Home Glossary Adequacy decision

Adequacy decision

By Lucas Brandao · São Paulo · verified 2026-05-04 · edit on GitHub

An adequacy decision is a formal declaration by the European Commission that a non-EU country offers a level of personal-data protection "essentially equivalent" to GDPR. Once a country is on the list, EU-based companies and services can transfer personal data there without a separate legal mechanism — no Standard Contractual Clauses, no Binding Corporate Rules, no Schrems II workaround. It is the legal switch that turns "this analytics vendor is risky" into "this analytics vendor is fine."

Countries currently on the list

As of 2026-05-04, fourteen jurisdictions hold a valid adequacy decision under GDPR:

CountryDate grantedNotes
Andorra2010small jurisdiction, rarely a vendor home
Argentina2003
Canada (commercial sector only)2001covers PIPEDA-regulated entities
Faroe Islands2010
Guernsey2003Channel Islands
Isle of Man2004
Israel2011
Japan2019mutual adequacy with EU
Jersey2008
New Zealand2012
Republic of Korea2021
Switzerland2000
United Kingdom2021post-Brexit decision
United States2023"EU-US Data Privacy Framework" — narrow, vendor must self-certify

The US entry is the unstable one. The 2023 framework replaced the Privacy Shield (struck down by Schrems II in 2020), and the same EU privacy advocates have already filed Schrems III. A future ruling could remove US adequacy again. Analytics vendors that depend on it — Google, Adobe, Mixpanel — are exposed to that risk.

Why this matters for analytics vendors

The lawful basis for processing analytics data outside the EU has two paths:

  1. Vendor is in the EU. No transfer happens. No adequacy needed. Examples: Plausible (Estonia), Matomo Cloud (Germany), Fathom EU isolation tier (Frankfurt).
  2. Vendor is outside the EU but in an adequacy country. Transfer is permitted automatically. Examples: Fathom Canada commercial-sector, any Swiss-hosted tool, UK-based analytics.
  3. Vendor is outside the EU and outside adequacy. You need SCCs, a transfer impact assessment, and a Schrems II analysis. Examples: GA4 before 2023 (and arguably still — the 2023 framework is contested), most US-based analytics SaaS without EU-region routing.

What this means at the vendor level

VendorHeadquartersAdequacy pathPractical risk
PlausibleEstonia (EU)EU-domiciled, no transfernone
MatomoGermany (EU)EU-domiciled, no transfernone
Fathom AnalyticsCanadaCanada commercial-sector adequacylow (stable since 2001)
Fathom EU isolationFrankfurt EU edgeEU-domiciled processingnone
GA4US (Google)EU-US framework 2023medium (Schrems III pending)

A privacy-conscious DPO will accept Plausible and Matomo without conversation, accept Fathom with a one-line note about Canadian adequacy, and require a Transfer Impact Assessment for GA4. The TIA is the friction point most teams hit when they try to keep GA4 after a privacy review.

Gotcha

Adequacy can be revoked. The Privacy Shield was revoked overnight in July 2020, leaving thousands of US-using companies in legal limbo for months. Build your analytics stack assuming the US adequacy line could disappear in any future court ruling. The cheap insurance is to use an EU-domiciled vendor or a Canadian/Swiss/UK one — those four jurisdictions have held adequacy stably for over 20 years and are unlikely to lose it on a single court decision.

Related migrations

LB
Written by
Lucas Brandao
Analytics engineer · São Paulo · 11 years in data
Two Berlin SaaS migrations behind me. I write migrateanalytics.com as a public utility — no product, no affiliate, no consulting. All measurements are reproducible; raw data lives on GitHub.
GitHub LinkedIn Contact
v1 · 2026-05-04 · first publication. · edit on GitHub →