At our Data, Privacy & Cyber Conference in January we gave an overview of what was on the horizon in the data protection world in 2025. We knew that, with a new UK government with a new agenda, a new US administration seeking a change of direction and the EU's continued data strategy, practitioners were going to be kept very busy in 2025.
As anticipated, 2025 has started with a "data privacy bang", with events across the Atlantic and closer to home having a real impact on the international transfers space. In this piece we will look at the potential impact of the Trump administration's recent actions on the EU-US Data Privacy Framework, the EU Commission's response and the potential consequences for the UK-US Data Bridge. We will also consider the upcoming renewal of the UK's adequacy decision and whether the passage of the Data (Use and Access) Bill, or other developing events may have an impact. Finally, we will provide some practical tips on how businesses can prepare and steady the ship in these choppy waters.
The EU-US Data Privacy Framework
President Trump's first few months in office
The global impact of the actions of the Trump administration is at the front of many people's minds at the moment. The potential consequences for peace in Europe and global trade are beyond the scope of this article. However, from a data protection perspective, the impact of President Trump's actions on the guarantees that underpin the EU-US Data Privacy Framework (DPF) is particularly concerning.
Many believe that President Trump's actions since his inauguration are paving the way for a "Schrems III", and Max Schrems has been making his views known on social media about the "absurd state" of EU-US data transfers, saying that he "expects a collapse at any time". In a recent webinar hosted by TeachPrivacy, Schrems commented that he may not need to bring an action via the Court of Justice of the European Union (CJEU), as he thought the recent US government actions should prompt the European Commission to proactively suspend the DPF. However, he didn't rule out a legal challenge if the Commission doesn't take action, and even mentioned using a civil law injunction.
The historical context of the DPF
The DPF was developed by the European Commission and the then US administration to replace the Privacy Shield, which was invalidated by the Schrems II CJEU decision in 2020 due to deficiencies in the protection of EU personal data transferred to the US; in particular, government surveillance and insufficient mechanisms for data subjects to seek redress.
To address these deficiencies, President Biden issued Executive Order 14086 (EO 14086) which set out the privacy principles that US agencies must follow when engaging in intelligence surveillance. It:
- Limits US intelligence agencies to collecting data only when it is necessary for national security
- Establishes a two-tier redress system for data subjects through the creation of the Data Protection Review Court (DPRC), and
- Ensures independent oversight of US intelligence activities
Several oversight bodies were established to ensure this independence. These included:
- Privacy & Civil Liberties Oversight Board (PCLOB), which was set up as a five-member bipartisan board with a remit to oversee the actions of the executive, to ensure that intelligence gathering aligns with privacy rights and civil liberties, and to oversee how the US intelligence agencies implement EO 14086. The PCLOB also evaluates how the Civil Liberties Protection Officer and DPRC are working and ensures that EU citizens' complaints about surveillance are handled fairly.
- Civil Liberties Protection Officer (CLPO), who is located in the Office of the Director of National Intelligence (ODNI), conducts initial reviews of data subjects' complaints and ensures compliance with US intelligence safeguards.
- The Federal Trade Commission (FTC), which was also given powers to oversee the compliance of US companies that self-certify under the DPF.
In the DPF adequacy decision process both the FTC and ODNI issued letters to the EU Commission confirming their commitment to enforce the DPF. The role of these oversight bodies was one of the key factors considered by the EU Commission when adopting the DPF adequacy decision.
In July 2023 the EU Commission granted adequacy to the DPF, concluding that the United States ensures an adequate level of protection for personal data transferred from the EU to companies participating in the DPF. Shortly afterwards, the UK-US extension to the DPF (UK Bridge) was agreed and granted adequacy by the UK government. These frameworks have enabled the safe, free flow of personal data from both the EU and the UK to the US. They have also simplified the completion of Transfer Risk Assessments (TRAs) for US transfers. Companies can rely on the DPF adequacy finding as part of their risk assessment not only where the receiving US company is registered to the DPF but also where the standard contractual clauses (SCCs) or another transfer mechanism is used.
The Trump administration's actions
Although President Trump has not (yet) directly changed any of the underlying guarantees of the DPF, a few of his recent actions will potentially have far-reaching consequences for the DPF.
PCLOB
In his first week in office, President Trump removed all three Democrat members of the PCLOB, leaving the five-person board with only one Republican member and not quorate to formally make decisions. The potential concern with this action is that the PCLOB will be unable to effectively provide privacy-related oversight of the activities of US intelligence agencies.
The PCLOB's remaining member has issued a reassuring statement that it will continue to carry out its oversight work through the publication of staff reports, but we will have to wait and see if the Trump administration will appoint new members in compliance with the rule that only three members can be from the same political party.
Presidential actions
On 20th January, President Trump issued the Presidential Action "The Initial Rescission of Harmful Executive Orders and Actions", which requires the review of all national security related orders implemented since January 2021 (which will include EO 14086). This review was to be carried out within 45 days, a period which expired on 6 March. At the time of writing, there has been no update from the White House about the current status of this review and whether EO 14086 has been affected.
