EU-U.S. Data Privacy Framework (DPF)
U.S. Laws & Regulations

Privacy, Politics, and the Uncertain Future of Transatlantic Data Transfers

The digital relationship between the European Union and the United States stands at a crossroads. After years of legal uncertainty and two transatlantic data deals struck down by the Court of Justice of the European Union (CJEU), a third attempt—the EU-U.S. Data Privacy Framework (DPF)—has emerged as the next chapter in a high-stakes saga. But despite fanfare around transatlantic cooperation and digital trade, recent political developments and legal critiques suggest the new agreement may already be on shaky ground. With U.S. political figures openly challenging the agreement and European privacy advocates sharpening their legal knives, the future of EU-U.S. data flows is anything but certain.

A Third Attempt: The EU-U.S. Data Privacy Framework

In July 2023, the European Commission adopted an adequacy decision for the United States, giving the green light for data to flow freely from the EU to U.S. companies certified under the DPF. This new framework was designed to address shortcomings found in its predecessors, Safe Harbor and Privacy Shield, both of which were invalidated by the CJEU due to concerns about U.S. surveillance laws and the lack of judicial redress for EU citizens.

Key improvements touted by the European Commission include:

  • Stronger limitations on U.S. government access to EU data
  • A new redress mechanism for EU individuals, including a Data Protection Review Court (DPRC)
  • Binding requirements for U.S. companies to comply with privacy principles

Despite these enhancements, critics argue the changes are more cosmetic than structural. Privacy activists like Max Schrems and his organization NOYB (None of Your Business) have already indicated plans to challenge the DPF before the CJEU, calling the framework a “copy-paste” of Privacy Shield with few meaningful changes.

Political Riptides: U.S. Elections and the Trump Factor

While legal challenges pose one threat to the DPF, political developments may prove equally disruptive. Former President Donald Trump’s recent comments attacking the agreement have raised alarm bells across the Atlantic. Trump labeled the new data transfer framework as a “bad deal” for the U.S., vowing to eliminate it if re-elected.

Why does this matter?

  • The DPF depends heavily on executive orders issued by President Biden, particularly Executive Order 14086, which implements safeguards on surveillance and creates the DPRC.
  • These executive orders can be rescinded by a future administration without Congressional approval.
  • If a new U.S. administration dismantles these safeguards, the legal basis for the DPF would collapse.

This looming uncertainty underscores a key vulnerability in transatlantic digital policy: the lack of bipartisan, codified legal guarantees for data privacy protections in the U.S.

Europe’s Growing Skepticism: Legal Challenges on the Horizon

Even before Trump’s comments, European privacy advocates were gearing up for another courtroom showdown. Max Schrems, whose legal actions dismantled the previous two data frameworks, has publicly criticized the DPF, arguing that it fails to meet the standards set by the CJEU in its Schrems II decision.

Among the concerns raised:

  • U.S. surveillance reforms remain superficial, with intelligence agencies still granted broad discretion.
  • The DPRC is not an actual court but an administrative body within the executive branch.
  • There is no true transparency or adversarial process in the redress mechanism.

In a detailed critique, NOYB warned that unless U.S. surveillance practices undergo substantive legislative reform, the DPF is doomed to the same fate as its predecessors.

The Push for a More Durable Transatlantic Framework

Despite these challenges, some voices remain optimistic about the future of EU-U.S. digital cooperation. European Commissioner Michael McGrath, speaking at CSIS, emphasized the broader need for a common regulatory approach to digital trade, AI governance, and cybersecurity.

McGrath outlined areas of strategic alignment:

  • Shared democratic values underpinning digital governance
  • Joint interest in setting global standards for emerging technologies
  • Economic incentives for a seamless digital marketplace

However, McGrath also acknowledged that achieving this vision requires political will on both sides and greater investment in mutual legal understanding.

Cooperation or Collision Course?

The EU-U.S. Data Privacy Framework represents a critical attempt to stabilize the world’s most valuable data corridor, but it is a fragile construct built on legal workarounds and executive promises. With a volatile political climate in the U.S. and a determined privacy movement in the EU, the DPF could soon face the same fate as its predecessors.

Long-term transatlantic digital cooperation will require more than band-aid fixes. It demands robust, legislatively backed reforms that provide genuine protections and legal certainty for individuals and businesses alike. Until then, companies navigating EU-U.S. data flows may find themselves in a constant state of legal limbo, watching as the cloud of uncertainty grows darker once again.


Author

Dan Clarke
Dan Clarke
President, Truyo
March 26, 2025

Let Truyo Be Your Guide Towards Safer AI Adoption

Connect with us today