EU-US Data Transfers: Adequacy Decision Confirmed

Carla Murray's profile picture

Carla Murray - Partner

4 minutes reading time

The European Commission (the EC) has adopted an adequacy decision on the EU-US Data Privacy Framework. 

The EU-US Data Privacy Framework is the legal mechanism that will now enable the otherwise restricted transfers of personal data from the EU to the US, replacing the defunct predecessor, the EU-US Privacy Shield. 

Contact Our Commercial Solicitors


What is the EU-US data privacy framework, and why is it needed?

Previously, data was shared between the EU and the US under the EU-US Privacy Shield.

However, the landmark ruling achieved by data activist Maximillian Schrems rendered the mechanism defunct in 2020, rendering the transfers of personal data from the EU to the US restricted (and therefore prohibited) unless alternative measures were implemented (see below).

Further information on the Schrems case can be found in our article.

Under the EU GDPR, transfers of EU citizen’s personal data out of the EU are restricted unless:

  • An adequacy decision has been made by the EC for the country or organisation receiving the personal data. An adequacy decision is a decision made by the EC that the country or organisation ensures a level of protection to personal data equivalent to that afforded under the EU GDPR; or
  • Appropriate safeguards are implemented between the sender and the recipient to ensure that the personal data is afforded a commensurate level of protection as is afforded by the EU GDPR. Appropriate safeguards primarily take the form of standard contractual clauses (SCCs) or binding corporate rules (BCRs) and are effectively contractual terms between two entities committing to the protection of personal data; or
  • An exemption applies. The EU-US Privacy Framework, therefore, allows personal data to flow freely from the EU to US companies certified under the EU-US Privacy Framework without the need to put appropriate safeguards in place or rely on an exemption. 

Therefore, US organisations can apply to the US Department of Commerce for certification, and once certified, EU organisations can allow the transfer of personal data to flow freely. 

Get In Touch With Myerson Solicitors

What is the EU US data privacy framework and why is it needed

What about data transfers between the UK and the US?

The UK has not yet adopted an adequacy decision for the US. 

Until such time, transfers of personal data between the UK and the US remain restricted; therefore, measures approved per the UK GDPR should be put into place.

Further information on how to transfer personal data outside of the UK can be found in our article.

Speak With Our Commercial Lawyers

What about data transfers between the UK and the US

Contact Our Commercial Solicitors

Myerson's Commercial and IT / Technology team have extensive knowledge relating to data protection law. Please contact our lawyers if you need advice concerning EU-US data transfers on:


Carla Murray's profile picture

Carla Murray


Carla has over 18 years of experience acting as a Commercial solicitor. Carla is the Head of Myerson’s Technology Sector. She has handled various matters relating to commercial agreements, technology contracts, and data protection.

About Carla Murray >