Last Updated: April 2023
The proliferation of new or updated data privacy laws around the world has resulted in a marked rise in the number of centralized data “adequacy” capabilities.
This infographic shows the jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having “adequate” data privacy standards.
An “adequate” designation describes instances where a third country has been assessed as providing data privacy standards that are sufficiently comparable to those of the assessing jurisdiction. These unilateral determinations permit the free flow of personal data, without the parties to the transfer being required to implement further safeguards or obtain further authorizations. In some jurisdictions the capabilities go by alternative legislative terms – such as “equivalence,” “comparable,” and “sufficiently similar” – and in some jurisdictions more colloquial terminology is used such as “whitelists” and “data bridges.”
This infographic does not detail whether and how such capabilities have been exercised nor does it show the availability of mechanisms and guidance for transferring personal data to non-“adequate” countries. This will be the subject of further research by the IAPP.
For information on global data transfer contracts, see this infographic.
The IAPP Resource Center additionally hosts an "International Data Transfers" topic page, which updates regularly with the latest news and resources.
74 jurisdictions vest powers in either a data privacy regulator or government authority to designate other jurisdictions as having “adequate” data privacy standards.
Abu Dhabi Global Market
Bosnia and Herzegovina
Dubai International Finance Centre
European Economic Area
Isle of Man
People’s Republic of China
Qatar Financial Centre
Republic of Korea
Sao Tome and Principe
Trinidad and Tobago