Find a lawyerOur capabilitiesYour careerSearch
Locations
Our capabilities
News

Select language:

Locations
Our capabilities
News

Select language:

hamburger menu showcase image
  1. Our thinking
  3. 2025 Data law trends
  5. International data transfers are under the spotlight
2. International data transfers are under the spotlight
2025 Data law trends
hero-image-0
In brief

In 2025, questions around data transfers and localization requirements will still be front and center for businesses. Regulators across different jurisdictions – each with varying requirements – aren’t holding back either; they’ve shown they’re ready to impose hefty fines for non-compliance.

This chapter outlines how 2025 could mark the beginning of a significant legal challenge to the EU-US Data Privacy Framework (DPF), potentially jeopardizing data transfers from Europe and the UK to the US. We’ll also highlight other key developments and trends that businesses need to keep an eye on when transferring data across borders.

Download report
International data transfers are under the spotlight

The DPF is a landmark mechanism negotiated between the EU and the US which entered into force in 2023 to facilitate the transfer of personal data from the European Economic Area (EEA) to eligible US companies that choose to participate in the DPF (see here for further detail). The two predecessors to the DPF were each invalidated by the Court of Justice of the EU (CJEU) following concerns raised by privacy activist Max Schrems that the schemes did not appropriately protect European’s personal data. Max Schrems and other activists have indicated they will challenge the DPF in the CJEU given similar concerns.

While 2024 did not see any actions from these privacy activists regarding the DPF, 2025 may be the year for Max Schrems or others to start the third (and final?) round of battle over data transfers from the EU to the US.

Since the EU-US DPF’s adoption, many US organizations have decided to participate:

QuoteMarks_34x25px_Gold.png

Since the DPF’s implementation in July 2023, more than 2,800 enterprises have joined the framework, 70 percent of which are small and medium-sized businesses.

Source: Joint Press Statement: Commissioner Didier Reynders and US Secretary of Commerce Gina Raimondo on the first periodic review of the EU U.S. Data Privacy Framework – European Commission (europa.eu)

The UK agreed a UK Extension to the DPF shortly after the DPF entered force and, in 2024, Switzerland joined the UK in allowing the transfer of personal data to US-based recipients that are certified under the DPF without the need for other transfer safeguards to be implemented under national data protection laws (see here).

QuoteMarks_34x25px_Blue.png

2025 will likely be another year with a lot of movement regarding cross border data transfers subject to the EU’s GDPR. Most important, the EU-US Data Privacy Framework might be challenged by privacy activists, requiring clients to closely follow the developments.

Philipp Roos, Principal Associate

The UK is no longer subject to the jurisdiction of the CJEU, which means any successful challenge against the DPF would not immediately affect the UK Extension. However, any successful challenge might be considered by the UK in determining whether to amend or revoke the UK Extension or renew it when it comes up for review.

Looking ahead

By staying informed and proactive, you can better manage risks and seize opportunities in the ever-evolving data landscape. It’s essential for businesses to be equipped to navigate the complex and rapidly changing requirements around data transfers and localization, which can differ greatly across jurisdictions.

Keep a close eye on developments in cross-border transfer and localization laws, especially those recently introduced in the US, China, and Vietnam. If your business is involved in data transfers from Europe, be prepared for potential legal challenges to the DPF and anticipate likely changes to the SCCs for data transfers from the EU. Planning ahead will be crucial to ensure compliance and maintain smooth operations.

Our team

Our team

London
Rachael AnnearPartner
Hong Kong
Richard BirdPartner
Washington, DC
Madeline CiminoAssociate
London
Tochukwu EgentiAssociate
Shanghai
Fan LiSenior Associate
Silicon Valley
Christine E. LyonPartner and Global Co-Head of Data Privacy and Security
Düsseldorf
Philipp RoosPrincipal Associate
Düsseldorf
Christoph WerkmeisterPartner
Düsseldorf
Yvonne WolskiAssociate
2025 Data law trends

2025 Data law trends

Data Trends 2025
Reports
29 Nov 2024
1. AI governance takes center stage

With regulatory pressures, changing expectations from shareholders and customers, and the increasing risk of litigation, it’s clear that addressing AI governance is more important than ever.

Reports
29 Nov 2024
2. International data transfers are under the spotlight

In 2025, questions around data transfers and localization requirements will still be front and center for businesses. Regulators across different jurisdictions – each with varying requirements – aren’t holding back either; they’ve shown they’re ready to impose hefty fines for non-compliance.

Reports
29 Nov 2024
3. A new wave of cyber threats is here

As global cybersecurity threats continue to evolve, companies are navigating an increasingly complex risk landscape.

Reports
29 Nov 2024
4. New global regulations are changing our digital operations

Over the past year, a global push to regulate the safety, accountability, and transparency of online services have begun to crystalize. In late 2023, the EU Digital Services Act came into force alongside the passage of the UK Online Safety Act, signaling a significant shift in how digital intermediaries are regulated.

Reports
29 Nov 2024
5. Tougher enforcement is reshaping data and privacy compliance

The spotlight on AI risks is intensifying, and with it comes a surge in data-related regulatory enforcement worldwide. Regulators are not only using existing laws but are also advocating for greater powers to oversee AI development and deployment.

Reports
29 Nov 2024
6. US State consumer privacy laws are expanding

Consumer privacy legislation in the US has reached a critical turning point. With no comprehensive nationwide privacy law in place, individual states have begun enacting their own laws to safeguard consumer privacy. Currently, over 40 percent of US states have implemented consumer privacy laws, and momentum continues to grow as additional states propose and consider their own legislation.

Reports
29 Nov 2024
7. Asia’s privacy laws are maturing

In recent years, many countries across Asia have either rolled out new comprehensive privacy laws or made significant amendments to existing regulations. Notable examples include China, India, Indonesia, Japan, Malaysia, South Korea, Sri Lanka, Thailand, and Vietnam. Currently, Indonesia, India, and Malaysia are working toward the full implementation of their newly amended laws.

Reports
29 Nov 2024
8. New EU data access regulations are shaping the future

The European Commission’s Data Strategy 2020 has paved the way for new data access regulations that will significantly impact businesses across Europe. In this chapter, we dive into the data access rights established by the EU’s Data Act, along with two pivotal Common European Data Spaces: the European Health Data Space (EHDS) and the Financial Data Access (FIDA) framework.

FIND US IN
All locations
NAVIGATE TO
About usYour careerOur thinkingOur capabilitiesNews
CONNECT
Find a lawyerAlumniContact us
NEED HELP
Fraud and scamsComplaintsTerms and conditions
LEGAL
AccessibilityCookiesLegal noticesTransparancy in supply chains statementResponsible procurementPrivacy

© 2025 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome

Select language: