News about Trump's inauguration and the first laws he has enacted are currently piling up. In addition to many other serious and worrying consequences for the USA, these could also have a significant impact on the EU-US Data Privacy Framework and therefore also have a major impact on European companies.
As the New York Times reported on January 22, three members of the five-person „Privacy and Civil Liberties Oversight Board“ (an agency that is supposed to be a watchdog and protect Americans from abuse by surveillance agencies) received letters this week asking them to resign by Thursday or prepare to be fired.
It is not yet clear whether Trump plans to appoint new members or leave these positions vacant. The latter would mean that the Privacy and Civil Liberties Oversight Board would effectively be shut down. This could be a piece of the puzzle that could cause the EU-US Data Privacy Framework, the adequacy decision for data transfers to the USA, to crumble.
One of the main arguments that brought down the predecessor decision to the EU-US Data Privacy Framework - namely the EU-US Data Privacy Shield - was that the US security authorities had too extensive access rights and could access all data stored by US companies almost without sufficient reason or individual court approval.
However, the matter with the Privacy and Civil Liberties Oversight Board will not be Trump's last action concerning data protection in the US. In one of the first executive orders signed by Trump, he decided that all of Joe Biden's national security decisions (including the relevant decisions on which the EU-US Data Privacy Framework is based) should be reviewed and possibly discarded within 45 days. This could result in the removal of other key elements on which the EU-US Data Privacy Framework is based.
Practical note:
The fact is that the EU-US Data Privacy Framework is not automatically overridden by Trump's actions to date. It is up to the ECJ to determine whether the EU-US Data Privacy Framework provides an adequate level of protection for data transfers from Europe. However, this assessment will depend on how Trump structures the protection of personal data and access to it by the US security authorities
Data protection activist Max Schrems has already expressed his displeasure at the changes and Trump's behavior. It is therefore not unrealistic that the ECJ could reach a Schrems III decision. However, this would not happen immediately, but will probably take a few more months
If the EU-US Data Privacy Framework is declared invalid, this means that companies in Europe will no longer be able to base their data transfers when using tools from Amazon, Google, Microsoft and others on the adequacy decision. The conclusion of EU-US standard contractual clauses and the agreement of additional security measures will then once again play a central role. It is therefore advisable to keep an eye on current developments. We will of course keep you up to date accordingly.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
