Update, January 29, 2025
U.S. President Donald Trump dismissed three Democrats from the Privacy and Civil Liberties Oversight Board (PCLOB) on Monday, January 27, 2025 (see PCLOB’s website). As a result, the Privacy and Civil Liberties Oversight Board now has only one board member, rendering it nonfunctional.
The PCLOB plays a central role in the EU-U.S. Data Privacy Framework. This is evident in the European Commission’s adequacy decision, which references the PCLOB more than 30 times. The PCLOB serves as the primary oversight body ensuring that U.S. intelligence agencies comply with the agreed-upon rules, laws, and commitments under the framework. It is essentially the only relevant supervisory body supporting the framework’s goal of ensuring “essentially equivalent” data protection to that of the EU.
While the PCLOB’s potential dysfunctionality does not immediately invalidate the EU-U.S. Data Privacy Framework, it significantly increases its vulnerability to legal challenges. The future course of action—particularly whether and how the vacant board positions will be filled—could be decisive. If a legal review of the framework takes place, the chances of a successful challenge to its legality could rise considerably. The European Commission could also consider revoking its adequacy decision for the EU-U.S. Data Privacy Framework.
A more immediate concern, however, is that on his first day in office, President Trump signed an executive order that could have a much more direct impact. It mandates a review of all national security decisions made by his predecessor within 45 days. This includes all regulations that form the basis of the EU-U.S. Data Privacy Framework. This review represents the first and possibly most critical test of the framework’s continued existence.
For companies relying on the EU-U.S. Data Privacy Framework for transatlantic data transfers, we recommend the following precautionary measures:
- Analyze and document data flows
  - Get a complete overview of all data transfers within your company, including internal transfers and those involving external partners.
  - Identify which of these data flows rely on the framework.
- Consider European alternatives
  - Evaluate the feasibility of switching to solutions where data processing takes place exclusively within the EU.
  - This “EU-only” approach could significantly reduce compliance risks and simplify GDPR adherence.
  - Check with your service providers to see if they offer EU-based hosting and processing options.
- Use Standard Contractual Clauses (SCCs)
  - As an alternative to the framework, implement SCCs, which serve as an independent legal basis for data transfers.
Challenges for the EU-U.S. Data Privacy Framework
The EU-U.S. Data Privacy Framework, in effect since July 2023, may be at a critical turning point. With Donald Trump assuming the U.S. presidency and his plans for a broad political shift, the foundation of this transatlantic agreement on secure data transfers to U.S. companies may be at risk.
The framework’s legal foundation largely depends on Executive Order 14086 (“Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities”), issued by President Joe Biden on October 7, 2022. This executive order was specifically designed to meet the requirements set by the Court of Justice of the European Union (CJEU) in its landmark Schrems II ruling (C-311/18, July 16, 2020) regarding adequate data protection in the U.S.
Two key pillars define the safeguards introduced by this executive order:
- Strict necessity and proportionality criteria for U.S. intelligence agencies accessing data.
- An independent and impartial redress system allowing EU citizens to challenge unlawful data collection for national security purposes.
(Notably, as of November 2024, only one complaint had been filed under this redress mechanism.)
However, this legal structure is also the framework’s biggest weakness. Executive orders are presidential directives that can be issued or revoked without congressional approval. As such, Executive Order 14086, the backbone of the EU-U.S. Data Privacy Framework, could be overturned or significantly altered by President Trump at any time.
This creates considerable legal uncertainty for transatlantic data transfers. Companies and organizations relying on the framework as a legal basis for data transfers must be aware of this inherent instability. If Executive Order 14086 is revoked, the legal foundation of the European Commission’s adequacy decision would be undermined, potentially leading to another transatlantic data transfer crisis—similar to the previous collapses of Safe Harbor and Privacy Shield.
Historically, transatlantic data transfer agreements—Safe Harbor and Privacy Shield—failed due to legal challenges before the CJEU. Until now, the biggest threat to the current Data Privacy Framework was assumed to be another legal challenge at the European Court. However, this situation has taken an unexpected turn: The greatest immediate risk to the framework now comes from Washington, not Luxembourg.
If President Trump repeals the executive order underpinning the framework, it could unravel much faster than through a CJEU ruling. While a court case typically takes years and involves legal arguments, a presidential counter-order could instantly strip the framework of its legal foundation.
Companies and Organizations Must Act Proactively
Given these political uncertainties, businesses should adopt a dual approach to legally securing their transatlantic data transfers.
Alongside using the EU-U.S. Data Privacy Framework, companies should implement and continuously maintain Standard Contractual Clauses (SCCs) for all data transfers. This “backup strategy” provides an additional legal basis for compliant data transfers.
SCCs, as an EU Commission-approved mechanism, offer a key advantage: they remain valid regardless of political developments in the U.S. While the EU-U.S. Data Privacy Framework could be invalidated by a presidential decision, SCCs would remain a stable contractual foundation. Businesses using both mechanisms can rely on SCCs if the framework collapses.
However, a word of caution:
While implementing SCCs is an important safeguard, it is not a universal solution. If the EU-U.S. Data Privacy Framework is revoked, concerns about U.S. data protection levels will resurface. In that case, companies relying on SCCs would need to provide much stronger justifications to prove adequate data protection.
Specifically, companies would need to conduct Transfer Impact Assessments (TIAs), as required by the CJEU’s Schrems II ruling. These assessments must critically evaluate U.S. authorities’ access rights to data. Without the safeguards of Executive Order 14086, businesses would have to demonstrate significantly more protective measures to ensure data protection equivalent to EU standards.