Will the agreement on data transfers to the USA be overturned?

After Donald Trump dismissed members of the data protection supervisory authority PCLOB, noyb is once again sawing away at the EU-US data protection agreement.

Data transfer between the EU and the USA has been a contentious issue for years.

(Image: iX)

By Stefan Hessel and Christina Kiefer

Following his official appointment, US President Donald Trump has asked the three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) to resign, which the authority has now confirmed. The PCLOB is an independent data protection supervisory authority in the USA and an important element in the legitimization of data transfers under the EU-US data protection framework (Transatlantic Data Privacy Framework, TADPF for short). The first two attempts at a data transfer agreement between the EU and the USA – Safe Harbour and Privacy Shield – failed in the past following legal action by the data protection NGO noyb before the European Court of Justice.

Stefan Hessel

Stefan Hessel is a lawyer and salary partner at reuschlaw in Saarbrücken. As Head of Digital Business, he advises national and international companies on data protection, cyber security and IT law.

Christina Kiefer

Christina Kiefer is a lawyer and Senior Associate in the Digital Business Unit at reuschlaw.

In the resignation of the three members, noyb now sees a first hole in the TADPF. This agreement between the EU Commission and the US government is the central basis for the adequacy decision for data transfers to the USA, which has been in force since June 10, 2023. This has put an end to years of legal uncertainty. Since then, controllers who transfer personal data to the USA do not have to agree any additional safeguards if the recipient in the USA is certified under the EU-US data protection framework. If the adequacy decision is abolished, companies on both sides of the Atlantic will once again face considerable legal uncertainty.


Among other things, the PCLOB examines whether national security measures guarantee an adequate level of data protection. This is to ensure that they do not have a disproportionate impact on privacy and civil liberties. However, such independent supervisory bodies clash with Trump's understanding of the constitution. According to the Unitary Executive Theory advocated by Trump, the entire executive branch is under the sole control of the president. Accordingly, the president also has the right to appoint and dismiss all executive officials and to oversee their work. Trump has already made extensive use of the powers derived from this in his first days in office.

In the meantime, the PCLOB has announced that the members concerned have been dismissed by the White House. However, the authority has stated that it is able to continue its work and is awaiting the appointment of new members. If one follows this interpretation, the dismissal could merely serve the purpose of ensuring that the Trump administration has a stronger influence on the PCLOB through new Republican representatives. The maximum five-member board requires three active members in order to be operational. A Republican re-nomination would therefore not affect the existence of the PCLOB as an independent supervisory body.

The PCLOB performs certain tasks necessary to maintain the EU-US data protection framework in accordance with Executive Order 14086. Executive Order 14086 is a presidential order issued by President Joe Biden in 2022. As such, however, it can be amended or rescinded at any time by a new Executive Order issued by a sitting President. It therefore remains to be seen if and when Donald Trump will make any changes.

One of the executive orders signed on January 20, 2025 provides for all of Biden's national security decisions to be reviewed within 45 days and, if necessary, revoked. This is the basis for noyb's concerns that the current data agreement could be on the brink of collapse: "Since the entire agreement is based on Biden's executive orders, Trump could cancel all key elements of the agreement with a single signature," writes noyb on its own blog, and concludes: "This would make data transfers between the EU and the US illegal with immediate effect."


It remains to be seen whether the EU-US data protection framework will be affected by this. It should not be overlooked that even a US president does not govern completely detached from the other democratic institutions. For example, another of Donald Trump's decrees was immediately halted by a US federal judge. Moreover, some of the 46 decrees signed on the first day are more Trump PR than substantive instructions for action. It therefore remains to be seen whether a scenario in which the existing adequacy decision is jeopardized will occur at all. One argument against this is that the EU-US data protection framework, unlike the AI regulations repealed by Trump, does not represent a direct burden for US companies. However, a threat to transatlantic data traffic would jeopardize the economic activities of US companies on the EU market.

It is clear that an erosion of the EU-US data protection framework poses a risk to the existing adequacy decision and thus to transatlantic data transfers. Further developments will also depend on whether the EU Commission finds ways and means of dealing with Donald Trump and influencing him in the interests of Europe. In addition to the increased use of European solutions, conceivable means of exerting pressure include, in particular, requiring US companies to conduct their European business via EU branches and to guarantee exclusive data processing in the European Economic Area.

Should the adequacy decision fall despite all efforts, data controllers can still fall back on standard contractual clauses. Although this will not make data transfers to the USA impossible, it will involve significantly more effort. Data exporters must then check on a case-by-case basis whether the clauses guarantee an adequate level of data protection, taking into account the legal situation and legal practice in the third country. If this is not the case, additional protective measures must be taken. Anyone who does not yet have a complete overview of their data transfers to the USA and other third countries should obtain this as soon as possible.

The official communication from the PCLOB can be found here. The statement from noyb is on the NGO's blog.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.