ESG and Data Protection: How GDPR Compliance Drives Sustainable Business Practices
Environmental, Social, and Governance (ESG) compliance has evolved into a critical factor in corporate sustainability. Investors, regulators, and customers now […]
EU–US data transfers are once again under pressure.
A recent US Supreme Court decision in Trump v. Slaughter has raised new questions about the independence of the Federal Trade Commission, one of the US bodies relied on in the EU–US Data Privacy Framework. Privacy organisation noyb has argued that the ruling may undermine the independence requirements that EU law expects from oversight authorities and has called on the European Commission to withdraw the adequacy decision in an orderly way.
For now, there is no immediate legal change for European companies. The EU–US Data Privacy Framework remains formally in force unless and until it is repealed by the European Commission or annulled by the Court of Justice of the European Union. noyb itself has acknowledged that there is no immediate effect while the Commission’s adequacy decision remains in place.
However, the development is a timely reminder for privacy, legal and compliance teams: international data transfers should not be treated as a one-time exercise. If your organisation uses US vendors, cloud providers, analytics tools, HR systems, CRM platforms, support tools, AI tools or other SaaS providers, now is a good moment to review your data transfer documentation, vendor records and Transfer Impact Assessments.
Full article here
Under the GDPR, personal data may only be transferred outside the European Economic Area if the transfer complies with Chapter V of the GDPR. In practice, European organisations usually rely on one of the following mechanisms when transferring personal data to the United States:
The European Commission adopted the adequacy decision for the EU–US Data Privacy Framework on 10 July 2023. On that basis, personal data can flow freely from the EU to US companies that participate in the framework.
The adequacy decision followed the adoption of US safeguards intended to address concerns raised by the Court of Justice of the European Union in Schrems II. These safeguards included limits on access by US intelligence agencies and a redress mechanism for EU individuals.
The framework was designed to bring more legal certainty after the invalidation of both Safe Harbour and Privacy Shield. But, as recent developments show, EU–US data transfers remain politically and legally sensitive.
The latest concern relates to the US Supreme Court’s decision in Trump v. Slaughter. According to noyb, the decision affects the independence of the Federal Trade Commission, which has historically played an important role in enforcing EU–US data transfer arrangements. noyb argues that the European Commission relies heavily on the FTC’s independence in the current EU–US Data Privacy Framework and that this reliance may now be problematic under EU law.
The key legal concern is not simply whether the FTC can enforce privacy commitments. The deeper issue is whether the oversight and redress structure available in the US still meets EU requirements for independence and effective protection.
EU law requires independent oversight in the field of data protection. noyb points to Article 16(2) TFEU and Article 8(3) of the EU Charter of Fundamental Rights as part of this independence requirement.
This does not mean that every EU–US transfer is suddenly unlawful. But it does mean that organisations should avoid relying on outdated assumptions. If a Transfer Impact Assessment, vendor review or data transfer register was last updated when the Data Privacy Framework was adopted, it may no longer reflect the current risk environment.
No. Not at this stage.
The Data Privacy Framework remains formally in force. The European Commission has not withdrawn the adequacy decision, and the Court of Justice of the European Union has not annulled it. The Commission’s current position remains that personal data can flow freely to US companies participating in the framework.
The European Data Protection Board has also continued to maintain guidance and related materials on the EU–US Data Privacy Framework, including updated FAQ materials and procedural documents in 2026.
That said, the legal debate is not theoretical. noyb has indicated that it intends to pursue further legal action and has called for an orderly exit from the current adequacy decision.
For GDPR teams, the practical takeaway is clear: do not panic, but do document.
Many European organisations do not rely solely on the EU–US Data Privacy Framework. They may use SCCs with US vendors, especially where the US recipient is not certified under the framework or where the transfer forms part of a wider vendor agreement.
However, SCCs are not a “set and forget” solution.
After Schrems II, organisations relying on SCCs must assess whether the law and practice of the destination country could affect the effectiveness of the contractual protections. This is usually documented in a Transfer Impact Assessment, or TIA.
A TIA should consider questions such as:
This is where the recent US Supreme Court decision becomes relevant. Even if your organisation uses SCCs instead of the Data Privacy Framework, your TIA may rely on assumptions about US oversight, redress and institutional safeguards. If those assumptions have changed or become more contested, your documentation should show that the issue has been considered.
