Mixed Signals Around the Status of EU-US Data Transfers
Is the US-EU Data Privacy Framework headed for the same fate as its predecessors? Lucid's Ross Webster explores the mixed signals coming from regulators, politicians and the courts.

Last week at the UN General Assembly, President Trump declared, amongst other things, that Europe was "going to Hell." Given the current US administration's consistent disregard for Europe and its laws, perhaps it's unsurprising that observers (and a few of us over at Lucid HQ) are increasingly worried about the fragility of the US-EU Data Privacy Framework (DPF).
Since January 2025, the US administration has systematically undermined DPF safeguards. Most critically, the White House removed all Democratic members from the Privacy and Civil Liberties Oversight Board (PCLOB) in January 2025, eliminating its independence as a key DPF oversight mechanism. Executive Order 14215 'Ensuring Accountability for All Agencies' then expanded presidential control over independent regulatory agencies more broadly, further weakening federal enforcement.
Why is This Important?
The DPF, introduced in 2023, represents the third attempt at creating a stable transatlantic data transfer mechanism between the two superpowers. After the US-EU Safe Harbor was invalidated in 2015, and the EU-US Privacy Shield fell in 2020, politicians rallied to develop some framework that could ensure seamless and legal data transfers across the Atlantic. But now, even the DPF faces new pressures.
The DPF, and US adequacy more broadly, supports €7.1 trillion in annual transatlantic trade, with over 3,000 certified US companies across tech, finance, and healthcare relying on the framework for data transfer activities. Without stable data transfer mechanisms, businesses face operational challenges, consumers lose access to integrated digital services, and the global digital economy risks fragmenting along jurisdictional lines.
The seemingly deliberate dismantling of the transfer oversight mechanism that took years to negotiate and implement is significant. The EU's Adequacy Decision places great importance on the role of the PCLOB and the Data Protection Review Court in ensuring that US data practices align with EU protection standards under the framework. If that independence and oversight go away, there's not much else that distinguishes the DPF from its failed siblings.
Earlier, responding to the January 2025 PCLOB firings, Max Schrems suggested that the DPF was doomed:
“I can hardly see that a Biden executive order that was forced upon the U.S. by the EU and regulates U.S. espionage abroad would survive in Trump's logic. There were long discussions as to the functioning and independence of these oversight mechanisms. Unfortunately, it seems that they may not even stand the test of just the first days of a Trump presidency. This is the difference between solid legal protections and wishful thinking — the European Commission has solely relied on wishful thinking.”
In response to all the political chaos, European regulators have increasingly begun echoing Schrems’ warnings – and intensifying their scrutiny. The CNIL in France issued comprehensive Transfer Impact Assessment guidance in January 2025, emphasizing that companies cannot rely on Standard Contractual Clauses alone. In February, Norway's Datatilsynet urged businesses to develop 'exit strategies' for US transfers, warning that restrictions could take effect immediately without transition periods. Denmark and Sweden have issued similar warnings, with Danish officials telling businesses and individuals that it has “never been more important to have a real plan B” when it comes to ditching Big Tech.
Additionally, the enforcement landscape is tightening. Meta received the largest-ever GDPR fine of €1.2 billion in 2023 for unlawful data transfers between the EU and US, and enforcement has continued to intensify, with Ireland imposing a €345 million fine on TikTok in 2024 for data privacy violations.
Contrasting Outlooks
Unfortunately, despite dire warnings from regulators, contrasting political signals make it nearly impossible for businesses to reasonably predict what’s to come:
- Judicial victory: In early September, the EU General Court dismissed a challenge to the Data Privacy Framework in Latombe v Commission. French MP Philippe Latombe argued the framework violated, amongst other things, the EU Charter of Fundamental Rights and the GDPR, due to inadequate safeguards and guarantees against US bulk data collection. The court rejected these claims, confirming the US provides "essentially equivalent" protection.
- Security screening concern: But two weeks later, the European Data Protection Supervisor (EDPS) warned about a proposed EU-US framework for sharing EU citizens’ personal data with US agencies including the Department of Homeland Security to facilitate participation in the US Visa Waiver Program. This proposal came about as a result of an “informal meeting” (read: barely reported) held by the Commission at the end of July.
These developments reveal fundamental contradictions within Europe: courts validate the US adequacy position and the DPF, believing that the core foundations still hold, while EU policymakers and the Trump administration systematically undermine the integrity of that foundation by eroding oversight and independence mechanisms, and flirting with bulk data sharing. No wonder the regulators are sounding alarms and preparing for the worst.
Planning for an Uncertain Future
The familiar cycle of framework creation, political erosion, and potential invalidation presents a tricky issue for businesses to navigate.
Lucid Privacy advises that businesses transferring data should consider:
- Having a Data Transfer Backup: Maintain your DPF certification, but also prepare alternative mechanisms that can kick in immediately. Focus on Standard Contractual Clauses (SCCs) with supplementary safeguards that provide more resilient protections against political volatility. Firms with alternative arrangements will have competitive advantages if adequacy goes away.
- Bringing Data Home: While it’s probably overkill to go through the arduous task of undertaking a new Transfer Impact Assessment, organizations transferring data between the EU/UK/US should start looking into data localization strategies and consider keeping more EU/UK data in the EU/UK, particularly when processing sensitive personal data.
- Don’t Forget the PETs: While contractual guarantees only survive if everyone buys in, technical measures can provide practical protections that may be robust enough to withstand political uncertainties. Privacy-Enhancing Technologies (PETs) have matured considerably over the last ten years, and techniques like homomorphic encryption, trusted execution environments, and secure enclaves have moved from the theoretical to the practical. Even regulators like the UK ICO have suggested that PETs can be a viable data safeguard.
- Don’t Panic: We’ve been here before, and while the political volatility is greater now than it was a year ago, it’s worth remembering that even if the EU changes its mind on adequacy, other options exist or will be discovered. As always, we’re here to help guide our clients along the way.