Trump Jeopardizes EU-US Data Transfer Deal

The European Commission keeps choosing to believe the USA has a data protection framework of stable genius when all the evidence suggests it is unreliable and untrustworthy.

In a move that could have significant implications for transatlantic data flows, US President Donald Trump has removed Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), reducing the number of appointees below the minimum needed to operate. This threatens the Transatlantic Data Privacy Framework (TADPF), a recent agreement enabling the flow of personal data between entities in the European Union and the USA.

The PCLOB plays a vital role per the TADPF, serving as the primary oversight mechanism for US surveillance laws. The European Commission, relying on the PCLOB and other mechanisms, had deemed the US as providing ‘adequate’ protection for personal data under the TADPF. The removal of the board members now jeopardizes the Commission’s assessment, potentially rendering data transfers non-compliant with EU law.

EU law has prohibited the export of personal data to countries outside the EU unless there are mechanisms in place to ensure the personal data of EU citizens is handled in a way consistent with EU law. The basic approach to accomplishing this goal is for the organization exporting the data to place contractual obligations on the organization receiving it. However, the European Commission and businesses have always pushed for a more streamlined relationship with the USA. The European Commission has repeatedly argued that US data protection law is equivalent to that in the EU, thus sparing the need for contractual obligations at the level of individual organizations. Decide for yourself if they are motivated by a genuine belief that American organizations and institutions can be trusted to behave just like their European counterparts or by the commercial realities of the US having many tech and cloud businesses in addition to the US government having the power to ignore EU law if they choose.

US mass surveillance laws, such as FISA 702 or EO 12.333, allow the US government to access data stored by US tech companies. The European Court of Justice twice ruled in the Schrems I and Schrems II cases that the effective limits placed on US surveillance powers are not sufficient to meet European standards. Despite this, a third EU-US deal, the TADPF, was passed at the insistence of European Commission President Ursula von der Leyen.

The European Commission cited the PCLOB 31 times when justifying the decision to treat the USA as having ‘essentially equivalent’ protections for personal data. This was already controversial, given how often they have previously chosen to believe in the strength of US data protection safeguards that were deemed inadequate when presented to the EU’s top judges. Unlike other elements of US law that require individual action, the PCLOB is the sole body that broadly monitors US services’ compliance with relevant laws and orders. No working PCLOB would mean there is no credible justification for the blanket assumption that US entities will comply with EU data protection law.

Austrian privacy activist Max Schrems has fought this battle before, as demonstrated by the two European Court of Justice decisions named after him. Schrems responded with characteristic disdain to the news about Trump’s interference with the PCLOB.

This deal was always built on sand, but the EU business lobby and the European Commission wanted it anyways. Instead of stable legal limitations, the EU agreed to executive promises that can be overturned in seconds. Now that the first Trump waves hit this deal, it quickly throws many EU businesses into a legal limbo. The PCLOB itself is only one puzzle piece, and as long as it is only temporarily not functioning, there is an argument that the deal is not worse than before. However, the direction this is taking in the first week of the Trump Presidency is not looking good. We are closely monitoring if this is a temporary problem or if the PCLOB is being killed for good.

Unlike data protection authorities in the EU, most US oversight bodies are part of the executive branch. This structure allows for potential revocation or overruling of their independence at any time. Many of these legal concepts arise from the inability to pass actual legislation in the US, leading to regulation through presidential orders instead. Trump’s recent actions have further undermined the credibility of Europeans who maintain the pretense that there are checks and balances against the US government’s access to the personal data of Europeans. Other elements of the TADPF, like the Data Protection Review Court, have even weaker legal protections than the PCLOB. Schrems elaborated on these points in his criticism of the European Commission.

There were many questions on the independence of these oversight mechanisms. Unfortunately, it seems that they may not even stand the test of just the first days of a Trump Presidency. This is the difference between solid legal protections in law and wishful thinking. The European Commission has solely relied on the latter.

Trump has also mandated a review of all Biden-era national security decisions that could potentially dismantle other key aspects of the TADPF. Given that the TADPF exists because of executive decisions made by Biden, a single signature could lead to the immediate illegality of data transfers between the EU and the US.

Despite criticism from members of the European Parliament and some European data protection authorities, the European Commission has maintained that the TADPF is robust. The EU business lobby and American Big Tech companies have consistently pushed for a deal to minimize the legal burden when they choose to transfer data pertaining to European citizens. This situation could soon leave many organizations in a precarious legal position regarding their use of US-managed cloud services. On the other hand, European governments and data protection authorities could respond to this crisis like they did to Schrems’ two legal victories: they may choose to look the other way by refusing to enforce the law as it actually stands.

This crisis in data protection also has parallels with American debates over control of TikTok. Trump has vacillated over whether Chinese ownership of TikTok makes it dangerous to allow the social media platform to collect so much data about Americans. US politicians have often dismissed European concerns about data flows, but they sometimes react strongly when data about American citizens is made available to potential enemies. Trump’s PCLOB intervention raises questions about whether it is realistic to expect organizations governed by US law to ever fully reconcile themselves to the obligations enshrined in Europe’s General Data Protection Regulation (GDPR).

Look here for further analysis of Trump’s intervention in PCLOB by noyb, the privacy activist group co-founded by Schrems.

Eric Priezkalns

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.
