Updated July 1, 2026
Summary: The EU-US Data Privacy Framework inherits structural vulnerabilities from FISA 702 and EO 12333 that neither Executive Order 14086 nor the Data Protection Review Court fully resolves; organisations handling sensitive data should build a transfer strategy that does not depend on the DPF remaining valid.

The EU-US Data Privacy Framework adequacy decision risk is the legal and operational exposure that arises when an organisation relies on the European Commission’s July 2023 DPF adequacy decision to justify personal data transfers to US-based cloud providers, processors or subsidiaries, and that decision is subsequently invalidated by the Court of Justice of the European Union. This is not a theoretical concern: the same court has already annulled two predecessor frameworks, Safe Harbour in 2015 and Privacy Shield in 2020, on structurally identical grounds.

A pattern, not an anomaly

The history of transatlantic data transfer frameworks tells a consistent story. Safe Harbour functioned for fifteen years before the CJEU struck it down in Case C-362/14 (Schrems I). Privacy Shield survived less than four years before the Grand Chamber invalidated it in Case C-311/18 (Schrems II) on 16 July 2020. In both cases, the court found that US surveillance law, particularly FISA Section 702 and Executive Order 12333, did not afford European data subjects rights “essentially equivalent” to those guaranteed by the EU Charter of Fundamental Rights.

The EU-US Data Privacy Framework, adopted by the European Commission on 10 July 2023, attempts to address those findings. It rests primarily on Executive Order 14086, signed by President Biden in October 2022, which introduces proportionality requirements for US signals intelligence collection and establishes the Data Protection Review Court (DPRC) as a redress mechanism for EU individuals who believe their data has been unlawfully accessed.

Key risk: FISA Section 702 was reauthorised by the US Congress in April 2024 for a further two years, leaving the bulk collection authority that the CJEU identified as problematic in Schrems II structurally intact. No amendment to the statute accompanied the DPF adequacy decision.

Why EO 14086 does not resolve the structural problem

Executive Order 14086 is a presidential instrument, not federal legislation. Critics, including noyb (the organisation that triggered both Schrems I and Schrems II), argue this creates three specific vulnerabilities.

First, an executive order can be modified or revoked by any sitting president without congressional approval. The legal protections it provides are therefore politically contingent in a way that a statute is not. Second, the Data Protection Review Court is an administrative body created within the executive branch; it is not an Article III court under the US Constitution, and its proceedings are classified. European data subjects cannot be represented by independent counsel, receive the decision, or challenge it before a genuinely independent tribunal. The European Data Protection Board has noted in its analysis of the DPF that the effectiveness of the DPRC as a remedy remains an open question under EU standards for judicial redress. Third, EO 14086 does not bind the National Security Agency or other intelligence agencies with respect to bulk collection under Executive Order 12333, which operates outside FISA entirely and covers data collected abroad, including from transatlantic cables.

The CJEU stated plainly in Case C-311/18: “The level of protection in the United States is not essentially equivalent to that in the EU.” That finding was grounded in the architecture of FISA 702 and EO 12333, both of which remain operative today.

The Schrems III scenario and its implications for SCCs

A referral challenging the DPF adequacy decision has been lodged before the CJEU. If the court issues what commentators call a Schrems III ruling, the consequences cascade quickly across the entire landscape of transatlantic data transfers.

| Transfer mechanism | Status after DPF invalidation | Practical effect |
|---|---|---|
| DPF adequacy decision | Void from date of judgment | Transfers relying solely on DPF immediately unlawful |
| Standard Contractual Clauses (SCCs) with US processor | Formally valid but contingent on TIA | Transfer Impact Assessment must show effective protection; for mainstream US hyperscalers, this is extremely difficult to demonstrate |
| Binding Corporate Rules | Unaffected in form but same substantive problem | BCRs do not override FISA obligations on US group entities |
| Data stored exclusively in EU or Swiss jurisdiction | No dependency on DPF | No exposure; no contingency action required |

Standard Contractual Clauses are a contractual instrument between two parties. They cannot compel a US cloud provider to refuse a lawful order under FISA Section 702. After Schrems II, the EDPB published Recommendations 01/2020 on supplementary measures, making clear that where a third country’s law prevents a data importer from honouring the SCCs, the clauses do not provide adequate protection in practice. A Schrems III ruling would reaffirm and sharpen that position.

Compliance note: Organisations whose transfer records document their US cloud transfers as relying on SCCs, with the DPF cited as supporting context, should audit those records now. A transfer impact assessment written in 2023 may no longer reflect the legal landscape by the time of a judgment.

Building a contingency posture that does not depend on the DPF

Compliance officers, data protection officers and CISOs in regulated sectors, including finance under DORA, healthcare under national implementations of the EU health data framework, and public authorities subject to NIS-2, face a specific documentation challenge. Supervisory authorities expect organisations to demonstrate not only current compliance but resilience against foreseeable legal change.

