The legal foundation supporting transatlantic data transfers is facing renewed pressure as European privacy advocates intensify challenges to the EU-US Data Privacy Framework. At issue is whether the United States can provide privacy protections that European courts will consider equivalent to those guaranteed under EU law.
The debate comes at a critical moment for businesses that depend on cross-border data flows, according to a Tech Policy Press analysis. The framework, adopted in 2023, underpins data transfers supporting an estimated $9.8 trillion economic relationship between the United States and the European Union, allowing companies to move information ranging from employee records and payroll data to customer information and digital services data across the Atlantic.
While political tensions between Washington and Brussels have attracted attention in recent months, the more significant challenge for companies may be the unresolved policy differences that have plagued transatlantic data-transfer arrangements for more than a decade.
At the center of the dispute is a longstanding question that European courts have repeatedly asked: whether U.S. privacy protections are “essentially equivalent” to those available under EU law. That standard has already resulted in the invalidation of two previous transatlantic data-transfer frameworks, first in 2015 and again in 2020.
Privacy advocates argue that the current framework suffers from many of the same structural weaknesses as its predecessors.
One concern involves U.S. surveillance authorities under Section 702 of the Foreign Intelligence Surveillance Act. European critics contend that U.S. intelligence agencies retain broad authority to collect data relating to non-U.S. citizens and that Europeans lack protections comparable to those enjoyed by American citizens. French lawmaker Philippe Latombe, who unsuccessfully challenged the framework before a lower European court and has appealed to the EU’s highest court, argues that Europeans continue to have fewer legal rights than Americans when challenging government access to their data.
The Biden administration sought to address those concerns through executive actions designed to limit bulk collection of data on non-U.S. persons and to impose proportionality requirements on surveillance activities. According to Tech Policy Press, the measures were intended to demonstrate that U.S. intelligence-gathering practices contain safeguards comparable to those found in Europe.
Read more: Lawmakers Urge Trump To Close Loopholes in Biden-Era Data Protections
For privacy advocates, however, the problem is not only the substance of those protections but also their legal durability.
Unlike the EU’s privacy regime, which rests primarily on legislation, several of the framework’s key safeguards depend on U.S. executive branch actions. Critics note that executive orders can be modified or rescinded by future administrations, creating uncertainty about the long-term stability of protections relied upon by European regulators and courts. Although concerns have been raised that the Trump administration could alter existing safeguards, no such changes have occurred to date.
Another focal point is the Data Protection Review Court, a new redress mechanism established within the U.S. Department of Justice. The body was created to provide Europeans with a means of challenging how their personal data is handled by U.S. national security agencies. However, privacy advocates question whether a tribunal established through executive authority rather than legislation can satisfy European requirements for judicial independence. Critics also point to the fact that judges serving on the body can be removed by the president.
Those issues are expected to play a central role in future litigation before the Court of Justice of the European Union. While the European Commission continues to support the Data Privacy Framework, legal experts expect Europe’s courts ultimately will determine whether the arrangement survives. A hearing on Latombe’s appeal is not expected before late 2026.
Even absent immediate regulatory changes, the latest challenge highlights the continuing divergence between the European model, which relies heavily on statutory privacy rights and independent oversight, and the U.S. approach, which has increasingly depended on executive action to bridge the gap. How European courts evaluate those differences could determine the future of one of the world’s most important data-transfer mechanisms.
