International data transfers remain a persistent source of legal uncertainty. Back in 2020, the topic gained momentum when the CJEU invalidated the then-existing adequacy decision for the U.S. in the “Schrems II” ruling, initiated by Max Schrems. As a result, the EU updated its Standard Contractual Clauses (SCCs), and controllers have since been explicitly required to conduct Transfer Impact Assessments (TIAs) for their data recipients to evaluate the associated privacy risks and, where necessary, implement additional safeguards.
DPF – A Gradual Goodbye?
After the collapse of the Privacy Shield, hopes for a new adequacy decision for the U.S. quickly materialized with the introduction of the Data Privacy Framework (DPF) in 2022. For U.S. data recipients certified under the DPF, SCCs and TIAs are no longer required. For non-certified recipients, SCCs and TIAs remain mandatory – though U.S. legal reforms introduced under the DPF help reduce overall privacy risk and ease the TIA process.
From the start, the DPF faced criticism, notably from Max Schrems’ organization, noyb, which argued it failed to address key concerns raised by the CJEU. Supervisory authorities also cautioned against prematurely relying on the new framework. However, public discussion eventually quieted.
Now, the Trump administration may place the DPF in serious jeopardy. Legal reforms that underpin the framework are being called into question. At the center of the controversy are the dismissal of Democratic members from a key oversight body and reports of broad data access by a newly created agency – the Department of Government Efficiency (DOGE).
Following these developments, the first parliamentary questions were submitted to the EU Commission in January 2025. In its response, the Commission remained vague, referencing Executive Order 14086 as the ongoing legal basis for the DPF and emphasizing that U.S. safeguards formally remain in place. The minutes of the EDPB’s April meeting confirm that the topic was merely noted, not discussed – unlikely to reassure critics. Further legal challenges are possible.
New U.S. Bulk Data Rule: Transatlantic Data Flows Under Pressure
In April 2025, the U.S. adopted the so-called Bulk Data Rule, which restricts certain data transfers from the U.S. This rule, set to be fully implemented by October 2025, aims to protect sensitive personal and government-related data from access by “Countries of Concern” – currently including China, Russia, Iran, North Korea, Cuba, and Venezuela. Some transfers are outright prohibited, such as the large-scale sharing of genetic data, while others are only allowed under strict security requirements, including compliance with CISA guidelines and comprehensive risk and transfer assessments. Even encrypted, pseudonymized, or anonymized data may fall under the rule, and merely theoretical access by these countries is sufficient to trigger it.
The rule primarily affects U.S. companies transferring data to foreign entities linked directly or indirectly to a Country of Concern – whether by location, ownership, or political control. However, it also has implications for EU businesses, particularly those operating within multinational structures involving the U.S., using U.S. service providers, or contracting with U.S. partners that in turn transfer data abroad. In these cases, organizations must ensure that no unauthorized onward transfers to affected countries occur. EU-based companies should therefore promptly assess their data and supply chains, involve their U.S. partners, and integrate the new requirements into existing compliance processes.
Chinese Companies in the Spotlight as Data Recipients
In January 2025, noyb filed complaints with various data protection authorities against six Chinese companies for allegedly unlawful transfers of personal data from the EU to China. Although an EDPB-commissioned study already raised concerns about China’s data protection regime in 2021 – especially due to potential state access – no official regulatory or judicial assessment of China's adequacy has been made to date. The noyb complaints also remain pending.
Under the stricter TIA requirements, conflicts between Chinese law and the obligations imposed by the SCCs often become apparent. Additional safeguards are therefore increasingly important: they must mitigate the effects of local law and the resulting access risks if data transfers are to remain compliant.
A recent case from Ireland's DPC illustrates the practical and legal challenges of data transfers to China. On May 2, 2025, the DPC imposed a fine of €530 million on the Chinese provider of a social media platform. The case involved concerns about (remote) access to EU user data from China and deficiencies in transparency under Article 13 GDPR. The DPC found that even remote access constitutes a data transfer and must be treated accordingly. However, the company was unable to demonstrate either an equivalent level of data protection or adequate safeguards. The platform has announced plans to implement improvements. The DPC set a six-month deadline, after which data transfers to China may be suspended.
What Does This Mean in Practice?
The political and regulatory direction remains uncertain. Companies are well advised to stay flexible and take proactive steps:
- Review data flows: Regularly assess international data transfers.
- Check DPF certification: Ensure that U.S. recipients are certified and the certification covers the specific data transfer.
- Prepare SCCs and TIAs: Maintain these as viable and contractually feasible alternatives.
- Monitor the Bulk Data Rule: EU companies with U.S. links should determine whether their data flows fall under the new U.S. restrictions.
- Ensure risk analysis and transparency: The DPC case shows that even with SCCs, a robust and regularly revised TIA and third-country risk assessment are essential.