On April 21, 2026, Representative Joyce of Pennsylvania introduced the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (the “SECURE Data Act”) in the House Energy and Commerce Committee.[1] If enacted, it would be the most significant federal consumer privacy statute in U.S. history. It would not, however, move the United States materially closer to a general EU adequacy decision.
Since email service providers (ESPs) process EU personal data constantly, both as processors handling their clients’ subscriber files and as controllers of their own operational data, adequacy matters to them directly. The current vehicle for that processing is the EU-U.S. Data Privacy Framework (DPF), adopted by the European Commission in July 2023. It is an organization-specific adequacy decision: self-certified U.S. companies may receive EU personal data without additional transfer safeguards.[2] The DPF rests on a determination that the U.S. provides essentially equivalent data protection to that of the EU. It survived a court challenge in 2025.[3] But if that determination collapses, as the two prior frameworks did in 2015 and 2020, every EU-to-U.S. transfer reverts to Standard Contractual Clauses or Binding Corporate Rules. Understanding why the SECURE Data Act improves the commercial picture without solving the underlying problem requires a short trip through how the adequacy process actually works.
An EU Adequacy Decision Is Not a Bilateral Agreement
The process is worth knowing. Under Article 45 of the GDPR,[4] the European Commission alone has the authority to determine that a third country provides an adequate level of protection for personal data. “Adequate” means “essentially equivalent” to EU protections, the standard the Court of Justice first articulated in Schrems I.[5] The Commission must assess the third country’s legal order as a whole: its commercial privacy law, its rule of law, its human rights protections, and, critically, the conditions under which public authorities can access personal data.
The process starts when the European Commission sends a proposal to the European Data Protection Board (EDPB), which issues a non-binding opinion. The Commission’s draft decision then goes through comitology: a committee of national representatives from each EU member state votes on the measure before the Commission adopts it. Comitology is not a rubber stamp. It is a political process that reflects the views of the member states sitting on the committee.[6] Any EU country whose relationship with the United States is strained still has a seat at that table and the same yes-or-no vote as everyone else. Only after a positive vote can the Commission adopt the decision.
This process means adequacy has never been purely a legal question. It is a legal question answered through a political process, and that is always set against the backdrop of a geopolitical relationship.
The Act Closes Some Real Gaps on the Commercial Side
On the commercial side of the adequacy ledger, the Act is genuinely significant. Several of its provisions address specific gaps identified by the EDPB in Opinion 5/2023.[7]
The Act’s general applicability is its most structurally important feature. Every prior EU-U.S. transfer framework (Safe Harbor, Privacy Shield, the DPF) attached protections only to self-certified organizations. The Act would impose substantive obligations on all data controllers over certain thresholds within the United States. The EDPB flagged voluntary coverage as a structural weakness in every iteration of its opinions on U.S. transfer frameworks. The SECURE Data Act addresses that issue.
The rights catalog maps reasonably onto Articles 15 through 21 GDPR: access, correction, deletion, portability, and opt-outs from targeted advertising and profiling. The Act adds data minimization and purpose limitation obligations, provisions that were notably absent from prior U.S. frameworks and that the EDPB specifically criticized. Processor contracting requirements at Section 6 track Article 28 GDPR closely enough to close a gap the EDPB has flagged for years.
Taken together, this bill represents a meaningful convergence between U.S. commercial privacy law and the GDPR’s framework.
Expect the EDPB to Name the Gaps That Remain
But the SECURE Data Act is incomplete in ways the EDPB would be expected to note. The Act’s sensitive data category omits political opinions, philosophical beliefs, and trade union membership, all categories GDPR Article 9 treats as requiring heightened protection.[8] The HIPAA exemption at Section 13(b)(13) effectively removes most U.S. health data from the Act’s scope. The automated decision-making provisions apply only to decisions made with no human involvement whatsoever, a definition easily defeated by nominal human review, and cover only an exhaustive list of three categories: denials of healthcare, housing, and employment.[9] GDPR Article 22 applies to credit, insurance, education, and most platform decisions that similarly significantly affect individuals.
