We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award-winning law firm.


Visit our debt recovery website

The EU announced on 10 July 2023, that the personal data protections in the US are considered adequate and comparable to those in the EU, subject to certain conditions.

Data adequacy explained

Adequacy refers to countries, territories, sectors, or international organisations that provide a level of protection to personal data that is essentially equivalent to the safeguards offered by the EU.

When a state has an adequacy decision, personal data can be freely transferred to and from that location and the EU without the need for additional safeguards, such as adopting EU Contractual Clauses (SCCs), the Addendum to the SCCs, and Data Transfer Impact Assessments.

For more detailed information on data adequacy and additional safeguards, please refer to our article titled  “The new international data transfer laws.

Implications for EU-based businesses

With this new adequacy decision, EU-based businesses will be able to transfer personal data to the US without restrictions, provided that the recipient company is a member of the Data Privacy Framework (DPF). Companies are enrolled in the DPF if they commit to and comply with specific privacy obligations. However, certain entities such as banks, insurers, and telecommunications companies cannot join the DPF, necessitating the use of additional safeguards.

This decision marks a significant development in data sharing between the EU and the US, which has faced challenges since the abolition of the Data Privacy Shield. Recently, Ireland’s Data Protection Commission imposed a €1.2b fine on Meta for transferring Facebook users’ data to the US. More information on this can be found in our article titled “Meta given €1.2b fine for breach of the GDPR.”

Effective date & potential challenges

The adequacy decision is already in effect, enabling EU companies to transfer personal data to DPF-registered and certified US companies. However, Austrian activist Max Schrems is expected to challenge the decision.

Schrems previously brought the Schrems II case before the Court of Justice of the European Union, leading to increased protections for data transfers to countries without adequacy decisions. He argues that the DPF does not offer significantly different or enhanced protections compared to the previous Privacy Shield. Schrems specifically highlights concerns about US surveillance powers over non-US nationals under section 702 of the US Foreign Intelligence Surveillance Act.

Will the UK follow suit?

Currently, UK businesses cannot rely on this adequacy decision. However, as mentioned in our article titled “UPDATE: The UK & US commit to the free flow of personal data between the two countries | Flint Bishop,” the UK is likely to establish an agreement in the near future to facilitate the free flow of data with the US.

Please note that this information is for general guidance only and should not substitute professional legal advice. If you have specific concerns, we recommend consulting with one of our legal experts.


Scroll to next section

Scroll back to the top