Insight

GDPR information in US Cloud Services

European organizations should prepare exit strategies to move personally identifiable information (PII) that falls under the EU data protection regulation GDPR out of US cloud services.


The EU determines which countries, regions or organizations outside the EU information that falls under GDPR may legally be moved to. In the USA, oversight by the US Privacy and Civil Liberties Oversight Board (PCLOB) is an important factor that the EU tracks when it decides whether data that falls under GDPR may be stored in the USA.

The new Trump administration has now fired several board members of the PCLOB and left their positions vacant, which means that the board is no longer capable of making rulings. This is not a major issue if these members are quickly replaced, but if their posts remain vacant for a longer period, this could be a problem.

The Norwegian Data Protection Agency, Datatilsynet, now warns that the EU may be forced to reconsider its rulings regarding storing information that falls under GDPR in the USA if PCLOB can’t function. Similar warnings have unofficially been issued in Denmark.

Any changes in regulation regarding storing information that falls under GDPR will come either in the form of a decision by the EU Commission or a ruling in the EU court.

Assessment

The Trump administration’s objective of slashing government oversight and spending means that it may want to eliminate government functions like PCLOB. Firing members of the board so that it is unable to make decisions may be part of a strategy to reduce its ability to function. The fact that all the fired members of PCLOB are Democrats also raises concerns about its ability to conduct oversight if they are replaced by Republicans.

The PCLOB mechanism is not the only way US cloud services can be compliant with GDPR regulation. Prior to PCLOB, individual US companies could become compliant through Standard Contractual Clauses (SCC), and this path will still be open even if the PCLOB mechanism is no longer accepted by the EU.

Regardless of whether the EU deems storing data that falls under GDPR with US cloud providers compliant with EU regulation, either through PCLOB or SCC, organizations in Europe are recommended to monitor developments and consider how to manage their risk exposure from having their data stored in the USA.

References

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2025/informasjon-om-overforinger-til-usa

https://www.version2.dk/artikel/datatilsynet-advarer-trump-kan-traekke-taeppet-vaek-under-danske-virksomheders-cloud