1 featured image 1
Data Protection Laws

Adequacy Decisions, BCRs, and Whitelists: Understanding Cross-Border Data Transfers in the GDPR Era

December 19, 2018

There is no question that the GDPR has made its mark on business relations around the globe. EU regulators set out to create a standard for data privacy regulation, which they accomplished not only for the EU, but also for the world. The GDPR requires countries seeking seamless cross-border data transfers to have their own privacy regulations that meet the GDPR’s strict requirements, which has spurred a worldwide increase in privacy legislation over the last year.

Article 45 of the GDPR states, “A controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards.”  Therefore, before an organization may transfer EU data subjects’ information to a country outside of the EU, this country’s privacy standards must be approved by the European Commission or binding corporate rules (BCRs) must be set up. BCRs are established between the organization and either the European Commission or an EU DPA. This post looks at the GDPR’s requirements for adequacy agreements, the steps countries must take to receive one, and what has become many organizations’ “Plan B”: binding corporate rules.


Understanding Adequacy Agreements

To continue business relations with the EU under the GDPR, many non-EU countries have sought adequacy agreements over the past few months. Adequacy agreements greatly minimize the regulatory burden on organizations that need to transfer data internationally in order to conduct business. In order to be granted an adequacy agreement, these countries must pass their own privacy regulations that sufficiently match the requirements of the GDPR. Currently, the European Commission has recognized 11 countries or territories, including Argentina, Israel, New Zealand, and Japan, as providing adequate data protection.

How Are Adequacy Decisions Made?

To obtain an adequacy decision, a country must first evaluate whether its data protection framework meets the requirements established in Article 45 of the GDPR. There are two main factors the European Commission uses to determine whether a country has established an adequate level of protection:

  1. Level of Human Security: The Commission examines how similar another country’s regulation is to their own when it comes to its rule of law, human rights law, and the implementation of privacy and security regulations. This is the reason many countries have recently published data privacy regulations that mimic the GDPR when it comes to data subjects requests, data breach notification, and DPO roles (see Brazil, Israel, and South Korea). The EU is open about the fact that it views the GDPR as the data protection “gold standard,” and that their expectation is for others to rise to their level.
  1. Establishment of an Independent Supervising Authority: The Commission also considers whether the country has a supervising authority and this authority’s success in implementing and regulating data privacy laws within the country (resembling Data Protection Authorities in the EU). To assess this, the Commission analyzes the country’s monetary fines for violations of data protection standards. This is why independent federal supervising authorities are becoming a global trend alongside increased global privacy regulation.

After the Commission has determined that a country meets its adequacy standards, it will add that country to its “whitelist,” allowing for the unfettered cross-border transfer of data. Once this relationship has been established, the Commission has the authority to carry out a periodic review of the country’s adequacy agreement every four years, or simply whenever it deems necessary.

Plan B: Binding Corporate Rules

Binding corporate rules (BCRs) are a set of rules for data transfers established between multinational companies and EU governments. Under BCRs, an organization may transfer EU personal data abroad to their facilities outside the EU. Organizations have the ability to construct their own BCRs as long as these rules align with the European Data Protection Board’s (EDPB) standards for data protection.   

How to Receive BCR Authorization

  1. Select an EU DPA to be the lead authority (dependent upon the location of your organization within the EU). The lead DPA circulates your methodologies among other DPAs to ensure agreement among the supervisory authorities.
  2. Receive and address any comments or concerns from the DPAs.
  3. Apply and await approval.

BCRs significantly aid organizations with facilities in countries who do not have an adequacy agreement with the EU. Currently, there are more than 100 large companies with established BCRs – 75% of which are U.S.-based organizations. BCRs are considered the best option for organizations that are GDPR-compliant but are not established within an EU-whitelisted country.


Data is the new gold for businesses, and adequacy agreements allow countries to trade this treasured technological resource. The number of countries seeking an adequacy agreement will continue to increase, with these countries issuing their own variations on the EU’s GDPR. For organizations in countries without an adequacy agreement, building privacy and security programs that align with the GDPR and taking the necessary steps to establish a BCR agreement should be a priority.


Stay On Top of Global Privacy Trends

Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.