The data transfer shake-up: legal uncertainty and the new US administration’s challenge

International data transfers face growing uncertainty with stricter EU scrutiny of SCCs and TIAs and legal challenges to the EU-US DPF. The lack of PCLOB quorum raises oversight concerns, bringing Schrems III closer by the day.

Data transfers remain one of the most complex aspects of global data protection compliance. Since November 2024, regulatory shifts, court rulings, and political changes have further complicated the landscape. The European Union (EU) continues to refine its stance on Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs), and adequacy decisions. Meanwhile, the biggest uncertainty comes from the new US administration’s approach to transatlantic data flows.

This article examines the latest GDPR developments on international data transfers (Section 1) before assessing how the new US administration could impact the EU-US Data Privacy Framework (DPF) and broader cross-border data transfers (Section 2).

1. Latest GDPR data transfer developments

The EU continues to impose strict scrutiny on data transfer rules, with new guidance, enforcement actions, and legal rulings creating additional compliance challenges for businesses relying on SCCs and other transfer mechanisms.

New EDPB guidance

On 3 December 2024, the EDPB published new guidelines on Article 48 of the GDPR, clarifying how EU-based organisations can lawfully respond to data transfer requests from foreign public authorities. Key takeaways include:

  • Transfers based on foreign authority requests require a valid GDPR legal basis. Companies cannot simply comply with foreign subpoenas or regulatory demands unless an international agreement (e.g., a mutual legal assistance treaty or MLAT) is in place.
  • A “two-step test” applies: businesses must first identify a legal basis under Article 6 of the GDPR (e.g., legal obligation or public interest) and then ensure that the transfer itself complies with Chapter V of the GDPR.
  • Controllers cannot use legitimate interest to justify pre-emptively storing data for potential foreign authority requests.
  • Transfers without an international agreement are high-risk. A foreign legal request alone does not justify a transfer unless it meets adequacy, SCC, or derogation requirements under GDPR.

Latest regulatory updates and case law 

European Data Protection Authorities (DPAs) are increasingly scrutinising Transfer Impact Assessments (TIAs), demanding detailed risk assessments beyond SCCs.

On 31 January 2025, France’s CNIL, for instance, reinforced its stance on TIAs by issuing detailed guidance which emphasises that data exporters must thoroughly assess third-country risks and implement supplementary measures where necessary. CNIL’s latest recommendations stress that companies cannot rely on SCCs alone and must document specific risk-mitigation steps based on the laws and surveillance practices of recipient countries.

On 8 January 2025, the General Court of the CJEU ruled in Bindl v Commission (Case T-354/22) that the European Commission must pay damages (€400) to Mr Thomas Bindl, a German citizen, for the non-material damage he sustained because of the transfer of his personal data to Meta without adequate safeguards. He had alleged that the European Commission's website facilitated unauthorised transfers of his personal data to US-based companies, including Meta Platforms, Inc. The judgment highlights that EU institutions and organisations alike must ensure robust compliance with GDPR data transfer requirements when engaging third-country service providers.

2. The US administration and the future of EU-US data transfers

With a new US administration since January 2025, transatlantic data flows face renewed uncertainty. The DPF is increasingly vulnerable to legal and political attacks.

The DPF under fire: will it survive?

A Schrems III moment may be approaching. On 10 July 2023, the privacy advocacy group NOYB, led by Max Schrems, announced its intent to challenge the DPF before the CJEU, arguing that it fails to protect EU citizens from US mass surveillance and lacks enforceable rights.

Additionally, in September 2023, French Member of Parliament Philippe Latombe filed a legal action against the DPF (Latombe v European Commission, Case T-553/23), asserting that it does not adequately safeguard the rights of EU citizens regarding personal data protection. Although his request for interim measures to suspend the DPF was denied on 12 October 2023, the case remains pending.

Despite these legal challenges, the DPF remains legally valid, with the European Commission defending its adequacy decision by pointing to US oversight mechanisms such as the Privacy and Civil Liberties Oversight Board (PCLOB) and the Data Protection Review Court, alongside the safeguards in Executive Order 14086. However, the Trump administration’s dismissal of multiple PCLOB members, leaving Beth Ann Williams as its sole remaining member, has left the board without a quorum, weakening its ability to oversee US intelligence agencies.

On 5 March 2025, the Swedish DPA stated that the lack of a PCLOB quorum does not immediately invalidate the EU-US adequacy decision. The European Commission is monitoring these developments and retains the power to withdraw, amend, or repeal the adequacy decision; the CJEU may also annul it. It would nonetheless be prudent for EU businesses to prepare contingency plans should the decision be overturned, and to devise an exit strategy, as Norway’s DPA recommends.

Risks of a US crackdown on EU data transfers

A key weakness of the DPF remains unchanged: US intelligence agencies retain broad data access powers under Section 702 of FISA. Congressional deadlock on surveillance reform makes it unlikely that significant privacy improvements will be enacted before the next CJEU ruling.

If NOYB’s challenge succeeds, a CJEU ruling in late 2025 or early 2026 could invalidate the DPF (and consequently the UK extension), forcing companies to revert to SCCs. This raises key concerns:

  • Stronger regulatory scrutiny of SCCs: if the DPF collapses, SCCs will face tighter enforcement, requiring additional encryption, localisation, and risk assessments.
  • Potential impact on US cloud services in the EU: the revocation of adequacy may increase legal risks for US-owned cloud providers operating in the EU.
  • Retaliatory measures: the US may impose new obligations on European companies processing US citizens’ data, such as data localisation requirements and/or reciprocal restrictions mirroring GDPR provisions.

Comment

The post-Schrems II world remains unpredictable, marked by stricter enforcement, ongoing legal challenges, and regulatory uncertainty surrounding data transfers based on the DPF and on existing and new SCCs. While the EU DPAs continue to raise the bar for compliance, the long-term viability of transatlantic data flows hinges on the US government's approach to surveillance reform and data privacy diplomacy. In March 2025, Max Schrems publicly indicated that changes to key oversight agencies such as the PCLOB and the FTC may compel the European Commission to suspend the DPF on its own initiative, without waiting for a fresh CJEU ruling.

Businesses should prepare for all scenarios, whether it is a DPF 2.0, a stricter SCC regime, or another round of legal uncertainty. Developing contingency plans, particularly for customers and suppliers of US cloud services in the EU and the UK, is critical in mitigating the risks associated with a potential DPF collapse.