The issues surrounding the transfer of data to the USA have been known for a long time and are subject to constant fluctuations. As soon as political changes occur, this has always had an impact on the agreements at the time in the past. Therefore, the EU-US DPA should also be examined more closely with the current change of government.
The instrument that made the framework possible in the first place is Executive Order 14086, which in turn resulted in the so-called PCLOB - Privacy and Civil Liberties Oversight Board. This is a supervisory body that was set up to monitor the protection of citizens' rights. Following the election of US President Trump, however, all Democratic members were dismissed from this board. The consequence of this dismissal is that this body can no longer fulfill its original function and is effectively unable to work.
What does this mean in concrete terms for the agreement?
According to Art. 45 para. 4 GDPR, the EU Commission is required to monitor developments in third countries, which undoubtedly includes the USA. It must now determine whether, despite the changes to the EU-US DPF, a suitable legal basis for data transfer can still be established. Such monitoring and evaluation already took place in October 2024. A need for improvement was identified. The number of members of the PCLOB was also discussed. This is likely to be relevant again in the upcoming evaluation.
For the time being, this means that you cannot rely on the continued existence of the agreement.
In the meantime, it might make sense to check your US service providers and get an overview of them. If the EU-US DPF could indeed no longer provide a legal basis, alternative options such as the standard contractual clauses should be considered. Alternative providers could also be considered in the long term.
However, the agreement is currently still valid. We will inform you immediately of any changes.