The Fragility of Transatlantic Data Transfers

As digital commerce grows increasingly global, the legal frameworks governing data transfers across borders have never been more important. Yet these frameworks remain surprisingly fragile, especially between the EU and US.

The EU-U.S. Data Privacy Framework (DPF) operates on a foundation of executive orders rather than legislation, making it susceptible to changes between administrations. Recent developments suggest businesses should prepare for potential adjustments to the legal framework governing transatlantic data flows.

Background: The Evolution of EU-US Data Transfer Frameworks

The current data transfer agreement has evolved through several iterations, each shaped by legal challenges:

  • In 2015, the Safe Harbor framework was invalidated following Max Schrems' complaint (Schrems I) regarding US surveillance practices revealed by Edward Snowden.

  • In 2020, the Privacy Shield was struck down in the Schrems II case when the CJEU ruled it didn't provide adequate protection for EU citizens' data.

  • In 2023, the current EU-US Data Privacy Framework was established, underpinned by Executive Order 14086 signed by President Biden in 2022, which implemented new safeguards for US intelligence activities.

Recent Developments

Two recent developments have raised questions about the stability of the current framework:

1. Changes to the Privacy Oversight Board

In January 2025, the administration requested the resignation of three members of the Privacy and Civil Liberties Oversight Board (PCLOB). This has temporarily left the board without the quorum necessary to function.

The PCLOB plays an important role in overseeing US intelligence practices and was referenced as a safeguard in the EU's adequacy decision for the DPF.

2. Review of Executive Order 14086

Following standard practice during presidential transitions, the administration is conducting a review of previous National Security Memoranda, including those underpinning EO 14086. This review process is expected to determine whether any modifications will be made to the order that forms the legal basis for the EU-US data adequacy decision.

Potential Implications for Data Transfers

If significant changes are made to EO 14086, several consequences could follow:

The European Commission's adequacy decision for US data transfers is specifically predicated on the protections established in EO 14086. Material changes to these protections could prompt a reassessment of that adequacy decision.

Regulatory Response

The European Commission has mechanisms to suspend or revoke adequacy decisions if it determines that a third country no longer ensures adequate protection. EU data protection authorities have indicated they are monitoring the situation.

Impact on UK Data Transfers

The UK's Data Bridge agreement with the US is built on the same foundation as the EU-US DPF. Changes to EO 14086 could potentially affect UK-US data transfers as well.

Business Compliance Challenges

If the DPF becomes unavailable, organizations would need to implement alternative transfer mechanisms such as Standard Contractual Clauses (SCCs), which involve additional compliance requirements and risk assessments.

Prudent Preparation Steps for Businesses

Given the potential for changes, companies relying on the DPF should consider proactive measures:

  • Audit Current Data Transfers – Identify what data you are transferring from the EU/UK to the US and ensure there are backup legal mechanisms in place.

  • Implement Standard Contractual Clauses (SCCs) – The Schrems II ruling confirmed that SCCs can be relied upon for transfers of personal data to countries without an adequacy decision. These will likely become the fallback option if the DPF is invalidated.

  • Consider EU-Based Data Solutions – Reducing reliance on US processing may help avoid regulatory scrutiny.

  • Stay Updated – Monitor EU Commission statements, legal challenges, and any new executive actions that may alter the landscape.

Conclusion

While it's premature to predict specific outcomes, history suggests that EU-US data transfer mechanisms can face legal challenges when regulatory frameworks change. Organizations handling transatlantic data flows should prepare contingency plans while monitoring developments in this evolving regulatory landscape.

Rather than waiting for potential disruption, forward-thinking businesses will use this period to strengthen their data governance frameworks and ensure they have multiple compliant pathways for essential data transfers.