Decisions made by President Trump during his first few weeks in office could have significant implications for UK or EU-based companies that use technology services operated by US-based suppliers, or that otherwise transfer personal data to the US. Here, we examine the Data Privacy Framework, why it is important, and how the new US President could disrupt it with the single stroke of a pen.

Whilst President Trump’s threats to impose heavy tariffs on imports and his MAGA (Make America Great Again) campaign made headlines, one equally important development largely flew under the radar.

More MMSAA (Make Max Schrems Angry Again, in reference to the Austrian privacy campaigner) than MAGA, Trump’s actions have called into question the future of the Data Privacy Framework, a mechanism by which UK and EU-based companies are permitted to transfer personal data to the US.

How are personal data transferred between the US and the UK/EU?

EU (and now UK) law generally prohibits the transfer of personal data to countries outside the UK/EEA, unless there is an absolute need, appropriate safeguards are put in place, or the country can demonstrate that its data protection laws are “essentially equivalent” to those of the UK/EU.

Although the European Court of Justice historically held that US law is not “essentially equivalent”, largely due to its surveillance laws, the reliance of UK and EU-based businesses on US tech providers led to the creation of a scheme that allowed UK and EU-based businesses to transfer personal data to US-based suppliers, provided the US-based supplier was registered with this scheme.

So far, this scheme has had three iterations: Safe Harbor, Privacy Shield, and the current Data Privacy Framework.

What is the Data Privacy Framework?

The history of the three schemes has been anything but smooth sailing, in part due to the aforementioned Max Schrems.

For those unfamiliar with Mr Schrems, his views on privacy are anything but private. He has brought a number of cases before the European Courts, the most famous of which was ‘Schrems II’.

Heavily criticising Privacy Shield, the second iteration of the scheme, Schrems II ultimately led to the scheme being declared unlawful, thus making the use of many US-based services technically unlawful as well. Overnight, companies that used these services went from lawful data practices to risking substantial fines.

In response, a new version of the scheme – the Data Privacy Framework – was launched in 2023. This once again made it possible to use most of the popular US-based services, without needing to implement special safeguards, and without the risk of huge fines. Even the legal rules concerning US-based suppliers that are not registered with the Data Privacy Framework were relaxed.

Why is the Data Privacy Framework at risk?

The Trump administration’s opposition to legislation such as the General Data Protection Regulation (GDPR) is well-known. Vice-President JD Vance even criticised it in a speech recently.

This opposition was put into action as early as the day of his inauguration, when Trump signed into law an executive action calling for all national security decisions, including those underpinning the Data Privacy Framework, to be reviewed and potentially rescinded.

Recently, he also dismissed three members of the Privacy and Civil Liberties Oversight Board (PCLOB), a body that has played a pivotal role in the EU’s decision to approve the Data Privacy Framework. The dismissals have cast doubts on the PCLOB’s independence, as well as its ability to carry out its role without a sufficient number of board members.

Even before Trump’s election, Schrems and his campaign group, NOYB, had expressed concerns about the Data Privacy Framework, suggesting it was little different to the previous schemes and saying that: “They say the definition of insanity is doing the same thing over and over again and expecting a different result.”

In an article published on 23 January 2025, Mr Schrems said that the Data Privacy Framework is “built on sand” and that: “Instead of stable legal limitations, the EU agreed to executive promises that can be overturned in seconds. Now that the first Trump waves hit this deal [sic], it quickly throws many EU businesses into a legal limbo.”

Mr Schrems and NOYB have said that they are now “closely monitoring if this is a temporary problem or if the PCLOB is being killed for good.”

What does this mean for UK companies using US-based suppliers?

Given that the UK also relies on the Data Privacy Framework for personal data transfers, any invalidation of the Data Privacy Framework will affect UK businesses as much as it affects those in the US and EU.

Furthermore, if the aftermath of Privacy Shield, and of its predecessor Safe Harbor, is anything to go by, it is unlikely that businesses will receive any prior warning, meaning using US-based services could become unlawful immediately.

All companies using US-based suppliers should immediately review their contracts to check whether any transfers rely on the Data Privacy Framework. This includes reviewing whether the findings of transfer risk assessments are based on the findings connected to the Data Privacy Framework.

For critical services, businesses may want to put alternative measures in place now. Otherwise, it is important to be ready to act immediately, should the Data Privacy Framework be invalidated.

We also suggest that businesses think carefully before relying on the Data Privacy Framework for any new agreements and, where possible, consider alternative approaches.

Preparation is key here. Whether the Data Privacy Framework is invalidated or not, it is important that businesses evaluate their data transfer practices now to ensure they are as robust as they can be, whatever the future holds.
