EU-US data deal faces uncertainty as Trump administration takes action

On January 23, 2025, the New York Times reported that Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), a key US oversight authority, were asked to resign. According to the report, this move could reduce the number of appointed members below the threshold required for the board to operate, raising concerns about the independence of US executive redress bodies. The PCLOB plays a critical role in the Transatlantic Data Privacy Framework (TADPF), which allows European personal data to flow freely to the US. Without a functioning PCLOB, the legal foundation for these data transfers could be undermined.

The TADPF, formally adopted by the European Commission on July 10, 2023, through Implementing Decision (EU) 2023/1795, permits EU businesses to transfer data to US providers despite US surveillance laws. The framework relies on executive guarantees, including the PCLOB, to assert that the US provides "essentially equivalent" data protection to that of the EU. However, these guarantees are not codified in US law, making them vulnerable to changes in administration. According to Max Schrems, a prominent privacy activist, "This deal was always built on sand, but the EU business lobby and the European Commission wanted it anyways."

The European Union has long struggled with the issue of data transfers to the US. Since 1995, EU law has prohibited the export of personal data outside the EU unless the receiving country offers "essentially equivalent" protection. The US, however, has strong mass surveillance laws, such as FISA 702 and Executive Order 12.333, which allow the government to access data stored with US tech companies without probable cause or individual judicial approval. This discrepancy led the European Court of Justice to rule in the Schrems I and Schrems II cases that US law does not meet the EU's standards for data protection.

Despite these rulings, the European Commission, under President Ursula von der Leyen, pushed for a third EU-US data deal, resulting in the TADPF. The framework was designed to address the shortcomings identified in Schrems II by introducing mechanisms like the PCLOB and the Data Protection Review Court. However, these mechanisms are not enshrined in US law, relying instead on executive orders and diplomatic assurances. According to Schrems, "Instead of stable legal limitations, the EU was agreeing to executive promises that can be overturned in seconds."

The recent developments under the Trump administration have cast further doubt on the stability of the TADPF. In one of his first executive orders, signed on January 20, 2025, President Trump mandated a review of all Biden-era national security decisions, including those underpinning the TADPF, within 45 days. This review could lead to the scrapping of key elements of the framework, potentially rendering data transfers between the EU and the US illegal. Schrems noted, "I can hardly see that a Biden Executive Order that was forced upon the US by the EU and regulates US espionage abroad would survive in Trump's logic."

The potential collapse of the TADPF would have significant implications for EU businesses, government agencies, and schools that rely on US cloud providers like Apple, Google, Microsoft, and Amazon. According to the European Commission, thousands of organizations depend on the framework to legally transfer data to the US. If the TADPF is annulled, these entities would need to find alternative solutions to comply with EU data protection laws.

The European Commission finds itself in a difficult position. If it annuls the TADPF in response to the US developments, it risks provoking a diplomatic conflict with the Trump administration and US tech companies. However, failing to act could leave EU businesses in a legal limbo, unsure of the legality of their data transfers. Schrems warned, "While the arguments for the EU-US deal seem to fall apart, companies can rely on the deal as long as it is not formally annulled. However, given the developments in the US, it is more crucial than ever for any business or other organization to have a 'host in Europe' contingency plan."

The situation has drawn comparisons to the US debate over TikTok, where concerns about Chinese access to US user data led to calls for restrictions on the app. Similarly, EU lawmakers have long expressed concerns about US mass surveillance and its impact on European data privacy. If the TADPF is annulled, the default position under EU law would be to prohibit the transfer of personal data to the US unless adequate protections are in place. This would have major implications for US tech companies operating in Europe.

The TADPF's reliance on executive assurances rather than solid legal foundations has been a point of criticism since its inception. According to Schrems, "There were long discussions as to the functioning and independence of these oversight mechanisms. Unfortunately, it seems that they may not even stand the test of just the first days of a Trump Presidency. This is the difference between solid legal protections and wishful thinking - the European Commission has solely relied on wishful thinking."

As the 45-day review period progresses, the future of the TADPF remains uncertain. The European Commission must navigate a complex landscape of legal, diplomatic, and business interests. The coming weeks will be critical in determining whether the framework can survive the changes in the US administration or if it will dissolve, leaving EU businesses to grapple with the legal and operational challenges of data transfers.

In conclusion, the TADPF's future is hanging in the balance as the Trump administration takes steps that could undermine its legal foundation. The framework, which was designed to facilitate data transfers between the EU and the US, now faces significant challenges due to its reliance on executive assurances rather than codified law. The European Commission must carefully consider its next steps to avoid a diplomatic fallout while ensuring the protection of European data. According to Schrems, "The direction this is taking already in the first week of the Trump Presidency is really not looking good."