New uncertainties for international data transfers and European digital sovereignty
TMWP Analysis
From TMWP's perspective, there is currently no immediate obligation to act, as the EU–US Data Protection Framework (EU–US Data Privacy Framework) remains in effect. However, companies should closely monitor the situation and critically reassess their international data transfers.
The debate has long surpassed the mere question of data protection and now touches on fundamental issues such as digital sovereignty, cloud strategies, accountability in supply chains, and regulatory resilience.
Concrete recommendations for businesses
Regardless of the future of the Data Privacy Framework, TMWP currently recommends the following measures:
- Document all data transfers to the United States and other third countries.
- Identify the cloud and SaaS services used, including Microsoft 365, Azure, AWS, Google Workspace, and Salesforce.
- Review existing standard contractual clauses (SCC) as well as the data transfer mechanisms currently in use.
- Examine subcontracting contracts and the subcontractors involved in data processing.
- Integrate data protection, information security and supplier management into a common compliance framework.
- Monitor regulatory developments at the level of the European Commission, European data protection authorities and the Court of Justice of the European Union.
TMWP supports companies in assessing transfers to third countries, risks related to data protection, cloud strategies, as well as in establishing robust compliance and governance structures.
Context
Transatlantic data exchanges between the European Union and the United States may once again face legal challenges.
The situation originates from a decision of the Supreme Court of the United States (US Supreme Court), which limits the independence previously enjoyed by the Federal Trade Commission (FTC). In the future, FTC commissioners may be more easily removed by the President of the United States.
However, this institutional independence was an important element of the analysis conducted by the European Union when assessing the level of protection offered by the EU–US data protection framework.
The central question is therefore as follows:
Do the United States still meet the requirements for an adequate level of data protection under European law?
Why are companies closely monitoring this development?
Several professional organisations view this development with concern.
Economic representatives emphasise that a reliable and legally secure data exchange with the United States is essential for many business processes. At the same time, they warn against an increase in legal uncertainties, compliance costs, and potential barriers to investment.
Companies dependent on cloud services and platforms based in the United States would be particularly affected, especially those using:
- Microsoft Azure
- Microsoft 365
- Office 365
- Amazon Web Services (AWS)
- Google services
- Salesforce
Today, these solutions form the foundation of many business processes, from email and collaboration to CRM systems, data analysis, and document management.
Is there currently a need to act?
To date, the EU–US data protection framework remains fully applicable.
In light of the publicly available information, there is nothing to indicate that data transfers to the United States have automatically become illegal. However, there is uncertainty regarding the future legal stability of this agreement.
Representatives from economic and data protection circles believe that it is advisable, for the time being, to wait for political and judicial developments at both the European and American levels.
At the same time, companies are advised to review their existing data transfers and, where appropriate, to rely on additional safeguards, including the European Commission's standard contractual clauses.
Beyond data protection: the issue of digital sovereignty
The current debate once again shows that data protection cannot be considered in isolation.
Many companies today heavily depend, both technically and organisationally, on global cloud providers. A rapid shift to alternative solutions would often incur significant costs, technical risks, and considerable organisational efforts.
It is precisely for this reason that the issue of digital sovereignty in Europe is gaining even more importance.
The challenge is not to systematically replace existing technologies. Companies must first understand where their data is processed, which providers are involved in these processes, and what regulatory risks may arise from these dependencies.
Conclusion
The decision of the United States Supreme Court has reignited the debate on the future of transatlantic data flows.
The EU–US data protection framework is currently still in effect. Nevertheless, companies should take advantage of this situation to critically reassess their international data flows, their cloud services, and the protection measures already in place.
TMWP recommends a proactive approach:
Companies that already have a clear view of their data transfers, their providers, and the associated regulatory risks will be significantly better prepared for any future developments.
Data protection, information security, supplier management, and digital sovereignty must be considered as closely linked components of a modern governance and compliance strategy.en …