EU-U.S. Data Transfers in 2025

By Mari S. Clifford and Scott C. Hall

Cross-border data transfers between the EU and U.S. remain a legal and operational minefield. While the July 2023 adequacy decision ushered in the EU-U.S. Data Privacy Framework (DPF), recent developments have called its long-term stability into question. In parallel, both EU regulators and U.S. authorities have ramped up scrutiny of international data flows—ushering in a more complex, risk-sensitive compliance era for transatlantic businesses.

The State of the Framework

The DPF, designed to replace the invalidated Privacy Shield, allows certified U.S. companies to receive EU personal data without standard contractual clauses (SCCs) or transfer impact assessments (TIAs). But its legal foundation—U.S. Executive Order 14086—has come under renewed pressure following:

  • Dismissals of key privacy oversight officials in the U.S.
  • Structural changes to the Data Protection Review Court.
  • Broad access authority granted to a new U.S. intelligence body—the Department of Government Efficiency (DOGE).

The European Commission has signaled support for maintaining the DPF but acknowledged that ongoing U.S. political developments could impact its sustainability. Legal challenges remain possible, and several supervisory authorities have advised against over-reliance.

Enforcement is Real: The Uber Case

In January 2025, the Dutch DPA fined Uber €290 million—the largest penalty issued by the regulator to date—for unlawful transfers of EU driver data to the U.S. without valid safeguards after discontinuing SCCs in 2021. Uber argued that GDPR’s territorial scope negated the need for Chapter V safeguards. The DPA rejected this, reaffirming that data transfers must meet all GDPR conditions regardless of joint controllership claims.

The decision underscores that even global, well-resourced companies cannot afford gaps in transfer compliance.

New U.S. Restrictions Create Reverse Pressure

The compliance calculus is also shifting in the other direction. The U.S. Department of Justice’s “Bulk Data Rule,” effective April 2025, imposes strict restrictions on transfers of sensitive personal data from the U.S. to “countries of concern” (including China, Russia, and others). While aimed at national security, the rule applies to any U.S.-based entity—including those acting as processors for EU data—raising novel compliance challenges for onward transfers out of the U.S.

Implications include:

  • Required audits and risk assessments.
  • CISA-level cybersecurity obligations.
  • Potential delays or restrictions for multinational vendor chains.

Takeaways for Businesses

To maintain compliant and resilient data transfer programs in this dynamic environment, organizations should:

  • Verify DPF Certifications: Ensure U.S. recipients are currently certified and that the certification covers the specific data and processing purpose.
  • Retain SCCs and TIAs as a Backup: Maintain robust documentation and fallback mechanisms in case the DPF is invalidated or suspended.
  • Monitor U.S. Bulk Data Rules: Assess whether EU data processed in the U.S. is subject to onward transfer restrictions under the DOJ’s new regime.
  • Conduct Ongoing Transfer Risk Reviews: Include recent regulatory, legal, and political developments in third-country assessments.
  • Align Internal Definitions: Ensure data transfer definitions match those used by EU authorities—including for remote access scenarios.
  • Anticipate Regulatory Questions: Regulators may require granular evidence of safeguards, especially for transfers involving sensitive data (e.g., biometrics, employment, location).

While the DPF provides useful breathing room, it is not a bulletproof shield. EU-U.S. data flows remain structurally fragile, and organizations must layer compliance strategies—technical, contractual, and legal—to minimize exposure. Proactive alignment with evolving expectations on both sides of the Atlantic remains the best defense.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.