
Excerpted from an IAPP Blog by Brian Hengesbaugh and Lukas Feiler
To date, the Trump administration’s actions have been swift across many domains, focusing on tariffs, trade, immigration, border control, the Ukraine war and more. While none of the administration’s moves have directly affected the core U.S. elements that underpin the EU-U.S. Data Privacy Framework, two recent actions create a concern that the DPF might be susceptible to a Court of Justice of the European Union finding that invalidates the European Commission’s DPF adequacy decision.
Overall, our sense is that such a CJEU finding would be unlikely to mature in the short term, given the longer timelines needed for judicial review. Moreover, when such a case is presented before the CJEU, much will depend on the other actions the Trump administration and the Commission take in the interim. Both the Trump administration and the Commission have a strong interest in continuing to support the DPF as the “trans-Atlantic bridge” for data transfers. More than 2,800 U.S. companies participate in the DPF. Their participation benefits their own commercial interests, as well as those of their European customers and business partners.
All U.S. and EU companies that engage in trans-Atlantic business transactions benefit from the DPF. Specifically, all U.S. companies that receive personal data from European customers or business partners must perform transfer impact assessments that evaluate the privacy risk of U.S. government surveillance and access to data. As long as the laws, regulations and policies on government surveillance in the DPF continue to be deemed adequate, U.S. companies can rely on that DPF adequacy finding for the substantive aspect of the TIA. This is the case regardless of whether the U.S. company participates in the DPF, the parties implement the Commission standard contractual clauses or other solutions are used. Since the value of U.S.-EU trade in services is approximately USD2 trillion annually, both sides have a strong incentive to continue to provide certainty for companies and maintain a high degree of privacy protection.
Legal context for the DPF
In general, Articles 44-49 of the EU General Data Protection Regulation prohibit the transfer of personal data from the EU to a third country, such as the U.S., unless the third country assures a level of protection guaranteed by the GDPR. The U.S. administration and the European Commission worked collaboratively to develop the DPF in the wake of a July 2020 CJEU finding that the DPF’s predecessor, the EU-U.S. Privacy Shield, did not provide sufficient protection. The CJEU’s finding on the Privacy Shield focused on perceived inadequacies of U.S. law and policy on intelligence surveillance, including apparently insufficient rights of data subjects and the inability to raise complaints.
Among other elements to address the CJEU’s concerns, the U.S. administration adopted Executive Order 14086 of October 7, 2022, on Enhancing Safeguards for United States Signals Intelligence, which sets out privacy principles that U.S. agencies must follow when engaging in intelligence surveillance. The U.S. Department of Justice then adopted a final rule implementing the order to establish a Data Protection Review Court to consider applications for review of determinations by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence.
Trump administration actions
Importantly, the Trump administration has not changed any of the above elements that provide privacy protections related to U.S. signals intelligence and supports the Commission’s adequacy decision for DPF. However, the administration has undertaken two more general actions that could be interpreted to create risk for the DPF in the context of a CJEU case or otherwise, as follows.
First, Trump issued the executive order on “Ensuring Accountability for All Agencies” on 18 Feb. 2025. The accountability executive order articulates a policy to ensure consistent regulatory policy across federal agencies, including the FTC and at least seventeen other independent regulatory agencies. Among other steps, this executive order requires all federal agencies to submit proposed and final significant regulatory actions for presidential review before publication in the Federal Register. The potential concern with the accountability executive order is that it might infringe on the FTC’s ability to be sufficiently independent to enforce the DPF privacy principles in accordance with GDPR Article 44(2)(b).
Second, on or around 23 Jan. 2025, the Trump administration reportedly terminated all three Democratic members of the Privacy and Civil Liberties Oversight Board. The PCLOB was established by federal law as an independent federal agency, composed of a bipartisan, five-member board appointed by the president for a fixed six-year term with Senate approval. Its mission includes the analysis and review of actions taken by the executive branch in the fight against terrorism to ensure such actions are balanced with the need to protect privacy and civil liberties. With one prior vacancy, this leaves only one member of the PCLOB at present. Lacking its statutory quorum of three members, the PCLOB may have limited functionality.