Navigating between data war and peace
This essay is part of the report “Transatlantic horizons: A collaborative US-EU policy agenda for 2025 and beyond,” which outlines an agenda for common action for the next US administration and European Commission.
The bottom line
Ever since Edward Snowden revealed details on the US National Security Agency (NSA) covertly collecting Europeans’ electronic communications, companies have contended with deep uncertainty over whether they may continue to transfer personal data from Europe to the United States. Washington and Brussels, in their efforts to resolve a long-running dispute with major commercial consequences, have vacillated between data war and peace. A true settlement should be the focus of the next administrations in the United States and the European Union (EU), or the conflict could flare again. For the time being, a fragile truce prevails.
Commercial data transfers from the EU to the United States
State of play
As a direct result of the Snowden revelations, the Luxembourg-based Court of Justice of the EU (CJEU) twice invalidated EU-US international arrangements designed to ensure transatlantic data transfers consistent with EU privacy law. In 2015, the EU-US Safe Harbor Framework was struck down by the court, and in 2020, a successor arrangement, the Privacy Shield, met the same fate.
A third transfer arrangement, the EU-US Data Privacy Framework (DPF), concluded in 2023, put significant additional safeguards in place for Europeans’ personal data. Another legal challenge was immediately filed at the CJEU, this one by Philippe Latombe, a French parliamentarian. The court quickly denied Latombe’s request for a temporary injunction to suspend the application of the DPF. Final disposition of the case remains pending, though many commentators believe it ultimately will fail for procedural reasons.
A greater litigation threat looms, however. The European privacy advocacy organization NOYB —short for None of Your Business—headed by Austrian privacy activist Max Schrems, issued a statement last year suggesting that it also was considering a judicial challenge. There are recent signs that it could be close to doing so. Austria has just implemented a new EU directive enabling consumer protection organizations to file suits for collective redress—a European equivalent to US-style class action lawsuits. NOYB may avail itself of this new remedy in an Austrian court in an effort to block the DPF. A referral to the CJEU could follow quickly, setting the stage for a decisive legal determination by the judges in Luxembourg in the next year or two.
Looking ahead
For the time being, there is little for European Commission and US officials to do other than to jointly ensure that the DPF’s safeguards are being rigorously applied and to sharpen their arguments for the EU legal challenge. The DPF’s prospects before the CJEU are mixed. US observers tend to be impressed by the creativity and seriousness of the reforms that the US government has put in place. However, some European counterparts are more skeptical, pointing out remaining areas where the US steps still may fall short of strict CJEU fundamental rights requirements.
If the DPF, like its predecessors, were to be struck down, a new US administration—Democratic or Republican—might well hesitate whether to go back to the negotiating table with the European Commission for a fourth time. Adding even more US legal safeguards to protect Europeans’ personal data would likely require enactment of a US statute—a doubtful proposition in a new Congress—and could run up against US constitutional constraints.
A Trump administration could well conclude that enough is enough—that instead, it is time to fight back against endless European threats to transatlantic data flows. The Heritage Foundation‘s Project 2025 report, which was written by the former president’s allies though he has distanced himself from it, already has called for a skeptical review of the DPF safeguards and has mooted the possibility of curtailing US intelligence sharing with European governments if commercial data sharing is interrupted. Such an approach would once again vault data transfers into the first rank of transatlantic economic conflict.
Law enforcement data transfers
State of play
The NSA is not the only US challenge the EU sees to its digital sovereignty. Running a close second is the CLOUD Act, a 2018 US law. It empowers US law enforcement to demand that US cloud service providers turn over personal data companies host on foreign servers, including those located in Europe. Although several EU countries, including Belgium, give their prosecutors similar extraterritorial criminal evidentiary powers, the CLOUD Act has been heavily criticized in Europe.
However, the CLOUD Act also offers foreign governments an olive branch to accompany its unilateral offensive provisions. It authorizes the US Department of Justice (DOJ) to negotiate binding international agreements establishing the terms and limits under which each may directly seek electronic evidence from communications service providers. The United States has already reached such agreements with the United Kingdom and Australia, and negotiations with other Five Eyes nations are underway.
