EU-US Data Transfers: What UK Organisations Need to Prepare For
Explore emerging risks in EU-US data transfers, why current mechanisms like TADPF and SCCs may be at risk, and what UK organisations must do to protect compliance and privacy.
EU-US data transfers continue to be a complex and evolving compliance challenge for organisations that transfer personal data from the European Union to the United States. A recent analysis from privacy group NOYB warns that existing mechanisms, including the Transatlantic Data Privacy Framework (TADPF) and Standard Contractual Clauses (SCCs), depend on fragile elements of US law and non-binding standards that may not hold up in the coming months. UK organisations that rely on these frameworks for cross-border data flows should act now to understand and mitigate emerging risks.
What’s Changed / What’s New in EU-US Data Transfers
Most EU-US transfers of personal data are based on two key instruments:
- The Transatlantic Data Privacy Framework (TADPF), an adequacy mechanism intended to allow free data flows by recognising US laws as providing sufficient protection.
- Standard Contractual Clauses (SCCs), contractual protections that supplement transfers where adequacy decisions do not apply.
According to NOYB, both instruments rely on unstable legal elements in US law, non-binding regulations and judicial decisions that are currently under challenge or at risk of being undermined. This “house of cards” approach means that the failure of a single legal element, such as recognition of enforcement bodies or oversight mechanisms, could cause the entire framework to collapse. This is particularly pressing in light of ongoing legal and political developments in the US.
Why EU-US Data Transfers Matter for Data Protection
Cross-border transfer mechanisms like TADPF and SCCs are essential for many organisations. They allow EU personal data to be legally processed in the United States, where many major cloud, marketing and analytics services are based. However, the legal basis for these mechanisms rests on several fragile foundations:
- US surveillance laws remain a core concern. Laws such as FISA Section 702 grant broad access to personal data held by US cloud and technology providers, conflicting with EU privacy principles.
- Judicial oversight in the US is contested, with cases such as Trump v. Slaughter challenging the independence of bodies relied upon in the TADPF.
- Legal challenges continue in the EU, including criticism that the current framework largely replicates past mechanisms invalidated by the Court of Justice of the EU (CJEU) in Schrems I and Schrems II.
These structural vulnerabilities create uncertainty for organisations that depend on EU-US data transfers. If key elements of the current framework are invalidated or withdrawn, many commonly used transfer mechanisms could become legally untenable overnight.
What UK Organisations Should Be Doing Now
UK organisations need to prepare for potential disruption to EU-US data transfers, even though the UK is outside the EU. This is because many UK businesses process EU personal data or operate in markets where compliance with EU transfer law is a business requirement.
- Review your transfer mechanisms – Identify where personal data is transferred to the US and on what basis (TADPF, SCCs, Binding Corporate Rules).
- Conduct Transfer Impact Assessments (TIAs) – Regularly assess whether US law, including surveillance and oversight regimes, provides adequate protection in practice.
- Prepare contingency plans – Consider technical and organisational measures such as encryption, storing EU data within EU-only environments, or alternative jurisdictions if transfers to the US become legally risky.
- Monitor litigation and regulatory developments – EU legal challenges, including potential “Schrems III” actions, could affect current frameworks. Stay updated on court decisions and regulator guidance.
- Update contracts and policies – Ensure data processing agreements and contracts include robust protective measures and clauses that anticipate legal uncertainties in transfer mechanisms.
Our View / Final Thoughts
The landscape of EU-US data transfers remains unsettled. While adequacy decisions like the TADPF provide temporary legal cover, underlying vulnerabilities in US law and ongoing legal challenges mean that certainty is far from guaranteed. UK organisations must act now to understand where their data flows depend on these mechanisms and build resilient approaches that protect privacy and compliance even in the face of legal shifts.
At Data Protection People, we recommend a pragmatic, proactive approach to cross-border transfers. This includes robust impact assessments, strong contractual safeguards, and contingency planning to ensure uninterrupted compliance with both EU and UK data protection obligations.
FAQs
What is the Transatlantic Data Privacy Framework (TADPF)?
The TADPF is a mechanism intended to allow personal data to flow legally from the EU to the United States by recognising US law as providing sufficiently equivalent protection. Its future is uncertain due to legal challenges and underlying vulnerabilities in US law.
Are Standard Contractual Clauses still valid for EU-US transfers?
Yes, SCCs remain available as a transfer mechanism, but organisations must conduct Transfer Impact Assessments and adopt additional safeguards because US law can conflict with EU privacy rights, especially around government access.
What happens if EU-US transfer mechanisms collapse?
If frameworks like the TADPF are invalidated without replacement, data transfers could be limited to “necessary” transfers under Article 49 of the GDPR or require alternative mechanisms such as enhanced contractual protections and technical measures. Strong planning and documentation will be critical.
Does this affect UK-only data transfers?
This primarily concerns transfers of EU personal data. However, UK organisations that handle EU data or have operations in the EU must align with these developments to avoid compliance risks and enforcement action.