Is the US an Adequate Country Under GDPR?

Yes, the United States is now considered an adequate country under the General Data Protection Regulation (GDPR) following the European Commission's adoption of an adequacy decision for the EU-U.S. Data Privacy Framework. This decision recognises that the U.S. provides an adequate level of protection for personal data transferred from the EU to U.S. companies, comparable to the standards within the EU.

The framework includes several key improvements over the previous Privacy Shield arrangement, particularly in addressing concerns about U.S. government access to EU citizens' data. These improvements include stricter limitations on data access by U.S. intelligence agencies and the establishment of a Data Protection Review Court (DPRC), which provides EU individuals with an independent mechanism to address complaints about data misuse.

U.S. companies can join this new framework by committing to meet specific privacy obligations, such as deleting unnecessary data and ensuring protection when data is shared with third parties. Additionally, the legal safeguards established by the U.S. ensure that data access by U.S. authorities for national security and law enforcement purposes is limited to what is necessary and proportionate.

The framework will be periodically reviewed to ensure its continued effectiveness in safeguarding data protection for EU citizens.
