However, the key takeaway is that companies based in countries that do not have national privacy laws considered to be on par with the EU (including the US) must still expect a very rigorous assessment and adequacy decision from a Data Protection Authority (DPA) and cannot anticipate passing it based solely on implementation of these new EDPB guidelines. 1