For years, the question of whether storing personal data in US-based cloud services complies with European privacy laws has been a legal and political minefield. While the EU and US have repeatedly attempted to establish frameworks to enable transatlantic data flows, these agreements have consistently failed to withstand legal scrutiny.
The latest iteration of those attempts, the EU-US Data Privacy Framework (DPF), is now facing the same fate as its predecessors — rendered practically defunct due to structural issues and alarming developments in US oversight mechanisms.
If the deal is revoked, this could turn disastrous for companies. Judges in the EU could make the use of US clouds illegal at any moment. Read on to understand what the current situation around the agreement could mean for businesses handling data across the continents.
Oversight board’s chair and members laid off
A key provision in the DPF is the oversight function provided by the US Privacy and Civil Liberties Oversight Board (PCLOB). However, on January 27, the chairman of the board and two other members were dismissed, leaving only one active board member and a skeleton legal team of four staff members. A judge found the dismissal of the two members of the board unlawful.
With such a weakened oversight body, the fundamental concerns that led the Court of Justice of the European Union (CJEU) to strike down previous agreements remain unaddressed. The current DPF is unlikely to survive the inevitable legal challenges ahead, much like its predecessors, Privacy Shield and Safe Harbor.
The legal reality: data transfers to the US remain risky
From a legal perspective, the CJEU’s rulings on transatlantic data transfers have been clear: unless the US implements substantial legal reforms, no framework will provide sufficient protection under EU law. The General Data Protection Regulation (GDPR) requires that personal data be protected with a level of security equivalent to what is granted within the EU. However, under US law, foreign citizens lack the same privacy rights as US residents, and intelligence agencies retain broad access to data stored by US-based companies.
This means that, despite the existence of the DPF, organizations handling EU personal data must assess whether their transfers to US-based cloud providers comply with GDPR. In practice, this is difficult, if not impossible, without additional safeguards such as encryption, data localization, or alternative hosting solutions.
EU-US Data Privacy Framework at risk: what this means for businesses
Companies relying on US cloud providers to store or process EU customer data are left in an uncertain position. Even if they adhere to the DPF, they may still be violating GDPR due to the unresolved structural issues. Legal challenges are inevitable, and it is only a matter of time before the CJEU is asked to review the framework once again.
For businesses, this could mean several things:
DPF is not a long-term solution — Organizations should not assume that compliance with the framework guarantees GDPR adherence.
Risk of enforcement actions — European data protection authorities could take action against companies transferring data under the DPF if it is deemed non-compliant.
Time to look for alternatives — EU-based or self-hosted cloud solutions offer a legally safer approach for organizations handling sensitive data.
Nextcloud’s approach: a future-proof alternative
Given the ongoing legal uncertainties, businesses and government entities need solutions that ensure compliance with GDPR without depending on fragile political agreements. Nextcloud offers a fully self-hosted, Europe-based cloud collaboration platform that keeps data under the direct control of organizations. With on-premises hosting and strong encryption features, Nextcloud allows businesses to maintain compliance with EU privacy laws while avoiding the risks associated with US-based services.
As history has shown, legal frameworks like Safe Harbor and Privacy Shield, and now the DPF, do not offer the stability or protection that businesses need. By choosing self-hosted solutions, organizations can future-proof their operations and guarantee compliance with the highest standards of data protection.
Is it high time we moved away from US cloud providers?
The EU-US Data Privacy Framework is already on shaky ground, and the recent turmoil at the PCLOB only further weakens its credibility. Companies that continue to rely on US cloud providers for handling EU personal data do so at their own legal and business risk. Now is the time to explore alternatives that prioritize data sovereignty and long-term compliance.
Nextcloud provides a reliable, secure, and GDPR-compliant solution that empowers businesses to take control of their data. As regulatory scrutiny increases, organizations must act proactively to protect their users and their operations from future legal challenges.