However, it is worth noting that Project 2025, a political agenda closely linked with the Trump administration, called for "an immediate study" of EO 14086. It is also worth noting Vice-President Vance's recent open criticism at the AI Action Summit of the EU's digital regulation and GDPR. If the Executive Order is revoked, this would likely sound the death knell for the DPF.
Then, on 18th February, President Trump issued the Presidential Action "Ensuring Accountability for All Agencies". This sets out the administration's policy of "Presidential Supervision and Control of the Entire Executive Branch", which includes submitting all significant regulatory actions for Presidential review. The concern here is that these changes could mean that the FTC is not sufficiently independent to enforce the DPF. This concern has already materialised: on 18th March, the White House removed the two Democrat FTC Commissioners, leaving only two Republican Commissioners. Again, there have been statements from sources in the US that the day-to-day functions of the FTC would not be impaired by these firings.
Response by the EU Commission
Up until 14th March, the EU Commission had remained noticeably silent on President Trump's actions. This is perhaps not surprising bearing in mind the current fragile relationship between the EU and US in light of the Ukraine peace negotiations and potential trade tariffs. Also, although President Trump's initial actions are concerning, we anticipate that the Commission is also waiting to see what will actually happen in practice to the FTC and the PCLOB.
Despite the Commission's silence, several European Data Protection Authorities have started to make their views known. For example, the Norwegian, Danish and Swedish DPAs have recently published FAQs regarding the state of lawful EU-US data transfers following the developments under the Trump administration. They have all concluded that, as the adequacy decision still applies, it is still permissible to transfer personal data to organisations in the US that are covered by the DPF. However, they expect that the rules will be challenged and that businesses should have an "exit strategy".
Finally, on 14th March, there was comment from a Commission representative. It was reported that the EU Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath, had been in Washington, DC, where he met with members of Congress, US agencies, and the EU-US business community. His discussions focused not only on the DPF but also on the EU's efforts to boost competitiveness, simplify regulations, and drive innovation. Interestingly, he met with one of the remaining PCLOB board members, Beth A. Williams, where they discussed the PCLOB's role under EO 14086.
In a livestreamed event on 13th March at the Center for Strategic and International Studies focusing on The Future of Transatlantic Digital Collaboration, Commissioner McGrath said that he was "committed" to continuing the DPF, noting that the DPF generates more than $1 trillion annually. He said that "It is an objective of the European Union to continue with full implementation and enforcement of the Data Privacy Framework".
Commissioner McGrath also said the EU will continue to monitor the US developments and any DPF complications that may arise. However, he insisted maintaining the transfer agreement remains an obvious goal for the EU and the US: "It is my expectation, because of the mutual benefits that it provides for European companies, for American companies, that there is a willingness on both sides of the Atlantic to continue with this".
McGrath also explained that he had "a very good meeting with US Federal Trade Commission Chair, Andrew Ferguson, and he reassured me of his support for the DPF". However, it must be noted that McGrath's comments were made days before the firings at the FTC.
What actions should UK businesses be taking now?
As so much will depend on what further actions President Trump or the Commission will take over the coming months, it is hard to predict with certainty what will happen. Overall, our current view is that nothing will change drastically in the short term, albeit this is an area in which businesses that transfer personal data to the US should remain very vigilant.
However, businesses should start to prepare their DPF "exit strategy", and we think the following would be prudent actions to put in place sooner rather than later:
- Know which of your transfers to the US rely on the DPF (or the UK Bridge) and have in place an action plan to implement the SCCs or an alternative transfer mechanism if the DPF ceases to be a lawful transfer mechanism.
- Consider implementing clauses into contracts that provide for the SCCs to automatically come into effect if the DPF is invalidated.
- Identify which of your TRAs rely on the DPF adequacy decision and have in place a plan to update them.
It is worth remembering that although the UK Bridge is an extension of the DPF, it is a separate legal mechanism. The invalidation of the DPF in the EU will only affect transfers between the EU and the US. Therefore, there is a possibility that the UK Bridge could continue (even if the DPF was invalidated) if the US continues to operate the DPF registration for US companies. However, if the DPF fails and UK companies continue to make transfers under the UK Bridge, there may be pressure from the EU Commission to review the EU-UK adequacy decision. Readers may remember that when Safe Harbor and Privacy Shield were invalidated, the Swiss quickly followed suit to invalidate their equivalent decisions.
We will look at UK adequacy in the next section of this article as this is another area of international transfers that is very relevant to UK businesses and is in a period of uncertainty.
UK adequacy
The European Commission's adequacy decisions in respect of the UK are set to expire on 27th June, unless the European Commission reaffirms that the UK continues to provide an appropriate level of personal data protection. On 18th March, the Commission announced that it intends to extend the UK adequacy decisions by six months, meaning that the current decisions would expire on 27th December 2025 unless renewed. This proposal for an extension has to be referred to the European Data Protection Board for its opinion before it is approved, although we do not currently see any reason why it would not be approved.
