Trump’s grip on the FTC puts EU-US data transfer at risk


Billions of data transfers occur every day between the US and Europe, but the agreement governing them might be at risk. The US Supreme Court has issued a landmark ruling that is throwing the status quo into doubt, and privacy activists have now called for a suspension of the arrangement.

Key takeaways:

The EU-US Data Privacy Framework allows companies to transfer personal data freely between the European Union and the US.

ADVERTISEMENT

Under EU law, countries that receive personal data from the bloc must have an independent authority to oversee data protection. The European Commission has repeatedly said that the US Federal Trade Commission (FTC) was fit to do so.

Under the current EU-US deal, Europe relies on the independence of the FTC 259 times in its data flow decisions.

However, things changed on Monday, when the US Supreme Court ruled that the FTC's independence is unconstitutional.

“This follows the 'unitary executive theory' that the US President must have power over all US executive bodies, declaring all US laws that make various agencies independent to be unconstitutional,” explains privacy protection group noyb.

US President Donald Trump, blonde hair, usa flag in wind, blue clear sky, white collar shirt
US President Donald Trump speaks in front of the American flag to the press. Kevin Dietsch/Getty.

The organization now argues that the entire structure of the EU-US Data Privacy Framework has collapsed and urges the European Commission to withdraw from it.

“The basis for any EU-US data transfer deal is dead. We call upon the Commission to start an orderly exit from the US cloud, which is not easy, but unfortunately unavoidable. The Commission built a legal house of cards under industry pressure. Now that it clearly collapses, it has to take responsibility,” said Max Schrems, chairman of the Austrian privacy advocacy group noyb.

Since 1995, the EU has generally prohibited the export of personal data to third countries due to privacy concerns. There have been exceptions to necessary data transfers, for example, when booking travel or hotels. However, many EU companies simply outsourced the processing of personal data to US cloud providers.

ADVERTISEMENT

Noyb has asked the European Commission to begin withdrawing the deal in an "orderly" way. It also plans to file a new legal challenge, though a final court decision could take 2 or 3 years.

Check if your data has been leaked

Find out if your email, phone number or related personal information might have fallen into the wrong hands.
18,611,353,922
Breached accounts
36,030
Breached websites

In the meantime, other data protection and cybersecurity experts say the US Supreme Court's ruling on the FTC's status is unlikely to have an immediate effect on EU-US data transfers, but warn of future implications.

“Long-term consequences could be significant, potentially marking a point of no return,” says Dr. Ilia Kolochenko, the founder of a global cybersecurity company ImmuniWeb.

Some “returns” have been made in the past as the current agreement between the US and EU has faced legal problems. Two previous agreements, Safe Harbor and Privacy Shield, were both struck down by the EU's highest court after legal challenges led by Mr Schrems.

The current agreement, introduced in 2023, was meant to fix those problems.

“Whether the framework falls a third time is uncertain. The EU is already moving to ease digital regulation, while the US has warned that further fines on American companies will have consequences. Some revision looks inevitable, but hopefully a less disruptive one than before," says Kolochenko.


Unlock more exclusive Cybernews content on YouTube.

ADVERTISEMENT