The EU-US Data Transfer System - a mix of EU and US law. Generally, EU law prohibits exporting personal data to countries outside of the EU since 1995, unless there is an absolute need (e.g. when sending an email to any non-EU country). Data can be sent abroad when the non-EU country provides "essentially equivalent" protection of Europeans' personal data. The US, on the other hand, has very strong mass surveillance laws (e.g. FISA702 or EO 12.333), that allow the US government to access any data stored with Amazon, Meta, Microsoft, Google and any other US Big Tech firm without probable cause or individual judicial approval. Therefore, the European Court of Justice has held twice (Schrems I and Schrems II) that US law is not "essentially equivalent". However, Ursula von der Leyen has insisted to pass a third EU-US deal, called "Transatlantic Data Privacy Framework" (TADPF).
TADPF was built on sand. On 10.7.2023 the European Commission issued Implementing Decision (EU) 2023/1795, formally passing the TADPF. This allowed any EU business to freely transfer data to US providers, despite US surveillance laws. The European Commission relied on (very questionable) executive orders or letters by the US government, including the PCLOB, to find that the US is "essentially equivalent". However, these elements are not reflected in US statutes and codified law, because there was no majority in the US Congress to pass such laws. It was long criticised that the next US president could kill these protections with the strike of a pen. This scenario is now on the horizon. In its decision, the European Commission mentioned the PCLOB a whopping 31 times to explain why the US has "essentially equivalent" protections. The PCLOB is the only general "oversight" body that monitors if US services actually compy with laws, orders and other promises. Other elements of US law, like various redress mechanisms, require a plaintiff to become active. The US has traditionally blocked access to these bodies via various "standing" rules, leading to basically no lawsuits ever beeing admitted. This means that the PCLOB is the only relevant oversight mechanism that the TADPF relied upon.
Max Schrems: "This deal was always built on sand, but the EU business lobby and the European Commission wanted it anyways. Instead of stable legal limitations, the EU agreed to executive promises that can be overturned in seconds. Now that the first Trump waves hit this deal, it quickly throws many EU businesses into a legal limbo. The PCLOB itself is only one puzzle piece, and as long as it is only temporarily not functioning, there is an argument that the deal is not worse then before. However, the direction this is taking in the first week of the Trump Presidency is not looking good. We are closely monitoring, if this is a temporary problem or if the PCLOB is being killed for good."
Independence of executive bodies called into question. Different to data protection authorities in the EU, most US oversight bodies are creatures of the executive branch and hence not independent. Independence is often only granted by the President, but can be revoked or overruled at any time. Many of these strange legal concepts are a reults of the structural inability to pass actual legislation in the US. Instead, entire legal areas are merely regulated by Presidential orders. The fact that the US president is now attempting to simply remove people, calls into question if the idea of (allegedly) "independent" executive bodies was even factually arguable from the get go. Many other elements of the TADPF, like the Data Protection Review Court have even weaker legal protections than the PCLOB.
Max Schrems: "There were many questions on the independence of these oversight mechanisms. Unfortunately, it seems that they may not even stand the test of just the first days of a Trump Presidency. This is the difference between solid legal protections in law and wishful thinking. The European Commission has solely relied on the latter."
45 days for next crunch point. In one of the first Executive Orders Trump has signed on Monday, he determined that all Biden national security decisions (including the relevant decisions that the EU-US transfers rely upon) shall be reviewed and potentially scrapped within 45 days. This means that further elements the TADPF relied upon could collapse within days. As the entire deal is based on Biden executive decisions, Trump could scrap all key elements of the deal with a single signature – leading to instantly illegal data transfers between the EU and the US.
Max Schrems: "I can hardly imagine that a Biden Executive Order that was forced on the US by the EU and that regulates US espionage abroad could survive Trump's 'America First' logic. The problem is, that not just US Big Tech, but especially normal EU businesses all rely on this system of instable executive orders to argue that using US cloud systems is legal in the EU."
Commission manoeuvred EU businesses towards a cliff. Despite all facts and criticism by the European Parliament and EU data protection authorities, the European Commission has consistently argued that the TADPF is solid and sound. The EU business lobby pushed for a(ny) deal – no matter how unstable or wacky. Equally, US Big Tech wanted to stay on the EU market without any technical limitations in relation to US government access. Now, everyone from large banks, entire national school systems to many small businesses may wake up to a legal situation, where the use of US cloud products is soon illegal.
EU-US data transfers legal for now – but get prepared. A decision by the US administration will not instantly make US transfers illegal. The European Commission's decision is generally legal as long as it is on the books and not annulled by the Commission itself or the Court of Justice. So even if the material finding becomes wrong, the decision still formally exists until it is overturned. However, if key elements that the EU has relied upon are not functioning, the EU will have to annul the deal.
Max Schrems: "While the arguments for the EU-US deal seem to fall apart, companies can rely on the deal as long as it is not formally annulled. However, given the developments in the US, it is more crucial than ever for businesses and other organisation to have a 'host in Europe' contingency plan."
European Comission in a tough spot. The European Commission has manoeuvred itself in a tough spot not only from a credibility perspective, but also from a diplomatic perspective. If it now reacts quickly and annuls the TADPF, the US Tech Oligarchy will cry that the EU would be "screwing with" US Big Tech. The Trump administration may take this as a reason to start a first major fight with the EU. However, not taking action and failing to officially warn EU businesses, public bodies and other organisations that send data to the US also seems problematic. The future of the TADPF may be very short-lived.
EU version of the US TikTok debate? While the US has long belittled European fears about personal data flowing to the US and being used in mass surveillance, the US has suddenly turned around once its own data was aggregated by TikTok. On one hand, a prohibition or a compulsory acquisition of US Big Tech in Europe would be legally impossible. US businesses would be protected from the EU passing an equivalent to a "TikTok ban". At the same time, a duty to keep EU data outside of the hands of the US government is the default under EU law since 1995. It would also be the law, once the European Commission annuls the EU-US deal. US Big Tech would then have to shield their EU data centers from access by their US parent companies..
Log in
reply