The intention behind the extension for the existing adequacy decisions is to provide the European Commission with sufficient opportunity to consider changes to the UK's data protection legislative landscape, which will be brought about with the passage of the Data (Use and Access) Bill (DUA Bill). Once the legislative process is concluded, the Commission will assess the new legal framework and decide on the UK's adequacy. For now, it appears that there will continue to be uninterrupted data flows from the EU to the UK until at least the end of the year.
Effect of the provisions of the DUA Bill on UK adequacy
So, what impact is the passage of the DUA Bill likely to have on the European Commission’s decision on the UK's adequacy status?
The DUA Bill is currently making its way through the legislative process, so we do not have a final version of the text as yet – hence why the Commission decided to extend the existing UK adequacy decisions (i.e., to give itself ample time to properly consider the final provisions of the DUA Bill once it becomes an Act of Parliament).
The DUA Bill has already proceeded through the House of Lords and made its way to the House of Commons. It has had its first and second readings there, and the committee stage, which commenced early in March, has now concluded. We are currently awaiting confirmation of the date for the Report stage in the House of Commons, and after that there will be a third reading. The Bill may then enter a 'ping-pong' phase, passing between the two houses, before it moves to the final stages and to Royal Assent. It would then officially become the Data (Use and Access) Act 2025. We understand that the Bill is being progressed fairly rapidly. On 12th March at the IAPP Data Protection Intensive: UK 2025 conference, Chris Bryant, who is the Minister of State for Data Protection & Telecoms, suggested that the Bill is now in its "final straights" and said "We will finish this Bill by Easter or a couple of weeks after".
Readers will remember that there were some controversial provisions in the DUA Bill's predecessor bills (the Data Protection and Digital Information (No.1 and No. 2) Bills), including changes to the definition of personal data which arguably narrowed the scope. At that time, the proposed changes to the definition were raising questions about the UK's ongoing adequacy status. This particular provision has been dropped in the DUA Bill.
However, there are a number of proposed changes in the DUA Bill that the European Commission will no doubt be paying close attention to as and when the Bill is passed. These include changes in relation to international data transfers and the introduction of a new "data protection test" that applies when the UK is considering whether to grant a UK adequacy decision to a third country. That new test will see a different (lower) standard applied, as compared to the test applied under the EU GDPR. There are proposed changes too in relation to automated decision-making, which would see a relaxation of the current regime, meaning that solely automated decisions would be subject to fewer legal controls where no special category personal data is involved. There are also proposed provisions intended to facilitate the flow and use of personal data for law enforcement and security purposes, which may bring about a potential reduction in accountability around data flows of that nature.
Noting that adequacy does not require the UK to have exactly equivalent laws in place to those in the EU, and given the UK GDPR's general alignment with the EU GDPR, we do not anticipate that the DUA Bill itself will give the Commission reason to refuse to renew the UK's adequacy. This is a view also shared by the Information Commissioner, whose response to the DUA Bill confirms that he considers the proposed changes to strike a positive balance which should not present a risk to the UK's adequacy status.
Other factors affecting adequacy
There are wider developments, though, that may be on the Commission's mind when considering renewal. Over the last few weeks, there has been an interesting development in relation to Apple taking the unprecedented step of removing its highest-level data security tool from customers in the UK. This position was taken after the Home Office demanded access to user data. In a statement, Apple said it was "gravely disappointed" that the security feature would no longer be available to British customers. "As we have said many times before, we have never built a backdoor or master key to any of our products, and we never will". Where the security feature is used, neither Apple nor others such as law enforcement agencies would have any way of accessing the data stored on a device. It is easy to see parallels between the Home Office's demands and the US surveillance regimes that ultimately led to the demise of the predecessors to the DPF.
Additional Standard Contractual Clauses
To further complicate the international transfer landscape, additional SCCs are expected imminently. It is worth noting that the anticipated set of clauses will be relevant where the data importer is itself caught by the extra-territorial scope of the EU GDPR. The current versions of the SCCs only apply where the importer is not subject to the extra-territorial scope of the EU GDPR, and will continue to apply for relevant transfers. A public consultation in respect of the new SCCs, despite being planned for the end of last year, has not yet commenced. However, the Commission's proposed timeline says that the consultation is planned for Q1 2025, with adoption planned for Q3 2025. So we can hopefully expect the consultation to be published imminently.
Steadying the ship
The next few months may well bring more challenges for transatlantic transfers and it remains to be seen whether the DPF and UK Bridge are strong enough to withstand President Trump's desire for deregulation and central control by the executive.
The invalidation of the DPF remains a possibility, and businesses would be well advised to start considering their DPF "exit strategy". Unfortunately, it is now a waiting game to observe how President Trump's actions will really affect the independence of the oversight boards, so crucial to the continued adequacy of the DPF, and how the Commission will respond. Running in tandem with these issues will be the question of whether the UK's adequacy decision is renewed. We will watch with interest the almost weekly developments. Do follow our regular podcasts and monthly newsletter, where we will keep you abreast of any updates.