First-day executive orders signed by the new US president could make it impossible for thousands of EU businesses and public bodies to use US cloud providers such as Google, Microsoft and Amazon without breaching EU privacy rules.
A rollback by US President Donald Trump jeopardises the legality of thousands of companies’ transatlantic data flows, privacy group NOYB warned on Thursday.
If Democrats resign from the US Privacy and Civil Liberties Oversight Board, it would bring the number of appointed members below the threshold for the agency to operate, and put the independence of American executive redress bodies in question, NOYB said.
The EU has relied on these boards to find that the US adequately protects personal data, a requirement for the free flow of information under the bloc’s strict data protection rules.
Thousands of EU businesses and public agencies rely on these provisions. Without the framework, they might need to stop using US cloud providers such as Google, Microsoft or Amazon.
“There were long discussions as to the functioning and independence of these oversight mechanisms. Unfortunately, it seems that they may not even stand the test of just the first days of a Trump Presidency,” NOYB founder Max Schrems said.
Executive Order
In one of the first Executive Orders signed as he took office on Monday, Trump said that all Joe Biden-era national security decisions, including those that EU-US transfers rely upon, should be reviewed and potentially cancelled within 45 days.
If he does cancel them, that wouldn’t on its own make data transfers to and from the US illegal, but it would add to pressure on the European Commission to reverse its previous finding approving data exchange, NOYB said.
“If key elements that the EU has relied upon are getting dysfunctional, the EU will have to annul the deal,” NOYB said.
The EU’s highest court has already struck down two predecessors to the EU-US data transfer framework, known as Safe Harbor and the Privacy Shield, following cases brought by Schrems. Judges cited US mass surveillance laws that allow the government to access any data stored with big tech firms without probable cause or individual judicial approval.
In an annual review in October, the Commission found that the US was complying with the framework, despite warnings from privacy advocates that the US Foreign Intelligence Surveillance Act still allows US intelligence to collect data from American platforms and applications such as Microsoft Teams, Cisco, and WebEx.
A spokesperson for the Commission said on Thursday that it has “worked closely” with different US administrations on data arrangements in the past.
“The rules remain applicable.”
“The data transfer agreement ensures that there is an adequate level of protection, and under the GDPR all adequacy decisions are subject to monitoring,” the spokesperson added.