Data in the Balance: Political Influence on EU-U.S. Data Transfers
Friday, April 4, 2025

In politically uncertain times, is your organisation’s data transfer compliance unquestionable?

The EU-U.S. Data Privacy Framework (DPF) serves as a useful mechanism for transatlantic data transfers, and it can assist organisations in meeting the compliance requirements of the European Union’s General Data Protection Regulation (GDPR). However, recent actions by the Trump administration have raised concerns about the framework’s stability and triggered doubts regarding the DPF adequacy decision by the European Commission and its future.

Quick Hits

  • Staying up to date with regulatory change will remain key; currently, more than 2,800 U.S. companies rely on the EU-U.S. Data Privacy Framework.
  • Operating on an invalid or outdated mechanism may cause significant operational interruptions for organisations.
  • Organisations that fail to protect personal data being internally transferred are being actively penalised by European (and UK) regulators.

The DPF, which was developed collaboratively by the Biden administration and the European Commission (EC), addresses the requirements under GDPR Articles 44–49 regarding data transfers to the United States, allowing participating organisations to rely on this as a valid transfer mechanism without the need to identify and implement additional safeguards to protect data. Key to the DPF’s functionality, and its EC adequacy status, is the involvement of independent oversight agencies and their respective powers, including advisory and audit rights, regarding actions of the U.S. government and how these impact individuals’ rights.

Although, to date, none of the current administration’s decisions have directly referred to the DPF, there are increasing concerns that U.S. actions might lead to a situation in which the Court of Justice of the European Union (CJEU) invalidates the EC’s DPF adequacy decision, mirroring the fate of the DPF’s predecessors.

One such action was taken on February 18, 2025, when the Trump administration issued Executive Order 14215, “Ensuring Accountability for All Agencies,” an order that aims to harmonise regulatory practices across federal agencies, including the Federal Trade Commission (FTC), an agency that plays a crucial role in enforcing the DPF. A key provision of this order is that there will be presidential review of all significant regulatory actions proposed by federal agencies, including the FTC. Concerns have been raised that the requirements of this order could potentially compromise the FTC’s independence, which is integral to the operation of the DPF.

In addition, in January 2025, the administration terminated all Democratic members of another independent agency, the U.S. Privacy and Civil Liberties Oversight Board (PCLOB). Again, the DPF agreement requires the PCLOB to operate independently when providing privacy-related oversight of U.S. counterterrorism activities, including how those activities are balanced against the privacy rights of individuals, and when conducting annual reviews of the DPF’s redress mechanism. Both the independent nature and the functionality of the PCLOB are being called into question, raising concerns for the future of the DPF.

The evolving political landscape means that organisations will likely want to carefully and continuously monitor for potential changes and possibly adapt their approach when transferring personal data internationally. The CJEU’s previous invalidation of international data transfer mechanisms, such as the EU-U.S. Privacy Shield, highlights the potential risks and the severity of the actions taken by the CJEU to ensure the safeguarding of EU data.

In the event that the DPF were invalidated, all transfers taking place by way of the DPF would be required to cease with immediate effect, and any subsequent transfers operating under an invalid DPF would be found to be illegal. It would be necessary for organisations to identify, and implement, alternative transfer mechanisms, such as EU-approved Standard Contractual Clauses (SCCs) (and UK Addendum or International Data Transfer Agreements) for all international transfers, even if a transfer occurs between different entities of the same organisation.

When relying on SCCs, organisations are legally required to carry out transfer impact assessments (TIAs), which assess the laws and practices of the country where the EU data will be transferred. Organisations may want to stay informed of regulatory developments and undertake periodic reassessments of potential risks. More information on international data transfers and identifying the most appropriate international transfer mechanisms can be found in our previous article.

Organisations may want to assess the scope and types of data transfers that they carry out in the course of their business operations and identify which transfer mechanism is most sensible from a commercial and business continuity perspective.

Failure to comply with up-to-date data protection laws and data transfer rules can lead to commercial and reputational damage. If appropriate measures are not taken, corrective sanctions can be enforced, such as orders to cease transfers of personal data and significant financial penalties.

Lorraine Matthews contributed to this article.
