For years now, and especially since the European Union introduced the GDPR and its stringent data privacy requirements, data transfers between Europe and the United States have been a subject of tension between both parties and a logistical concern for international organizations.
With a new administration in the White House and amidst growing discussions of a possible end to the EU-U.S. Data Privacy Framework (DPF), many are concerned about the future of cross-Atlantic data transfers, and what it could entail for companies.
Let’s revisit the context behind this topic, what we anticipate could happen in the coming days and weeks, and what an end to the DPF could mean for you and your organization.
Recent history of data transfer between the European Union and the United States
The recent history of EU-U.S. data transfers can be traced back to 2000 and the Safe Harbor Agreement, which enabled organizations to transfer data between the two regions legally, provided that U.S. companies guaranteed data protection adequate to comply with EU standards.
Privacy activist Max Schrems challenged this agreement, and it was eventually invalidated in 2015 by the Court of Justice of the European Union (CJEU) in the Schrems I case, based on concerns over U.S. government surveillance (see Edward Snowden and his revelations on NSA mass surveillance).
From the ashes of the agreement, the Privacy Shield Framework was born in 2016, including enhanced commitments to privacy protection and additional commitments to limiting surveillance. This was also challenged and struck down in 2020 in the Schrems II case, in which the court ruled that U.S. surveillance programs still did not provide adequate protection.
The current solution in place: The EU-U.S. Data Privacy Framework (DPF)
The Data Privacy Framework (DPF) is an agreement between the United States and the European Union that enables the legal transfer of personal data between these two territories.
Based on an executive order signed by Joe Biden, it introduces oversight mechanisms and redress processes to protect Europeans' data from excessive surveillance and was adopted by both parties on July 10, 2023.
The framework was immediately challenged by Max Schrems and NOYB, who expressed their intention to challenge it as soon as it was announced.
What’s next for the DPF in 2025?
We have reasons to think that the DPF is very likely to be at risk of collapse. In a context where data transfer regulations are becoming a strategic geopolitical tool, the collapse of the DPF could become another lever in the ongoing EU-U.S. trade tensions:
- President Trump has a record of systematically repealing measures put in place by his predecessors.
- The “bureaucratic burden” introduced by Joe Biden with the DPF, including oversight bodies and accountability mechanisms, contradicts the current administration’s broader deregulation agenda.
- The Department of Government Efficiency (DOGE), an entity influenced by Elon Musk’s vision of governance, could easily justify dismantling these protections under the guise of cutting red tape and enhancing national security.
- The DPF is already under legal challenge in Europe with Max Schrems and NOYB.
Max Schrems also appears to believe the DPF is at risk of being repealed, and shared his views in a recent NOYB press release:
I can hardly imagine that a Biden Executive Order that was forced on the US by the EU and that regulates US espionage abroad could survive Trump's 'America First' logic. The problem is, that not just US Big Tech, but especially normal EU businesses all rely on this system of unstable executive orders to argue that using US cloud systems is legal in the EU.
- Max Schrems, privacy lawyer and chairman of noyb (source: noyb)
It’s very likely that the DPF will be struck down under Donald Trump’s administration. What could be the consequences for organizations relying on cross-Atlantic data transfers to maintain their operations?
What would be the consequence of an invalidation of the DPF, and how to prepare?
The potential invalidation of the DPF between the United States and the European Union presents a complex and delicate scenario, with significant consequences on both sides of the Atlantic.
While this issue is often framed as a problem primarily for European businesses, the reality is far more nuanced:
- European companies would face immediate regulatory uncertainty, as GDPR-compliant data transfers to the U.S. will once again become legally questionable. To limit exposure, they will be required to reassess their technological infrastructures, consider alternative hosting solutions, and potentially move to server-side solutions or localized data storage.
We saw a glimpse of this after the Privacy Shield’s collapse, when several European businesses faced regulatory scrutiny for using services like Google Analytics due to non-compliant data transfers. The repercussions could be even broader this time, affecting not only marketing tools but entire operational and cloud-based infrastructures.
- U.S. companies would also be significantly impacted. While many will continue providing services as usual, they will face heightened legal risks, including potential fines and growing compliance burdens from European regulators.
Moreover, Europe remains a critical market for U.S. tech firms, and continued uncertainty over legal data flows could push some European businesses to favor sovereign cloud providers or alternative software providers that minimize exposure to U.S. jurisdiction.
Besides, a key issue at stake is the importance of data access for AI models and other advanced digital services. While most companies contractually limit how data is used, the increasing reliance on large datasets for training machine learning models means that restricted data flows could create additional friction.
Our Chief Privacy Officer, Thomas Adhumeau, issues his recommendations for EU-based businesses ahead of this likely event:
It would be naïve to think that the Data Privacy Framework will stand. Businesses must start preparing now, rather than waiting for the official announcement that will, as always, trigger a wave of panic. The time to act is now.
This means legal measures, contract updates, and compliance efforts, of course, but more importantly, it requires transitioning to technical solutions that either reinforce sovereignty or simply have the power to limit the transfer of data to the U.S. Server-side implementation, for example, offers a concrete way to regain control over the data being shared with third parties.
- Thomas Adhumeau, Chief Privacy Officer at Didomi
Preparation is key. European businesses should immediately start evaluating their data flows and assess whether they are overly dependent on U.S.-based services. Solutions such as data localization strategies, server-side tagging, privacy-enhancing technologies (PETs), and hybrid cloud infrastructures should be considered.
Likewise, U.S. companies operating in Europe must anticipate increased regulatory pressure and prepare legal fallback mechanisms to ensure continuity in case of abrupt regulatory shifts.
While the full consequences of a DPF invalidation remain uncertain, what is clear is that this is not just a compliance issue. It is a broader economic and technological challenge that will shape the future of digital sovereignty and global data governance.
What's next?
Over the next few weeks, we will publish additional content following the evolution of this topic and share actionable recommendations on how organizations can prepare for a potential invalidation of the DPF. What will the consequences be for specific industries? What concrete actions and steps can you take to minimize the impact on your operations? What are some of the solutions and alternatives you should consider?