EU-US DPF Latest Developments Tracker
by Streamlex 15 March 2025
A continuously updated tracker summarizing the latest developments, including positions of the data protection authorities and EU institutions, on the future of the EU-US Data Privacy Framework (DPF) and any related regulatory challenges. Includes key takeaways for companies and direct links to official statements.
Backround
The EU-US Data Privacy Framework (EU-US DPF), adopted by the European Commission in July 2023, was long awaited by many EU businesses. It allows the EU companies to transfer personal data to US companies certified under EU-US DPF without requiring additional safeguards.
Issue
However, the EU-US DPF is coming under increased scrutiny primarily due to the political developments in the US (read more about the reasons for concern here and here), raising challenges about its long-term stability. Recent statements from the Nordic DPAs signal uncertainty over the longevity of the adequacy decision. If the decision is overturned, companies relying on it for data transfers may need to find alternative mechanisms.
EU-US DPF Latest Developments Tracker
Last updated: 15 March 2025
Jurisdiction | Date | Institution | Development | TL;DR | Analysis |
|---|---|---|---|---|---|
EU | 1 April 2025 (coming up) | Court of Justice of the EU (CJEU) | Mr Latombe seeks annulment of the EU-US DPF alleging infringements of the Charter and GDPR. Mr Latombe's application for an interim relief was dismissed by the Court in 2023. | ||
Netherlands | 17 March 2025 | Dutch Ministry of Interior and Kingdom Relations | Cabinet response on the sustainability of the European Union-U.S. Data Privacy Framework (DPF) | Dismissals at the U.S. PCLOB do not undermine the EU-US DPF adequacy decision. The PCLOB can still oversee Executive Order 14086, which underpins U.S. data protection standards. However, if the DPF no longer ensures adequate protection under the GDPR, the European Commission may need to suspend or withdraw the adequacy decision, requiring alternative safeguards like SCCs or BCRs for data transfers. | |
EU | 13 March 2025 | European Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection Michael McGrath | Statement during the CSIS webinar The Future of Transatlantic Digital Collaboration | The EU will continue to monitor the U.S. developments, but it is "committed" to continuing the agreement. Continuation of EU-US DPF remains a goal for the EU and US. | European commissioner discusses EU-US Data Privacy Framework, potential GDPR reform |
Sweden | 5 March 2025 | Swedish DPA | Authority statement: Transfer of personal data to the USA, what applies? | The US adequacy decision is still in effect. However, it may be revoked or annulled by the Commission or CJEU if data protection is deemed inadequate. Companies must stay informed about US adequacy decision updates and be prepared to find alternative data transfer mechanisms if it is revoked. | |
Norway | 26 February 2026 | Norwegian DPA | Authority statement: Information about transfers to the United States | The EU-US DPF is still in effect, but the companies should prepare an exit strategy in case the adequacy decision is revoked, as there may be no transition period. | |
EU | 5 February 2026 | Member of the European Parliament Raquel García Hermida-Van Der Walle (Renew) | MEP questioned the European Commission on U.S. data privacy policies, specifically PCLOB’s independence. She asked if the Commission would consider suspending the EU-US DPF until the board is fully independent. | ||
Denmark | 29 February | Danish DPA | Statement of the authority representative in the media: The Danish Data Protection Agency warns: Trump may pull the rug from under Danish companies' cloud | Danish companies must make concrete plans for how they can "free themselves" from the US services in case EU-US DPF is invalidated. |
