Schrems II + DPF Update 2026: Status After Trump-2 Administration

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • EU-US Data Privacy Framework in force since 10 July 2023, still valid as of 04/2026
  • Trump Executive Order 14149 (20 Jan 2025) weakens the Data Protection Review Court — noyb challenge pending
  • EDPB opinion 03/2026: TIA still recommended, even under DPF
  • Recommended: Plan B with EU alternative for every critical US tool
  • TIA cost: EUR 200-5,000 per provider depending on legal-counsel involvement

1. DPF Status April 2026

The EU-US Data Privacy Framework (DPF) has been in force since 10 July 2023 (adequacy decision 2023/1795), replacing the Privacy Shield struck down in 2020. As of April 2026:

2. Trump Executive Order and DPRC Risk

Executive Order 14149 of 20 January 2025 weakened the Data Protection Review Court (DPRC):

noyb (Max Schrems) filed a challenge with the CJEU on 3 February 2025. Earliest expected ruling: April 2027. Until then, the DPF remains formally in force.

3. Decision Matrix for US Providers

Data class                          | DPF certified              | Recommendation
Marketing email lists (master data) | Yes (Mailchimp, Brevo USA) | OK + TIA
HR data / payroll                   | Yes (ADP, Workday)         | Prefer EU alternative
Special categories (Art. 9)         | Yes                        | DO NOT process in US
Software telemetry                  | Yes (Microsoft, Google)    | Activate EU data boundary
Customer support tickets            | Variable                   | Force EU region

4. SCC 2021/914 + TIA

If the US provider is NOT DPF-certified: Standard Contractual Clauses 2021/914 plus a Transfer Impact Assessment (TIA) are mandatory.

TIA minimum content:

  1. Data and recipient categories
  2. US authority access exposure (FISA 702, EO 12333, CLOUD Act)
  3. Sensitivity of data category
  4. Encryption at rest and in transit
  5. Key custody (controller or provider)
  6. Additional technical and contractual measures
  7. Residual risk assessment

5. EU Alternatives 2026

US tool          | EU alternative (HQ)                                              | Migration time
Microsoft 365    | Stack-IT (DE), MagentaBusiness Cloud (DE), IONOS Cloud (DE)      | 2-6 months
Google Workspace | OpenDesk / openCoDE (DE-PHOENIX)                                 | 3-9 months
Slack            | Mattermost (self-hosted), Element (UK), Rocket.Chat (BR/DE-hosted) | 1-3 months
Salesforce       | Pipedrive (EE), HubSpot with EU DC, Zoho EU region               | 3-12 months
AWS              | OVH (FR), Hetzner (DE), Stack-IT (DE), IONOS Cloud (DE)          | 3-18 months
Mailchimp        | Brevo (FR), CleverReach (DE), GetResponse (PL)                   | 2-4 weeks

6. Third-Country Audit Checklist

  1. Which US providers do I have? (RoPA extract)
  2. For each: is DPF certification valid?
  3. Are special categories involved?
  4. SCC 2021/914 anchored in the DPA?
  5. TIA documented?
  6. Privacy notice third-country disclosure (Art. 13(1)(f))?
  7. EU alternative scenario prepared?
  8. Contingency plan if the DPF is struck down?

Summary

The DPF survives the Trump 2 transition formally but the political risk is elevated. Build a Plan B for every critical US tool. The minimum compliance posture: TIA on every US transfer (even DPF-certified), EU data boundary activated where available, and migration playbook documented. If the DPF collapses again, transition windows historically run 0-3 months — too short for organic migration without preparation.

Frequently Asked Questions

Is the DPF still valid?
As of 04/2026, yes, but the risk is high. The Trump executive order of 20 January 2025 weakens the Data Protection Review Court (DPRC). The EDPB opinion of 03/2026 calls for improvements.
Do I need to perform a TIA despite the DPF?
Recommended, yes. EDPB recommendation 01/2020 and 03/2026: for US sub-processors, conduct a TIA as a backup even under the DPF.
Which alternatives to US providers are available?
M365 - IONOS Cloud, MagentaBusiness Cloud, Stack-IT (Schwarz Group). Salesforce - Pipedrive (EU), Zoho (EU region). Slack - Mattermost (self-hosted), Element.
What does a TIA cost?
Lawyer-based: EUR 1,500-5,000 per provider. With a template and AI tools (e.g. Compliance-Kit): EUR 200-500 in-house effort.
How to verify DPF certification?
The list is available at dataprivacyframework.gov; only companies that recertify annually remain listed. As of 03/2026: 2,870 companies, of which 134 are German subsidiaries.
Who is liable if the DPF is invalidated?
The controller (you). Historical transition periods have been 0-3 months (Privacy Shield 2020). Recommendation: prepare a plan B and test an EU alternative.