On 10 July the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the United States that participate in the Data Privacy Framework.

The adequacy decision followed the adoption of Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ by US President Biden on 7 October and a Regulation issued by the US Attorney General. These instruments introduced new binding safeguards to address the points raised by Court of Justice of the European Union in its Schrems II decision of July 2020, ensuring that data can be accessed by U.S. intelligence agencies only to the extent necessary and proportionate and establishing an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.

The safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanims used. These safeguards therefore also faciliate the use of other tools, such as standard contractual clauses and binding corporate rules.