Here’s the latest about cross-border transfers of personal data from the European Union and United Kingdom to the United States:
- In Europe: The European Union-U.S. Data Privacy Framework (“EU-U.S. DPF”) survived the first round of a legal challenge in September 2025. But that decision is on appeal to the Court of Justice for the European Union (“CJEU”), which famously rejected two prior mechanisms. Regardless, this challenge does not address whether as implemented the EU-U.S. DPF still satisfies the requirements on which the EU Adequacy Decision was based. Among changes of concern:
- In the U.S.: The Privacy and Civil Liberties Oversight Board (“PCLOB”), on which in part the EU-U.S. DPF was based, has lacked a quorum to act since January 2025. That’s because the Trump Administration fired three Members, leaving the PCLOB with only one. How then could the PCLOB be satisfying its oversight functions as a bipartisan, independent agency? (A legal challenge to two of the firings is pending, its trajectory intertwined with a Federal Trade Commission firing case being heard by the United States Supreme Court.)

Stay tuned….
Background:
On July 10, 2023, the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) came into force. That’s when the European Commission announced its Adequacy Decision for EU-protected personal data transfers to certain entities in the United States (those self-certified under the EU-U.S. DPF).
Subsequently, mechanisms were approved for transferring personal data protected by the United Kingdom (and Gibraltar) and Switzerland via (respectively) the UK Extension to the EU-U.S. DPF (“UK Extension,” or in the preferred terminology of the UK Information Commissioner’s Office, a data bridge) and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”).
Thousands of companies have since self-certified to the EU-U.S. DPF, UK Extension, and the Swiss-U.S. DPF via the U.S. Secretary of Commerce’s International Trade Administration website (www.dataprivacyframework.gov).
Meanwhile, in September 2023 a challenge (request to annul) was filed with the General Court of the European Union (“General Court”): Philippe Latombe challenged the European Commission’s Adequacy Decision on multiple grounds. (Mr. Latombe, a member of the French Parliament and commissioner of the French Data Protection Authority (“CNIL”), brought the claim in his personal capacity.)
The General Court heard arguments in April 2025 and, on September 3, 2025, dismissed the challenge, upholding the Adequacy Decision (and ordering Mr. Latombe to pay the Commission’s costs). In October 2025, Mr. Latombe appealed to the Court of Justice for the European Union. As of this writing, the CJEU has not yet ruled.
As those of us in the data privacy field will recall, the CJEU rejected two prior efforts to legitimize trans-Atlantic data flows (in 2015, the Safe Harbor (aka Schrems I), and in 2020, the Privacy Shield (aka Schrems II)).
Even if the CJEU upholds the decision of the General Court, this case was limited to the EU-U.S. DPF as of the time of the Adequacy Decision – it is not about how it has worked in practice. The General Court noted that the European Commission is to monitor the DPF’s application, and may take appropriate action if there are changes, including suspension, amendment, or repeal.
And changes there have been in the U.S., since the change in Presidential administrations. These include, starting in early 2025, the Trump Administration purported to fire many federal workers — including members of federal boards and agencies.
This included, in January 2025, firing the three Democrat members of the Privacy and Civil Liberties Oversight Board (“PCLOB”).

Initially established in 2004, the PCLOB is to monitor compliance with procedural safeguards over the U.S. government’s surveillance activities. By statute, the PCLOB is an independent agency (not advisory committee) comprised of five Members, of whom no more than three may be from the same political party.
As a result of the Trump Administration’s purported firings of all but one Member of the PCLOB (a Republican), the agency lacks a quorum (which requires three). So it cannot perform its statutorily required obligations.
The PCLOB’s independence from the Executive Branch was a key part of the EU’s Adequacy Decision allowing the EU-U.S. DPF: Part of the PCLOB’s role is to oversee the redress mechanism for non-U.S. citizens. Relatedly, in striking down the Privacy Shield, the CJEU had deemed its Ombudsperson Mechanism insufficiently independent of the U.S. Executive Branch.
Two of the three fired PCLOB Members sued, asserting the President lacks authority to remove them. (The statute governing the PCLOB had been amended, post-9/11 Commission, to remove language that previously subjected their service to the President’s “pleasure.” It requires that Members be appointed “without regard to political affiliation.”)
In May 2025, a U.S. District Court agreed, ordering them reinstated. Unsurprisingly, the Trump Administration appealed. The PCLOB remains in limbo.

