PONT Data&Privacy

Will US Cloud soon be illegal? Trump punches first hole in EU-US Data Deal.

Since the Snowden revelations, we have known that the US spies on EU users on a massive scale by collecting personal data from US Big Tech companies. The "Privacy and Civil Liberties Oversight Board" (PCLOB) is the main US oversight body for these laws. The New York Times now reports that Democratic members of the (officially "independent") PCLOB have received letters demanding that they resign by Friday evening. This would bring the number of appointed members below the threshold needed to keep the PCLOB operational and call into question the independence of other executive redress bodies in the US.

23 January 2025

The European Union has relied on these US boards and tribunals to find that the US provides "adequate" protection of personal data. Relying on PCLOB and other mechanisms, the European Commission allows European personal data to flow freely to the US in the so-called "Transatlantic Data Privacy Framework" (TADPF). Thousands of EU businesses, government agencies or schools rely on these provisions. Without TADPF, they would need to stop using US Cloud Providers like Apple, Google, Microsoft or Amazon instantly. 

The EU-US Data Transfer System - a mix of EU and US law. Since 1995, EU law has generally prohibited exporting personal data outside of the EU, unless there is an absolute need (e.g. when sending an email to any non-EU country) or the non-EU country provides "essentially equivalent" protection of the personal data of Europeans. The US, on the other hand, has very strong mass surveillance laws (e.g. FISA702 or EO 12.333) that allow the US government to access any data stored with Amazon, Meta, Microsoft, Google and any other US Big Tech firm without probable cause or individual judicial approval. Therefore, the European Court of Justice has held twice (Schrems I and Schrems II) that US law is not "essentially equivalent". However, Ursula von der Leyen insisted on passing a third EU-US deal, called the "Transatlantic Data Privacy Framework" (TADPF).

TADPF was built on sand. On 10.7.2023 the European Commission issued Implementing Decision (EU) 2023/1795, formally passing the TADPF. This allowed any EU business to freely transfer data to US providers, despite US surveillance laws. The European Commission relied on (very questionable) executive guarantees, including the PCLOB, to find that the US is "essentially equivalent". However, these elements are not in US statutes and codified law, because there was no majority in the US Congress to pass such laws. Instead, the EU relied on Executive Orders, letters by the US government and diplomatic good will. It was long criticised that the next US president could kill these protections with the stroke of a pen. This scenario is now on the horizon. In its decision, the European Commission mentioned PCLOB a whopping 31 times to explain why the US has "essentially equivalent" protections. At the same time, the PCLOB is only an oversight mechanism, in addition to redress mechanisms. If the PCLOB is not operational, many other elements will gradually implode, but there is an argument that short-term vacancies will not kill the TADPF instantly.

Max Schrems: "This deal was always built on sand, but the EU business lobby and the European Commission wanted it anyways. Instead of stable legal limitation, the EU was agreeing to executive promises that can be overturned in seconds. Now where the first Trump waves hit this deal, it may soon dissolve in seconds and bring many EU businesses into a legal limbo. The PCLOB itself is only one puzzle piece and as long as it is only temporarily not functioning, there is an argument that the deal is not worse than before. However, the direction this is taking already in the first week of the Trump Presidency is really not looking good."

Independence of Executive Bodies called into question. Unlike Data Protection Authorities in the EU, most US oversight bodies are creatures of the executive and hence not automatically independent. Independence is often just granted by the President, but can be revoked or overruled at any time. Many of these strange legal concepts are a result of the structural inability to pass actual legislation in the US. Instead, entire legal areas are merely regulated by Presidential orders. The fact that the US president is now attempting to simply remove people calls into question whether the idea of (allegedly) "independent" executive bodies was in any way factually arguable from the get-go. Many other elements of the TADPF, like the "Data Protection Review Court", have even weaker legal protections.

Max Schrems: "There were long discussions as to the functioning and independence of these oversight mechanisms. Unfortunately, it seems that they may not even stand the test of just the first days of a Trump Presidency. This is the difference between solid legal protections and wishful thinking - the European Commission has solely relied on wishful thinking."

41 days for next crunch point. In one of the first Executive Orders that Trump signed on Monday, he determined that all Biden national security decisions (including the relevant decisions that the EU-US transfers rely upon) shall be reviewed and potentially scrapped within 45 days. This means that further elements the TADPF relied upon could be killed in a matter of weeks. As the entire deal is based on Biden executive decisions, Trump could scrap all key elements of the deal with a single signature - leading to instantly illegal data transfers between the EU and the US.

Max Schrems: "I can hardly see that a Biden Executive Order that was forced upon the US by the EU and regulates US espionage abroad would survive in Trump's logic. The problem is that not just US Big Tech, but especially normal EU businesses all rely on this system of instable papers to argue that using US cloud systems is legal in the EU."

Commission manoeuvred EU businesses towards an edge. Despite all facts, criticism by the European Parliament and the EU Data Protection Authorities, the European Commission has consistently argued that the TADPF is solid and sound. The EU business lobby pushed for a deal - no matter how unstable or wacky. Equally, US Big Tech wanted to stay on the EU market without any technical limitations in relation to US government access. Now everyone from large banks, entire national school systems to many small businesses may wake up to a legal situation, where the use of US cloud products is soon illegal.

EU-US data transfers legal for now - but get prepared. Any decision by the US administration will not instantly make US transfers illegal, because the European Commission decision is generally legal as long as it is on the books and not annulled. So even if the material finding becomes wrong, the decision still formally exists until it is overturned. However, if key elements that the EU has relied upon become dysfunctional, the EU will have to annul the deal.

Max Schrems: "While the arguments for the EU-US deal seem to fall apart, companies can rely on the deal as long as it is not formally annulled. However, given the developments in the US, it is more crucial than ever for any business or other organisation to have a 'host in Europe' contingency plan."

European Commission in a tough spot. The European Commission has also manoeuvred itself into a tough spot, not only from a credibility perspective, but also from a diplomatic perspective. If it now reacts quickly and annuls the TADPF, the US Tech Oligarchy will cry that the EU would be "screwing with" US Big Tech and the Trump Administration may take this as a reason to start a first major fight with the EU. However, not taking action and not officially warning EU businesses, public bodies and other organisations sending data to the US also seems problematic, because the future of the TADPF may be very short-lived.

EU version of the US TikTok debate? While the US has long belittled European fears about personal data flowing to the US and being used in mass surveillance against the EU, the US suddenly turned around once its own data was aggregated by TikTok from China. While a prohibition or a compulsory acquisition of US Big Tech in Europe would be legally impossible, a duty to keep EU data out of the hands of the US government would be the default under EU law once the European Commission annuls the EU-US data deal. This would have major effects on US Big Tech in Europe.
