Articles

EU–US data transfers under renewed scrutiny: what GDPR teams should review now

EU–US data transfers are once again under pressure.

A recent US Supreme Court decision in Trump v. Slaughter has raised new questions about the independence of the Federal Trade Commission, one of the US bodies relied on in the EU–US Data Privacy Framework. Privacy organisation noyb has argued that the ruling may undermine the independence requirements that EU law expects from oversight authorities and has called on the European Commission to withdraw the adequacy decision in an orderly way.

For now, there is no immediate legal change for European companies. The EU–US Data Privacy Framework remains formally in force unless and until it is repealed by the European Commission or annulled by the Court of Justice of the European Union. noyb itself has acknowledged that there is no immediate effect while the Commission’s adequacy decision remains in place.

However, the development is a timely reminder for privacy, legal and compliance teams: international data transfers should not be treated as a one-time exercise. If your organisation uses US vendors, cloud providers, analytics tools, HR systems, CRM platforms, support tools, AI tools or other SaaS providers, now is a good moment to review your data transfer documentation, vendor records and Transfer Impact Assessments.

Full article here

Why EU–US data transfers matter under the GDPR

Under the GDPR, personal data may only be transferred outside the European Economic Area if the transfer complies with Chapter V of the GDPR. In practice, European organisations usually rely on one of the following mechanisms when transferring personal data to the United States:

  • the EU–US Data Privacy Framework, where the US recipient is certified;
  • Standard Contractual Clauses, commonly referred to as SCCs;
  • Binding Corporate Rules, mainly for intra-group transfers;
  • limited derogations under Article 49 GDPR, where applicable.

The European Commission adopted the adequacy decision for the EU–US Data Privacy Framework on 10 July 2023. On that basis, personal data can flow freely from the EU to US companies that participate in the framework.

The adequacy decision followed the adoption of US safeguards intended to address concerns raised by the Court of Justice of the European Union in Schrems II. These safeguards included limits on access by US intelligence agencies and a redress mechanism for EU individuals.

The framework was designed to bring more legal certainty after the invalidation of both Safe Harbour and Privacy Shield. But, as recent developments show, EU–US data transfers remain politically and legally sensitive.

What changed after the US Supreme Court decision?

The latest concern relates to the US Supreme Court’s decision in Trump v. Slaughter. According to noyb, the decision affects the independence of the Federal Trade Commission, which has historically played an important role in enforcing EU–US data transfer arrangements. noyb argues that the European Commission relies heavily on the FTC’s independence in the current EU–US Data Privacy Framework and that this reliance may now be problematic under EU law.

The key legal concern is not simply whether the FTC can enforce privacy commitments. The deeper issue is whether the oversight and redress structure available in the US still meets EU requirements for independence and effective protection.

EU law requires independent oversight in the field of data protection. noyb points to Article 16(2) TFEU and Article 8(3) of the EU Charter of Fundamental Rights as part of this independence requirement.

This does not mean that every EU–US transfer is suddenly unlawful. But it does mean that organisations should avoid relying on outdated assumptions. If a Transfer Impact Assessment, vendor review or data transfer register was last updated when the Data Privacy Framework was adopted, it may no longer reflect the current risk environment.

Does this mean the EU–US Data Privacy Framework is invalid?

No. Not at this stage.

The Data Privacy Framework remains formally in force. The European Commission has not withdrawn the adequacy decision, and the Court of Justice of the European Union has not annulled it. The Commission’s current position remains that personal data can flow freely to US companies participating in the framework.

The European Data Protection Board has also continued to maintain guidance and related materials on the EU–US Data Privacy Framework, including updated FAQ materials and procedural documents in 2026.

That said, the legal debate is not theoretical. noyb has indicated that it intends to pursue further legal action and has called for an orderly exit from the current adequacy decision.

For GDPR teams, the practical takeaway is clear: do not panic, but do document.

Why SCCs and Transfer Impact Assessments still matter

Many European organisations do not rely solely on the EU–US Data Privacy Framework. They may use SCCs with US vendors, especially where the US recipient is not certified under the framework or where the transfer forms part of a wider vendor agreement.