European organisations do not need to suspend all US transfers overnight. But they should be able to show that they have an up-to-date overview of their international transfers and that they are actively monitoring relevant developments.
A practical review should include the following steps.
Start with your vendor register. Identify all vendors, sub-processors and systems that involve a transfer of personal data to the United States.
This may include obvious cloud and SaaS providers, but also less visible tools such as:
Many organisations underestimate the number of US-linked tools in their environment. A vendor discovery exercise can help uncover shadow IT and systems that are used outside the formal procurement process.
For each US vendor, confirm the legal transfer mechanism. Do not assume that a DPA or vendor contract automatically solves the issue.
Check whether the transfer relies on:
Where the vendor claims to participate in the EU–US Data Privacy Framework, verify that the certification is still active and covers the relevant entity and data categories.
Next, review your TIAs for US transfers.
A strong TIA should not simply state that SCCs are in place. It should explain the nature of the transfer, the legal environment, the likelihood and severity of risks, and the technical, contractual and organisational measures used to protect the data.
Where recent legal developments may affect the analysis, update the TIA accordingly. This does not necessarily mean that the conclusion must change, but it should show that the organisation considered the new information.
Not every transfer carries the same risk. Prioritise transfers involving:
High-risk transfers should receive more detailed review and stronger supplementary measures.
For SCC-based transfers, supplementary measures may be essential. These can include encryption, pseudonymisation, access controls, strict retention limits, transparency commitments, audit rights and technical restrictions on remote access.
The right measures depend on the transfer. For example, encryption may be highly effective where the US vendor cannot access the key, but less useful where the vendor needs access to data in the clear to provide the service.
Your documentation should explain why the measures are suitable for the specific transfer.
International transfers should also be reflected in your Record of Processing Activities and vendor documentation.
For each relevant processing activity, make sure your RoPA clearly records:
Your vendor register should also identify where vendors are based, whether they use US sub-processors, and what transfer mechanism applies.
Regulators do not expect organisations to predict the future. But they do expect organisations to take data protection obligations seriously and to maintain evidence of their decisions.
Keep a record of:
This is especially important in a changing legal environment. If the EU–US Data Privacy Framework is challenged again, organisations with structured records will be in a better position than those relying on scattered spreadsheets and email threads.
The renewed scrutiny around EU–US data transfers should not be seen only as a legal issue. It is also an operational governance issue.
Many organisations struggle with international transfers because the relevant information is spread across procurement, IT, legal, security and business teams. Vendor contracts may sit in one folder, RoPAs in another, TIAs in a spreadsheet, and sub-processor notices in someone’s inbox.
That makes it difficult to answer basic questions quickly:
This is exactly where a structured privacy management platform can help.
GDPR Register helps privacy, legal and compliance teams keep their international transfer documentation organised, current and audit-ready.
Instead of managing transfer reviews across spreadsheets and disconnected folders, teams can centralise vendor information, RoPAs, DPIAs, LIAs, risk assessments and supporting evidence in one place.
With GDPR Register, teams can:
This becomes especially valuable when legal developments require a targeted review. Instead of starting from scratch, privacy teams can filter the vendor register, identify US-linked systems, review affected RoPAs and update TIAs in a structured workflow.
The EU–US Data Privacy Framework brought welcome relief for many organisations after years of uncertainty. But the latest developments show that international transfer compliance cannot depend on a single document or a one-time vendor check.
The legal environment can change. Vendor structures can change. Sub-processors can change. New systems can be introduced without privacy review. AI tools can create new data flows. Employees can start using SaaS tools before the privacy team knows they exist.
For this reason, organisations should treat international transfers as part of continuous GDPR governance.
That means:
There is no immediate change to the legal status of the EU–US Data Privacy Framework. Personal data may still be transferred to US companies participating in the framework, and SCCs remain widely used for other US transfers.
But the renewed scrutiny is a clear warning sign. European organisations should not wait for a crisis before reviewing their US vendors and transfer documentation.
Now is the right time to:
EU–US data transfer compliance is not only about having the right contract in place. It is about knowing where personal data goes, why it goes there, what safeguards apply, and whether those safeguards still make sense in the current legal environment.
GDPR Register helps organisations turn that work into a structured, repeatable process — so privacy teams can stay prepared, even when the legal landscape changes.