look to determine whether the third country has demonstrated respect for individuals' freedom and human rights more broadly.
Moreover, states like Argentina and Montenegro have more granular criteria, building upon the previous requirements while also looking at the totality of the circumstances surrounding the data transfer or categories of data transfers. Specifically, these frameworks consider all the following factors related to the data transfer or categories, such as the nature of the data, its intended purpose and the duration of its processing. Other factors include the third country's applicable general or sectoral laws, the final destination of the data, as well as the relevant professional rules, codes of conduct, and security measures implemented in the third country to ensure protection for the data's processing and storage.
This trend follows the general approach of interoperability between national and regional privacy standards and its importance in facilitating trust among governments. A 2021 report from the Organisation for Economic Co-operation and Development defined interoperability in privacy frameworks as the "ability of different privacy and data protection regimes, or legal frameworks, to work together at multiple levels through policy and practical arrangements and thereby bridge any differences in approaches and systems of privacy and personal data protection to facilitate transborder flows of personal data."
As shown above, countries implementing similar data protection frameworks in alignment with international standards may allow regulators to reach adequacy decisions in an efficient manner while promoting trust between nations.
Adequacy assessments as technical, diplomatic and closed
Although national data privacy laws outline the criteria for DPAs to use when making their determinations, many of these assessments take place confidentially, in-house and often in diplomatic negotiation and engagement with foreign partners. Aside from the European Commission and U.K., adequacy assessments and analyses generally have not been released publicly.
Being able to understand the method and analysis behind an adequacy decision may assist privacy pros in trying to understand a DPA's approach in making its adequacy assessments. For example, a Nigerian nonprofit filed a federal lawsuit in 2022 against the country's previous DPA, the National Information Technology Development Agency, alleging it failed to comply with the Nigeria Data Protection Regulation after its published whitelist included countries that lacked the required data protection laws and independent authorities.
A Federal High Court of Nigeria decision from November 2023 found that the NITDA failed to comply with the NDPR, required regulators to stringently follow criteria established in the regulation and invalidated portions of the list. However, the new Nigeria Data Protection Act had already passed in July 2023 and replaced the NDPR. The NDPA created a new DPA but also incorporated the whitelist issued by the former NITDA. The Nigeria Data Protection Commission has yet to update and correct its whitelist to adhere to the court's 2023 decision.
Some authorities have provided detailed guidance on their approach to reaching adequacy decisions. The U.K. and Dubai International Finance Centre also provide templates for third countries to use when applying for an adequacy designation in a likely effort toward transparency.
Adequacy criteria as informing standards for independent DPAs
The composition of DPAs varies between countries due to the diversity in how national governments are structured and when national data privacy laws were passed. For example, Latin American countries that adopted data protection laws in the 2000s and 2010s, like Argentina and Colombia, followed the pre-GDPR European model. As such, their DPAs were established within various interior ministries to oversee their data privacy law.
However, Argentina restructured its DPA after receiving criticism for the prior DPA's apparent lack of independence. The EU has designated Argentina as adequate since the early 2000s under the GDPR's predecessor. Uruguay established its independent DPA in 2009 after its national data privacy law was passed a year earlier and received an EU adequacy decision in 2012.
Colombia's authority is responsible for overseeing and enforcing both competition and data privacy laws. It maintains the ability to promulgate regulations to enhance the law's adequacy criteria. The DPA sits under the Ministry of Trade, Industry, and Tourism in the executive branch of government. The country has not received an EU adequacy decision.
Japan's regulatory authority underwent a similar evolution to Argentina, when the Personal Information Protection Commission was established in 2016 after significant amendments were made to the country's national data privacy law from 2003. The 2017 amendments to the law established the PPC as an independent authority. Japan received an adequacy decision from the EU in 2019 after a long negotiation period.
Since international standards generally require one or more independent public authorities as a factor in the adequacy criteria, countries are incentivized to ensure their new DPAs remain independent.
Piecing together the web of unilateral adequacy decisions
Since international data transfers invariably require complex, contextual and cultural analysis of and engagement with foreign jurisdictions, adequacy assessments as unilateral legislative constructs often take time and are jurisdictionally contained.
Some jurisdictions have leveraged international agreements, such as Israel's recognition of signatories to the Council of Europe's Convention 108, and regional networks in their laws to find scale and efficiency compared to individualized third country assessments. Most data protection laws allow for transfers to third countries without prior authorization if done pursuant to relevant international acts and treaties.
Another trend is countries' reliance on EU adequacy decisions. Albania's and Montenegro's data privacy laws explicitly state that data transfers to the EU, the European Economic Area, and any third country that receives an EU adequacy decision does not need prior authorization. Colombia's regulation on cross-border transfers also extends adequacy decisions to countries deemed adequate by the EU. In Uruguay, its DPA expanded its list of adequate countries after the EU issued new designations to South Korea and the U.S.
These approaches are noteworthy because if the EU continues to issue adequacy designations to countries that adopted frameworks similar to the GDPR, which several African countries have done since 2017 and before, this could quickly expand permitted international data flows.
Comparatively, Switzerland's DPA has issued an adequacy decision for EU and EEA countries, but third countries with adequacy decisions from the EU may not have an adequacy decision for Switzerland. The Swiss DPA is explicit in stating that only countries included on its public list are considered adequate and this does not include Japan or South Korea, both of which maintain EU adequacy decisions.
Conclusion
The global economy continues to rely on international data flows to support business transactions and the free flow of information. Simultaneously, more countries are passing national comprehensive data privacy laws and others are amending their criteria on cross-border data transfers to meet international standards. This approach toward interoperability can help alleviate obstacles regulators might face when considering a third country's adequacy and potentially streamline the deliberation process.
Joe Jones is the research and insights director for the IAPP. Kayla Bushey is a Westin Research fellow for the IAPP.
