No. 99: Key Legal Issues of the EU’s New U.S. Data Protection Adequacy Decision


Publish Date:
February 4, 2023
Publication Title:
TTLF Working Papers
Stanford Law School
Working Paper
  • Mikolaj Barczentewicz, Key Legal Issues of the EU’s New U.S. Data Protection Adequacy Decision, TTLF Working Papers No. 99, Stanford-Vienna Transatlantic Technology Law Forum (2023).
Related Organization(s):


Since the Schrems II decision of the EU Court of Justice (CJEU), lawfulness of transfers of personal data from the EU to the U.S. has been in a precarious position. Aiming to address this situation, the U.S. adopted a new data protection framework for its intelligence collection activities. The European Commission responded by preparing a draft “Adequacy Decision” for the U.S. under Article 45(3) of the General Data Protection Regulation (GDPR). The purpose of this paper is to present and discuss the key legal issues of the European Commission’s draft Adequacy Decision, which are likely to be the subject of litigation, if the Commission adopts the Decision. I begin, in Section 2, by problematizing the issue of the applicable legal standard of an “adequate level of protection” of personal data in a third country, noting that this issue remains largely open for the CJEU to address. This makes it more difficult to assess the chances of the draft Adequacy Decision before the Court and suggests that the conclusive tone adopted by some commentators is premature. I then turn, in Section 3, to the question of proportionality in relation to bulk data collection by the U.S. government. I consider the question whether the objectives for which U.S. intelligence agencies collect personal data may constitute “legitimate objectives” under EU law. Secondly, I discuss whether bulk collection of personal data may be done in a way that does not jeopardize adequacy under the GDPR. Section 4 is devoted to the problem of effective redress, which was the key issue that the Court relied on in making its Schrems II decision. I note some confusion among the commentators about the precise role of Article 47 of the EU Charter of Fundamental Rights for a third-country adequacy assessment under the GDPR. I then outline the disagreement between the Commission and some of the commentators on the question whether the new U.S. data protection framework provides redress through an independent and impartial tribunal with binding powers. Finally, I discuss the issue of access to information about data processing by U.S. intelligence agencies.