Crown Dependencies retain EU data protection adequacy status


The UK Crown Dependencies – Guernsey, the Isle of Man and Jersey – were all assessed by the European Commission on 15 January as having maintained ‘EU data adequacy status’, such that data transfers from the EU to these countries or territories can take place without additional requirements.

The Commission said it had successfully concluded its first review of 11 existing adequacy decisions that had been adopted under the previous Data Protection Directive, which has subsequently been replaced by the General Data Protection Regulation (GDPR) when it came into force in May 2018.

In its report, the Commission found that personal data transferred from the EU to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, continued to benefit from adequate data protection safeguards.

It found that the data protection frameworks in these 11 countries and territories had further converged with the EU’s framework and strengthened protection of personal data in their jurisdictions. The GDPR had also inspired positive changes such as the introduction of new rights for individuals, the reinforcement of the independence and powers of authorities responsible for the enforcement of privacy laws or the modernisation of rules on international transfers.

As a result, the Commission considered that their legislative frameworks ensured an adequate level of protection – comparable to that of EU Member States – for the safe flow of data to and from the EU. The existing adequacy decisions therefore remain in place and data can continue to flow freely to these jurisdictions.

The Crown Dependencies are home to many global businesses that rely heavily on the flow of data to and from EU Member States, particularly in the financial services sector. This decision enables their business sectors to continue to transfer data unhindered. In addition to private sector requirements, public authorities routinely share data in areas such as policing and security, healthcare and education.

A negative outcome would have resulted in additional safeguards being required before data could be shared between the Crown Dependencies and EU Member States, as required under the GDPR.

Adequacy decisions are ‘living instruments’, so the Commission will monitor developments in the jurisdictions on an ongoing basis and periodically review its decisions at least every four years. This first review was delayed to consider developing case law on international standards.

Contact Sovereign
Get in Touch

Please contact us if you have any questions or queries and your local representative will be in touch with you as soon as possible.