By Mari S. Clifford and Scott C. Hall
Cross-border data transfers between the EU and U.S. remain a legal and operational minefield. While the July 2023 adequacy decision ushered in the EU-U.S. Data Privacy Framework (DPF), recent developments have called its long-term stability into question. In parallel, both EU regulators and U.S. authorities have ramped up scrutiny of international data flows—ushering in a more complex, risk-sensitive compliance era for transatlantic businesses.
The DPF, designed to replace the invalidated Privacy Shield, allows certified U.S. companies to receive EU personal data without standard contractual clauses (SCCs) or transfer impact assessments (TIAs). But its legal foundation—U.S. Executive Order 14086—has come under renewed pressure following:
The European Commission has signaled support for maintaining the DPF but acknowledged that ongoing U.S. political developments could impact its sustainability. Legal challenges remain possible, and several supervisory authorities have advised against over-reliance.
In January 2025, the Dutch DPA fined Uber €290 million—the largest penalty issued by the regulator to date—for unlawful transfers of EU driver data to the U.S. without valid safeguards after discontinuing SCCs in 2021. Uber argued that GDPR’s territorial scope negated the need for Chapter V safeguards. The DPA rejected this, reaffirming that data transfers must meet all GDPR conditions regardless of joint controllership claims.
The decision underscores that even global, well-resourced companies cannot afford gaps in transfer compliance.
The compliance calculus is also shifting in the other direction. The U.S. Department of Justice’s “Bulk Data Rule,” effective April 2025, imposes strict restrictions on transfers of sensitive personal data from the U.S. to “countries of concern” (including China, Russia, and others). While aimed at national security, the rule applies to any U.S.-based entity—including those acting as processors for EU data—raising novel compliance challenges for onward transfers out of the U.S.
Implications include:
To maintain compliant and resilient data transfer programs in this dynamic environment, organizations should:
While the DPF provides useful breathing room, it is not a bulletproof shield. EU-U.S. data flows remain structurally fragile, and organizations must layer compliance strategies—technical, contractual, and legal—to minimize exposure. Proactive alignment with evolving expectations on both sides of the Atlantic remains the best defense.
If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.