Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

To date, the Trump administration's actions have been swift across many domains, focusing on tariffs, trade, immigration, border control, the Ukraine war and more. While none of the administration's moves have directly affected the core U.S. elements that underpin the EU-U.S. Data Privacy Framework, two recent actions create a concern that the DPF might be susceptible to a Court of Justice of the European Union finding that invalidates the European Commission's DPF adequacy decision.

Overall, our sense is that such a CJEU finding would be unlikely to mature in the short term, given the longer timelines needed for judicial review.

Moreover, when such a case is presented before the CJEU, much will depend on the other actions the Trump administration and the Commission take in the interim. Both the Trump administration and the Commission have a strong interest in continuing to support the DPF as the "trans-Atlantic bridge" for data transfers. More than 2,800 U.S. companies participate in the DPF. Their participation benefits their own commercial interests, as well as those of their European customers and business partners.

All U.S. and EU companies that engage in trans-Atlantic business transactions benefit from the DPF. Specifically, all U.S. companies that receive personal data from European customers or business partners must perform transfer impact assessments that evaluate the privacy risk of U.S. government surveillance and access to data. As long as the laws, regulations and policies on government surveillance in the DPF continue to be deemed adequate, U.S. companies can rely on that DPF adequacy finding for the substantive aspect of the TIA. This is the case regardless of whether the U.S. company participates in the DPF, the parties implement the Commission standard contractual clauses or other solutions are used. Since the value of U.S.-EU trade in services is approximately USD2 trillion annually, both sides have a strong incentive to continue to provide certainty for companies and maintain a high degree of privacy protection.

Legal context for the DPF

In general, Articles 44-49 of the EU General Data Protection Regulation prohibit the transfer of personal data from the EU to a third country, such as the U.S., unless the third country assures a level of protection guaranteed by the GDPR. The U.S. administration and the European Commission worked collaboratively to develop the DPF in the wake of a July 2020 CJEU finding that the DPF's predecessor, the EU-U.S. Privacy Shield, did not provide sufficient protection. The CJEU's finding on the Privacy Shield focused on perceived inadequacies of U.S. law and policy on intelligence surveillance, including apparently insufficient rights of data subjects and the inability to raise complaints.

Among other elements to address the CJEU's concerns, the U.S. administration adopted Executive Order 14086 of October 7, 2022 on Enhancing Safeguards for United States Signals Intelligence, which sets out privacy principles that U.S. agencies must follow when engaging in intelligence surveillance. The U.S. Department of Justice then adopted a final rule implementing the order to establish a Data Protection Review Court to consider applications for review of determinations by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence.

The DOJ also designated the EU, Iceland, Liechtenstein and Norway, as well as the U.K. and Switzerland, pursuant to their "companion" DPF arrangements, as "qualifying states" whose citizens can petition the DPRC for redress. The U.S. Federal Trade Commission issued a letter to the European Commission confirming its commitment to enforce the DPF rules pursuant to Section 5 of the FTC Act. The general counsel of the ODNI issued a letter to the Commission explaining how the executive order provides an additional layer of privacy protection on intelligence surveillance, including that the U.S. agencies will follow it when making certifications under Section 702 of the Foreign Intelligence Surveillance Act to the independent, life-tenured judges who serve on the Foreign Intelligence Surveillance Court. Based on these and other circumstances, the Commission followed the consultation process with the European Data Protection Board and EU member states and adopted the DPF adequacy finding.

Trump administration actions

Importantly, the Trump administration has not changed any of the above elements that provide privacy protections related to U.S. signals intelligence and support the Commission's adequacy decision for the DPF. However, the administration has undertaken two more general actions that could be interpreted to create risk for the DPF in the context of a CJEU case or otherwise, as follows.

First, Trump issued the executive order on "Ensuring Accountability for All Agencies" on 18 Feb. 2025. The accountability executive order articulates a policy to ensure consistent regulatory policy across federal agencies, including the FTC and at least seventeen other independent regulatory agencies. Among other steps, this executive order requires all federal agencies to submit proposed and final significant regulatory actions for presidential review before publication in the Federal Register. The potential concern with the accountability executive order is that it might infringe on the FTC's ability to be sufficiently independent to enforce the DPF privacy principles in accordance with GDPR Article 44(2)(b).

