The new Trump administration continues to rage…
… and is busy laying off staff. Members have also been removed from the Privacy and Liberties Oversight Board (PCLOB), one of the bodies set up by Biden to strengthen the rights of data subjects – especially those from the EU – which was an essential building block for aligning the US level of protection for personal data with that required by the GDPR. This, in turn, was a prerequisite for the EU Commission’s adequacy decision in 2023. Whether it can continue to exist under these new circumstances is questionable.
Background:
You will no doubt remember Schrems I and Schrems II, the ECJ rulings that the transfer of personal data from EU citizens to the US and the processing of this data there was unlawful because it violated the GDPR. It was sufficient that, for example, US parent companies had purely theoretical access to such data hosted by their subsidiaries or branches in the EU. Austrian data protection activist Max Schrems first brought down the so-called “Safe Harbor” solution for data transfers and then its successor, the “EU-US Privacy Shield,” through his proceedings before the ECJ.
This was followed by more than two years of legal uncertainty for European customers of US companies until, following adjustments demanded by the EU and implemented by the Biden administration finally, the EU Commission finally was able to issue an adequacy decision. The Commission thus certifies that the US has an adequate, reasonably comparable level of data protection. This serves as a guarantee in accordance with Art. 45 GDPR, and personal data could then be transferred to the “third country” USA again without special further authorization. However even at that time there was serious criticism, in particular that the legal changes in the US relevant to the EU Commission’s decision regarding complaint and appeal procedures and the additional instances were only implemented by means of executive orders, i.e. instructions from the White House to subordinate authorities. These can be easily changed or withdrawn at any time by a new president.
There was therefore great concern about how and when Trump and Musk’s regulatory cuts, along with their usual MAGA concessions for the domestic technology industry, might affect us here. And – bingo! – it seems that these concerns are now being confirmed. The PCLOB, an essential component of the above-mentioned complaint and appeal procedure, is effectively no longer functional due to the current exodus of personnel, as it no longer has a quorum and, in the opinion of many data protection experts, can no longer guarantee the protection of EU data.
Request to the EU Commission
In any case, on February 6, Javier Zarzaleojos, Chair of the Committee on Civil Liberties, Justice, and Home Affairs, wrote to Mr. Michael McGrath, the EU Commissioner responsible for justice and law, asking the Commission to explain what impact this has on the adequacy decision, i.e., whether it can be maintained under the new circumstances. The response is currently pending, but I cannot imagine that this will have no impact. A new phase of uncertain and illegal data transfers to the US could be imminent.
So please follow this topic closely—I will also stay on top of it and keep you informed.
