The Legality of EU-US Data Transfers is Once Again Shaken

We need to work on implementing strategies to ensure data privacy and regulatory compliance. This is the great need that the Cloud Summit 2025 event for the technology and legal sector, held this April in Madrid, confirmed.

One of the keynote speakers at the event organised by APECDATA (Spanish Association of Cloud and Data Centre Providers), ASOTEM (Association of Business Telecommunications Providers) and Nebrija University was Maximilian Schrems.

The lawyer and data protection activist, founder of NOYB, warned about the legal limbo Europe currently finds itself in.

After the Court of Justice of the European Union (EU) annulled the Safe Harbour and Privacy Shield frameworks, the relationship between the continent and the United States in this area relies on the Transatlantic Data Privacy Framework or TADPF, which relies on executive orders.

This means that, with a simple signature, President Donald Trump could alter the privacy agreement between the two sides.

‘Instead of betting on stable legal limitations, Europe relied on executive promises that can disappear in seconds,’ says Schrems. ‘Now that Trump is starting to make a move, many European companies are entering a legal limbo.’

‘I cannot imagine that a Biden executive order, imposed on the US by the EU and regulating US spying, will survive Trump’s ‘America First’ logic,’ he adds.

The expert criticised during the event in Spain that EU authorities and the business lobby had accepted this weak legal basis for the transfer of data.

With Trump’s return to the White House, members of the Privacy and Civil Liberties Oversight Board (PCLOB), which is the only independent oversight body for the agreement, have already been removed.

Schrems advises companies to prepare a contingency plan, including looking for alternative hosting within the European Economic Area, and to review cloud contracts to include clauses protecting against possible regulatory changes.

It also recommends monitoring current developments in the United States for the possibility of an invalidation of the current agreement.

On the risks inaugurated in this new political era, he highlights the fact that ‘thousands of contracts involving data transfers to the US – especially cloud services from Microsoft, Amazon, Google and Apple – could become illegal in a matter of days’.

This will impact a range of areas, including financial institutions, hospitals, educational institutions and public administrations, among other sectors.

The summary is the realisation of Europe’s dependency and lack of sovereignty in the face of a lack of sufficient options vis-à-vis US technology.

Also participating in Cloud Summit 2025 were Alfonso López de la Osa, dean of the Faculty of Law at Nebrija University; Francisco Pérez Bes, assistant to the president of the Spanish Data Protection Agency (AEPD), who believes that data protection and cybersecurity must be ‘integrated into the operational core of the company’, and Roberto Beitia, president of APECDATA, who believes that ‘technological evolution must go hand in hand with awareness and digital sovereignty’.

In addition, a round table was held on the ‘Challenges of privacy and cybersecurity in the cloud’ with spokespersons from the National Cryptologic Centre (CCN), the Agency for Digital Administration of the Community of Madrid and the Legal Technology Agency.

The debate addressed the impact of the NIS2 directive and the challenges of certification and compliance with the National Security Scheme (ENS).