
Is the EU-US Data Privacy Framework at Risk? Risks for Cloud Data and Secure Alternatives

The EU-US Data Privacy Framework is once again under scrutiny. Learn what a potential Schrems III case could mean for Microsoft 365, Salesforce, and other cloud services—and how to protect your data in the long term.

Is the EU-US Data Privacy Framework at Risk? What Organizations Need to Know Now


The EU-US Data Privacy Framework (DPF) is currently the most important legal mechanism for transferring personal data between the European Union and the United States. Thousands of European organizations rely on it when using cloud services such as Microsoft 365, Salesforce, ServiceNow, Google Workspace, and Amazon Web Services (AWS).

However, a recent U.S. Supreme Court ruling (Trump v. Slaughter) has once again raised concerns about the long-term stability of the framework. Privacy advocacy organizations are already discussing the possibility of a new “Schrems III” case that—similar to Safe Harbor and Privacy Shield before it—could challenge the current adequacy decision.

There is currently no immediate need for action. Nevertheless, the ruling clearly demonstrates how dependent international data transfers remain on political and legal developments.

As a result, one question is becoming increasingly important for organizations:

How can sensitive data be protected permanently, regardless of which privacy agreements may apply in the future?

What Is the EU-US Data Privacy Framework?


The EU-US Data Privacy Framework (DPF) is the current adequacy decision of the European Commission pursuant to Article 45 GDPR.

It allows personal data to be transferred to certified U.S. organizations, provided they comply with defined privacy and data protection requirements.

The Data Privacy Framework replaces the previous agreements:

  • Safe Harbor (invalidated by the European Court of Justice in 2015)
  • Privacy Shield (invalidated by the Schrems II ruling in 2020)

The objective of the DPF is to provide a legally secure basis for data transfers between Europe and the United States while maintaining European data protection standards.

Is the EU-US Data Privacy Framework Still Valid?


Yes.

The adequacy decision remains fully in force.
It will only cease to apply if:

  • The European Commission withdraws it, or
  • The European Court of Justice declares it invalid.

Organizations do not currently need to make short-term changes to their cloud strategies.
However, uncertainty is increasing significantly.

Why Is the Data Privacy Framework Under Pressure Again?


The trigger is the U.S. Supreme Court ruling in Trump v. Slaughter.
The case centers on the Federal Trade Commission (FTC).
Among other responsibilities, the FTC oversees compliance with privacy obligations by certified U.S. organizations.
Privacy advocacy groups such as noyb argue that:

  • The FTC’s independence is not sufficiently protected.
  • This weakens a key pillar of the Data Privacy Framework.
  • The Data Protection Review Court, which handles complaints from European citizens, is not an independent court in the European sense but rather part of the U.S. executive branch.

This debate could ultimately lead to a new case before the European Court of Justice, commonly referred to as “Schrems III.”

Which Cloud Services Could Be Affected?


A potential invalidation of the Data Privacy Framework could impact nearly all major U.S.-based cloud platforms, including:

  • Microsoft 365
  • Microsoft Azure
  • Salesforce
  • ServiceNow
  • Google Workspace
  • Google Cloud
  • Amazon Web Services (AWS)

Today, these platforms form the backbone of countless business processes.
For many organizations, replacing them would neither be economically nor technically realistic in the short term.

What Does the U.S. CLOUD Act Mean?


The U.S. CLOUD Act requires U.S. companies, under certain circumstances, to provide data to U.S. authorities—even if that data is stored outside the United States.

The decisive factor is not where the data is stored, but whether the provider is subject to U.S. jurisdiction and has the data in its possession, custody, or control. That is the position of a U.S.-headquartered provider even for its European subsidiaries and data centers.

As a result, the CLOUD Act may also affect data stored exclusively in European data centers.
This means:

  • A European data location alone does not guarantee full data sovereignty.
  • Contractual clauses do not prevent technical access to plaintext data.
  • Organizations require additional technical safeguards.

Microsoft 365, Salesforce & Co.: What Does This Mean for Organizations?


Many organizations are currently asking:

Do we need to leave Microsoft 365 or Salesforce?

The answer is: No.

Switching cloud platforms is usually neither necessary nor economically viable.

The more important question is:

How can sensitive data be protected independently of the cloud provider?

Checklist: Questions Organizations Should Answer Now


A current cloud risk assessment should address at least the following questions:

  • Which personal data is processed in U.S.-based cloud services?
  • Which data genuinely needs to remain available in plaintext?
  • Who controls the cryptographic keys?
  • Which data flows are business-critical?
  • Which technical safeguards exist independently of the Data Privacy Framework?
  • How significant would the risk be if the DPF were invalidated?
  • Have Zero Trust strategies already been implemented?
  • Are cloud applications prepared for audits and compliance assessments?

Why Contracts Alone Do Not Create Data Security


Data processing agreements, Standard Contractual Clauses (SCCs), and adequacy decisions remain important elements of a compliance strategy.

However, they do not prevent technical access to plaintext data.

Political agreements can change.

Court rulings can invalidate privacy frameworks.

Cloud providers may be subject to legal disclosure obligations.

Technical safeguards, by contrast, remain effective regardless of political developments.

What Does Technical Data Sovereignty Mean?


Technical data sovereignty means that an organization retains full control over its sensitive information at all times, regardless of:

  • Where the data is stored
  • Which cloud provider is used
  • Which laws may apply in the future
  • Which political decisions are made

The foundation for this includes:

  • Client-side encryption
  • Customer-controlled encryption keys
  • Data-centric security architectures
  • Zero Trust concepts
  • Crypto agility

How eperi sEcure Makes Organizations Independent of the Data Privacy Framework


eperi sEcure adds a further layer of security and privacy protection on top of existing cloud platforms.

Risk and how eperi sEcure addresses it:

  • US CLOUD Act: encryption before data reaches the cloud
  • Invalidation of the Data Privacy Framework: protection independent of political decisions
  • Microsoft or cloud administrator access: no plaintext data outside your own infrastructure
  • Loss of control over encryption keys: integration with your own KMS or HSM
  • Multi-cloud strategies: platform-independent encryption
  • Audits: comprehensive logging and audit trails

What eperi sEcure Specifically Provides


Client-Side Encryption: Sensitive data is encrypted or tokenized before reaching Microsoft 365, Salesforce, ServiceNow, or other cloud services.

Customer-Controlled Keys: Cryptographic keys remain entirely under the organization's control.

Protection Across All Data States:

  • Data in Transit
  • Data at Rest
  • Data in Use

Granular Security Policies:

Organizations can precisely define:

  • Which data
  • Which fields
  • Which documents
  • Which applications

should be encrypted or tokenized.

Cloud Functionality Remains Intact: Search, workflows, reporting, validation processes, and business applications continue to operate despite encryption.
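As an added illustration of the field-level approach described above (example code written for this page, not eperi's code and not a description of how eperi sEcure is built), the following Go program models a customer-side gateway: each field of an outgoing record is either forwarded in plaintext, encrypted with AES-256-GCM under a customer-held key, or replaced by a deterministic keyed token, and records coming back from the cloud are restored from the local key and token vault. The type and function names (Gateway, Outbound, Inbound, Token), the sample record and the keys are assumptions for the example; a real deployment would obtain the keys from the customer's own KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

type Action int // what the gateway does to a field before the record leaves the customer's network
const (
	Plain    Action = iota // not sensitive: forwarded unchanged
	Encrypt                // AES-256-GCM with a random nonce: the cloud cannot search or compare it
	Tokenize               // deterministic keyed token: the cloud can still do equality search and reporting
)
type Gateway struct { // customer-controlled keys and the token vault; none of it is ever sent to the cloud
	policy  map[string]Action // field name -> Action; unlisted fields are Plain
	aead    cipher.AEAD
	hmacKey []byte
	keyID   string            // tagged onto ciphertexts so keys can be rotated later (crypto agility)
	vault   map[string]string // token -> plaintext
}

// NewGateway takes raw keys; in production they would come from the customer's own KMS or HSM (demo assumption).
func NewGateway(policy map[string]Action, aesKey, hmacKey []byte, keyID string) (*Gateway, error) {
	block, err := aes.NewCipher(aesKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Gateway{policy: policy, aead: aead, hmacKey: hmacKey, keyID: keyID, vault: map[string]string{}}, nil
}

// encryptField emits "enc:<keyID>:<base64(nonce||ciphertext||tag)>" with the field name bound as associated data.
func (g *Gateway) encryptField(field, value string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.aead.Seal(nil, nonce, []byte(value), []byte(field))
	return "enc:" + g.keyID + ":" + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// decryptField checks key id, format and GCM tag; a ciphertext moved into another field fails the tag check.
func (g *Gateway) decryptField(field, stored string) (string, error) {
	prefix := "enc:" + g.keyID + ":"
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, prefix))
	ns := g.aead.NonceSize()
	if !strings.HasPrefix(stored, prefix) || err != nil || len(raw) < ns {
		return "", fmt.Errorf("not a well-formed ciphertext under key %q", g.keyID)
	}
	pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", fmt.Errorf("authentication failed: wrong key, tampered data or wrong field")
	}
	return string(pt), nil
}

// Token is deterministic (equality search in the cloud keeps working) but keyed, so the cloud cannot rebuild
// tokens for guessed values; the token-to-plaintext mapping lives only in the local vault.
func (g *Gateway) Token(field, value string) string {
	mac := hmac.New(sha256.New, g.hmacKey)
	mac.Write([]byte(field + "\x00" + value))
	tok := "tok:" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)[:16])
	g.vault[tok] = value
	return tok
}

// Outbound transforms a record on its way to the SaaS (the result is all the cloud sees); Inbound reverses it.
func (g *Gateway) Outbound(rec map[string]string) (map[string]string, error) { return g.apply(rec, true) }
func (g *Gateway) Inbound(rec map[string]string) (map[string]string, error)  { return g.apply(rec, false) }
func (g *Gateway) apply(rec map[string]string, outbound bool) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for field, value := range rec {
		var err error
		switch a := g.policy[field]; {
		case a == Encrypt && outbound:
			value, err = g.encryptField(field, value)
		case a == Encrypt:
			value, err = g.decryptField(field, value)
		case a == Tokenize && outbound:
			value = g.Token(field, value)
		case a == Tokenize:
			var ok bool
			if value, ok = g.vault[value]; !ok {
				err = fmt.Errorf("token not in vault")
			}
		}
		if err != nil {
			return nil, fmt.Errorf("%s: %w", field, err)
		}
		out[field] = value
	}
	return out, nil
}
```

Two caveats a practitioner would check before relying on a design like this: deterministic tokens reveal which records share a value (that is exactly what keeps equality search and reporting working in the cloud), so reserve tokenization for the fields that genuinely need it and encrypt everything else with a random nonce; and the keys and the token vault become the crown jewels, so they need the backup, access control and audit logging that the cloud data used to get.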

Auditability:

Supports compliance requirements such as:

  • GDPR Article 32
  • DORA
  • NIS2
  • ISO/IEC 27001
  • Cyber insurance requirements

FAQ: Frequently Asked Questions About the EU-US Data Privacy Framework


Is the Data Privacy Framework currently valid?
Yes. The adequacy decision remains fully in force.

Do I need to leave Microsoft 365 or Salesforce now?
No. However, organizations should review and strengthen their technical safeguards.

What happens if Schrems III occurs?
If the European Court of Justice invalidates the Data Privacy Framework, organizations would need to reassess the legal basis for their transfers. Companies that have already implemented technical data sovereignty measures are in a much better position: the cloud provider then only ever holds ciphertext and tokens, and encryption with keys held solely by the data exporter is one of the supplementary measures the EDPB has described for transfers to third countries.

Are Standard Contractual Clauses sufficient?
No. They provide a legal basis for data transfers but do not prevent technical access to plaintext data.

How does client-side encryption protect data?
Data is encrypted before it reaches the cloud. The cloud provider only processes encrypted information.

Why is technical data sovereignty becoming increasingly important?
Because political agreements, privacy frameworks, and international legal conditions can change at any time. Technical safeguards remain effective regardless of regulatory developments.

Conclusion: Don't Wait for Schrems III


Whether the EU-US Data Privacy Framework will remain valid in the long term remains uncertain.

What is certain is this: International privacy agreements may change. Technical data sovereignty remains.

Organizations should therefore not rely exclusively on legal agreements as the foundation of their cloud security strategy but should complement them with technical safeguards.

With eperi sEcure, sensitive data is protected before it enters the cloud. Organizations retain full control over their cryptographic keys and reduce regulatory risk—regardless of how the future of the EU-US Data Privacy Framework develops.



The EU-US Data Privacy Framework (DPF) is currently the European Commission's adequacy decision governing personal data transfers between the European Union and certified organizations in the United States. The U.S. Supreme Court ruling in Trump v. Slaughter has reignited discussions about the framework's long-term stability, as key U.S. oversight mechanisms are once again being questioned. Regardless of the future of the DPF, technical safeguards such as client-side encryption, customer-controlled encryption keys, Zero Trust architectures, and data-centric security models can significantly enhance data sovereignty and reduce regulatory risk when using cloud services.
