European Data Protection Board Issues Recommendations to Guide Data Transfers from European Union to the United States

Photo of Rebekah Glickman-Simon

In July 2020, the European Court of Justice invalidated the use of the Privacy Shield framework, which thousands of companies had been using to transfer data between the European Union (EU) and the United States. The Court reasoned that the Privacy Shield did not provide the required level of protection to the transferred data, as the level of protection required for data in the European Economic Area is not diminished merely because that data is transferred outside of the EU.

In November 2020, the European Data Protection Board issued recommendations, including a six-step process, to guide EU data exporters as to how to transmit data to the United States (and other countries outside of the EU) while still complying with the EU protection requirements. To facilitate better international partnerships, it is important for companies in the United States that may receive such data from the EU to understand the extent of these recommendations. 

Step one: Exporters should “know [their] transfers,” including where the transfers go, and that the data are “adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred” to the receiving country.

Step two: Exporters should verify that their transfer tool complies with those tools approved by the General Data Protection Regulation (GDPR).

Step three: Exporters should assess whether anything in the law or practice of the receiving country impinges on the effectiveness of the safeguards used by the transfer tool on which they rely.

Step four: Exporters should identify and adopt supplementary measures necessary to align the level of protection provided to the transferred data with the level required by EU standards.  If there are no suitable supplementary measures available, they “must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data.”

Step five: Exporters should take the formal procedural steps required to adopt any necessary supplementary measures.

Step six: Exporters should, at appropriate intervals, re-evaluate the level of protection provided to the transferred data and monitor whether there have been any developments that may impact the protection.

For more information about Fitch Law Partners LLP‘s international litigation and arbitration practice, please visit our website:


Fitch Law Partners LLP reports news and insights on complex litigation topics. Clients, colleagues and friends may receive The Fitch Briefs by signing up here.