Is the EU-US DPF another Privacy Shield in the making?

Privacy Culture | March 3, 2025

The EU–US Data Privacy Framework (DPF) was meant to fix the problems that led to the collapse of its predecessors, Safe Harbor and Privacy Shield. But with ongoing concerns over US surveillance laws, is it just another stopgap before the next legal challenge? Privacy professionals in the UK need to be prepared for a potential invalidation and its impact on UK-EU and UK-US data flows.

US surveillance and the risk to UK data

The root of the problem lies in the access US intelligence agencies have to personal data. When Safe Harbor was struck down in 2015, it was because the European Court of Justice (CJEU) found that US surveillance programs allowed indiscriminate access to Europeans’ data. When Privacy Shield was invalidated in 2020, the same issue remained: the US government’s broad surveillance powers meant that data transferred from the EU to the US was not adequately protected. Now, with the DPF, privacy advocates argue that nothing has fundamentally changed.

US intelligence agencies can still collect and process data from foreign nationals without the kind of oversight required under EU law. The DPF introduces a new mechanism, the so-called Data Protection Review Court, which is meant to provide redress for EU citizens. But many experts argue that this isn’t enough—it’s not an independent court in the EU sense, and it still operates under US national security frameworks. For critics like NOYB (None of Your Business), led by Max Schrems, the issue is clear: as long as US mass surveillance continues, the DPF cannot be legally sound. NOYB has already signalled its intent to challenge the framework in court, and legal experts predict another CJEU ruling could come as soon as 2025 or 2026.

The UK’s Role in the DPF

While the UK is no longer part of the EU, it has adopted its own version of the adequacy decision, allowing data to flow freely to certified US companies through the UK Extension to the DPF. This means that UK organisations can transfer data to US businesses that have self-certified under both the DPF and the UK extension. However, if the EU strikes down the framework, the UK’s decision may come under immediate scrutiny, with the Information Commissioner’s Office (ICO) facing pressure to reassess its adequacy stance.

The UK’s approach to international data transfers is closely tied to EU decisions, as any divergence could create further complexities for organisations operating across both regions. If the EU invalidates the DPF, the UK may need to revise its agreements, leading to uncertainty for businesses reliant on transatlantic data flows. Businesses should consider data privacy management tools to track evolving compliance requirements and ensure smooth adjustments.

What this means for UK businesses

If the DPF is invalidated, businesses will once again be left scrambling for alternatives. Privacy professionals should already be preparing for that possibility. The first step is to assess which data transfers currently rely on the DPF and identify any US-based service providers handling personal data. If an organisation is dependent on the framework, it needs a backup plan.

For many, GDPR compliance tools and data governance solutions will play a key role in ensuring continued compliance. Standard Contractual Clauses (SCCs) will likely be the next best option. However, SCCs require companies to conduct Transfer Impact Assessments (TIAs) to determine whether additional safeguards are needed. If the risk of US surveillance is too high, SCCs alone may not be enough. Organisations should also consider whether UK or EU-based hosting or cloud data compliance options could be viable alternatives, particularly for sensitive or high-risk data.

Another key action is engaging with vendors and legal teams. Companies should ensure their contracts allow for flexibility—if the DPF is struck down, switching to SCCs or another mechanism should be straightforward. Investing in privacy management software can also help automate compliance reporting and manage cross-border data transfer risks. Keeping a close eye on the legal landscape will be essential, as any ruling by the CJEU could reshape data transfer rules once again.

The EU–US Data Privacy Framework is not a long-term fix. Safe Harbor and Privacy Shield both collapsed under legal scrutiny, and there’s every reason to believe the DPF will follow. The key difference this time is that privacy professionals can see the warning signs in advance. Being proactive—by reviewing transfer mechanisms, exploring UK and EU hosting options, and staying informed on legal challenges—will help organisations avoid the last-minute chaos that followed the previous invalidations.

Will the CJEU strike it down? Time will tell. But if history is any guide, privacy pros should have their contingency plans ready.

Preparing for change

Privacy professionals in the UK should take proactive steps to ensure their organisations are ready for potential changes. Assessing current data transfers and identifying dependencies on the DPF is a critical first step. Businesses should strengthen their contractual safeguards by implementing Standard Contractual Clauses (SCCs) with thorough Transfer Impact Assessments (TIAs) and consider alternative mechanisms like Binding Corporate Rules (BCRs). Exploring privacy compliance automation tools or AI-driven privacy solutions can help organisations stay ahead of regulatory shifts. Engaging with vendors to ensure flexibility in contractual agreements will help avoid last-minute disruptions. Monitoring legal developments, particularly NOYB’s challenge and potential CJEU rulings, is essential, as is staying informed on any ICO guidance related to the UK Extension to the DPF. Finally, organisations must keep leadership informed and prepared for any regulatory shifts, ensuring business continuity in the face of uncertainty.

Looking ahead

The future of the DPF remains uncertain, and history suggests that legal challenges could once again reshape transatlantic data flows. While businesses cannot predict the outcome, they can prepare. A proactive approach to compliance, strong contractual safeguards, and close monitoring of regulatory developments will ensure that organisations are not caught off guard. Whether the DPF endures or follows the fate of its predecessors, UK businesses that act now will be in the strongest position to adapt and continue operating with confidence.