European Union
A company transferred my data to the US without adequate safeguards. Is this legal?
No. It is generally illegal for a company in the EU to transfer your personal data to the US unless the transfer is covered by an adequacy decision, appropriate safeguards (e.g., SCCs), or a valid derogation.
What the Law Says
The General Data Protection Regulation (GDPR) strictly regulates international transfers of personal data from the EU to third countries like the United States.
Under GDPR Article 44, any transfer of personal data to a third country or international organisation is prohibited unless it meets one of the conditions set out in Chapter V. This includes ensuring an 'adequate level of protection' for individuals’ rights.
The European Commission may issue an 'adequacy decision' if it finds that a third country provides essentially equivalent protection to that guaranteed in the EU. As of 2024, the EU–US Data Privacy Framework (DPF) has been adopted as an adequacy decision — but only for certified US organisations.
If no adequacy decision applies, transfers may still occur using 'appropriate safeguards', such as Standard Contractual Clauses (SCCs) under GDPR Article 46, provided they are supplemented by case-specific assessments and additional measures where necessary.
GDPR Article 49 allows limited derogations (e.g., explicit consent or necessity for contract performance), but these cannot be relied on for repetitive, large-scale transfers.
Statutory Text
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if… the conditions laid down in this Chapter are complied with.
— Regulation (EU) 2016/679, Art. 44 — General principle for transfers
Statutory Text
The Commission may decide… that a third country… ensures an adequate level of protection.
— Regulation (EU) 2016/679, Art. 45(1) — Transfers on the basis of an adequacy decision
Statutory Text
In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country… only if the controller or processor has provided appropriate safeguards…
— Regulation (EU) 2016/679, Art. 46(1) — Transfers subject to appropriate safeguards
What Courts Have Said
The Court of Justice of the European Union (CJEU) has repeatedly affirmed strict requirements for EU–US data transfers.
The CJEU invalidated the EU–US Privacy Shield, finding US surveillance laws (e.g., FISA 702) do not offer essentially equivalent protection to EU fundamental rights, and required exporters to assess whether SCCs can be effectively enforced in the recipient country.
What to Do
Check if the US recipient is certified under the EU–US Data Privacy Framework (DPF) at https://www.dataprivacyframework.gov/
Ask the company for documentation of their transfer mechanism (e.g., SCCs, DPF certification, or derogation used)
File a complaint with your national Data Protection Authority (e.g., CNIL in France, ICO in UK pre-Brexit, or supervisory authority in your Member State)
Request erasure or restriction of processing if the transfer was unlawful (GDPR Articles 17 & 18)
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.