Takeaways
- Increased federal deregulation and related actions are further destabilizing the already tenuous foundation of the Data Privacy Framework (DPF). European privacy regulators have been issuing guidance indicating that they expect a European pull-back from the DPF.
- Businesses that rely on the DPF should maintain their certification, but should move now to prepare to activate alternative data transfer mechanisms, such as the standard contractual clauses, and update lapsed transfer and data privacy impact assessments.
- Review current cloud-storage arrangements and consider regionalizing European data storage to avoid EU-to-U.S. data transfers, especially if your cloud provider is relying on DPF certification to legitimize GDPR data transfers.
After years of litigation, false starts, and invalidated frameworks, the U.S. had finally achieved a simplified path for GDPR-compliant transfers of personal data from Europe. However, European reaction to the recent changes on the U.S. side of the pond indicates wavering support for the EU-U.S. Data Privacy Framework (DPF) and threatens to send the U.S. back into the data transfer dark ages.
Overview
In July 2023, the European Commission adopted its adequacy decision allowing for easier personal data transfers between the European Union and the United States, with the U.K. Government and Swiss Federal Administration quickly following suit. To participate, U.S. companies must be properly certified and comply with the DPF's principles.
Maintaining certification under the DPF is not easy, but the DPF gave disclosing European-based companies something akin to a safe harbor that prevented local regulators from peeking over their shoulders and nit-picking transfer impact assessments, while the receiving U.S.-based companies wouldn't have the specter of being dragged into European courts to address data privacy complaints. DPF is a collective "win-win," and more than 2,800 U.S. companies currently participate in the DPF.
But the DPF's foundation was built upon the legal equivalent of sand: the executive order. Executive Order 14086 on "Enhancing Safeguards for United States Signals Intelligence Activities" established additional oversight on intelligence data collection and a mechanism to allow EU data subjects to seek redress in the U.S., both key sticking points in the CJEU's striking down of the previous data transfer frameworks. However, even at the time, many European watchdogs and privacy advocates said the U.S.'s efforts to resolve its data protection issues were a paper tiger and that a challenge was inevitable and invalidation likely.
While the current second Trump Administration has not revoked E.O. 14086 outright, U.S. President Trump removed three of the five members of the U.S. Privacy & Civil Liberties Oversight Board (the "Board"). The European Commission's 2023 DPF adequacy decision placed special importance on the role of the Board in ensuring that U.S. intelligence practices lived up to the DPF's standards. The Board is also responsible for overseeing the newly established Data Protection Review Court, which provides a redress mechanism for European citizens challenging unlawful surveillance in the U.S. The firings halt the Board's work indefinitely since only one member remains. Without a quorum, the Board cannot conduct its oversight of the DPF, including its annual review of the remedies addressing privacy and intelligence complaints.
Further, the new Executive Order 14215, "Ensuring Accountability for All Agencies," requires all federal agencies, including the Federal Trade Commission (FTC), to submit significant regulatory actions for presidential review before publication in the Federal Register. E.O. 14215 calls sharply into question whether the FTC will be sufficiently independent to enforce the DPF in accordance with GDPR Article 45(2)(b).
There have been no official actions or changes yet. However, data points are signaling a shift against the ongoing viability of the DPF:
- Initial reaction from Europe was cautious, with European Commissioner Michael McGrath committing to fully enforcing and implementing the Data Privacy Framework.[1] However, McGrath's comments came before the escalating trade war between the U.S. and Europe and the general souring of Europe's cooperative attitude toward the U.S.
- In April 2024, FISA Section 702, a major complaint of European privacy regulators, was reauthorized with an expanded scope for an additional two years.[2]
- In late 2024, the European Data Protection Board adopted a report that highlighted issues with the EU-U.S. Privacy Framework and called on the European Commission to reevaluate the DPF adequacy decision within the next three years.[3]
- Privacy advocate Max Schrems, chief architect of the efforts that invalidated the previous two U.S. data transfer frameworks, has publicly stated that he believes the second Trump Administration's actions themselves could invalidate the DPF, making a formal legal challenge unnecessary.[4]
- In February 2025, Norway's Data Protection Authority (Datatilsynet) advised European businesses to implement "exit strategy[ies]" in light of an inevitable challenge to the DPF.[5] Denmark's Ministry for Resilience and Preparedness[6] and Germany's Federal Ministry of the Interior[7] have issued similar warnings.
- A group of technology lobbyists has formally petitioned the European Commission to take action to reduce the EU's reliance on U.S. digital services and infrastructure "in light of the stark geopolitical reality Europe is now facing."[8]
- The Swedish Data Protection Authority has publicly disclosed concerns about the reliability of the DPF adequacy decision in light of the dismantling of the U.S. Privacy & Civil Liberties Oversight Board.[9]
- The Belgian Data Protection Authority has recently held that data transfers under the U.S. Foreign Account Tax Compliance Act breach EU privacy rights due to the IRS's use of tax data for immigration purposes.[10]
Footnotes
1. Center for Strategic & International Studies, The Future of Transatlantic Digital Collaboration with EU Commissioner Michael McGrath (transcript), March 13, 2025, available at https://www.csis.org/analysis/future-transatlantic-digital-collaboration-eu-commissioner-michael-mcgrath.
2. Lawfare, FISA Section 702 Reauthorized for Two Years, Preston Marquis, April 30, 2024, available at https://www.lawfaremedia.org/article/fisa-section-702-reauthorized-for-two-years.
3. EDPB, EDPB adopts its first report under the EU-U.S. Data Privacy Framework and a statement on the recommendations on access to data for law enforcement, November 5, 2024, available at https://www.edpb.europa.eu/news/news/2024/edpb-adopts-its-first-report-under-eu-us-data-privacy-framework-and-statement_en.
4. TeachPrivacy, GDPR Enforcement, Trump 2.0, and Max Schrems Blog (webinar), March 25, 2025, available at https://teachprivacy.com/webinar-gdpr-enforcement-trump-2-0-and-max-schrems-blog/.
5. Datatilsynet, Information about transfers to the United States, February 26, 2025, available in Norwegian at https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2025/informasjon-om-overforinger-til-usa/.
6. DR, Minister urges: We must be ready for the Americans to pull the data plug, August Olaf Jersild, April 14, 2025, available in Danish at https://www.dr.dk/nyheder/indland/minister-med-opfordring-man-skal-vaere-klar-til-amerikanerne-traekker-datastikket.
7. Handelsblatt, Faeser insists on compliance with US promises on espionage protection, Dietmar Neuerer, April 16, 2025, available in German at https://www.handelsblatt.com/politik/deutschland/datentransfer-faeser-pocht-auf-einhaltung-von-us-zusagen-zu-spionageschutz/100120631.html.
8. The Register, Euro techies call for sovereign fund to escape Uncle Sam's digital death grip, Dan Robinson, March 17, 2025, available at https://www.theregister.com/2025/03/17/european_tech_sovereign_fund/.
9. Swedish Authority for Privacy Protection (IMY), March 5, 2025, available here.
10. TaxNotes, Belgian Decision on FATCA Sparks Fear of New Tax Clash With U.S., Elodie Lamer, Apr. 28, 2025, available at https://www.taxnotes.com/featured-news/belgian-decision-fatca-sparks-fear-new-tax-clash-u.s/2025/04/25/7s3ym; Autorité de protection des données, DOS-2021-00068, April 25, 2025, available in French at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n0-79-2025.pdf.