Global adequacy capabilities
This infographic shows the jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having “adequate” data privacy standards.
Published: 25 March 2024
Last updated: 17 April 2025
The proliferation of new or updated data privacy laws around the world has resulted in a marked rise in the number of centralized data "adequacy" capabilities.
This infographic shows the jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having "adequate" data privacy standards.
An "adequate" designation describes instances where a third country has been assessed as providing data privacy standards that are sufficiently comparable to those of the assessing jurisdiction. These unilateral determinations permit the free flow of personal data, without the parties to the transfer being required to implement further safeguards or obtain further authorizations. In some jurisdictions the capabilities go by alternative legislative terms – such as "equivalence," "comparable," and "sufficiently similar" – and in some jurisdictions more colloquial terminology is used such as "whitelists" and "data bridges."
This infographic does not detail whether and how such capabilities have been exercised nor does it show the availability of mechanisms and guidance for transferring personal data to non-"adequate" countries. This will be the subject of further research by the IAPP.
For information on global data transfer contracts, see this companion infographic.
91 jurisdictions vest powers in either a data privacy regulator or government authority to designate other jurisdictions as having “adequate” data privacy standards.
Provided here is a list of jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having "adequate" data privacy standards.
- Abu Dhabi Global Market
- Albania
- Algeria
- Andorra
- Angola
- Argentina
- Armenia
- Bahamas
- Bahrain
- Barbados
- Belarus
- Benin
- Bermuda
- Bosnia and Herzegovina
- Botswana
- Brazil
- Burkina Faso
- Cabo Verde
- Cameroon
- Cayman Islands
- Chad
- Chile
- Colombia
- Congo
- Côte d'Ivoire
- Dubai International Financial Centre
- Egypt
- Equatorial Guinea
- Ethiopia
- European Economic Area
- European Union
- Faroe Islands
- Gabon
- Georgia
- Gibraltar
- Guernsey
- Guinea
- India
- Indonesia
- Isle of Man
- Israel
- Japan
- Jersey
- Kazakhstan
- Kenya
- Kosovo
- Kyrgyz Republic
- Macau
- Madagascar
- Malawi
- Malaysia
- Moldova
- Montenegro
- Morocco
- Monaco
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Panama
- People's Republic of China
- Peru
- Qatar Financial Centre
- Republic of Korea
- Russian Federation
- São Tomé and Príncipe
- Saint Lucia
- Saudi Arabia
- Senegal
- Serbia
- South Africa
- South Korea
- Sri Lanka
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Togo
- Thailand
- Trinidad and Tobago
- Tunisia
- Turkey
- Turkmenistan
- Uganda
- Ukraine
- United Kingdom
- Uruguay
- Uzbekistan
- Zambia
- Zimbabwe
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Global adequacy capabilities
This infographic shows the jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having “adequate” data privacy standards.
Published: 25 March 2024
Last updated: 17 April 2025
Contributors:
Joe Jones
Research and Insights Director, IAPP
Kayla Bushey
Former Westin Fellow, IAPP
CIPP/US
The proliferation of new or updated data privacy laws around the world has resulted in a marked rise in the number of centralized data "adequacy" capabilities.
This infographic shows the jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having "adequate" data privacy standards.
An "adequate" designation describes instances where a third country has been assessed as providing data privacy standards that are sufficiently comparable to those of the assessing jurisdiction. These unilateral determinations permit the free flow of personal data, without the parties to the transfer being required to implement further safeguards or obtain further authorizations. In some jurisdictions the capabilities go by alternative legislative terms – such as "equivalence," "comparable," and "sufficiently similar" – and in some jurisdictions more colloquial terminology is used such as "whitelists" and "data bridges."
This infographic does not detail whether and how such capabilities have been exercised nor does it show the availability of mechanisms and guidance for transferring personal data to non-"adequate" countries. This will be the subject of further research by the IAPP.
For information on global data transfer contracts, see this companion infographic.
91 jurisdictions vest powers in either a data privacy regulator or government authority to designate other jurisdictions as having “adequate” data privacy standards.
Provided here is a list of jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having "adequate" data privacy standards.
- Abu Dhabi Global Market
- Albania
- Algeria
- Andorra
- Angola
- Argentina
- Armenia
- Bahamas
- Bahrain
- Barbados
- Belarus
- Benin
- Bermuda
- Bosnia and Herzegovina
- Botswana
- Brazil
- Burkina Faso
- Cabo Verde
- Cameroon
- Cayman Islands
- Chad
- Chile
- Colombia
- Congo
- Côte d'Ivoire
- Dubai International Financial Centre
- Egypt
- Equatorial Guinea
- Ethiopia
- European Economic Area
- European Union
- Faroe Islands
- Gabon
- Georgia
- Gibraltar
- Guernsey
- Guinea
- India
- Indonesia
- Isle of Man
- Israel
- Japan
- Jersey
- Kazakhstan
- Kenya
- Kosovo
- Kyrgyz Republic
- Macau
- Madagascar
- Malawi
- Malaysia
- Moldova
- Montenegro
- Morocco
- Monaco
- New Zealand
- Niger
- Nigeria
- North Macedonia
- Panama
- People's Republic of China
- Peru
- Qatar Financial Centre
- Republic of Korea
- Russian Federation
- São Tomé and Príncipe
- Saint Lucia
- Saudi Arabia
- Senegal
- Serbia
- South Africa
- South Korea
- Sri Lanka
- Switzerland
- Taiwan
- Tajikistan
- Tanzania
- Togo
- Thailand
- Trinidad and Tobago
- Tunisia
- Turkey
- Turkmenistan
- Uganda
- Ukraine
- United Kingdom
- Uruguay
- Uzbekistan
- Zambia
- Zimbabwe
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Tags:
Related resources
Global AI Governance Law and Policy: Jurisdiction Overviews
US State Privacy Legislation Tracker
Organizational Digital Governance Report 2025
US State Comprehensive Privacy Laws Report
