The new political realities and their impact on data protection
The change of power in Washington in early 2025 marks a significant turning point for transatlantic data protection relations. It sharpens the fundamental differences between US and European data protection law and presents European companies with new challenges. The EU has a comprehensive legal framework in the GDPR, building on the Charter of Fundamental Rights, which treats the protection of personal data as a fundamental right. US data protection, by contrast, rests on a patchwork of sectoral statutes and on voluntary corporate commitments such as self-certification.
Political decisions with far-reaching consequences
This discrepancy has become particularly evident through recent events: On 3rd February 2025, President Trump dismissed three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB). This decision has direct implications for the Transatlantic Data Privacy Framework (TADPF), the basis on which personal data may currently be transferred from the EU to the US. Without a quorum, the PCLOB can no longer perform its central role under the framework, namely independent oversight of the privacy safeguards that US intelligence agencies are required to apply when collecting and handling personal data.
Experts warn that this could be just the beginning of a series of measures endangering the entire TADPF. Executive orders, on which the framework is substantially based, could be revoked in the coming weeks. This would particularly affect companies and institutions that currently rely heavily on US cloud services.
Cloud Act and TADPF: The fundamental legal conflict
The legal core of the problem lies in the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) passed in 2018. The Act clarifies that US law enforcement authorities can compel providers subject to US jurisdiction to produce data in their "possession, custody, or control" regardless of where in the world that data is physically stored. (Access by US intelligence agencies proceeds under separate authorities such as Section 702 of FISA, which is precisely what the TADPF's safeguards are meant to constrain.) For European companies using services such as AWS, Microsoft 365, or Google Cloud, this specifically means: Even if data is stored in European data centres of American providers, a US court order served on the US parent can reach it.
The provider must comply with such an order even where disclosure conflicts with European law. The CLOUD Act does allow a provider to ask the court to quash an order that would violate the law of a foreign state, but the decision rests with a US court, and European data protection law has no binding effect in that proceeding. In many cases the affected European customer will not even learn of the access, because the order can be accompanied by a non-disclosure order ("gag order") that prohibits the provider from notifying anyone.
This stands in direct contradiction to the GDPR, which demands a high standard of protection for personal data and sets strict requirements for international data transfers (Chapter V). Following the CJEU's Schrems II judgment, a third country must offer protection "essentially equivalent" to that of the EU, which in practice requires:
- Transparency in data processing
- Purpose limitation of collected data
- Limits on government access that are necessary and proportionate
- Effective legal remedies for affected individuals
TADPF rests on executive orders, not statute
The TADPF was developed to defuse this legal collision by ensuring that US companies offer a level of data protection comparable to the EU. On the EU side it takes the form of a Commission adequacy decision, which is binding EU law. On the US side, however, the safeguards that decision relies on (limits on signals intelligence collection and the Data Protection Review Court as a redress mechanism) are established by executive order rather than by statute, and can therefore be amended or revoked by the President without Congress.