The ongoing friction between the US and the EU over data privacy could have profound consequences for businesses that rely on transatlantic data transfers. With several of President Trump’s recent actions raising concerns about the future of the EU-US data transfer agreement, companies may soon face new regulatory challenges. Business-critical tools such as Zoom and Teams, along with other US cloud services, could even end up banned in the EU. So, what exactly is happening, and how can businesses mitigate their risk exposure?
The EU-US data transfer agreement: What’s at stake?
The EU-US Data Transfer System is a legal framework designed to ensure that personal data moving from the EU to the US receives protection equivalent to EU law. Since 1995, the EU has restricted data transfers to countries without “essentially equivalent” privacy safeguards. The US, with its broad government access to data stored by tech giants like Amazon, Meta, and Google, has long been at odds with the EU’s strict privacy standards.
This fundamental difference has led to repeated legal conflicts, with the European Court of Justice striking down two prior data transfer agreements in the Schrems I and Schrems II cases. In 2023, the European Commission introduced the Transatlantic Data Privacy Framework (TADPF) to restore a legal basis for transatlantic data transfers, with oversight from the US Privacy and Civil Liberties Oversight Board (PCLOB).
Trump’s moves to counter EU enforcement
At the end of January 2025, President Trump dismissed three Democratic members of the PCLOB, raising serious concerns about the future of the TADPF. Since this oversight board was crucial in aligning US surveillance practices with EU privacy standards, its sudden reshaping has fuelled speculation that US commitments to privacy protections could be weakened or dismantled altogether.
If the EU determines that the US no longer provides adequate data protection, the current agreement could be suspended. Some privacy advocates are already discussing a third Schrems case to challenge the legality of the agreement in light of the US moves. This would leave thousands of companies scrambling to find alternative ways to manage transatlantic data flows.
What would happen to transatlantic data if the agreement is suspended?
Under GDPR, data transferred outside the EU must be protected by equivalent privacy standards. However, US surveillance laws allow government agencies to access data stored by US-based companies, even if that data is physically located in the EU. If regulators decide that US companies cannot guarantee compliance, businesses could face GDPR penalties or outright restrictions on data transfers.
This raises major concerns for cloud services and collaboration tools widely used by businesses, including Zoom, Microsoft Teams, and Google Meet. Because these platforms are owned by US companies, authorities could potentially access call data, messages, and recordings without notifying users. This has significant implications for industries handling sensitive data, such as healthcare, finance, and legal services. While some providers offer EU data residency options and encryption enhancements, their obligations under US law may still pose a compliance risk.
Could a full-blown EU-US data war erupt?
Tensions between the US and the EU over data privacy appear to be escalating. In a strongly worded Executive Order, Trump recently called for a review of GDPR’s impact on US businesses, describing EU data protection fines as “unfair penalties” and “overseas extortion.”
US tech giants have also voiced their frustration. Before Trump’s inauguration, Mark Zuckerberg urged him to push back against the EU’s regulatory approach, citing over $30 billion in fines levied against US companies like Meta, Amazon, Apple, and Google over the past two decades. Meta alone was hit with a €797 million antitrust fine in late 2024, adding to the numerous GDPR penalties it has already faced.
In a move that aligns closely with the Trump administration’s stance, Zuckerberg has also taken steps to shift Meta’s policies. He announced the end of Meta’s third-party fact-checking program in favour of a “community notes” model, a change widely interpreted as a response to Trump’s views on content moderation. Additionally, Meta has terminated its Diversity, Equity, and Inclusion programs to more closely align with the Trump Administration’s approach to corporate DEI.
What can businesses do to reduce their risk exposure?
If the EU-US data transfer agreement collapses, businesses will need to quickly find alternative legal bases for their transatlantic data flows. Here are some key steps to mitigate risk:
- Implement Standard Contractual Clauses (SCCs) – SCCs provide a legal mechanism for transferring data outside the EU, but they require additional safeguards to be GDPR-compliant.
- Implement Binding Corporate Rules (BCRs) – Large multinational companies can adopt internal data transfer policies approved by EU regulators to ensure GDPR compliance.
- Consider EU data localisation – Hosting data on EU-based servers can help avoid regulatory uncertainty and ensure compliance with EU privacy laws.
- Adopt end-to-end encryption – Encrypting sensitive data ensures that, even if it is accessed, the information remains unreadable to unauthorised parties, provided the encryption keys are held by the business rather than by a provider subject to US law.
- Conduct Privacy Impact Assessments – Regularly assessing data transfer risks can help businesses stay ahead of regulatory changes and minimise potential liabilities.
- Monitor regulatory developments – Staying informed on EU and US regulatory shifts will be crucial for businesses to anticipate and adapt to new compliance requirements.