Data transfer to the USA: recommended action for companies in 2025
Transatlantic data transfer is once again under considerable pressure. In particular, the political changes in the USA since the re-election of Donald Trump raise serious questions about the future of the Trans-Atlantic Data Privacy Framework (DPF). This agreement currently ensures the lawful exchange of personal data between the EU and the US in accordance with Art. 45 GDPR.
However, the new US administration has introduced initial measures that call into question the continued existence of this level of protection: For example, it has been announced that all executive orders issued by the Biden administration - including those that form the legal basis of the DPF - will be reviewed within 45 days. In addition, three of the four members of the Privacy and Civil Liberties Oversight Board (PCLOB) were dismissed, effectively paralyzing the oversight body.
Why this is critical for companies
Companies that use services from US providers - for example for cloud hosting, CRM or web analytics - regularly transfer personal data to the USA. As long as the EU Commission's adequacy decision on the DPF is in force, this is permitted without additional guarantees. If the DPF were abolished, companies would have to fall back on standard contractual clauses (SCCs) and transfer impact assessments (TIAs) to keep their data transfers GDPR-compliant.
Our recommendation as CCM19
- Carry out a risk assessment: Check whether and to what extent personal data is transferred to the USA.
- Prepare standard contractual clauses: Agree SCCs with US service providers as a backup solution.
- Plan transfer impact assessments: Document possible risks of data transfer to the USA.
- Establish monitoring: Actively track regulatory developments around the DPF.
- Consider backup solutions: Review European service providers as a privacy-friendly alternative.
How CCM19 can help you in particular
CCM19 offers a fully GDPR-compliant consent management platform with a server location in Germany. We ensure that no third-country transfers take place through our solution - regardless of international developments. Our technology makes it possible to load services from the USA only after the user has actively consented. Everything is fully documented, audit-proof and dynamically controllable.
What you should pay particular attention to in the banner
If you currently use US services such as Google Analytics, Meta Pixel, reCAPTCHA or similar, make sure of the following:
- No pre-selection or pre-loading without consent.
- Transparent recipient naming including country information (e.g. "Google LLC, USA").
- Differentiated consent groups, e.g. statistics, marketing, third-party providers.
- Consent logging for verification purposes.
- Fallbacks and blocking in the absence of consent.
With CCM19, you can implement all these requirements securely and flexibly - without external dependencies.
Conclusion
The developments surrounding the DPF show how closely data protection and geopolitics are linked today. Companies should not wait for regulatory intervention, but act now. With CCM19, you can rely on a solution that is independent, future-proof and fully compliant with European data protection standards. If you have any questions about legally compliant implementation or the adaptation of your banner, we will be happy to help you - competently, practically and in a legally compliant manner.
Interested?
Talk to us - you can use our contact form here. Or give us a call on 0228 629 17 642 - we look forward to hearing from you!
P. König