Sharing Personal Data with Trump’s USA?
For now, it’s still allowed, but the privacy of customers and employees is at stake.
After the first weeks of the Trump administration, it’s clear that many things are changing around the world. Unfortunately, this also applies to the realm of privacy. As a result, the agreements between the US and the EU on sharing personal data from 2023 already appear to be on shaky ground.
Until 2021, the sharing of personal data belonging to European citizens with US companies was regulated by the Privacy Shield: an agreement between Europe and the US with rules that seemed to comply with European privacy legislation. Emphasis on seemed, as became clear after Edward Snowden’s revelations in 2013 about mass surveillance by the US government. It also became clear that it didn’t matter whether the data was stored on European servers — the US could compel tech companies to provide access to that data anyway. Following a ruling by the European Court of Justice in 2020, the Privacy Shield was no longer considered sufficient. It wasn’t until 2023 that the Trans-Atlantic Data Privacy Framework (TDF) came into effect, introducing additional safeguards for EU citizens. The main oversight body responsible for ensuring compliance on the US side is the Privacy and Civil Liberties Oversight Board (PCLOB).
In January 2025, all three sitting members of this so-called ‘independent’ oversight body were dismissed by President Trump. This eliminates a crucial pillar supporting the TDF. The European Parliament has since raised questions with the European Commission, including the key question:
“Given the above developments, does the Commission consider that personal data transferred from the EU to the US in the context of law enforcement is adequately protected?”
The TDF remains in force for now, until the European Commission decides to suspend it. With Privacy Shield, this only happened after privacy activist Max Schrems brought the case before the European Court of Justice. The question now is whether it will take that long again, especially given the increasingly strained relationship with the US.
The collapse of the PCLOB as an oversight body does not immediately make US data transfers illegal. The European Commission’s decision remains valid until it is formally annulled by the Commission itself or the Court of Justice. However, if key elements that the EU relied on are no longer functioning, the EU will eventually have to invalidate the agreement. In the words of Max Schrems himself:
"Although the arguments supporting the EU-US agreement seem to be crumbling, companies can rely on the agreement as long as it is not formally invalidated. However, given the developments in the US, it is now more important than ever for companies and other organizations to have a 'host in Europe' contingency plan."
Data transfers between the EU and the US are still legal for now — but at the very least, prepare for the possibility of suspension or invalidation of the TDF.
This discussion could still go in many directions, but having a contingency plan can help your organization make the right decisions.
Our privacy specialists have extensive experience working with financial institutions in roles such as privacy officer and data protection officer. We are happy to help you develop your records of processing activities and other privacy documentation in a way that suits your organization. Want to know more about the possibilities? Feel free to contact us.