Addressing the appeal has been deferred, awaiting a ruling by the U.S. Supreme Court in a different case (Donald Trump v. Rebecca Slaughter). The Slaughter case regards the Federal Trade Commission, with far-reaching consequences for checks and balances in the U.S. legal system. At issue is a nearly one hundred year old precedent about the independence of federal agencies. Oral argument was heard December 8, 2025. As of this writing, the Supreme Court has not yet ruled.
As usual in the data privacy/contracting space, we all need to keep an attentive eye on what develops, both internationally and within the U.S.
Meanwhile … What About Contractual Data Processing Terms, Including “Standard Contractual Clauses”?
Despite this turmoil, commerce rolls on and with it, contracts.
Robust contract terms are still required for transfers of personal data to the U.S. for processing, regardless of whether the EU-U.S. DPF remains viable (or the UK Extension or Swiss-U.S. DPF, as applicable), and regardless of whether a party is certified.
(For reference, see the EU-U.S. DPF’s Supplemental Principles, and the EU’s Standard Contractual Clauses for controllers and processors in the EU/EEA.)
But where the EU-U.S. DPF applies, transfers to certified companies don’t require additional terms specific to risks of cross-border transfer to the U.S. — terms which form part of the European Union’s other “Standard Contractual Clauses,” those for the transfer of personal data outside the EU/EEA (“EU SCCs”) (notably, transfer impact assessments).
The European Commission, UK, and U.S., in 2023, voiced the opinion that the U.S.’ safeguards not only legitimized the EU-U.S. DPF, but strengthened contractual mechanisms for cross-border personal data transfers (which in addition to EU SCCs include the UK’s mechanisms, alternatively the UK Addendum to the EU SCCs, or the UK’s International Data Transfer Agreement “IDTA”)). As the European Commission explained:
The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using other tools, such as standard contractual clauses and binding corporate rules. (Emphasis added).
Indeed, many transactions still do — and will — incorporate the EU SCCs (and, where applicable, mechanisms for UK and/or Swiss transfers) regardless of whether a company is certified to the EU-U.S. DPF. For just some of the reasons why, including risk tolerance, please see this article.
(For prior articles about international data transfers, please see: July 2023 (EU Adequacy Decision), December 2022 (draft EU Adequacy Decision), October 2022 (U.S. Executive Order, etc.), September 2022 (EU contract terms), March 2022 (UK contract terms).)
And to learn more about information technology contracts, including data privacy and security terms generally, Tech Contracts Academy offers public and in-house trainings.
__________________________________________________________________________________
© 2025 by Kathy O’Sullivan Esq. (CIPP/E, CIPP/US). All rights reserved.
Thank you to Pixabay.com for great, free stock images.
THIS ARTICLE IS NOT LEGAL ADVICE. IT IS GENERAL IN NATURE AND MAY NOT BE SUFFICIENT FOR A SPECIFIC CONTRACTUAL, TECHNOLOGICAL, OR LEGAL PROBLEM OR DISPUTE, AND IT IS NOT PROVIDED WITH ANY GUARANTEE, WARRANTY, OR REPRESENTATION. LEGAL SITUATIONS VARY, SO BEFORE ACTING ON ANY SUGGESTION IN THIS ARTICLE, YOU SHOULD CONSULT A QUALIFIED ATTORNEY REGARDING YOUR SPECIFIC MATTER OR NEED.