Update Data Protection No. 206
Use of US Cloud Providers under the Trump Administration: Risks and Recommendations for Action for Companies
Recent political developments in the US are putting the EU-US Data Privacy Framework to the test. For many companies it is the legal basis on which they use US providers such as AWS or Microsoft without fear of high fines under the GDPR. If the Data Privacy Framework is suspended because of the changes under the Trump administration, companies that use US cloud providers will face the challenge of keeping their data transfers legally compliant and secure. We explain whether US cloud providers can still be used, what risks exist and what measures companies should take.
Background: The EU-US Data Privacy Framework
Since the USA is a so-called third country that is not part of the European Economic Area, data transfers to the USA are only permissible if either an adequacy decision of the Commission certifies a level of data protection equivalent to that in the EU or other safeguards have been put in place in accordance with Art. 46 GDPR. If there is no adequacy decision, the conclusion of Standard Contractual Clauses (SCCs) can be considered, but these require a complex Transfer Impact Assessment (TIA) in which the company assesses the risks of transferring the data to the third country. A "transfer" in this sense also occurs if a US company merely has access to personal data stored in Germany.
The EU-US Data Privacy Framework from 2023 is based on such an adequacy decision of the EU Commission under Art. 45 GDPR. This decision allows data transfers to companies in the USA as long as they have submitted to the Privacy Framework (a list of participating companies can be found here). An essential part of the framework is the monitoring of the activities of the US intelligence services by the Privacy and Civil Liberties Oversight Board (PCLOB), which, as an independent authority, is supposed to oversee intelligence agencies and authorities with regard to data protection. The PCLOB is intended to ensure that laws such as the CLOUD Act, which allows the US government to access data stored by US companies without individual court approval – even if it is processed exclusively by European subsidiaries – are not exploited.
Current developments and risks
However, the political situation in the US has changed significantly with the firing of the three Democratic members of the PCLOB at the end of January and the Trump administration's review of all executive orders of the Biden administration. The ability of the PCLOB, which originally consisted of five members, to act is considerably limited by the dismissals, and there are also considerable doubts about the independence of an authority whose members are so dependent on political decisions (see, for example, this written question to the Commission). In addition, although the existence of the PCLOB is secured by law, not only the powers of the PCLOB but also the two-tier redress mechanism for EU citizens, which is new in the Privacy Framework, depend on executive orders of the respective president, and these can be changed much more easily than laws.
The Privacy Framework is still active and can be used as a basis for commissioning US service providers or cloud companies in the USA.
However, the data protection organization noyb and the activist Max Schrems, who has already brought down the two predecessors of the current EU-US Data Privacy Framework with his lawsuits before the European Court of Justice (ECJ), assess the situation critically (see noyb's statement of January 23, 2025). Schrems is of the opinion that, in light of current developments at the latest, the Privacy Framework must be suspended or declared invalid. A corresponding lawsuit before the ECJ is already pending.
However, at least a short-term suspension of the Privacy Framework is not to be expected at present, because the EU Commission seems to be doing everything it can to continue the agreement in order not to further damage relations with the USA, which have already suffered since Donald Trump took office. Nevertheless, the data protection authorities of the EU member states, such as the German Federal Data Protection Commissioner (in a statement to the magazine CloudComputing-Insider, article of January 29, 2025) and the Swedish Data Protection Authority (only available in Swedish), have already expressed concerns about the long-term maintenance of the adequacy decision without an independent PCLOB. And even the EDPB (European Data Protection Board) adopted a report on the review of the EU-US Privacy Framework as recently as November, in which it found that the measures taken by the US need to be improved, even without the changes introduced by the Trump administration.
Recommendations for action for companies
Despite the uncertainties, companies can continue to use US cloud providers in the short term. However, it is advisable to prepare alternative strategies in order to be able to react to possible changes. The following measures should be considered:
Use EU servers
Some US cloud providers, such as Microsoft with the EU Data Boundary, offer the use of EU servers without data access from the USA. This solution reduces the risk of data transfer to the US, but there is still a residual risk from the US CLOUD Act because it allows the US government to access data at US companies even if it is stored in the EU. Companies should therefore carefully consider whether this solution is sufficient for their specific requirements.
Conclude EU Standard Contractual Clauses (SCCs)
Alternatively, companies can conclude EU Standard Contractual Clauses (SCCs) with the cloud providers. However, this requires a Transfer Impact Assessment, in which it must be examined whether the cloud providers can prevent access by government agencies in the USA and, if necessary, additional protective measures must be agreed. A TIA requires a comprehensive process that evaluates the legal, technical and organizational measures that a cloud provider takes to ensure data protection. A TIA may even conclude that data transfer is no longer possible without the oversight of the PCLOB, for example because the cloud company is not in a position to protect the data sufficiently against state access by technical means.
Prepare exit strategy
In the worst case, it may be that the data can no longer be adequately protected and the use of certain US companies is no longer possible. Companies should therefore have an exit strategy in place for their US cloud providers in order to be able to react quickly in the event of a suspension of the Privacy Framework. An exit strategy could include switching to another cloud provider or implementing a hybrid cloud solution, where sensitive data is stored and processed in the EU while less sensitive data remains in the US.
Checklist for companies
- Monitoring of political developments: Closely follow political developments in the US and their impact on the EU-US Data Privacy Framework. We will keep you informed of all important developments, but the websites of data protection authorities and professional associations also often have helpful information available.
- Use of EU servers: Check the possibility of using EU servers from your US cloud providers to reduce the risk of data transfer to the US. Make sure that the cloud provider gives clear contractual assurances that no data transfers to the US will take place.
- Conclude EU Standard Contractual Clauses (SCC): Conclude EU Standard Contractual Clauses with the cloud providers and conduct a Transfer Impact Assessment. Document all steps and results of the TIA to be able to demonstrate that you have taken appropriate action in the event of a review by data protection authorities.
- Prepare an exit strategy: Have an exit strategy in place for your US cloud providers to respond quickly in the event of a suspension of the Privacy Framework. Identify alternative cloud providers and assess their data protection measures. If the risk is particularly high, it is worth creating a detailed plan for switching to another provider, including timelines, responsibilities and communication strategies.
- Regular review and adaptation of data protection measures: Regularly review and update your data protection measures to ensure they comply with current legal requirements and best practices. If necessary, your own technical and organizational measures can also reduce the risks of third-country transfers. Adapt your measures as the political or legal environment changes, and ensure that your data protection strategy is flexible enough to respond to unforeseen developments.
Conclusion
The use of US cloud providers is still possible despite the current political developments, but it is associated with certain risks. Companies should prepare alternative strategies and closely follow political developments in order to continue to make their data transfers legally compliant and secure. By following the above recommendations, companies can minimize their risks and ensure that they are prepared for possible changes in the EU-US Data Privacy Framework.