
GDPR & the EU-U.S. Data Privacy Framework
In July 2023, the EU-US Data Privacy Framework came into force. The European Commission certified that the successor to the failed EU-US Privacy Shield provides an adequate level of protection for data transfers from the EU to the USA. But are the adequacy decisions actually a reliable basis for the transfer of personal data from the European Union to the United States? What specifically has changed with regard to the protection of EU citizens’ data?
Transatlantic data transfers between the EU and the US repeatedly cause uncertainty. Political decisions in the US could undermine the EU-US Data Privacy Framework, which only came into force in 2023, and thus also the legal basis for numerous data flows of European companies.
So, the big question is: How can personal data be processed in a way that’s compliant with the law without having to rely on international agreements that are constantly changing? The answer lies in European alternatives for software that enable data protection “by design” – without any legal gray areas or geopolitical risks.
Background: Adequacy decisions on shaky ground
When the EU-US Data Privacy Framework came into force in 2023, it was already questionable whether the adequacy decisions for data transfers between the EU and the US were sufficient, as they are largely a copy of earlier regulations such as the failed Privacy Shield. The key flaws of past agreements remain:
- The USA’s anti-terror legislation, which allows US authorities to access the data of EU citizens, remains untouched. No substantial changes were made to US law.
- FISA 702 provides for the collection and storage of personal data of non-US citizens. Those affected have neither legal means nor rights to information in the US to defend themselves against this storage.
- The risk of knowledge transfer when using US-based software is real: Personal data can also be used to transfer trade secrets and European know-how to the US, where it can be accessed by authorities.
alfaview has made a conscious decision not to rely on adequacy decisions, as the Trans-Atlantic Data Privacy Framework does not provide a robust legal basis for the transfer of data to the US in compliance with data protection regulations.
Current political developments in the US: Data protection at risk again?
Political changes in the US are causing new concerns: US President Donald Trump dismissed several members of the Privacy and Civil Liberties Oversight Board (PCLOB) – a key oversight body for data protection in the US. This body played a key role in shaping the EU-U.S. Data Privacy Framework. In addition, several key executive orders, including EO 14086, are under review. They form the basis of the EU-U.S. Data Privacy Framework.
The resulting uncertainty is an incalculable risk for European companies: Any organization that uses US-based services—whether for cloud storage, video conferencing, or other forms of data processing—is potentially affected. If the Data Privacy Framework fails, there is a risk of renewed legal uncertainty, potential fines, and significant expenditure on data protection improvements.
The question is therefore not if, but when a new data protection crisis will occur. Companies should use this time to make themselves independent by using European software alternatives that not only fully comply with the GDPR but also offer long-term security.