EU/US DPF: More trouble for transatlantic data transfers?

Do recent Trump administration actions raise doubts about the EU-US Data Privacy Framework’s future and threatening transatlantic data transfers? Some analysts suggest they do…

The key points: As we observed at the end of February, actions by the Trump administration have raised doubts about the future of the EU-US Data Privacy Framework (DPF), which governs data transfers between the EU and US. The dismissal of key oversight officials and a new executive order increasing White House control over regulatory agencies have sparked concerns about the independence of the US end of the framework, as required under EU law.

Meanwhile on GDPR reforms: The EU’s data regulatory authorities, the EDPB and EDPS, have said that they “can express preliminary support” to simplifying GDPR record-keeping for firms under 500 employees, but final approval depends on a formal consultation process… but why ring fence long overdue reforms to just one segment of business? See our March comments on this matter. 

Why this matters: If the DPF is seen as inadequate by EU authorities, it could disrupt transatlantic data flows, affecting businesses that rely on transferring personal data between the EU and US. This would particularly impact small and medium-sized enterprises and could strain EU-US relations.

What might happen next: EU regulators may review or could even suspend the DPF if they conclude US agencies can no longer guarantee adequate privacy protections. Though the DPF is primarily used by small/medium sized companies, any organisations transferring data between the EU and US via DPF should monitor regulatory developments closely and review their data transfer arrangements, to ensure compliance if the DPF is invalidated.

Two of the commentaries referenced in this news story. 

• kennedyslaw.com/en/thought-leadership
• infosecurity-magazine.com/opinions