
Third-Country Transfers to the USA: Data Privacy Framework and AI

Blck Alpaca
Definition

The EU-US Data Privacy Framework (DPF) is the European Commission's adequacy decision in force since 10 July 2023, on the basis of which personal data may be transferred to certified US companies. For AI agents using US providers it is currently the central, though legally contested, basis for third-country transfers under Chapter V GDPR.

Key Takeaways

  • The EU-US Data Privacy Framework has applied as an adequacy decision since 10 July 2023; the General Court of the EU (GC) upheld it on 3 September 2025 in the Latombe case (T-553/23) - but expressly only as at the time of adoption. An appeal before the CJEU (pending since 31 October 2025) and a broader challenge announced by NOYB make the status provisional (as of 2026, subject to change).
  • Schrems II (CJEU C-311/18, 16 July 2020) remains the benchmark: standard contractual clauses (SCC 2021/914, 4 June 2021) are effective only with a case-specific transfer impact assessment (TIA) and, where necessary, supplementary measures.
  • Recommendation of the supervisory authorities (Garante, CNIL, publications 2025): dual safeguarding - DPF certification plus SCC as a fallback plus TIA, even with DPF-certified US recipients where required.
  • For AI agents, all data flows count: prompts, inference outputs, agent memory, vector stores, tool calls and logs often leave the EU area - each hop is potentially a standalone third-country transfer.
  • The TIA risk profile for US providers covers the CLOUD Act, FISA 702 / EO 12333 as well as protective measures such as encryption at rest/in transit/in use, BYOK/HYOK and EU data residency.
  • Switzerland uses its own regime: the Swiss-US DPF since 15 September 2024, otherwise EU SCC with a Swiss Finish per the FDPIC guidance of 23 July 2024. Switzerland itself has been recognised as EU-adequate since 15 January 2024.

When deploying AI agents, third-country transfer is not a peripheral topic but often the most critical compliance pathway: as soon as an agent calls a US-hosted model endpoint, prompts, outputs and tool-call contents leave the EU area. This brings Chapter V GDPR into play. The EU-US Data Privacy Framework (DPF) has been the central adequacy basis for this since 10 July 2023 - legally valid, but contested and therefore to be treated as provisional.

  • The DPF applies but is uncertain: in force since 10 July 2023, upheld by the General Court of the EU on 3 September 2025 (with reference to the time of adoption), but a CJEU appeal and a NOYB challenge are pending (as of 2026, subject to change).
  • Safeguard twice: supervisory authorities recommend DPF plus standard contractual clauses (SCC) as a fallback plus a transfer impact assessment (TIA).
  • Every data flow counts: prompts, outputs, agent memory, vector stores, tool calls and logs may each, in their own right, trigger a third-country transfer.

The third-country transfer problem under Chapter V GDPR

Chapter V GDPR prohibits the transfer of personal data to third countries as long as no adequate level of protection is guaranteed there. A transfer is only permitted on one of the prescribed bases: an adequacy decision of the European Commission, appropriate safeguards such as standard contractual clauses (SCC) or binding corporate rules (BCR), or narrowly defined derogations.

For AI agents this is particularly delicate, because an agentic stack has many transfer points. Personal data flows not only in inference (prompts and outputs) but also into agent memory, into persistent vector stores for RAG, into tool-call payloads to external interfaces and MCP servers, as well as into observability logs and traces. Each of these hops can be a standalone third-country transfer if the recipient or the hosting lies outside the EU.

Schrems II: why SCC alone are not enough

The benchmark stems from the CJEU's Schrems II judgment (C-311/18, 16 July 2020). It struck down the then Privacy Shield and made clear that standard contractual clauses are only viable if the controller assesses, on a case-by-case basis, whether a level of protection essentially equivalent to that of the EU actually exists in the recipient country - and adds supplementary protective measures where necessary. This assessment is the transfer impact assessment (TIA).

The Commission operationalised this with the standard contractual clauses 2021/914 (4 June 2021). They contain four modules for the controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller constellations. The choice of the appropriate module depends on the allocation of roles in the AI stack - with a managed API provider, typically controller-to-processor.

The EU-US Data Privacy Framework: current status

The European Commission adopted the adequacy decision for the EU-US Data Privacy Framework on 10 July 2023, thereby replacing the Privacy Shield. US companies that certify under the DPF have since been considered recipients with an adequate level of protection - without the data exporter necessarily having to conclude SCC.

On 3 September 2025, the General Court of the European Union (GC) dismissed the first action against the DPF in the case Latombe v Commission (T-553/23) and confirmed its validity as at the time of adoption. However, this is not the last word:

  • Latombe lodged an appeal before the CJEU on 31 October 2025; the proceedings are pending (as of 2026, subject to change).
  • NOYB / Max Schrems has signalled a separate, broader challenge. It targets executive orders of the Trump administration that have affected the independence of the Privacy and Civil Liberties Oversight Board (PCLOB).
  • The GC expressly held that the Commission must continuously monitor the legal framework and may suspend, amend or repeal the adequacy decision if the conditions change.

The DPF therefore remains, for the time being, a valid and binding transfer basis. That foundation is nevertheless subject to reservation: on the current state of analysis, a "Schrems III scenario" remains plausible.

SCC plus TIA as a fallback - the recommended dual safeguard

Because of this uncertainty, the operational guideline is: do not rely on the DPF alone. The Garante and the CNIL continued to recommend a dual safeguard in their 2025 publications - DPF certification plus standard contractual clauses as a fallback plus a TIA, even for DPF-certified recipients where this is required.

The practical advantage: if the DPF falls away, the data flow remains safeguarded via the SCC and does not become unlawful overnight. The TIA for US providers should address the following risks:

  • US CLOUD Act: the risk of compelled disclosure to US authorities, which also reaches data held by an EU subsidiary of a US parent company, irrespective of the storage location.
  • FISA 702 / EO 12333: exposure for providers of electronic communications services such as Microsoft, Google, AWS, Meta.
  • Technical protective measures: encryption at rest and in transit as a minimum standard; encryption in use (confidential computing, TEE) increasingly relevant for AI inference; BYOK/HYOK, so that the controller holds the keys and the provider cannot decrypt without its involvement.
  • EU data residency: region pinning, EU Data Boundary, EU regional endpoints.

Overview: transfer bases for AI agents

| Basis | Legal basis | Suitability for AI agents | Status / note |
|---|---|---|---|
| EU-US DPF (adequacy) | Commission decision 10.07.2023 | High, if the US provider is certified | Valid, but contested (CJEU appeal since 31.10.2025) |
| Standard contractual clauses (SCC 2021/914) | Art. 46 GDPR | High, as a fallback and for non-certified recipients | TIA mandatory (Schrems II) |
| Binding corporate rules (BCR) | Art. 47 GDPR | Intra-group, robust | Lead DPA approval, approx. 18-30 months |
| Adequacy Switzerland (EU→CH) | Decision 15.01.2024 | High | Switzerland recognised by the EU as adequate |
| Swiss-US DPF | In force 15.09.2024 | High for CH exports to certified US recipients | Own CH regime under revFADP |
| SCC with Swiss Finish | FDPIC guidance 23.07.2024 | Standard for non-certified CH-US flows | revFADP context |

Decision flow for an AI data transfer to the USA

  1. Is there actually a third-country transfer? Create a data-flow diagram: where are prompts, outputs, memory, vectors, tool calls and logs processed? If the flow can be kept entirely within the EU through EU data residency and region pinning, Chapter V is not engaged at all.
  2. Is the US recipient DPF-certified? If so, the transfer is legally covered - but do not rely on this alone.
  3. Conclude SCC as a fallback. Choose the appropriate module (usually controller-to-processor).
  4. Conduct and document a TIA, covering the CLOUD Act, FISA 702 / EO 12333 and supplementary measures such as encryption in use and BYOK/HYOK.
  5. Establish monitoring. Continuously observe DPF status, appeals and supervisory practice in order to switch immediately to SCC if it lapses.
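The five steps above can be run as a repeatable check over the agent stack rather than as a one-off memo. The following is an added example (not code from the original article) that classifies each hop of a constructed agent stack by the transfer basis that actually covers it, flags the hops needing action, and replays the inventory under the assumption that the DPF has lapsed, which is the scenario dual safeguarding is meant to survive. The region list, hop names and region identifiers are assumptions for illustration; a real check must take the in-EU region set from the provider's own documentation.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional

# Assumption for this example: regions treated as inside the EU/EEA for the
# Chapter V check. Take the real list from each provider's region documentation.
EU_REGIONS = {"eu-central-1", "eu-west-1", "europe-west3", "eusc-de-east-1"}


class Basis(Enum):
    NO_TRANSFER = "no third-country transfer (EU data residency / region pinning)"
    DUAL_SAFEGUARD = "DPF certification + SCC fallback + documented TIA"
    DPF_ONLY = "DPF certification only; SCC fallback and/or TIA missing"
    SCC_WITH_TIA = "SCC + documented TIA (non-certified recipient)"
    SCC_WITHOUT_TIA = "SCC without documented TIA; not Schrems II compliant"
    NO_BASIS = "no transfer basis"


@dataclass(frozen=True)
class Hop:
    """One point in the agent stack where personal data leaves the controller."""
    name: str
    region: str                      # hosting region of the recipient service
    recipient: str                   # constructed label for the US/EU service
    dpf_certified: bool = False      # recipient listed under the EU-US DPF
    scc_module: Optional[str] = None # e.g. "controller-to-processor", None if no SCC
    tia_documented: bool = False     # a written TIA exists for this hop


def classify(hop: Hop) -> Basis:
    """Apply the decision flow: step 1 (is it a transfer?), then steps 2-4."""
    if hop.region in EU_REGIONS:
        return Basis.NO_TRANSFER
    has_scc = hop.scc_module is not None
    if hop.dpf_certified:
        if has_scc and hop.tia_documented:
            return Basis.DUAL_SAFEGUARD
        return Basis.DPF_ONLY
    if has_scc:
        return Basis.SCC_WITH_TIA if hop.tia_documented else Basis.SCC_WITHOUT_TIA
    return Basis.NO_BASIS


def assess_stack(hops: list[Hop]) -> dict[str, Basis]:
    """Classify every hop; this is the data-flow map from step 1 in table form."""
    return {hop.name: classify(hop) for hop in hops}


# Hops that are either unlawful today or would become unlawful if the DPF lapses.
_NEEDS_ACTION = {Basis.DPF_ONLY, Basis.SCC_WITHOUT_TIA, Basis.NO_BASIS}


def flag_gaps(hops: list[Hop]) -> list[str]:
    """Return the names of hops whose safeguarding is incomplete."""
    return [name for name, basis in assess_stack(hops).items() if basis in _NEEDS_ACTION]


def simulate_dpf_lapse(hops: list[Hop]) -> list[Hop]:
    """Step 5 monitoring drill: re-run the inventory as if the adequacy decision fell."""
    return [replace(hop, dpf_certified=False) for hop in hops]


# Constructed sample stack for a customer-service agent on a US-hosted model.
SAMPLE_HOPS = [
    Hop("inference-endpoint", "us-east-1", "us-model-provider",
        dpf_certified=True, scc_module="controller-to-processor", tia_documented=True),
    Hop("vector-store", "eu-central-1", "eu-hosted-rag-store"),
    Hop("observability-logs", "us-west-2", "us-tracing-saas", dpf_certified=True),
    Hop("mcp-crm-tool", "us-east-1", "us-crm-api", scc_module="controller-to-processor"),
]


if __name__ == "__main__":
    for name, basis in assess_stack(SAMPLE_HOPS).items():
        print(f"{name:20} {basis.value}")
    print("needs action:", flag_gaps(SAMPLE_HOPS))
    print("after DPF lapse:")
    for name, basis in assess_stack(simulate_dpf_lapse(SAMPLE_HOPS)).items():
        print(f"{name:20} {basis.value}")
```

In the sample stack only the inference hop is dual-safeguarded and survives the lapse drill on its SCC. The vector store never enters Chapter V because it is region-pinned to the EU, the observability logs rely on the DPF alone and drop to no basis when it lapses, and the MCP tool call carries SCC but no TIA and is therefore already deficient under Schrems II.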

A concrete numerical example

An agency operates a customer-service agent for a B2B client on the basis of a US-hosted model endpoint. Around 2,000 conversations run per day, each with an average of 4 prompt-output pairs - that is roughly 8,000 third-country transfers per day, i.e. around 240,000 per month, plus logs and vector-store write operations. Without the DPF and without SCC plus a TIA, each individual one of these transfers would be without a legal basis.

The clean safeguard: the provider is DPF-certified (basis 1), in addition SCC are concluded in the controller-to-processor module (basis 2), and a TIA documents CLOUD Act and FISA exposure including encryption at rest/in transit. Log retention is limited to 30 days, and prompts are pseudonymised before storage. Should the DPF be struck down, operations continue via the SCC - without an emergency shutdown of the agent.

Anyone who can technically enforce EU data residency reduces the problem at its root: EU regional endpoints or the EU Data Boundary move storage and processing into the region. It should be noted that individual model families are not yet available everywhere there - the AWS European Sovereign Cloud (eusc-de-east-1) launched in January 2026, but Claude models were not yet available there at that time.

For agencies and B2B decision-makers

Anyone deploying AI agents for DACH clients should treat third-country transfer not as a contract-clause detail but as an architectural decision. Three levers pay off: first, data-flow mapping across the entire agent stack including MCP servers and observability; second, the dual safeguard of the DPF, SCC and a documented TIA, so that the lapse of the DPF does not become an operational risk; third, where possible, EU data residency or sovereign-cloud options, in order to prevent the transfer problem from arising in the first place. For agencies this is at the same time a differentiator: clients in regulated sectors expect robust transfer documentation as part of the offering.

Note: This article is provided for professional information purposes and does not constitute legal advice. For a legally binding assessment of specific data transfers, please seek qualified legal counsel.

FAQ

Is the EU-US Data Privacy Framework a secure basis for AI data transfers to the USA?
It is currently a valid transfer basis: the European Commission established adequacy on 10 July 2023, and the General Court of the EU (GC) upheld it on 3 September 2025 in the Latombe case (T-553/23) - but expressly only with reference to the time of adoption. It is not permanently secure: the appeal before the CJEU has been pending since 31 October 2025, and NOYB/Max Schrems has announced a broader challenge in view of executive orders of the Trump administration affecting the independence of the PCLOB. As of 2026, subject to change. This is why supervisory authorities recommend dual safeguarding with SCC and a TIA.
Is it sufficient if my US AI provider is DPF-certified?
No, that is not sufficiently robust. The DPF certification legitimises the transfer legally, but the Garante and the CNIL continued to recommend in their 2025 publications a dual safeguard: DPF plus standard contractual clauses as a fallback plus a transfer impact assessment, even for DPF-certified recipients where this is required. If the adequacy decision falls away, the SCC remain in place as a backstop, without the data flow becoming immediately unlawful.
What is a transfer impact assessment (TIA) and when do I need it?
A TIA is the case-specific assessment of whether a level of protection essentially equivalent to that of the EU exists in the recipient country, required since Schrems II (CJEU C-311/18). When using SCC it is mandatory. For US providers, the TIA assesses, among other things, CLOUD Act exposure, FISA 702 / EO 12333, as well as technical protective measures such as encryption at rest, in transit and in use, BYOK/HYOK and EU data residency, and sets out supplementary measures where necessary.
Does the DPF also apply to Switzerland?
No, Switzerland has its own regime under the revFADP. The Swiss-US Data Privacy Framework has been in force since 15 September 2024 and enables transfers to US recipients that have certified under the Swiss-US DPF. For non-certified data flows, EU SCC with a Swiss Finish in accordance with the FDPIC guidance of 23 July 2024 remain the standard. Switzerland itself has been recognised as EU-adequate since 15 January 2024.
What happens to my AI data transfers if the DPF is struck down (Schrems III)?
Dual safeguarding serves precisely this scenario. The General Court expressly emphasised that the Commission must continuously monitor the legal situation and may suspend, amend or repeal the adequacy decision. Anyone who has already documented SCC plus a TIA can fall back seamlessly onto this basis if the DPF lapses. Without a fallback, ongoing US transfers would suddenly be left without a legal basis - the Schrems III scenario is still considered plausible according to the research.
