New EU-US Data Transfer Agreement—Are US Vendors GDPR compliant again?

On December 13, 2022, the European Commission published a draft adequacy decision for the EU-US Data Privacy Framework, formally launching the process to adopt it.

Why The Old Privacy Shield Was Invalidated

An adequacy decision (as we previously wrote about) is a formal decision by the European Commission recognizing that a non-EU country, territory, sector, or international organization provides a level of personal data protection essentially equivalent to that of the EU.

Japan, Israel, the UK and several other jurisdictions already have adequacy decisions, which means personal data can flow from the EU to those countries without additional transfer safeguards. But what about the US?

Previously, transfers relied on the EU-US Privacy Shield, which the Court of Justice of the European Union (CJEU), the EU's highest court, invalidated in July 2020 in its Schrems II decision. The CJEU found that US domestic law, and in particular the access to and use of personal data transferred from the EU by US public authorities, limited the protection of that data in ways that were not essentially equivalent to EU law.

The broad access of US intelligence services to bulk data on Europeans was first revealed by Edward Snowden in 2013, and it was one of the key reasons the Privacy Shield was struck down. The CJEU also found that US law at the time gave EU data subjects no effective way to challenge such access before a court or an equivalent independent body, while effective legal redress is a core EU principle.

Since the Schrems II decision, companies that had relied on the Privacy Shield have had to use alternative transfer mechanisms, such as standard contractual clauses, to comply with the EU GDPR.

That is why the European Commission and the US administration have hurried to create a new legal framework that removes the legal uncertainty for the thousands of companies (AWS, Google, Microsoft, Facebook, LinkedIn, Adobe, and essentially every other large and small tech company) operating in a transatlantic trade relationship worth well over a trillion dollars.

Since there are few viable EU alternatives to these services, nearly every company has been struggling with the legal uncertainty of data transfers and asking questions like: "Is it legal to transfer customer data to the US, or even to a US provider's data center in Amsterdam?" or "Can the FBI, CIA, or NSA access our customer data?"

Adequacy Decision Update As Of December 2022/January 2023:

The Commission's draft decision finds that the new legal framework, based on a US Executive Order, offers protection comparable to EU data protection standards. Once the decision is formally adopted, personal data of EU residents could be transferred to the other side of the Atlantic under the framework without additional transfer safeguards. Until then, a draft decision has no legal effect and existing transfer mechanisms remain necessary.

President Joe Biden signed this Executive Order (EO 14086) on October 7, 2022; it implements the US commitments under the Trans-Atlantic Data Privacy Framework. The new rules provide that:

  • Access to European data by US intelligence agencies is limited to what is necessary and proportionate to protect national security; and
  • Individuals in the EU can seek redress for the collection and use of their data by US intelligence agencies through an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.

If interested, you can read the full draft decision HERE, or the Q&A for a more concise summary.

Publishing the draft decision is only the first formal step in declaring that a foreign jurisdiction has an adequate level of data protection. The next step is for the European Data Protection Board (EDPB), which gathers all EU data protection authorities, to issue its opinion.

And that is not all: after the European Data Protection Board issues its opinion, the decision needs the approval of a committee of member state representatives before the Commission can formally adopt it. The Commission hopes to achieve formal adoption by summer 2023.

In the meantime, the European Parliament and the Council can also object if they consider that the Commission has exceeded its powers, so it will be interesting to see how this process plays out.

Lastly, once adopted, the adequacy decision will be periodically reviewed to ensure that the relevant elements of the US legal framework have been fully implemented and are functioning effectively. The first review is planned for one year after adoption.

Should the new framework be challenged and struck down in court, as its two predecessors were, companies will be wise to have a fallback in the form of standard contractual clauses (SCCs). Many US vendors already offer these as part of a standardized data processing agreement, and SCCs remain a valid transfer mechanism. Note, however, that since Schrems II, relying on SCCs also requires a transfer impact assessment of the destination country's law and, where needed, supplementary measures such as encryption with keys held in the EU. And if you really want to get miles ahead of your competitors in terms of privacy and vendor reviews, we encourage you to try our new platform, Ubiscore: you can quickly see which privacy controls and evidence, such as signed SCCs, each vendor offers.

We gather publicly available data on thousands of US vendors and provide objective privacy KPIs on how well each vendor fits your organization. Our platform also lets you see the privacy and security controls and certifications for every tool your company uses, all with the click of a button.

To learn more and get a free Ubiscore today, just sign up for our platform at the link below.  

Thank you for reading and here’s to better privacy protection. We look forward to sharing more content about how to better secure customer data, and how a solid privacy strategy can fuel your company’s growth! 

We’ll also provide further updates about the adequacy decision process as developments emerge.

If you're curious how your organization stacks up against industry benchmarks for privacy, CLICK HERE to test your company's privacy practices and receive your instant privacy score.