Is the USA Open for EU Personal Data Transfers? The Story So Far

Updated March 2026  written by Maeve Dunne

Back in July 2020, the Court of Justice of the EU (CJEU) sent new shockwaves through the data transfer world with its Schrems II judgment (so good they did it twice). The court struck down the EU-US Privacy Shield — the mechanism thousands of companies relied on to transfer personal data across the Atlantic — finding that US surveillance law gave American intelligence agencies disproportionate access to EU citizens' data, with no meaningful redress available.

Standard Contractual Clauses (SCCs) survived, but with a major catch: organisations could no longer sign and file them away. Controllers had to assess, on a case-by-case basis, whether the destination country actually offered adequate protections in practice — a significant compliance burden that fell hardest on businesses transferring data to the US.

Enter the Data Privacy Framework

After three years of negotiations, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF) on 10 July 2023, effectively reopening the transatlantic data transfer route. The DPF is underpinned by a US Executive Order introducing new binding safeguards designed to ensure that access to data by US intelligence agencies is limited to what is necessary and proportionate, along with an independent redress mechanism for EU citizens  directly addressing the two core failings the CJEU identified in Schrems II.

The DPF is a voluntary framework: US companies self-certify to the Department of Commerce that they comply with DPF Principles, and a participating company's failure to comply may violate FTC enforcement powers. If your US counterpart is certified, you can transfer personal data to them without SCCs or a Transfer Impact Assessment.

The Framework Survives Its First Legal Challenge

Privacy advocates — most notably Max Schrems and his organisation NOYB — immediately signalled they would challenge the DPF, as they had successfully done with its predecessors Safe Harbor and Privacy Shield. On 3 September 2025, the EU General Court dismissed the first action seeking to annul the DPF, confirming that the United States ensures an adequate level of protection for personal data transferred to certified organisations. Workforcebulletin

However, the debate is far from settled. The ruling is limited to the specific arguments raised by the French plaintiff and does not preclude future legal challenges based on different arguments or new facts arising since July 2023.

The Elephant in the Room: Trump-Era Uncertainty

In January 2025, the Trump administration fired Democrat members of the Privacy and Civil Liberties Oversight Board (PCLOB), leaving it short of the three members required to make decisions Wikipedia — a body central to the DPF's redress architecture. Several European data protection authorities, including Norway's Datatilsynet and Germany's Federal Ministry of the Interior, have advised businesses to develop contingency plans in light of potential future challenges to the DPF. The Firewall

What This Means for Your Business

The DPF is currently valid and usable — but its long-term stability is genuinely uncertain. The practical advice for organisations is:

• If your US provider is DPF-certified, transfers are lawful today under Article 45 GDPR. Verify certification status at dataprivacyframework.gov.

• Don't rely solely on DPF. Have SCCs in place as a fallback, and ensure your Transfer Impact Assessments are up to date in case the framework falls.

• Keep watching. A CJEU appeal of the September 2025 ruling is possible, and political developments in the US remain a live risk factor.

EU-US data transfers are open — for now. But the history of this area tells us that "for now" can change quickly.

Need help reviewing your data transfer arrangements or putting a robust fallback in place? Contact the Privacy Path team today.