Dr. Dominik Schürmann
February 26, 2025

The EU-US Data Privacy Framework on the brink - How secure will my data be in the future?

What has happened?

The EU Parliament has learned that the Privacy and Civil Liberties Oversight Board (PCLOB), a central oversight body for US surveillance programs, is no longer adequately staffed. The PCLOB oversees programs such as FISA Section 702, which allows US intelligence agencies to access the data of non-US citizens. The EU Commission had designated the PCLOB as a central safeguard in the EU-US Data Privacy Framework (DPF). Without this oversight, one of the few independent checks on mass surveillance of European data in the USA ceases to function, and the protective effect of the entire agreement becomes questionable.

What is the EU-US Data Privacy Framework?

The EU-US Data Privacy Framework was introduced as the successor to the Privacy Shield, which the European Court of Justice (ECJ) declared invalid in 2020. It is intended to give companies a legally secure basis for transferring EU user data to the USA and to guarantee data protection in line with European law. In return, the USA promised various safeguards, including improved control mechanisms for surveillance programs, an independent redress procedure for EU citizens and limits on access by US intelligence services.

The EU Commission presented the DPF as a viable solution for reconciling European data protection standards with the US situation. Companies that rely on the DPF can transfer personal data to the USA without additional legal mechanisms such as standard contractual clauses.

The problem

The data protection debate between the EU and the USA is picking up speed again. Following the failure of Safe Harbor and Privacy Shield, the EU-US Data Privacy Framework is now also in danger of collapsing. The reason: the Privacy and Civil Liberties Oversight Board (PCLOB), which acts as the central oversight body for US surveillance programs, is no longer sufficiently staffed. It is supposed to ensure that mass surveillance programs such as FISA Section 702 remain proportionate and do not violate European data protection rights.

The weakening of this oversight body comes at a time of political upheaval in the USA, in particular following Donald Trump's return to the White House. During his first term, the Trump administration tended to treat data protection issues less seriously and even extended surveillance programs. It is therefore questionable whether the protection of European user data will remain a high priority in the USA under the new Trump administration.

Regardless of the political direction, without functioning independent oversight an essential safeguard on which the EU Commission based its adequacy decision for the DPF is missing. If it turns out that the protection of European user data in the USA is no longer guaranteed, the European Court of Justice (ECJ) could strike down this agreement as well, just as it did its predecessors. This would create considerable legal uncertainty for companies that rely on the DPF and could trigger a new legal dispute between the EU and the USA.

Impact on companies and users

This would have significant consequences for companies that transfer personal data to the USA. Services such as LastPass and Dashlane, which are on the Data Privacy Framework list, rely on the agreement to transfer data of EU users to the USA. Should the DPF become invalid, they would once again be left without a clear legal basis for these transfers, and their European users would have to ask whether their data still enjoys the protection they expect.

Companies that continue to work with US providers would have to fall back on alternative transfer mechanisms such as standard contractual clauses, together with supplementary protective measures, or switch to GDPR-compliant European providers. For users, the question arises whether they want to keep relying on providers whose data transfers rest on a legally uncertain agreement.

Source: https://www.dataprivacyframework.gov/list

Is history repeating itself?

Safe Harbor and Privacy Shield both failed before the European Court of Justice because they did not offer sufficient protection for EU data. If it is confirmed that the PCLOB is no longer functional, the EU-US Data Privacy Framework could suffer the same fate. Many US services would then be back in a legal gray area, and European users would have to look for GDPR-compliant alternatives.

What can companies and users do?

In view of the recurring uncertainties, companies and users should act proactively:

- Prefer GDPR-compliant providers: Services that store data exclusively on European servers and do not depend on US legal bases offer a more durable solution. Note that server location alone is not enough: a provider headquartered in the USA remains subject to US law (for example the CLOUD Act) even when its data centers are in the EU, so the provider's legal domicile matters as much as where the data sits.
- Monitor legal developments: Companies should prepare for the possibility that the DPF ends up in court again and is declared invalid.
- Check alternatives: Security-critical services such as password managers in particular should be checked for whether they can guarantee legally compliant use in the EU.

Conclusion

The EU-US Data Privacy Framework stands on shaky ground. Companies that must comply with data protection rules should not rely on short-term political arrangements. For security-critical services such as password managers in particular, it is advisable to look at GDPR-compliant alternatives without US dependencies. Users should be aware that their data only enjoys the full protection of European data protection law if they choose a provider that implements those standards completely.

Switch to GDPR-compliant alternatives now!