Why the Data Privacy Framework is no guarantee for your data

When Edward Snowden revealed the first documents about PRISM in 2013, it was a wake-up call for the entire world. Twelve years later, we once again find ourselves at a crossroads. Despite new treaties, commitments and diplomatic statements, one question remains: how safe is European data in U.S. hands?

Reality? The Data Privacy Framework (DPF) adopted in 2023 offers only false security, and recent political developments in the US underscore that risk.

What is the Data Privacy Framework and what are the issues?

The DPF was introduced in 2023 as a successor to the invalidated Privacy Shield. The promise: an adequate level of protection for EU data processed in the US. In practice, however, it remains largely based on the same fundamentals as its predecessors, and those were already in question.

A key argument for the validity of the DPF was the creation of the Privacy and Civil Liberties Oversight Board (PCLOB). But after the inauguration of President Trump II in January 2025, all Democratic members of this body were fired. The PCLOB has not been operational since then, when this was precisely the safeguard on which the DPF rested.

In addition, U.S. laws – such as the CLOUD Act and FISA 702 – remain in full force. These give government agencies access to data of non-U.S. citizens, even if that data resides in a European data center from a U.S. provider.

What does this mean for Dutch organizations?

• Do you rely on U.S. cloud providers like Microsoft, AWS or Google Cloud? Then your data – legally speaking – is not safe within the EU.

• Sectors with sensitive information such as healthcare, government, education and industry are at increased risk of legal and operational consequences.

• Even when you work with European data centers of U.S. parties, U.S. law will prevail once a legal claim is made.

So the question is not whether the DPF will hold up legally, but how long it will take for this regulation to fall as well. And whether your organization will be prepared by then.

Why a hybrid data strategy is essential now

At a time when political stability and legal protection are no longer a given, it is important to take charge yourself. And that starts with conscious data management:

✅ Classify your data: What is critical, what should be allowed in the cloud, what should stay local?
✅ Opt for hybrid storage: Combine the scale of the cloud with the control of on-premises.
✅ Ensure legal control: Know where your data resides and who has access to it.

At Comex, we call this: Zero Loss thinking. Because digital sovereignty is not just about technology, it is about trust, availability and independence.

Want to know more? Read our latest white paper

📘 “Fact check: European data in US hands – how vulnerable is the Data Privacy Framework?”
This whitepaper shows why legal and political changes outside Europe directly affect your organization – and what you can do now to regain control.

👉 Read it here.
🌐 More on digital sovereignty.

For organizations that want to remain AVG-compliant and keep their data under control, it’s time for action.