EU–US Data Transfers After Privacy Shield: The New Transatlantic Data Framework

Introduction: The Tension Between Data Flows and Data Protection


In today’s global economy, data flows are essential—to commerce, communications, AI training, and transatlantic cooperation. Yet under the EU General Data Protection Regulation (GDPR), personal data transferred outside the EU must be adequately protected—a condition that has repeatedly clashed with U.S. surveillance laws.


Two previous EU–US data transfer frameworks, Safe Harbor and Privacy Shield, were invalidated by the Court of Justice of the EU (CJEU) in the landmark Schrems I (2015) and Schrems II (2020) rulings. These cases shook global data governance and left companies scrambling for legal alternatives.


In July 2023, the EU adopted the EU–US Data Privacy Framework (DPF). But does it truly solve the underlying legal conflicts? And what should businesses and regulators expect as legal challenges return in 2025?



---


What Is the EU–US Data Privacy Framework (DPF)?


The DPF is the third attempt at creating a legal mechanism for transatlantic data transfers. It builds on the principles of its predecessors but includes key reforms intended to satisfy the CJEU’s concerns about:


- U.S. government surveillance practices,
- Lack of independent redress mechanisms,
- Inadequate oversight and proportionality safeguards.



Under the DPF:


- U.S. companies can self-certify to the U.S. Department of Commerce that they meet the framework’s privacy principles,
- The U.S. government issued Executive Order 14086, establishing new rules for signals intelligence and creating a Data Protection Review Court (DPRC) for EU individuals,
- The European Commission issued an adequacy decision confirming the framework provides an “essentially equivalent” level of protection to EU law.




---


Legal Basis and Safeguards


Key improvements in the DPF compared to Privacy Shield include:


1. Necessity and Proportionality: U.S. intelligence agencies are now bound by principles limiting surveillance to what is necessary and proportionate.

2. Independent Redress: EU individuals can file complaints through their national data protection authority (DPA), which are then routed to a two-tier redress system ending with the DPRC.

3. Binding Commitments: The U.S. government has committed to enforce DPF obligations, and compliance is overseen by the Federal Trade Commission (FTC).




Despite these reforms, some experts and activists—including Max Schrems and NOYB—have argued the framework still lacks:


- Effective judicial review, as the DPRC is not a traditional court under U.S. constitutional law,
- Strong limits on bulk surveillance and data collection by national security agencies,
- Guarantees against future legislative or executive backsliding.




---


Current Transfer Tools Under the GDPR


Even with the DPF in place, organizations may still rely on other mechanisms for transferring personal data outside the EU, including:


- Standard Contractual Clauses (SCCs) – the most widely used tool,
- Binding Corporate Rules (BCRs) – for intra-group data flows,
- Derogations – such as user consent, used sparingly and for specific cases.



The CJEU in Schrems II ruled that SCCs alone are not sufficient unless accompanied by transfer impact assessments and supplementary measures (e.g., encryption, anonymization). This continues to pose practical challenges for legal teams and IT departments managing cross-border operations.



---


Impact on Businesses and Compliance in 2025


For many companies, the DPF offers much-needed clarity. As of 2025:


- Over 3,000 U.S. companies have self-certified under the DPF,
- Businesses can resume simplified transatlantic data flows, especially in HR, marketing, and cloud services,
- EU-based data controllers still need to document their transfer mechanisms and justify the legal basis.



However, organizations should remain cautious:


- A legal challenge to the DPF is expected by late 2025, likely returning to the CJEU in the form of a new Schrems III case,
- If invalidated, companies may again need to pivot to SCCs or hybrid models, triggering legal and operational uncertainty,
- DPAs across the EU may increase enforcement on cross-border transfer documentation and risk assessments.




---


What Should Companies Do Now?


To stay ahead, companies transferring data to the U.S. or other non-EEA jurisdictions should:


1. Monitor certification status of vendors and processors under the DPF,

2. Update contracts to reflect current transfer mechanisms (SCCs, DPF references),

3. Conduct transfer impact assessments (TIAs) for high-risk data flows,

4. Prepare for potential invalidation by keeping fallback measures ready.




Investing in data localization, encryption, and privacy-by-design practices is also becoming a strategic necessity—not just a legal one.




Conclusion: The Future of Transatlantic Data Governance


The EU–US Data Privacy Framework is a legal and political compromise—aimed at preserving transatlantic cooperation while respecting fundamental rights under EU law. Whether it survives judicial scrutiny remains uncertain, but it offers temporary relief and clearer compliance pathways for many businesses.


As digital services, cloud computing, and AI rely more heavily on international data flows, the need for a durable and rights-respecting solution grows ever more urgent. The next chapter in this transatlantic saga will determine not only how data moves—but who sets the rules of the digital world.
