The Norwegian Data Protection Authority is currently receiving a number of questions about the rules for transfers of personal data to the US. In this article we attempt to answer some of them.

1. What rules apply to the transfer of personal data to the United States, and what is an adequacy decision?

In principle, it is not permitted to send personal data outside the EEA, but there are a number of exceptions. For example, you can transfer personal data to countries, territories and sectors that the European Commission has “approved” through a so-called adequacy decision .

There is an adequacy decision for the United States that states that you can transfer personal data to US entities listed on this list: Data Privacy Framework List (dataprivacyframework.gov) .

You can read more about the adequacy decision in a previous article on our website . It also explains what the rules say about transferring personal data to US entities that are not on the list. 

Although the transfer rules do not set specific limits, you must of course always follow the other rules in the General Data Protection Regulation ( GDPR ).

2. Several members of the Privacy and Civil Liberties Oversight Board (PCLOB) have been removed. What is the PCLOB, and what does this development mean for the adequacy decision for the United States?

When the European Commission adopts an adequacy decision, they look at many different factors to ensure that personal data will be processed similarly in the country in question as in the EEA.

In the adequacy decision for the US, the European Commission highlights the PCLOB (pclob.gov) . The PCLOB monitors US intelligence agencies to ensure that individuals’ rights are not violated. This is an important element in ensuring that personal data transferred to the US is processed in a satisfactory manner.

The US President has recently removed several of the PCLOB board members, and as a result, only one board member remains at the time of this article’s publication. This means that the PCLOB is currently unable to form a quorum.

The Danish Data Protection Agency understands that the intention is to appoint new board members to the PCLOB. Furthermore, we also understand that the PCLOB can perform some of its tasks in the meantime even if the body is not fully constituted. Therefore, a replacement of board members does not necessarily have to be a problem. This only becomes a challenge if it takes a very long time to get new board members in place.

The adequacy decision for the United States still applies.

Otherwise, the US laws that are supposed to protect our personal data in the US still apply.

3. What if there are other changes in the US?

The European Commission decides whether a country should receive an adequacy decision. The European Commission also monitors changes in laws or practices in countries that already have an adequacy decision and assesses whether the changes mean that our personal data is no longer sufficiently protected. If the level of protection for personal data is no longer sufficient, the European Commission may withdraw adequacy decisions.

An adequacy decision remains in force until it is revoked by the European Commission or the Court of Justice of the European Union.

This means that any changes in the US will not automatically result in the lapse of the adequacy decision. However, the European Commission will monitor such changes and assess them thoroughly.

An adequacy decision is also binding on the data protection authorities. The Data Protection Authority cannot overturn an adequacy decision or prohibit transfers that occur pursuant to an adequacy decision.

4. What should your business think about?

Although we currently have rules that make it easy to transfer personal data to the US, we expect that these rules will sooner or later be challenged in the European Court of Justice. The situation in the US has also contributed to uncertainty. It is important to be aware of this when purchasing US services.

The most important advice for your business is to have an exit strategy for what you will do if you can no longer transfer personal data to the US in the same way as today. Also note that the use of US cloud services on European soil could be negatively affected if the adequacy decision is lifted. Read our guidance on this . 

If an adequacy decision is revoked, there will most likely not be a transition period. In that case, we will provide more information.

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2025/informasjon-om-overforinger-til-usa