In brief
In 2025, questions around data transfers and localization requirements will still be front and center for businesses. Regulators across different jurisdictions – each with varying requirements – aren’t holding back either; they’ve shown they’re ready to impose hefty fines for non-compliance.
This chapter outlines how 2025 could mark the beginning of a significant legal challenge to the EU-US Data Privacy Framework (DPF), potentially jeopardizing data transfers from Europe and the UK to the US. We’ll also highlight other key developments and trends that businesses need to keep an eye on when transferring data across borders.
The DPF is a landmark mechanism negotiated between the EU and the US which entered into force in 2023 to facilitate the transfer of personal data from the European Economic Area (EEA) to eligible US companies that choose to participate in the DPF (see here for further detail). The two predecessors to the DPF were each invalidated by the Court of Justice of the EU (CJEU) following concerns raised by privacy activist Max Schrems that the schemes did not appropriately protect European’s personal data. Max Schrems and other activists have indicated they will challenge the DPF in the CJEU given similar concerns.
While 2024 did not see any actions from these privacy activists regarding the DPF, 2025 may be the year for Max Schrems or others to start the third (and final?) round of battle over data transfers from the EU to the US.
Since the EU-US DPF’s adoption, many US organizations have decided to participate:
Since the DPF’s implementation in July 2023, more than 2,800 enterprises have joined the framework, 70 percent of which are small and medium-sized businesses.
The UK agreed a UK Extension to the DPF shortly after the DPF entered force and, in 2024, Switzerland joined the UK in allowing the transfer of personal data to US-based recipients that are certified under the DPF without the need for other transfer safeguards to be implemented under national data protection laws (see here).
2025 will likely be another year with a lot of movement regarding cross border data transfers subject to the EU’s GDPR. Most important, the EU-US Data Privacy Framework might be challenged by privacy activists, requiring clients to closely follow the developments.
Philipp Roos, Principal Associate
The UK is no longer subject to the jurisdiction of the CJEU, which means any successful challenge against the DPF would not immediately affect the UK Extension. However, any successful challenge might be considered by the UK in determining whether to amend or revoke the UK Extension or renew it when it comes up for review.
Looking ahead
By staying informed and proactive, you can better manage risks and seize opportunities in the ever-evolving data landscape. It’s essential for businesses to be equipped to navigate the complex and rapidly changing requirements around data transfers and localization, which can differ greatly across jurisdictions.
Keep a close eye on developments in cross-border transfer and localization laws, especially those recently introduced in the US, China, and Vietnam. If your business is involved in data transfers from Europe, be prepared for potential legal challenges to the DPF and anticipate likely changes to the SCCs for data transfers from the EU. Planning ahead will be crucial to ensure compliance and maintain smooth operations.
Our team