However, SCCs are not a “set and forget” solution.

After Schrems II, organisations relying on SCCs must assess whether the law and practice of the destination country could affect the effectiveness of the contractual protections. This is usually documented in a Transfer Impact Assessment, or TIA.

A TIA should consider questions such as:

  • What personal data is transferred?
  • Who receives the data?
  • Is the recipient located in the US or subject to US law?
  • What is the purpose of the transfer?
  • Is the data encrypted, pseudonymised or otherwise protected?
  • Could public authorities access the data?
  • What supplementary measures are in place?
  • Has the legal or political risk environment changed since the last assessment?

This is where the recent US Supreme Court decision becomes relevant. Even if your organisation uses SCCs instead of the Data Privacy Framework, your TIA may rely on assumptions about US oversight, redress and institutional safeguards. If those assumptions have changed or become more contested, your documentation should show that the issue has been considered.

What European companies should review now

European organisations do not need to suspend all US transfers overnight. But they should be able to show that they have an up-to-date overview of their international transfers and that they are actively monitoring relevant developments.

A practical review should include the following steps.

1. Identify all US vendors and sub-processors

Start with your vendor register. Identify all vendors, sub-processors and systems that involve a transfer of personal data to the United States.

This may include obvious cloud and SaaS providers, but also less visible tools such as:

  • analytics and marketing platforms;
  • CRM systems;
  • customer support tools;
  • HR and recruitment platforms;
  • email and collaboration tools;
  • payment providers;
  • AI tools and productivity assistants;
  • website plug-ins and tracking technologies;
  • security, logging and monitoring tools.

Many organisations underestimate the number of US-linked tools in their environment. A vendor discovery exercise can help uncover shadow IT and systems that are used outside the formal procurement process.

2. Check which transfer mechanism is used

For each US vendor, confirm the legal transfer mechanism. Do not assume that a DPA or vendor contract automatically solves the issue.

Check whether the transfer relies on:

  • EU–US Data Privacy Framework certification;
  • Standard Contractual Clauses;
  • SCCs plus supplementary measures;
  • Binding Corporate Rules;
  • Article 49 derogations;
  • another specific mechanism.

Where the vendor claims to participate in the EU–US Data Privacy Framework, verify that the certification is still active and covers the relevant entity and data categories.

3. Review Transfer Impact Assessments

Next, review your TIAs for US transfers.

A strong TIA should not simply state that SCCs are in place. It should explain the nature of the transfer, the legal environment, the likelihood and severity of risks, and the technical, contractual and organisational measures used to protect the data.

Where recent legal developments may affect the analysis, update the TIA accordingly. This does not necessarily mean that the conclusion must change, but it should show that the organisation considered the new information.

4. Reassess high-risk transfers first

Not every transfer carries the same risk. Prioritise transfers involving:

  • special category data;
  • employee data;
  • children’s data;
  • financial data;
  • health data;
  • large-scale customer databases;
  • behavioural analytics;
  • AI training, profiling or automated decision-making;
  • data stored in or remotely accessible from the United States.

High-risk transfers should receive more detailed review and stronger supplementary measures.

5. Check supplementary measures

For SCC-based transfers, supplementary measures may be essential. These can include encryption, pseudonymisation, access controls, strict retention limits, transparency commitments, audit rights and technical restrictions on remote access.

The right measures depend on the transfer. For example, encryption may be highly effective where the US vendor cannot access the key, but less useful where the vendor needs access to data in the clear to provide the service.

Your documentation should explain why the measures are suitable for the specific transfer.

6. Update your RoPA and vendor register

International transfers should also be reflected in your Record of Processing Activities and vendor documentation.

For each relevant processing activity, make sure your RoPA clearly records:

  • the categories of personal data;
  • the categories of data subjects;
  • the purposes of processing;
  • recipients and processors;
  • transfers to third countries;
  • safeguards used for international transfers;
  • retention periods;
  • relevant technical and organisational measures.

Your vendor register should also identify where vendors are based, whether they use US sub-processors, and what transfer mechanism applies.

7. Keep an audit trail

Regulators do not expect organisations to predict the future. But they do expect organisations to take data protection obligations seriously and to maintain evidence of their decisions.

Keep a record of:

  • when your US transfer review was completed;
  • who was responsible;
  • which vendors were reviewed;
  • what documents were checked;
  • what risks were identified;
  • what decisions were made;
  • what follow-up actions were assigned.

This is especially important in a changing legal environment. If the EU–US Data Privacy Framework is challenged again, organisations with structured records will be in a better position than those relying on scattered spreadsheets and email threads.

What this means for privacy teams in practice

The renewed scrutiny around EU–US data transfers should not be seen only as a legal issue. It is also an operational governance issue.

Many organisations struggle with international transfers because the relevant information is spread across procurement, IT, legal, security and business teams. Vendor contracts may sit in one folder, RoPAs in another, TIAs in a spreadsheet, and sub-processor notices in someone’s inbox.

That makes it difficult to answer basic questions quickly:

  • Which US vendors do we use?
  • Which processing activities involve transfers to the US?
  • Which vendors rely on the Data Privacy Framework?
  • Which transfers rely on SCCs?
  • When were our TIAs last reviewed?
  • Which transfers involve sensitive data?
  • Which vendors use additional US sub-processors?
  • Who owns the review of each vendor?

This is exactly where a structured privacy management platform can help.

How GDPR Register helps manage EU–US data transfer risk

GDPR Register helps privacy, legal and compliance teams keep their international transfer documentation organised, current and audit-ready.

Instead of managing transfer reviews across spreadsheets and disconnected folders, teams can centralise vendor information, RoPAs, DPIAs, LIAs, risk assessments and supporting evidence in one place.

With GDPR Register, teams can:

  • maintain a clear vendor and processor register;
  • link vendors to relevant RoPAs and systems;
  • document international transfers and safeguards;
  • keep Transfer Impact Assessments connected to the relevant processing activities;
  • assign review tasks to responsible team members;
  • track deadlines and follow-up actions;
  • keep an audit trail of decisions and updates;
  • use reporting to understand where transfer risks are concentrated.

This becomes especially valuable when legal developments require a targeted review. Instead of starting from scratch, privacy teams can filter the vendor register, identify US-linked systems, review affected RoPAs and update TIAs in a structured workflow.

The bigger lesson: international transfers need continuous governance

The EU–US Data Privacy Framework brought welcome relief for many organisations after years of uncertainty. But the latest developments show that international transfer compliance cannot depend on a single document or a one-time vendor check.

The legal environment can change. Vendor structures can change. Sub-processors can change. New systems can be introduced without privacy review. AI tools can create new data flows. Employees can start using SaaS tools before the privacy team knows they exist.

For this reason, organisations should treat international transfers as part of continuous GDPR governance.

That means:

  • keeping vendor records up to date;
  • reviewing transfer mechanisms regularly;
  • updating TIAs when legal or factual circumstances change;
  • documenting decisions;
  • prioritising high-risk transfers;
  • ensuring that procurement, IT, legal and privacy teams work from the same source of truth.

Key takeaway

There is no immediate change to the legal status of the EU–US Data Privacy Framework. Personal data may still be transferred to US companies participating in the framework, and SCCs remain widely used for other US transfers.

But the renewed scrutiny is a clear warning sign. European organisations should not wait for a crisis before reviewing their US vendors and transfer documentation.

Now is the right time to:

  • map US vendors and sub-processors;
  • verify transfer mechanisms;
  • review SCCs and TIAs;
  • reassess high-risk transfers;
  • document supplementary measures;
  • update RoPAs and vendor registers;
  • create a clear audit trail.

EU–US data transfer compliance is not only about having the right contract in place. It is about knowing where personal data goes, why it goes there, what safeguards apply, and whether those safeguards still make sense in the current legal environment.

GDPR Register helps organisations turn that work into a structured, repeatable process — so privacy teams can stay prepared, even when the legal landscape changes.

Tags:
case study
gdpr
gutenberg
interesting
PREVIOUS
The UK Data Use and Access Act 2025 is now practical, not theoretical and businesses have a deadline approaching.
NEXT
AI providers under GDPR