Do we need to worry about a Schrems III?

The future of the EU–US Data Privacy Framework (DPF) raises legitimate questions. Will there be a Schrems iii judgment? And what would happen to, for example, the use of US cloud services if the DPF were to be invalidated?

EU–US Data Privacy Framework: the near-term outlook

In January 2025, representatives of NOYB were asked whether they planned to challenge the DPF in court. Their answer was no — at least not in the short term. Their assessment was instead that the framework is more likely to collapse due to political changes in the United States. If proceedings were brought, a judgment would likely take at least two years, meaning a Schrems iii would not be expected before mid-2027.

Signals from the United States and oversight concerns

There are already indications that oversight in the United States has weakened. The Privacy and Civil Liberties Oversight Board (PCLOB), which plays a central role in the EU’s confidence in the reliability of US safeguards, currently has only one remaining member. Three of four members were recently removed by the Trump administration. This risks undermining trust in personal data protections in the United States.

Bindl (T-354/22): what the ruling says about transfers

If the DPF were to be invalidated — would US cloud services become unlawful to use? A recent EU judgment of 8 January 2025 (Bindl, T-354/22) provides guidance. The European Commission stored data with Amazon on servers located within the EU, and the Court held that the mere risk that data could be transferred to the United States does not in itself mean that a third-country transfer has occurred. An actual transfer to a third country is required for Article 46 GDPR to apply; the risk of such a transfer cannot be equated with a breach of that provision.

EU–US Data Privacy Framework: practical actions for organisations

How should organisations respond? Our recommendation is to prepare a contingency plan for changing conditions — for example, ensuring you can switch service providers or storage locations at pace if needed. Monitor developments and be ready to act. This will help you manage Schrems iii uncertainty while maintaining operational continuity.

• Map data flows and identify any actual third-country transfers, distinct from hypothetical risks.
• Contractually enable rapid vendor or hosting changes (including EU-only hosting options).
• Maintain and test fall-back transfer mechanisms and supplementary measures.
• Track legal and political developments affecting the DPF and US oversight.

Want to future-proof your cloud services against change? Contact Morling Consulting — our GDPR lawyers will help you make the right decisions in time.