EU's Supreme Court Revokes EU-US Safe Harbor Framework

US privacy laws are confronted by Europe once more. Today, the European Union's Court of Justice invalidated an EU-US agreement that facilitated straightforward data transfers from the EU to the US. This move will reinforce the need for tighter privacy regulations in the US. In the EU, privacy is...

In the ever-evolving landscape of data privacy, American tech companies are bracing for a more stringent and complex European Union (EU) regulatory environment. Here's a rundown of the significant developments that are set to impact tech giants like Facebook, Google, and their peers.

The EU-US Data Privacy Framework, which replaced the rejected Privacy Shield program, is expected to have substantial implications for both the EU and the U.S. This framework, adopted by President Biden on October 7, 2022, is intended to govern cross-border data transfers and to address the concerns raised by the Schrems II judgement.

However, the EU General Court is set to rule in September 2025 on whether the Data Privacy Framework complies with EU data protection standards. If invalidated, companies would lose a major legal mechanism for transatlantic data transfers, leading to a scramble for alternative tools such as Standard Contractual Clauses.

In June 2025, the Council of the EU and the European Parliament provisionally agreed on a new regulation to speed up and harmonize cross-border enforcement of the EU's General Data Protection Regulation (GDPR) by national data protection authorities (DPAs). This will simplify complaint procedures, grant access to case files in investigations, and require better cooperation between DPAs across the EU. This impacts all businesses operating EU-wide, especially large tech companies with cross-border data flows.

Starting September 2025, the EU Data Act will impose requirements on data service providers regarding data portability and switching fees during a transition period until 2027. US providers offering cloud and related data services will need to update their terms to facilitate easier data switching for EU customers. This could potentially impact user experience and business models for companies like Google and Facebook that provide cloud or platform services.

It's important to note that there remain fundamental differences in US and EU privacy law approaches. The EU requires "adequate" protection based on comprehensive principles, while the US has a patchwork of state laws and sector regulations. Discussions regarding harmonization, including within Free Trade Agreement negotiations, are ongoing but have yet to resolve these divergences.

In addition, the Email Privacy Act, a separate bill, was unanimously approved by the House Judiciary Committee on the same day to protect Americans' emails from government surveillance.

In conclusion, American tech giants face a more stringent and complex EU privacy regulatory environment with new enforcement rules, looming legal challenges to data transfer frameworks, and evolving data rights for EU customers. Companies must proactively adapt their compliance strategies, data transfer mechanisms, and service offerings to align with these 2025 developments in EU data privacy law.

[1] Increased regulatory scrutiny, faster investigations, and complex cross-border compliance obligations.
[2] Legal uncertainty and risk of losing a key data transfer mechanism, necessitating expensive compliance adjustments.
[3] Requirement to enable easier customer data portability and restructured service terms affecting cloud and platform services.
[4] Continued need to navigate divergent legal standards, complicating transatlantic data-driven business models.

  1. The upcoming changes in EU policy and legislation, such as the new regulation to speed up and harmonize cross-border enforcement of the GDPR, will lead to increased regulatory scrutiny, faster investigations, and complex cross-border compliance obligations for tech companies operating in the US.
  2. The potential invalidation of the EU-US Data Privacy Framework by the EU General Court in September 2025 could result in legal uncertainty and risk of losing a key data transfer mechanism, necessitating expensive compliance adjustments for these companies.