14 April 2025

Data Privacy Update: What the U.S. Administration's Approach means for the DPF and European businesses

The Data Privacy Framework is under pressure – find out what this means for GDPR-compliant companies processing data in the US.

Regulatory focus on the legality of data transfers to the U.S.

However, these transfers have been subject to increasing scrutiny and legal challenges in recent years. The latest mechanism to govern this transatlantic data flow is the EU-U.S. Data Privacy Framework (DPF). It was introduced to ensure that such data transfers comply with the EU’s stringent General Data Protection Regulation (GDPR).

With the return of Donald Trump to the U.S. presidency, several decisions have sparked renewed concern among EU regulators and businesses. In particular, the operational status of oversight mechanisms like the Privacy and Civil Liberties Oversight Board (PCLOB) has become a focal point. This raises critical questions about the ongoing adequacy of the DPF and what this means for European companies.

Current Legal Basis for Transfers to the U.S. (as of 2025)

As of early 2025, the EU-U.S. Data Privacy Framework remains the primary legal mechanism allowing personal data to be transferred from the European Economic Area (EEA) to the United States. The European Commission’s adequacy decision is still in place. This means EU businesses can legally transfer personal data to U.S. organizations that are certified under the DPF.

DPF Certification and Compliance Requirements

To be eligible, these organizations must be included on the Data Privacy Framework List. They must also adhere to strict privacy principles, including data minimization, purpose limitation, and access and redress rights for EU citizens. These principles are enforced by the U.S. Federal Trade Commission (FTC) and the Department of Commerce.

However, due to recent political developments—especially those impacting U.S. oversight mechanisms like the PCLOB—EU authorities are exercising increased vigilance. Norway’s data protection authority (Datatilsynet) recently emphasized that although the DPF remains legally valid, businesses should prepare for potential disruption if this status changes.

Privacy and Civil Liberties Oversight Board (PCLOB)

The PCLOB plays a crucial role in ensuring that U.S. surveillance practices align with democratic principles and respect for civil liberties. This independent oversight body is tasked with reviewing U.S. intelligence operations and ensuring they do not infringe upon individual rights, especially in the context of foreign citizens whose data may be processed under national security exceptions.

In the context of the DPF, the PCLOB was a key component in securing the EU’s adequacy decision. The European Commission highlighted the board’s independence and investigative powers as a critical safeguard that supports the claim that U.S. laws offer protections “essentially equivalent” to the GDPR.

Without a functioning PCLOB, it becomes much more difficult to validate U.S. compliance with the requirements set out in the DPF.

Latest Changes in the PCLOB

One of the most significant and controversial moves by the Trump administration in 2025 has been the dismissal of several members of the PCLOB. With only one member remaining, the board is currently unable to make decisions. This effectively suspends its ability to issue reports, conduct investigations, or exercise its full oversight powers.

Although there are indications that new appointments will eventually be made, the current lapse has alarmed European regulators. According to Datatilsynet, this non-functional state of the PCLOB undermines one of the key pillars supporting the adequacy decision.

The situation introduces a level of uncertainty that could, if prolonged, jeopardize the legal foundation of the DPF and reignite the legal challenges that previously led to the annulment of Safe Harbor and Privacy Shield.

Stalled oversight body PCLOB fuels uncertainty around DPF

The inactivity of the Privacy and Civil Liberties Oversight Board (PCLOB) is not just a bureaucratic issue. It directly undermines the EU’s confidence in the U.S. as a trusted data partner under the Data Privacy Framework (DPF). Without active oversight, the central promise of the DPF—that EU citizens’ data rights are protected—becomes questionable.

Moreover, legal experts and European regulators warn of potential consequences. If the PCLOB cannot monitor U.S. surveillance activities effectively, there’s no guarantee of accountability. This creates uncertainty about whether intelligence agencies might overstep their bounds, which in turn shakes the legal foundation of the DPF.

European reaction: Norway sounds the alarm

In February 2025, Norway’s Data Protection Authority, Datatilsynet, issued a clear warning. While they still recognize the DPF as legally valid, they emphasized that the lack of a functioning PCLOB is a serious issue.

Accordingly, Datatilsynet recommends that businesses prepare for a scenario in which the DPF is invalidated. Their guidance includes creating an exit strategy, reviewing data transfers, and considering alternatives—like using service providers based entirely within the European Economic Area (EEA).

What this means for marketers and website owners still using U.S.-based tools

If your marketing stack still includes Google Analytics, Google Tag Manager, or other U.S.-based platforms, it could be advisable to review your compliance strategy. Recent developments in U.S. privacy oversight—particularly the inoperability of the PCLOB—have cast doubts over the long-term viability of the EU-U.S. Data Privacy Framework (DPF).

We’ve seen this before: when Privacy Shield was invalidated in 2020, several European Data Protection Authorities acted quickly, issuing rulings that effectively banned the use of Google Analytics in their jurisdictions. Now, with the Norwegian DPA raising concerns, European businesses once again face uncertainty.

Instead of waiting for enforcement notices or scrambling to pivot under pressure, you can take action now. Switch to a privacy-compliant, European-built platform like JENTIS. With its server-side tracking architecture and GDPR-compliant data handling — hosted entirely within the EU — JENTIS offers future-proof analytics with maximum data control.

A Privacy-Safe Alternative

Instead of waiting for rulings or rushing into last-minute fixes, you can future-proof your setup now. A platform like JENTIS offers a strong alternative. Built in Europe and hosted entirely within the EU, JENTIS combines server-side tracking with full GDPR compliance.

With JENTIS, you get control over your data—without relying on U.S. providers or risking non-compliance. It’s a proactive step that ensures you’re prepared, no matter what happens with the DPF.

Dive Deeper: What is the Data Privacy Framework (DPF)?

The Data Privacy Framework (DPF) was developed to replace earlier frameworks—Safe Harbor and the Privacy Shield. Both were invalidated by the Court of Justice of the European Union (CJEU) in the Schrems I and Schrems II rulings. The court criticized the lack of legal remedies for EU citizens and raised concerns about U.S. surveillance practices.

Introduced in 2023, the DPF aims to rebuild trust in transatlantic data transfers. It offers a structured system for U.S. companies to process personal data from the EU in line with European privacy standards. To participate, companies must self-certify their compliance with key privacy principles. These principles are enforced by the U.S. Department of Commerce and monitored by the Federal Trade Commission (FTC).

However, only companies listed on the official DPF website (dataprivacyframework.gov) are authorized to receive personal data from the EU under this scheme.

Adequacy decisions and their role

An adequacy decision is a declaration by the European Commission. It confirms that a non-EU country ensures a level of data protection comparable to EU standards. As a result, personal data can flow freely to that country—without needing tools like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

The adequacy decision for the U.S. under the DPF was a major milestone. It followed the legal uncertainty caused by the invalidation of the Privacy Shield. The decision was based on a detailed evaluation of U.S. surveillance laws, redress mechanisms, and institutional safeguards.

Notably, bodies like the Privacy and Civil Liberties Oversight Board (PCLOB) played a crucial role. Their oversight helped convince the Commission that EU citizens’ rights would be protected—even when their data is processed in the U.S.