A defensible contingency posture has four components. First, a data mapping exercise that clearly identifies which personal data categories are transferred to US-controlled infrastructure and under which legal basis. This must be specific enough that the organisation can immediately identify what becomes exposed if the DPF falls. Second, a Transfer Impact Assessment for each US transfer that is honest about the limits of SCCs in the face of FISA 702, rather than relying on the continued validity of the DPF to paper over the gap. Third, a documented migration pathway: a written plan, with owner, timeline and budget, for moving identified high-risk data categories to a jurisdiction not subject to US law. Fourth, contractual provisions with US processors that require them to notify the organisation of any government access demand to the extent legally permitted, and to challenge such demands where possible.

The European Data Protection Board, in its guidance on Chapter V GDPR transfers, has consistently emphasised that organisations bear the burden of demonstrating essentially equivalent protection. Relying on an adequacy decision without a contingency plan is not a defensible posture when the decision’s legal history includes two prior invalidations.

Why repatriation eliminates the dependency rather than managing it

Moving sensitive data to infrastructure that is legally and operationally outside US jurisdiction does not merely reduce DPF exposure: it removes the legal hook that creates the problem. A cloud provider incorporated in Switzerland, operating under Swiss law and without a US parent, affiliate or legal entity subject to the CLOUD Act or FISA, has no obligation to respond to US government data demands. The revised Swiss Federal Act on Data Protection, which entered into force on 1 September 2023, aligns substantively with the GDPR, and Switzerland holds an EU adequacy decision under Article 45 GDPR. Data can therefore flow from EU controllers to Swiss processors without relying on the DPF, without SCCs with a US counterparty, and without a transfer impact assessment that must address American surveillance law.

The same logic applies to EU-only infrastructure: a German or French cloud provider without US corporate connections is outside the reach of FISA 702 by jurisdiction. The distinction matters because managing DPF risk through supplementary measures still requires ongoing legal monitoring, updated TIAs after each change in US law, and potential scrambling if a court ruling lands at short notice. Repatriation converts a recurring compliance liability into a settled architectural fact.

For organisations replacing Microsoft 365 or Google Workspace, a sovereign workspace built on open-source platforms such as Nextcloud, hosted within the EU or in Switzerland, delivers full collaboration functionality while moving the legal anchor point away from US jurisdiction entirely. The same principle applies to AI tools: running inference on models such as Mistral or Llama on infrastructure within the EU or Switzerland means that no personal data is processed by a US provider subject to FISA or CLOUD Act demands.

The CJEU said in Case C-362/14 that “the existence of domestic legislation permitting public authorities to have access to the content of electronic communications on a generalised basis must be regarded as compromising the essence of the fundamental right to respect for private life.” Until US law changes at the statutory level, that finding remains the judicial baseline against which every transatlantic transfer framework will be measured. Organisations that structure their data architecture to avoid US-controlled infrastructure are not being cautious to excess; they are aligning with the legal reality that two CJEU Grand Chamber judgments have already established.

FAQ

Is the EU-US Data Privacy Framework legally safe to rely on right now?

The DPF is currently in force following the European Commission’s adequacy decision of July 2023. However, a legal challenge coordinated by noyb is already before the CJEU. Given that Safe Harbour lasted fifteen years and Privacy Shield less than four, compliance officers should treat the DPF as a conditionally valid mechanism and maintain a documented contingency plan that does not depend on its continued validity.

What would a Schrems III ruling mean in practice for organisations using US cloud services?

A third invalidation would strip the DPF of legal force immediately upon judgment. Standard Contractual Clauses would remain on paper, but transfer impact assessments would need to reflect a legal landscape in which US intelligence law is again deemed incompatible with the EU Charter. Supervisory authorities could order suspension of transfers, as the Irish Data Protection Commission did following Schrems II.

Does Executive Order 14086 eliminate the FISA 702 problem?

No. EO 14086 creates a redress mechanism through the Data Protection Review Court and requires proportionality in signals intelligence collection, but it does not amend FISA 702 itself. The statute still authorises targeted collection of non-US persons’ communications held by US providers, and the DPRC operates without the transparency or adversarial process that EU courts recognise as an effective judicial remedy.

Can Standard Contractual Clauses alone protect a transfer to a US cloud provider after a DPF invalidation?

Only if a transfer impact assessment demonstrates that the specific transfer is not exposed to FISA 702 or EO 12333 collection in practice. For mainstream US hyperscalers subject to those statutes, the EDPB has consistently held that contractual clauses cannot override the access obligations imposed on providers by US law.

Why does Swiss hosting under the revised FADP remove the DPF dependency rather than just reduce it?

Switzerland is not subject to US jurisdiction, FISA 702, the CLOUD Act or the EU-US DPF framework at all. A Swiss provider incorporated and operating exclusively under Swiss law has no obligation to comply with US government data demands. The revised FADP, in force since September 2023, aligns with GDPR principles and Switzerland holds an EU adequacy decision, meaning data can flow from EU controllers to Swiss processors lawfully without relying on the DPF or SCCs referencing a US entity.
