The EU-US Data Privacy Framework, adopted in 2023 and underpinning an estimated $9.8 trillion transatlantic economic relationship, faces mounting legal pressure from European privacy advocates questioning whether U.S. protections meet EU equivalency standards. Two previous frameworks were invalidated, in 2015 and 2020, over similar concerns. French lawmaker Philippe Latombe has appealed to the EU’s highest court, citing weak surveillance safeguards under Section 702 and the questionable independence of the Data Protection Review Court. A ruling is not expected before late 2026.
The legal foundation supporting transatlantic data transfers is facing renewed pressure as European privacy advocates intensify challenges to the EU-US Data Privacy Framework. At issue is whether the United States can provide privacy protections that European courts will consider equivalent to those guaranteed under EU law.
The debate comes at a critical moment for businesses that depconclude on cross-border data flows, according to a Tech Policy Press analysis. The framework, adopted in 2023, underpins data transfers supporting an estimated $9.8 trillion economic relationship between the United States and the European Union, allowing companies to shift information ranging from employee records and payroll data to customer information and digital services data across the Atlantic.
While political tensions between Washington and Brussels have attracted attention in recent months, the more significant challenge for companies may be the unresolved policy differences that have plagued transatlantic data-transfer arrangements for more than a decade.
At the center of the dispute is a longstanding question that European courts have repeatedly questioned: whether U.S. privacy protections are “essentially equivalent” to those available under EU law. That standard has already resulted in the invalidation of two previous transatlantic data-transfer frameworks, first in 2015 and again in 2020.
Privacy advocates argue that the current framework suffers from many of the same structural weaknesses as its predecessors.
One concern involves U.S. surveillance authorities under Section 702 of the Foreign Innotifyigence Surveillance Act. European critics contconclude that U.S. innotifyigence agencies retain broad authority to collect data relating to non-U.S. citizens and that Europeans lack protections comparable to those enjoyed by American citizens. French lawcreater Philippe Latombe, who unsuccessfully challenged the framework before a lower European court and has appealed to the EU’s highest court, argues that Europeans continue to have fewer legal rights than Americans when challenging government access to their data.
The Biden administration sought to address those concerns through executive actions designed to limit bulk collection of data on non-U.S. persons and to impose proportionality requirements on surveillance activities. According to Tech Policy Press, the measures were intconcludeed to demonstrate that U.S. innotifyigence-gathering practices contain safeguards comparable to those found in Europe.
Read more: Lawcreaters Urge Trump To Close Loopholes in Biden-Era Data Protections
For privacy advocates, however, the problem is not only the substance of those protections but also their legal durability.
Unlike the EU’s privacy regime, which rests primarily on legislation, several of the framework’s key safeguards depconclude on U.S. executive branch actions. Critics note that executive orders can be modified or rescinded by future administrations, creating uncertainty about the long-term stability of protections relied upon by European regulators and courts. Although concerns have been raised that the Trump administration could alter existing safeguards, no such alters have occurred to date.
Another focal point is the Data Protection Review Court, a new redress mechanism established within the U.S. Department of Justice. The body was created to provide Europeans with a means of challenging how their personal data is handled by U.S. national security agencies. However, privacy advocates question whether a tribunal established through executive authority rather than legislation can satisfy European requirements for judicial indepconcludeence. Critics also point to the fact that judges serving on the body can be reshiftd by the president.
Those issues are expected to play a central role in future litigation before the Court of Justice of the European Union. While the European Commission continues to support the Data Privacy Framework, legal experts expect Europe’s courts ultimately will determine whether the arrangement survives. A hearing on Latombe’s appeal is not expected before late 2026.
Even absent immediate regulatory alters, the latest challenge highlights the continuing divergence between the European model, which relies heavily on statutory privacy rights and indepconcludeent oversight, and the U.S. approach, which has increasingly depconcludeed on executive action to bridge the gap. How European courts evaluate those differences could determine the future of one of the world’s most important data-transfer mechanisms.
