Most Norwegian businesses use at least one service that transfers personal data to the US—Microsoft 365, Google Workspace, Salesforce, or similar. The legal basis for these transfers is called the EU-US Data Privacy Framework (DPF). However, in March 2026, there is reason to pay attention.
The Trump administration dismissed Democratic members from the body responsible for enforcing the DPF from the US side. Without enough members, the body cannot make decisions. European data protection organizations and legal experts are now questioning whether the DPF can be maintained as a valid transfer mechanism.
This is not the first time. Safe Harbor collapsed in 2015. Privacy Shield collapsed in 2020. Both times, companies without backup mechanisms were left without a valid basis overnight.
Businesses with Standard Contractual Clauses (SCC) in data processing agreements Since, stood much better both times.
Practical point: Check your data processing agreements with US cloud providers. Do they include Standard Contractual Clauses (SCCs) as backup? If not, contact the provider and request an updated agreement now, not after a potential ruling.
Inspired by: IAPP