Photo: Locked Shields 2021. Credit: NATO Cooperative Cyber Defence Centre of Excellence

Transatlantic Data Truce Under Threat

As Europe doubles down on tech sovereignty and Washington waters down privacy protections, the crucial deal allowing data flows across the Atlantic could collapse.

By Peter Chase and Anda Bologa

June 27, 2025

Is the third time the charm? The European Court of Justice twice declared US protection of European data “inadequate,” creating a confusing legal limbo for thousands of companies that depend on the transfers.

Here’s the problem: the European Union’s General Data Protection Regulation allows personal data to be transferred freely only to countries with “equivalent” data privacy protections. The US has no national privacy law and Europeans fear that US security services could gain access to their data. Negotiations came up with workarounds, the Safe Harbor in 2000 and the Privacy Shield in 2016, only for European judges to veto them in 2015 and 2020, respectively.

In July 2023, the two sides agreed on a new Data Privacy Framework, hoping it would be a legal bridge strong enough to survive judicial review. In order to assuage European concerns, the new deal included tight necessity-and-proportionality limits on US bulk surveillance and a new redress mechanism. If Europeans feared the US government was abusing their personal information, they could complain to a Civil Liberties Protection Officer and an independent Data Protection Review Court – both subject to oversight by the five-member Privacy and Civil Liberties Oversight Board.

Today, these protections are wobbling. After retaking office in January 2025, President Donald Trump fired three Democratic members of the Privacy and Civil Liberties Board, including its chair, leaving just one member and no quorum. The Board needs at least three members to launch new investigations or issue formal reports. This hollowing-out has recreated the oversight gap cited by the top European court in 2020 when it struck down Privacy Shield.

Austrian activist Max Schrems, who filed both cases against the earlier transatlantic data deals, now smells a third victory. His None of Your Business NGO warns that the firings show that the US no longer provides “essentially equivalent” safeguards. He vows a new legal challenge.

Should Europe’s top court again agree with Schrems, the Data Privacy Framework adequacy decision would collapse and – overnight – the main legal basis for most transatlantic personal data transfers would vanish. Every transatlantic data transfer – including under so-called standard contract clauses – would become presumptively illegal, and could fall the moment a European data protection regulator concludes that Washington’s guardrails have slipped.

Get the Latest

Data flows fuel transatlantic business. According to the Transatlantic Economy 2025, total EU-US commercial ties are worth roughly $9.5 trillion, including goods and services trade and sales by US and European investments on the opposite side of the pond. Virtually all those operations rest on transatlantic data flows. US and European companies that sell digitally enabled services, in particular, would suffer. For example, European companies bought some €130 billion in cloud computing services in 2024, much of which were sophisticated offerings such as database hosting or AI-model training from American cloud hyperscalers, who both store and process much of the data in the US.

Before the present data deal went into effect, legal uncertainty sent compliance costs soaring, delaying AI deployments, and inviting a cascade of European privacy fines – exactly the kind of friction Brussels says it wants to avoid as it tries to catch up in cloud and artificial intelligence infrastructure.

Yet the European political calculus has changed since the Privacy Shield fell in 2020. Talk of tech sovereignty animates flagship files from the European Chips Act to the AI Act and the Cyber-Resilience Act. Against that backdrop, the sense that Washington is dismantling privacy oversight could force the European Commission to withdraw its adequacy finding even before the European Court decides to invalidate it. Even before such drastic steps, the weakening of protections in the US reinforces calls for Europeans to store data with European, not American, companies.

If Europe gives up on the Data Privacy Framework, privacy activists such as Schrems will applaud, saying the move proves Europe’s privacy principles are more than paper. Yet it would hurt companies and public administrations, forcing them to purchase expensive, hurried data migrations that could delay everything from the European Health Data Space to next-generation railroad signalling. Each week of uncertainty fuels skepticism about US reliability.

The lesson of the past decade is clear. European courts demand privacy protections. If the Trump Administration does not shore up the Data Privacy Framework, it risks blowing up the world’s busiest data corridor. Europe will again be hoist on its privacy petard, and Washington will be left standing in the debris.

Peter Chase is a former US diplomat and now a Visiting Senior Fellow in the Brussels office of the German Marshall Fund of the United States.

Dr. Anda Bologa is a senior researcher in the Tech Policy Program at the Center for European Policy Analysis (CEPA).

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.