For the past five years, the DOJ and the European Commission also have been negotiating a CLOUD Act agreement. The talks paused for several years while the EU finalized its own counterpart legislation, the E-Evidence Regulation, but resumed actively last year. Progress has been slow and difficult. But in June, senior EU and US home affairs and justice officials issued an optimistic joint statement welcoming “further progress” in the negotiations and looking forward to “advancing and completing” them.
Policy recommendations
Now that an agreement appears to be within reach, negotiators should redouble their efforts to finalize the text—or at least come to a political agreement in principle— by the end of this year, before changes in leadership on both sides. Although transatlantic law enforcement negotiations historically have been largely nonpartisan in nature, a Trump administration DOJ might nonetheless question whether to continue negotiations with the EU.
Completing the CLOUD Act agreement would neutralize EU sensitivities over judicial sovereignty in a way comparable to how the DPF has quieted concerns over US foreign surveillance activities in Europe. The two, taken together, would bring an important measure of data peace to transatlantic digital relations.
National security limits to data transfers
State of play
After four decades of propounding unrestricted international commercial data flows, in late 2023, the United States made a course correction—opting to control certain data exports to China, Russia, and other “foreign adversaries” for national security reasons. The new approach is reflected in both legislation and an executive order. The measures will subject a range of data flows to these countries to either outright bans or export controls through a regime akin to what is in place for goods.
The United States similarly reversed course in a World Trade Organization (WTO) negotiation intended to liberalize services trade, the Joint Statement Initiative on Electronic Commerce (JSI). Last fall, the Office of the US Trade Representative unexpectedly withdrew its proposal that the prospective agreement guarantee the free flow of data across borders. The final text of the JSI, announced in July, not only lacks such an obligation, it also allows parties essentially unlimited scope to restrict data flows for data protection reasons, as the EU had sought.
Most notably, the United States singled out its view that the essential security exception is inadequate as a reason for deciding not to join the JSI agreement. That provision simply refers to the essential security exception in the existing General Agreement on Trade and Tariffs (GATT) and the General Agreement on Trade in Services (GATS). Although the United States traditionally had taken a broad view of the GATT/GATS provisions, it now appears to believe that its new national security data controls might not pass WTO muster. Thus, the United States has come full circle on digital trade—from being a principal proponent of free data flows to an opponent of a traditional multilateral limitation on its ability to restrict them for security reasons.
The new US multilateral posture on data transfers reflects a degree of convergence between Washington and Brussels on the proper extent to which data protection may be invoked as a limitation, no doubt to Brussels’ satisfaction. The European Commission has acknowledged some puzzlement, however, over why the United States is no longer content with the WTO’s historic national security exception.
Looking ahead
Neither a Democratic nor a Republican US administration is likely to alter the new approach emphasizing national security considerations in data flows to certain adversary countries.
Although Europe is not, of course, the home of “foreign adversary” countries, the new US policy could eventually pose problems there if Washington were to pressure European governments to adopt similar measures. Alternatively, the United States could seek to directly shut down data transfers from European companies to China and Russia analogous to how it has employed secondary sanctions in the financial realm.
Such steps could pose dilemmas in Europe. The EU, as an institution, largely lacks meaningful authority over export controls, which are reserved to member states, as are national security measures. Individual member states would struggle to develop coherent responses to such potential US pressure.
The United States and the EU have come far toward settling on safeguards accompanying access to personal data by their national security and law enforcement authorities, but definitive resolution in both areas still awaits. In the meantime, new concerns over foreign adversaries’ access to data have emerged, also calling for transatlantic coordination.
Kenneth Propp is a nonresident senior fellow at the Atlantic Council’s Europe Center. He teaches EU law at Georgetown University Law Center and is a former legal counselor to the US Mission to the European Union in Brussels.
read more essays

The Europe Center promotes leadership, strategies, and analysis to ensure a strong, ambitious, and forward-looking transatlantic relationship.
Image: A photographer takes a picture during NATO-led cyber war games 'Locked Shields 2023' in Tallinn, Estonia April 18, 2023. REUTERS/Ints Kalnins.