The EU-US Data Privacy Framework. Since 1995 the EU has generally prohibited the export of personal data to third countries, to ensure that EU privacy rules cannot be evaded by simply sending data abroad. While there are exceptions for necessary transfers, ranging from booking a hotel to complex transactions, many EU companies simply outsourced the processing of personal data to US cloud providers. Since 2000 the European Commission has repeatedly accepted that the US is an “adequate” country when it comes to the protection of personal data, allowing free data flows between the EU and the US. The European Court of Justice (CJEU) annulled the two previous decisions of the Commission in the so-called “Schrems I” decision (killing “Safe Harbour”) and the “Schrems II” decision (killing the “Privacy Shield”), because of US surveillance laws and the lack of judicial remedies in the US. Nevertheless, the European Commission issued a third EU-US deal in 2023, called the “EU-US Data Privacy Framework”, which was largely a copy/paste of the previously annulled deals.
EU requirement for an independent DPA. EU treaty law (the EU “constitutional” framework), namely Article 16(2) TFEU and Article 8(3) of the Charter of Fundamental Rights, requires that oversight of data protection matters be carried out by an “independent” authority. Because third countries must provide “essentially equivalent” protections, any third country that wants to enjoy the free flow of personal data from the EU must also afford such independent oversight. So far, the US has appointed the “independent” FTC as the US privacy regulator to meet the EU requirement for independent oversight. The EU in turn has relied on the FTC a whopping 259 (!) times in its EU-US data flow decision.
Max Schrems: “Crucially the EU constitutional framework requires independent oversight. The only way to change this would be a unanimous vote by all EU Member States to change the EU treaties.”
The requirement for an independent Court. Furthermore, the CJEU also highlighted that the US would need to provide an independent legal redress mechanism in matters of government surveillance. Because the US was unable to pass relevant legislation, the Biden Administration created a “Data Protection Review Court”. While it is called a “Court”, it is in fact an executive body within the US Justice Ministry. It is only “independent” by virtue of an Executive Order (EO) issued by former President Biden, which can be changed by Trump at any moment and is not binding on the President.
The “Slaughter” Decision: Unitary (Trump) Executive. In a 180° turn from its previous case law, the conservative majority on the US Supreme Court has now decided that the independence of the FTC is unconstitutional. This follows a “unitary executive” theory, according to which the US President must have power over all US executive bodies, and the Court declared all US laws that make various agencies independent to be unconstitutional. Given that the EU in almost all cases relied on the “independence” of the FTC as a privacy watchdog, the entire structure of the EU-US Data Privacy Framework has just collapsed.
Max Schrems: “Even in the logic of the European Commission, the basis for any EU-US data transfer deal is dead. We call upon the Commission to start an orderly exit from the US cloud – which is not easy, but unfortunately unavoidable. The Commission built a legal house of cards under industry pressure, now that it clearly collapses it has to take responsibility.”
Impact not unlimited. Even if all the underpinnings of the EU decision are gone, the European Commission Decision formally remains in force until either the European Commission repeals it or the Court of Justice annuls it. There is hence no immediate effect. The GDPR also only regulates the transfer of personal data; non-personal data can flow freely. Furthermore, Article 49 GDPR allows necessary data transfers to any third country. It does not, however, allow the structural offshoring of data from the EU where this is not strictly necessary.
SCCs and BCRs also affected. While some companies may not directly rely on the EU-US Framework and instead formally use SCCs and BCRs, they usually also rely on an “impact assessment” that in turn relies on formerly independent US executive bodies, such as the PCLOB or the Data Protection Review Court. The Supreme Court decision therefore usually affects them too, even if they do not rely on the FTC. Unlike controllers relying on a formal Commission Decision, they must immediately update their assessment, and logically come to the conclusion that their data transfers are no longer legal.
Next Steps: Commission must repeal EU-US deal. noyb has sent a formal letter to the European Commission today, asking the Commission to take the appropriate steps to repeal the EU-US data deal in an orderly way. Politically, many EU Member States have already moved towards a “digital sovereignty” approach and have stated their intention to decouple from US service providers. Some US service providers are also moving towards separate EU data processing. However, given that the US still exercises massive pressure on the EU to keep personal data flowing, noyb will also file a lawsuit in the coming weeks, aiming to allow the CJEU to annul the current deal. Such a lawsuit typically takes 2-3 years until a final decision is reached.