US Data Transfers



The GDPR places high legal requirements on data transfers to so-called Third Countries, i.e., countries outside the EU and the European Economic Area (EEA). In recent years, transfers of data to the US in particular have been a highly debated topic. With Californian tech trailblazers, New York City’s entrepreneurial spirit, and a large number of global corporations, the USA offers unparalleled economic and technological opportunities. Thus, data transfers to the USA are often a necessity for companies of all sizes. Since summer 2023, the new adequacy decision of the EU Commission promises to make these transfers easier and more secure.

But caution is advised! Even after the introduction of the EU-US Data Privacy Framework, numerous pitfalls lurk. For example, US companies must be certified under the adequacy decision in order to receive EU data. If this is not the case, other solutions should be considered, such as Standard Contractual Clauses (SCCs). Additionally, the current adequacy decision rests on shaky foundations. A large number of issues raised by the ECJ in its Schrems decisions have not yet been resolved. Furthermore, if you are planning to expand your activities to the US, you may have to comply with regulations that may deviate, sometimes significantly, from GDPR standards.

Our data protection team can draw on the expertise of our California-licensed colleague Julian Schneider, LL.M. (University of California College of the Law, San Francisco) to offer you the following services, among others, bilingually in German and English for all US-related activities:


  • Consulting on certifications and transfer mechanisms
  • Preparation of international compliance concepts
  • Support with standard contractual clauses
  • Consulting on technical and organizational measures (TOMs)
  • Preparation of transfer impact assessments


  • Advice on California data protection law (CCPA/CPRA)
  • Advice on federal data protection law
  • Representation towards US authorities such as the FTC
  • Assistance with data breach concepts
  • Drafting of privacy notices