When the European Union slapped Meta with a record 1.2 billion euro fine in May 2023 for shipping Facebook users’ data to the United States, it was supposed to be a turning point. Brussels had drawn a line. Washington responded with a new legal framework promising tighter surveillance limits. Yet more than two years later, European public opinion has barely budged: roughly 84% of Europeans say they do not trust American technology companies to handle their personal data responsibly, according to polling cited in EU institutional discussions and broadly consistent with Eurobarometer findings on digital rights and data protection.
That number is not just a talking point for privacy advocates. It is shaping regulation, trade negotiations, and the business strategies of every company that moves personal information across the Atlantic.
A record fine that exposed deeper fractures
Ireland’s Data Protection Commission issued its decision against Meta Ireland on 12 May 2023, concluding that the company’s transfers of European user data to U.S. servers violated the General Data Protection Regulation. The 1.2 billion euro penalty remains the largest GDPR fine ever imposed. It did not come easily. The European Data Protection Board had to issue a binding decision in April 2023 to force the Irish regulator’s hand, after years of complaints that Dublin was too slow to act against the tech giants headquartered on its soil.
Meta appealed the decision. As of spring 2026, the outcome of that appeal has not been made public, leaving a significant question mark over whether the fine’s deterrent effect will hold. If Meta prevails on procedural or substantive grounds, it could blunt the enforcement signal Brussels spent years building. If the penalty stands, other data protection authorities across the EU’s 27 member states may feel emboldened to pursue similarly aggressive sanctions.
A third attempt at a transatlantic data deal
Two months after the Meta fine, in July 2023, the European Commission formally adopted the EU-U.S. Data Privacy Framework, the third attempt in a decade to create a stable legal basis for moving Europeans’ personal data to American companies. The first two agreements, Safe Harbor and Privacy Shield, were both struck down by the Court of Justice of the European Union after Austrian privacy lawyer Max Schrems argued they failed to protect Europeans from U.S. government surveillance.
The new framework rests on Executive Order 14086, signed by President Biden in October 2022, which imposed limits on how U.S. intelligence agencies collect foreign signals intelligence and established a Data Protection Review Court to hear complaints from Europeans. The U.S. Departments of Commerce and Justice issued a joint statement with the Commission calling the arrangement a vehicle for “safe and trusted transatlantic data flows.”
European regulators were less enthusiastic. In Opinion 5/2023, the EDPB acknowledged improvements but flagged unresolved questions about the scope of U.S. bulk data collection and whether the new redress mechanism would function effectively in practice. Those concerns did not block the Commission’s adequacy decision, but they put Washington on notice that the framework would face ongoing scrutiny.
The first review raised more questions than it answered
In October 2024, the EDPB published its first review report on the Data Privacy Framework’s implementation. The document examined whether the safeguards Washington promised were actually functioning. It specifically questioned the effectiveness of the Data Protection Review Court and the real-world application of the surveillance limits in Executive Order 14086.
The review stopped short of declaring the framework inadequate, but it did not offer a clean bill of health either. One core problem: the Data Protection Review Court operates in secrecy. Its proceedings are not public, its decisions are classified, and the EDPB could not confirm that any complaints had been fully adjudicated. Without aggregated statistics, declassified summaries, or independent oversight, there is no way for European regulators or citizens to verify that the court is delivering meaningful redress.
That opacity feeds the very distrust the framework was designed to resolve. Europeans are being asked to trust a system they cannot see working.
Why the distrust runs so deep
The 84% figure did not appear overnight. It reflects more than a decade of revelations, starting with Edward Snowden’s 2013 disclosures about NSA mass surveillance programs that swept up data from European citizens routed through American tech platforms. Each subsequent legal battle, from the Schrems I ruling in 2015 to Schrems II in 2020, reinforced the perception that U.S. law prioritizes intelligence access over foreign privacy rights.
More recent developments have added new layers of concern. The rapid expansion of artificial intelligence has raised questions about whether European personal data is being used to train large language models without adequate consent or transparency. The change in U.S. administrations has introduced uncertainty about whether executive-order-based protections, which can be modified or revoked without congressional action, will endure. And European cloud sovereignty initiatives, including efforts to build alternatives to American hyperscale providers, signal that some policymakers view reducing dependence on U.S. tech infrastructure as a strategic priority, not just a privacy issue.
Schrems himself, through his organization NOYB, has publicly indicated that a legal challenge to the Data Privacy Framework is likely. No formal case had been filed as of the most recent available information, but the pattern is well established: each new transatlantic data agreement has faced a court challenge, and each challenge has succeeded.
What this means for businesses and ordinary users
For large platforms like Meta, Google, and Amazon, the legal uncertainty is a cost of doing business, absorbed by sprawling compliance teams and outside counsel. For mid-sized European companies and startups that rely on American cloud services, payment processors, or analytics tools, the situation is far more precarious. These firms must navigate overlapping guidance from national regulators, the EDPB, industry groups, and legal advisers, often without clear answers about whether their data transfers will hold up if the framework is challenged again.
For ordinary Europeans, the practical impact is harder to see but no less real. Every time a user signs up for a social media account, stores files in a cloud service, or makes an online purchase processed through U.S. infrastructure, their data crosses the Atlantic under a legal arrangement that EU regulators themselves describe as incomplete. The 84% distrust figure suggests most Europeans sense this, even if they cannot articulate the regulatory details.
A provisional arrangement, not a permanent fix
Three things are clear from the documented record. First, EU regulators have shown they will impose unprecedented fines and challenge the legal basis of transatlantic data flows when they believe European standards are not met. Second, both Brussels and Washington have made a significant political investment in keeping data moving across the Atlantic, and neither side wants to see the framework collapse. Third, the official reviews conducted so far stop well short of declaring the system trustworthy, and public skepticism toward U.S. tech companies remains entrenched.
The current arrangement is best understood as provisional and contested. Courts may revisit it. Regulators will continue probing the adequacy of U.S. surveillance safeguards. And until there is transparent, verifiable evidence that the new limits on intelligence collection are being applied and that the redress system works in real cases, the trust deficit between European citizens and American technology companies is unlikely to close.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