Enforcement goes to the FTC and state attorneys general, with a 45-day cure period before public enforcement begins. The GDPR’s enforcement architecture rests on independent supervisory authorities and immediate individual rights of judicial remedy. The FTC is a competent enforcement agency. It is not structurally independent in the GDPR sense, and a cure period has no analog in GDPR enforcement.
FISA Section 702 Is the Wall
The SECURE Data Act does not touch FISA. It does not touch Executive Order 12333.[10] It does not touch Executive Order 14086.[11] It contains no provisions addressing U.S. signals intelligence access to the personal data of non-U.S. persons.
That is the issue Schrems II[12] turned on. In 2020, the Court of Justice held that Privacy Shield failed because U.S. surveillance law, as applied to EU data subjects, did not satisfy the EU principles of necessity and proportionality and did not provide effective judicial redress.[13] Executive Order 14086 was the executive-branch response. It created the Data Protection Review Court as a redress mechanism and imposed necessity-and-proportionality constraints on signals intelligence collection. The DPF’s adequacy decision rested heavily on EO 14086 and on the oversight role of the Privacy and Civil Liberties Oversight Board (PCLOB).[14]
Section 702 of FISA authorizes the government to conduct surveillance of non-U.S. persons abroad by collecting foreign intelligence information from domestic electronic communications systems, without individualized court warrants. It was last reauthorized in April 2024 for a two-year term.[15] As of this writing, it is operating under a 10-day clean extension passed April 17, while Congress continues reform negotiations ahead of the April 20 sunset.[16] The terms of any reauthorization are sure to be closely watched in Brussels: whether it includes warrant requirements for U.S.-person queries, whether it addresses the data broker loophole, and whether it limits the expanded electronic communication service provider (ECSP) definition introduced by the Reforming Intelligence and Securing America Act (RISAA). The EDPB’s first review report on the DPF, issued in November 2024, expressly identified the practical functioning of EO 14086’s safeguards as a continuing concern.[17]
A federal commercial privacy statute, however well-drafted, does not move that needle.
The Political Environment Makes General Adequacy Harder
There is a third problem, and it is more subtle.
The DPF’s adequacy determination rests not only on commercial privacy law but also on the oversight architecture established by President Biden’s executive order. The day after his second inauguration, President Trump requested the resignation of the Democratic PCLOB members and then fired them when they refused.[18] If the PCLOB becomes non-functional, losing the quorum necessary to conduct oversight, the legal foundation the Commission relied on when it adopted the DPF adequacy decision is materially weakened.[19] The EU General Court, in dismissing the Latombe challenge in September 2025, was explicit that its ruling covered only the facts and law as they stood at the time of adoption in July 2023, and that the Commission bears an ongoing monitoring obligation.[20] Those post-2023 developments don’t overturn the past decision, but they could render it vulnerable when the DPF is next reviewed.
Comitology, in this environment, is not a technicality. It requires approval by a committee of national representatives from the EU’s member governments, many of which have strained bilateral relationships with the Trump administration. An adequacy decision for the United States (general commercial adequacy, not the voluntary, organization-specific DPF) would require those governments to collectively conclude that the U.S. legal order, as a whole, provides essentially equivalent protection to EU law. That conclusion has never been reached. The current political environment makes it harder, not easier, to reach.
The Act Is Better, Not Perfect
None of this means the SECURE Data Act is unimportant or not useful. If enacted, it at least modestly improves the U.S. position in future legal challenges. A (hypothetical) Schrems III before the Court of Justice would find a nationwide commercial privacy framework with a rights catalog, processor obligations, and purpose limitation requirements that did not exist when Schrems II was decided. That is a harder legal environment in which to argue total inadequacy on the commercial side.
