EU-US Data Transfers: Where Things Stand and What to Do Now

If your business uses US-based software, platforms, or cloud services, which most businesses do, you are almost certainly transferring personal data to the United States. For years, the legal basis for those transfers has been anything but stable. Here is where things stand today, and what you can do to protect your business.


A brief history of transatlantic data transfers

Under GDPR, transferring personal data outside the European Economic Area is only allowed under specific conditions. For transfers to the US, the go-to mechanism was for a long time the Privacy Shield framework. That was invalidated by the Court of Justice of the European Union in 2020, following legal action by privacy activist Max Schrems. Companies were forced to fall back on Standard Contractual Clauses (SCCs), a more cumbersome alternative that also came under significant scrutiny.

After years of negotiation between the EU and the US, a new framework was adopted in 2023: the EU-US Data Privacy Framework (DPF). US companies can self-certify under the DPF, and EU businesses can then transfer personal data to those certified companies without needing additional safeguards. A welcome development, and widely used.


Why the DPF came under pressure

The DPF's legitimacy rests on the assumption that the US provides an essentially equivalent level of data protection to the EU. Part of that assurance came from structural safeguards put in place by the US government, including an independent oversight body called the Privacy and Civil Liberties Oversight Board (PCLOB).

In early 2025, three of the five PCLOB members were removed by the Trump administration, leaving the board without enough members to function. That move raised immediate concerns among privacy advocates and legal experts: if one of the key oversight mechanisms underpinning the DPF no longer operates effectively, does the framework still hold up?

Those concerns triggered a legal challenge. A French member of parliament sought to have the DPF annulled before the EU General Court.


Where things stand now

In September 2025, the EU General Court dismissed that challenge and upheld the DPF's validity. Companies relying on the DPF can continue to use it as a transfer mechanism.

But the situation is not fully resolved. The same claimant filed an appeal before the Court of Justice of the European Union in October 2025, which remains pending. The PCLOB has not been restored to full operation. And privacy advocacy organisations, including noyb, have indicated that broader challenges to the DPF may follow.

The DPF is standing, but it is standing under continued scrutiny. Given that the EU has already invalidated two previous transatlantic data transfer frameworks, treating the current one as permanent would be premature.


What this means for you

If your business relies on US-based tools, whether that is a CRM, a cloud storage provider, a marketing platform, or anything else that processes personal data, there are four practical steps worth taking now.

Review your data transfers. Map out which personal data you send to the US, which vendors receive it, and on what legal basis. If you do not have that overview, this is a good time to build it.

Check your data processing agreements. If you rely on SCCs as a backup or as your primary transfer mechanism, make sure they are up to date and correctly implemented.

Ask your providers about EU hosting options. Many major platforms offer the option to store and process data within the EU. It is worth asking, because not all providers make this easy to find.

Consider your risk appetite. If the DPF were to be invalidated again, businesses that have already put alternative safeguards in place will be in a much stronger position than those that have not. Acting now costs less than scrambling later.

For a broader overview of what EU businesses need to know about GDPR compliance, take a look at our post on GDPR for Startups: 3 Things to Focus on First.


Not sure whether your transatlantic data transfers are on solid legal footing? Get in touch and we will take a look together.


We take great care in providing information to you, but please be aware that these blog posts cannot be considered a substitute for professional legal advice, nor do they create an attorney-client relationship.
