EU-US Data Transfer Agreement: What Does It Mean for Your Whistleblowing System?
April 20, 2022


Analysis of the EU-US Data Transfer Agreement and its implications for whistleblowing systems.

Content updated on May 6, 2026

The history of transatlantic data transfers is one of the most turbulent in modern privacy law. Safe Harbor fell in 2015. Privacy Shield fell in 2020. The EU-US Data Privacy Framework (DPF), adopted in July 2023, is now in place, but it too is operating under political and legal uncertainty. For organisations managing whistleblowing data across the Atlantic, the right question is not which framework is currently valid. It is whether your setup is resilient enough to survive whatever comes next.


What replaced the Privacy Shield

After the Court of Justice of the European Union invalidated the Privacy Shield in its Schrems II ruling in July 2020, organisations transferring personal data from the EU to the US were left relying on Standard Contractual Clauses (SCCs). This included the added burden of conducting transfer impact assessments to verify that the data would be adequately protected on arrival. For many, that process was complex and the outcome uncertain.

The EU-US Data Privacy Framework was adopted by the European Commission in July 2023, built on an Executive Order signed by President Biden in October 2022. It introduced new restrictions on US intelligence services' access to EU data, new oversight mechanisms, and an independent redress process for EU citizens whose data is transferred to the US.

In September 2025, the EU's General Court dismissed the first legal challenge to the framework, confirming that the United States ensured an adequate level of protection for personal data transferred to certified organisations. For now, organisations that have self-certified under the DPF can transfer personal data from the EU to the US on that basis.

Why uncertainty remains

The DPF's survival of its first legal challenge is significant, but it does not mean the framework is stable. Max Schrems has indicated that a broader challenge remains possible and that structural changes to US oversight bodies, including the Privacy and Civil Liberties Oversight Board and the Federal Trade Commission, are driving concerns about whether the redress mechanisms that underpin the framework are still intact.

More fundamentally, the DPF rests on a presidential executive order, not legislation. That makes it more vulnerable to being unwound by a future administration than a statutory framework would be. The current deregulatory agenda and the restructuring of key oversight bodies create a real possibility that the mechanisms built into the framework could be weakened, either directly or gradually.

The practical lesson from the last decade is straightforward: organisations that build their compliance model on the assumption that any given transatlantic transfer framework will remain valid indefinitely are exposed to a risk they do not need to take.

Why whistleblowing data requires particular care

Whistleblowing reports are among the most sensitive data an organisation holds. They contain details about reporters, subjects, witnesses, and the nature of the alleged misconduct. The consequences of that data being improperly accessed, whether by a foreign intelligence service, through inadequate platform security, or via a third-party vendor, can be severe for the individuals involved and damaging to the organisation's ability to sustain a functioning reporting culture.

If your whistleblowing platform is hosted in the US and your reporters are based in Europe, that data is subject to GDPR. Transferring it to the US requires a lawful mechanism. Today that mechanism is either the DPF for certified organisations or SCCs with documented transfer impact assessments. If the DPF were to be invalidated again, organisations would need to fall back on SCCs immediately, and they would need the documentation already in place.

The more resilient solution is to keep European data in Europe, removing the need to depend on the current status of any transatlantic transfer framework.

How Whispli handles your data

Security is at the core of how Whispli is built. Whispli is ISO 27001 certified and fully compliant with GDPR requirements and the EU Whistleblower Protection Directive.

By working with EU-based infrastructure providers across multiple locations, Whispli ensures that European data stays in Europe. No transfer of European data to the US or any other non-EU country takes place when you choose an EU-based server. This means that the current status of the DPF, or any future changes to it, does not affect your compliance posture.

For organisations operating on both sides of the Atlantic, Whispli offers multi-region hosting. Data from US-based subsidiaries is hosted in the US. Data from European subsidiaries is hosted in Europe. The two never mix. This approach satisfies both EU and US regulatory requirements without any cross-border transfer of whistleblowing data.

Whispli also gives customers full control over their data, including the ability to manage their own encryption keys, and protects all messages and uploaded documents by removing associated metadata. If a report or investigation is shared with a third party outside the EU, access controls and supervision remain with the organisation's designated case manager.
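The residency model described in this section (EU data stays on EU infrastructure, US data on US infrastructure, and any onward sharing outside the collecting jurisdiction depends on a lawful, documented mechanism, with SCCs as the fallback if the DPF is invalidated) can be expressed as a small fail-closed policy check. The following is an added illustration, not Whispli's code or a description of its implementation; the region names, jurisdiction mapping, mechanism names and sample reports are constructed assumptions.

```python
"""Data-residency and transfer-mechanism guard for a whistleblowing case store.

Added illustration (not Whispli's code). Encodes two rules from the text:
  1. A report is stored only in a hosting region inside the jurisdiction
     where it was collected; if none is available the write fails rather
     than silently landing elsewhere.
  2. Sharing a case with a party outside that jurisdiction requires a
     transfer mechanism that is both currently valid and documented
     (DPF certification first, SCCs with a transfer impact assessment as
     the fallback). Without one, the share is refused.
Region names, jurisdictions and sample data below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical hosting regions and the jurisdiction each one falls under.
REGION_JURISDICTION: dict[str, str] = {
    "eu-central": "EU",
    "eu-west": "EU",
    "us-east": "US",
}


@dataclass(frozen=True)
class TransferMechanism:
    name: str          # "DPF" or "SCC" (assumed labels)
    valid: bool        # still recognised as lawful today
    documented: bool   # certification / TIA evidence already on file


@dataclass(frozen=True)
class Report:
    report_id: str
    collected_in: str  # jurisdiction of the reporter's entity, e.g. "EU"


class ResidencyViolation(Exception):
    """Raised when storage or sharing would breach the residency policy."""


def select_storage_region(report: Report, available: list[str]) -> str:
    """Return the first available region inside the report's jurisdiction.

    Fails closed: a report collected in the EU is never written to a US
    region even if that is the only region currently reachable.
    """
    for region in available:
        if REGION_JURISDICTION.get(region) == report.collected_in:
            return region
    raise ResidencyViolation(
        f"no {report.collected_in} region available for {report.report_id}"
    )


def authorise_share(
    report: Report,
    target_jurisdiction: str,
    mechanisms: dict[str, TransferMechanism],
) -> str:
    """Decide whether a case may be shared with a party in target_jurisdiction.

    Returns the mechanism relied on ("no-transfer" for intra-jurisdiction
    sharing, otherwise "DPF" or "SCC"). A mechanism counts only if it is
    both valid and documented, so losing the DPF does not help unless the
    SCC paperwork already exists, which is the point made in the text.
    """
    if target_jurisdiction == report.collected_in:
        return "no-transfer"
    for name in ("DPF", "SCC"):  # preference order: framework, then SCCs
        mech = mechanisms.get(name)
        if mech is not None and mech.valid and mech.documented:
            return name
    raise ResidencyViolation(
        f"no lawful, documented mechanism for "
        f"{report.collected_in} -> {target_jurisdiction} ({report.report_id})"
    )


if __name__ == "__main__":
    eu_report = Report("case-001", "EU")  # constructed sample
    print(select_storage_region(eu_report, ["us-east", "eu-west"]))  # eu-west

    # Scenario: DPF has just been invalidated, SCC evidence is on file.
    after_invalidation = {
        "DPF": TransferMechanism("DPF", valid=False, documented=True),
        "SCC": TransferMechanism("SCC", valid=True, documented=True),
    }
    print(authorise_share(eu_report, "US", after_invalidation))  # SCC
```

The guard is deliberately allow-list based: anything not explicitly mapped to the report's jurisdiction, and any mechanism not explicitly marked valid and documented, is refused, so a change in the legal landscape degrades to a blocked transfer rather than an undocumented one.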

Conclusion

The EU-US data transfer landscape has shifted significantly since the Privacy Shield was invalidated in 2020. The current framework has survived its first legal challenge, but the political and legal conditions that could undermine it are already in place. Organisations that have built their data transfer compliance around a single mechanism have learned twice now that those mechanisms can disappear.

The safest approach for organisations managing whistleblowing data is to keep it in the jurisdiction where it was collected. Whispli makes that straightforward and ensures that whatever happens next between Brussels and Washington, your reporters' data is not caught in the middle. By prioritising data residency, you build a compliance strategy that not only meets today's rules but is resilient against tomorrow's uncertainty.