Binding corporate rules and standard contractual clauses, together with transfer impact assessments, remain the foundation when things are as brittle as they are. That was true before April 21, and the Act doesn’t change it. The variables worth watching are what emerges from the Section 702 reauthorization fight and whether the political environment around the DPF’s next review stabilizes enough to keep the existing framework intact.
This post does not constitute legal advice. Readers with specific questions about EU-to-U.S. data transfer compliance should consult competent legal counsel.
Footnotes
1. Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act), H.R. __, 119th Cong. (2d Sess. 2026) (discussion draft introduced by Rep. Joyce of Pennsylvania, Apr. 21, 2026). ↩︎
2. Commission Implementing Decision of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data under the EU-U.S. Data Privacy Framework, 2023 O.J. (L 231) 118. ↩︎
3. Case T-553/23, Latombe v. European Commission (EU Gen. Ct. Sept. 3, 2025). ↩︎
4. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art. 45, 2016 O.J. (L 119) 1. ↩︎
5. Case C-362/14, Schrems v. Data Prot. Comm’r, ECLI:EU:C:2015:650, ¶ 73 (Oct. 6, 2015) (archived at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62014CJ0362). ↩︎
6. Michal Czerniawski, Shrouded in Secrecy – Does the Comitology Procedure for GDPR Adequacy Decisions Fit Its Purpose?, 18 Masaryk University Journal of Law and Technology 215 (Sep. 2024) (archived at https://journals.muni.cz/mujlt/article/view/37545) (arguing that the EU’s adequacy decision process is political in nature and should be changed). ↩︎
7. European Data Prot. Bd., Opinion 5/2023 on the European Commission Draft Implementing Decision on the Adequate Protection of Personal Data Under the EU-US Data Privacy Framework (Feb. 28, 2023). ↩︎
8. Compare GDPR, supra note 4, art. 9(1), with SECURE Data Act, supra note 1, § 16(30). ↩︎
9. SECURE Data Act, supra note 1, § 16(13); cf. GDPR, supra note 4, art. 22. ↩︎
10. Exec. Order No. 12333, 46 Fed. Reg. 59941 (Dec. 8, 1981) (United States Intelligence Activities). ↩︎
11. Exec. Order No. 14086, 87 Fed. Reg. 62283 (Oct. 7, 2022) (Enhancing Safeguards for U.S. Signals Intelligence Activities). ↩︎
12. Case C-311/18, Data Prot. Comm’r v. Facebook Ireland Ltd. (Schrems II), ECLI:EU:C:2020:559 (July 16, 2020). ↩︎
13. Id. at ¶¶ 178–185. ↩︎
14. European Data Prot. Bd., supra note 7. ↩︎
15. Reforming Intelligence and Securing America Act, Pub. L. No. 118-49, 138 Stat. 863 (2024). ↩︎
16. H.R. 8322, 119th Cong. (2026) (10-day clean extension of FISA Section 702, passed April 17, 2026). ↩︎
17. European Data Prot. Bd., Report on the First Review of the European Commission Implementing Decision on the Adequate Protection of Personal Data Under the EU-US Data Privacy Framework (Nov. 4, 2024). ↩︎
18. Rebecca Beitsch, Trump Fires All Three Democrats on Privacy Oversight Board, The Hill, https://thehill.com/homenews/administration/5109672-trump-fires-all-three-democrats-on-privacy-oversight-board/ (last visited Apr. 27, 2026). ↩︎
19. See Threat to EU-U.S. Data Privacy Framework: Analysis & Recommendations, CMS Law-Now (Jan. 28, 2025), https://cms-lawnow.com/en/ealerts/2025/01/is-the-eu-u.s.-data-privacy-framework-in-danger (noting that a non-functional PCLOB would undermine the legal validity of the DPF in EU courts). ↩︎
20. Latombe, supra note 3, at ¶¶ 22, 58. ↩︎
About the Author
Mickey Chandler is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, and CAN-SPAM and state anti-spam law, gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center. He is a certified CIPP/US professional and a certified CIPM professional.