Data Transfer Between the U.S. and Europe – December 2024 Update

2024-12-09

All Data in Trust

As 2024 draws to a close, the legal landscape governing the transfer of personal data between the United States and Europe remains both complex and evolving. Following years of regulatory uncertainty after the invalidation of the EU-U.S. Privacy Shield by the European Court of Justice (ECJ) in the Schrems II ruling, stakeholders have closely watched the fate of the new EU-U.S. Data Privacy Framework (DPF).

EU-U.S. Data Privacy Framework Status:
In early 2024, the European Commission granted an adequacy decision for the DPF, aiming to restore a stable legal basis for transatlantic data transfers. The framework introduces enhanced safeguards, oversight mechanisms, and redress opportunities for EU citizens whose personal data is transferred to the U.S. However, the DPF remains under scrutiny. Privacy advocates and NGOs have already initiated legal challenges, alleging that U.S. surveillance laws still do not meet the stringent privacy standards set forth by the GDPR and the EU’s highest court. As of December 2024, no final ECJ decision has been issued, leaving the framework’s long-term viability in question.

Standard Contractual Clauses (SCCs) and Supplementary Measures:
In the meantime, Standard Contractual Clauses continue to serve as a widely used mechanism for lawful data transfers, though companies must implement robust supplementary measures to mitigate surveillance risks. Encryption, pseudonymization, and strict data minimization practices have become the norm, as European Data Protection Authorities demand heightened diligence. For businesses, this means ongoing compliance efforts, close monitoring of regulatory guidance, and possible re-assessments of data flows.

U.S. Legislative and Regulatory Developments:
On the U.S. side, calls for comprehensive federal privacy legislation and reforms to surveillance powers persist. While no landmark federal privacy statute has been passed, incremental policy shifts and executive orders have sought to bolster protections for EU personal data when transferred stateside. Still, concerns remain regarding the scope and oversight of U.S. intelligence activities.

Transfers from the U.S. to Europe:
Data flows from the United States to Europe are less contested, given that the GDPR’s primary concern lies with outbound EU data. Nonetheless, U.S. companies operating in Europe must comply with EU privacy laws, ensure they meet local adequacy standards, and address the complexities of processing EU-origin data, especially in light of the GDPR’s extraterritorial reach and robust enforcement stance.

Outlook for 2025 and Beyond:
The next year will likely see continued legal challenges to the DPF and potentially new guidance from European Data Protection Authorities and the European Data Protection Board. Businesses are encouraged to adopt a proactive stance: monitoring legal developments closely, maintaining flexible compliance strategies, and investing in privacy-by-design and advanced security measures. Until the EU-U.S. data transfer framework attains true legal certainty—if ever—organizations must remain vigilant and prepared to adapt as the regulatory environment continues to shift.