We consider, however, that much remains to be seen about how the accountability executive order would be applied in practice, particularly considering the FTC retains its statutory authority under Section 5 of the FTC Act to take enforcement actions. It also seems unlikely that the administration would seek to intervene in decisions on individual commercial privacy matters involving the interpretation of the DPF privacy principles.

Second, on or around 23 Jan. 2025, the Trump administration reportedly terminated all three Democratic members of the Privacy and Civil Liberties Oversight Board. The PCLOB was established by federal law as an independent federal agency, 42 U.S.C. § 2000ee, composed of a bipartisan, five-member board appointed by the president for a fixed six-year term with Senate approval. Its mission includes the analysis and review of actions taken by the executive branch in the fight against terrorism to ensure such actions are balanced with the need to protect privacy and civil liberties. With one prior vacancy, this leaves only one member of the PCLOB at present. Lacking its statutory quorum of three members, the PCLOB may have limited functionality.

However, the PCLOB's remaining member has declared it will continue to carry out its oversight work through the publication of staff reports. The Trump administration can also follow the statutorily established process to appoint new members with a key limitation that only three members can be from the same political party.

The potential concern with this second action is that the PCLOB provides privacy-related oversight of the activities of U.S. intelligence agencies generally. In the context of the DPF specifically, the PCLOB has certain designated roles to be consulted on the appointment of judges for the DPRC and the appointment of special advocates to assist the DPRC. The PCLOB is also responsible for conducting an annual review of the DPF redress mechanism for handling signals intelligence complaints.

Whether, or the extent to which, these DPF functions are actually limited will depend on how quickly the Trump administration can appoint new members in accordance with the statutory procedures and whether the remaining staff member has any difficulty in practice carrying out any tasks that may be needed from the board in the meantime.

Practical considerations

The DPF resides in the context of a much broader commercial, political and defense relationship between the U.S. and Europe. Given that any CJEU judicial review of the DPF will take some months to play out, the most immediate DPF questions relate to what happens across these other levels of trans-Atlantic interrelationships in the meantime. If the current storms regarding trade and tariffs, the war in Ukraine, and other matters can be weathered, perhaps more certain relationships can be established. In that setting, the longer-term prospects of retaining the DPF and possibly even stronger arrangements could be envisioned.

However, in this uncertain world, companies on both sides of the Atlantic should consider how to approach these cross-border data transfer issues. Several key issues for consideration include:

  • Maintaining an existing DPF certification. U.S. companies that have already invested in certification to the DPF should probably retain the certification. The DPF remains a valid trans-Atlantic data transfer mechanism, and maintenance of DPF status will likely be the simplest means to address the cross-border data transfer restrictions with existing business partners and customers.
  • Considering the establishment of "springing" Commission standard contractual clauses. For intracompany group transfers or other situations where the company has reasonably good control over contracting terms, consider whether to implement now, in the calm of day, an SCC solution that would spring into effect if the DPF is ever invalidated. An important step will be developing a description of supplementary terms and TIA that could be utilized if the adequacy finding applicable to the DPF is deemed invalid.
  • Considering the development of a playbook. For scenarios where the company cannot establish springing SCCs, consider developing a playbook to activate if the DPF is invalidated. A U.S. company participating in the DPF could develop a list of top EU customers to reach right away with SCCs or alternatives and a plan to reach all affected EU customers. An EU company should develop a priority-ranked list of U.S. data recipients that participate in the DPF, in order to be ready with SCCs or other solutions. The EU company should also develop a preemptive set of supplementary measures and TIA forms, as the DPF elements that provided adequacy for TIA purposes may no longer be available.

As always, there is no one-size-fits-all solution for trans-Atlantic data transfers. Companies need to assess their own data flows, commercial relationships and risk appetites when evaluating how to proceed. However, particularly with the level of uncertainty in the current environment, a little extra planning may be quite helpful.

Brian Hengesbaugh is a partner and chair of global data privacy and security and Lukas Feiler, CIPP/US, is a partner at Baker McKenzie.