The digital relationship between the European Union and the United States stands at a crossroads. After years of legal uncertainty and two transatlantic data deals struck down by the Court of Justice of the European Union (CJEU), a third attempt—the EU-U.S. Data Privacy Framework (DPF)—has emerged as the next chapter in a high-stakes saga. But despite fanfare around transatlantic cooperation and digital trade, recent political developments and legal critiques suggest the new agreement may already be on shaky ground. With U.S. political figures openly challenging the agreement and European privacy advocates sharpening their legal knives, the future of EU-U.S. data flows is anything but certain.
In July 2023, the European Commission adopted an adequacy decision for the United States, giving the green light for data to flow freely from the EU to U.S. companies certified under the DPF. This new framework was designed to address shortcomings found in its predecessors, Safe Harbor and Privacy Shield, both of which were invalidated by the CJEU due to concerns about U.S. surveillance laws and the lack of judicial redress for EU citizens.
Key improvements touted by the European Commission include:
Despite these enhancements, critics argue the changes are more cosmetic than structural. Privacy activists like Max Schrems and his organization NOYB (None of Your Business) have already indicated plans to challenge the DPF before the CJEU, calling the framework a “copy-paste” of Privacy Shield with few meaningful changes.
While legal challenges pose one threat to the DPF, political developments may prove equally disruptive. Former President Donald Trump’s recent comments attacking the agreement have raised alarm bells across the Atlantic. Trump labeled the new data transfer framework as a “bad deal” for the U.S., vowing to eliminate it if re-elected.
Why does this matter?
This looming uncertainty underscores a key vulnerability in transatlantic digital policy: the lack of bipartisan, codified legal guarantees for data privacy protections in the U.S.
Even before Trump’s comments, European privacy advocates were gearing up for another courtroom showdown. Max Schrems, whose legal actions dismantled the previous two data frameworks, has publicly criticized the DPF, arguing that it fails to meet the standards set by the CJEU in its Schrems II decision.
Among the concerns raised:
In a detailed critique, NOYB warned that unless U.S. surveillance practices undergo substantive legislative reform, the DPF is doomed to the same fate as its predecessors.
Despite these challenges, some voices remain optimistic about the future of EU-U.S. digital cooperation. European Commissioner Michael McGrath, speaking at CSIS, emphasized the broader need for a common regulatory approach to digital trade, AI governance, and cybersecurity.
McGrath outlined areas of strategic alignment:
However, McGrath also acknowledged that achieving this vision requires political will on both sides and greater investment in mutual legal understanding.
The EU-U.S. Data Privacy Framework represents a critical attempt to stabilize the world’s most valuable data corridor, but it is a fragile construct built on legal workarounds and executive promises. With a volatile political climate in the U.S. and a determined privacy movement in the EU, the DPF could soon face the same fate as its predecessors.
Long-term transatlantic digital cooperation will require more than band-aid fixes. It demands robust, legislatively backed reforms that provide genuine protections and legal certainty for individuals and businesses alike. Until then, companies navigating EU-U.S. data flows may find themselves in a constant state of legal limbo, watching as the cloud of uncertainty grows darker once again.