ADL #69: EU-US Data Privacy Framework: A Critical Juncture in 2025
3 Recommendations about Transatlantic Data Transfers for Organizations
Intro
I know what you’re thinking. “How did Trump and the US screw up this time?” We’re talking about this later in this issue, so scroll down if you need to. But I’ll appreciate, of course, if you read the entire thing, just because the evolution of the whole Data Privacy Framework and the collaboration between the US and EU is important and worth a read – and possibly something we will not be able to see again in the near future.
That being said, in this issue we’ll talk about transatlantic data transfers and how to protect your business when working with US based companies. Enjoy!
Quick Tips: 3 Recommendations for Organizations Regarding Transatlantic Data Transfers
Comprehensive Data Mapping
Conduct a thorough audit of all EU-US data transfers of your organization
Identify critical data flows and potential alternative solutions
Legal and Technical Preparedness
Consider adopting (or preparing to adopt) standard contractual clauses with your US partners
Explore data localisation strategies: consider storing and processing data within your national or EEA jurisdiction
Implement more privacy-enhancing technologies (if you haven’t already)
Scenario Planning
Prepare contingency plans for potential framework invalidation
Consider EU-based cloud and service providers as alternatives
Background and Historical Context
The relationship between the European Union and the United States regarding data protection has been complex for over two decades. Since the early 2000s, multiple frameworks have emerged and subsequently collapsed, reflecting the ongoing tension between EU data privacy standards and US national security considerations.
The Evolution of Transatlantic Data Transfer Mechanisms
Safe Harbor Agreement (2000-2015): The initial mechanism for legal data transfers between the EU and US, invalidated by the Court of Justice of the European Union (CJEU) in the Schrems I case due to concerns over U.S. government surveillance.
Privacy Shield Framework (2016-2020): Introduced with enhanced privacy protections, this framework was also struck down in the Schrems II case, again highlighting fundamental conflicts in data protection approaches.
EU-US Data Privacy Framework (2023): This was the most recent attempt to create a stable data transfer mechanism, adopted on July 10, 2023. It includes significant oversight mechanisms and redress processes designed to address previous legal challenges.
How Do Businesses Apply the EU-US Data Privacy Framework - What We Have Today
The EU-US Data Privacy Framework, adopted on July 10, 2023, represents a sophisticated mechanism designed to facilitate secure personal data transfers between the European Union and the United States while protecting individual privacy rights. However, the framework isn't simply about ticking compliance boxes. It represents a fundamental shift in how businesses handle cross-border data transfers.
Certification by US companies
The framework operates through an administrative structure run by the US Department of Commerce. Participating US companies must undergo a rigorous certification process that demands a holistic commitment to data protection principles. The US Federal Trade Commission serves as the primary enforcement body, ensuring strict adherence to the established guidelines.
Companies seeking certification must demonstrate comprehensive compliance across multiple dimensions. This isn't a one-time event but an ongoing commitment. A US company that seeks certification will need to demonstrate:
Precise data management protocols
Clear purpose for data collection
Strict minimization of collected data
Robust security mechanisms
Transparent third-party data sharing practices
Limitations of Intelligence Data Access
This mechanism is notable because the executive order underpinning the framework, signed by President Biden in October 2023, introduces unprecedented limitations on intelligence agency data access. The executive order establishes a groundbreaking approach that constrains data collection to only what is strictly necessary and proportionate for national security purposes. Enhanced oversight mechanisms ensure that surveillance activities remain within carefully defined boundaries.
Novel Redress System
The framework's most revolutionary aspect is its two-tier complaint resolution system.
The first tier involves the Civil Liberties Protection Officer, an internal investigative role within the US intelligence community focused on ensuring privacy and fundamental rights compliance.
The second tier introduces the Data Protection Review Court (DPRC), which stands out as a unique judicial mechanism. Composed of external members with specific qualifications, the court can investigate complaints, obtain critical information from intelligence agencies, issue binding remedial decisions, and even order data deletion in cases of verified violations.
EU nationals don't need to prove their data was collected by US intelligence for a complaint to be admissible. They can submit a complaint to their national data protection authority, which will ensure proper transmission and provide related information, including the outcome. This allows individuals to contact a local authority in their own language. The European Data Protection Board will transmit complaints to the United States.
The 2025 Developments: A Critical Threat to Data Protection
The recent actions by the Trump administration represent a significant threat to the fragile EU-US Data Privacy Framework. The dismissal of Privacy and Civil Liberties Oversight Board (PCLOB) members and the emerging influence of the Department of Government Efficiency (DOGE) (led by Elon Musk) raise profound questions about data protection and privacy.
Potential Implications
The current developments suggest several potential scenarios:
Framework Suspension: The European Commission may be compelled to suspend the Data Privacy Framework due to compromised oversight mechanisms.
Some questions regarding the implications of the Trump administration's actions for data protection and privacy were already submitted to the Commission on February 5, 2025:
1. Does the Commission have concerns about PCLOB's independence after the Trump administration's direct interference and the removal of three members?
2. Will the Commission pause the EU-US Data Privacy Framework until PCLOB is restored to full independence? If not, what is the reason?
3. Given the prior points, does the Commission believe that personal data transferred from the EU to the US for law enforcement purposes is sufficiently protected, particularly under the EU-US Umbrella Agreement and through collaboration between Europol, Eurojust, and US authorities?
Business Disruption: Companies relying on transatlantic data transfers would face significant operational uncertainties.
How Can I Support You?
As you know by now, I run Legally Remote — a hub of legal advice and resources for digital entrepreneurs who want to grow their businesses and protect their dreams. Today, Legally Remote is a team of dedicated experts, each contributing to help bring this vision to life.
Here’s how we can work together:
Legal consultancy 1:1. For transatlantic collaborations we can do a GDPR audit and assess any risks your company may face when dealing with a US-based business or when using software developed and owned by US companies (think Google Workspace, Microsoft, Asana, etc.). You can also get clarity on your business’s current standing, the compliance rules you need to follow, or whether a large platform is treating your company fairly.
Legal Packages for Freelancers. Includes a professionally tailored contract template designed for service providers and a 90-minute, one-on-one session with a legal expert who understands your challenges.
Legal Retainer Service. Receive consistent, reliable, tech-savvy legal support for your business throughout the year.
End-to-End Legal Services for Digital Businesses. For more in-depth GDPR audits, data flow reviews, and contingency plans regarding your data usage in transatlantic collaborations. We also cover anything from corporate guidance to e-commerce compliance, trademark protection, and strategies for global expansion, creating personalized solutions that help digital entrepreneurs succeed in the digital landscape.
Not sure what you need? Book a free 20-minute intro call, and let’s figure it out together!
Legal updates
Amazon's GDPR Fine Upheld by Luxembourg Court: Amazon's appeal against a €746 million fine imposed by Luxembourg's privacy watchdog for GDPR violations was dismissed. The court upheld the fine, emphasizing the EU's strict enforcement of data protection regulations.
EU’s New AI Act: The European Commission is considering softening parts of the law, which could spare Big Tech from key elements (paywall).
Updates to PCT Applicant's Guide for Romania: Effective March 20, 2025, the World Intellectual Property Organization (WIPO) released updates to the PCT Applicant's Guide for Romania.
EU's Efforts to Reduce Bureaucracy for Businesses: The EU launched the 'Simplification Omnibus', aimed at reducing administrative burdens to enhance competitiveness against the US and China.
Have some thoughts?
Reply to this email and let’s chat! I’m open to constructive criticism and new and brave ideas.
See you soon! The next issue is on April 10.