The Trump administration's actions have had far-reaching consequences across various domains, including immigration, the conflicts in Ukraine and Palestine, border control, taxes, and tariffs. While data protection has largely remained unaffected until now, recent developments suggest that data privacy may soon be impacted, raising concerns about the future of the Data Protection Framework ("DPF"), which safeguards data transfers from the EEA to the US and, by its UK Extension, from the UK to the US (for more information see our articles here and here).
The current position of the Data Protection Framework
Under the EU's General Data Protection Regulation ("GDPR"), transfers of personal data to a third country such as the US are generally prohibited unless that country is shown to provide a level of protection for the personal data processed there that is essentially equivalent to the EU's.
The DPF is a legal mechanism that allows personal data to be transferred from the European Economic Area (EEA), and by its UK Extension from the UK, to the US, on the basis that the US provides a level of protection equivalent to that guaranteed by the GDPR. The concerns that led the Court of Justice of the European Union ("CJEU") to find that the DPF's predecessor (the Privacy Shield) did not provide sufficient protection were addressed by, among other elements, the following measures:
- Executive Order ("EO") 14086 on Enhancing Safeguards for United States Signals Intelligence Activities, adopted on 7 October 2022. This sets out privacy safeguards that US agencies must comply with when carrying out signals intelligence surveillance.
- The US Department of Justice adopted a rule under the above EO to establish a Data Protection Review Court ("DPRC") to consider applications for review of determinations by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence.
- The Department of Justice ("DOJ") designated the EU, Iceland, Liechtenstein, Norway, the UK, and Switzerland as "qualifying states" under the DPF arrangement, allowing their citizens to petition the DPRC in the US for redress.
Actions from the Trump administration
At present, the Trump administration has maintained all existing privacy protections relating to US signals intelligence and continues to endorse the Commission's adequacy decision for the DPF. However, two recent actions could pose risks to the DPF if it were challenged.
First, the EO on "Ensuring Accountability for All Agencies" requires federal agencies to submit significant regulatory actions for presidential review, potentially impacting the Federal Trade Commission's ("FTC") independence in enforcing DPF principles.
Second, the Trump administration terminated three Democratic members of the Privacy and Civil Liberties Oversight Board ("PCLOB"), leaving it with only one member and therefore lacking its statutory quorum. This could limit the PCLOB's functionality, which is crucial for overseeing US intelligence activities and the DPF's redress mechanism.
Despite these concerns, the remaining PCLOB member has committed to continuing oversight work, and the administration can appoint new members following statutory procedures. The impact on DPF functions will depend on the speed of these appointments and the remaining member's ability to perform necessary tasks.
What should businesses do?
While there is no cause for alarm, businesses should remain vigilant and prepare for potential changes. Here are some steps to consider:
- Monitor developments: Stay informed about any changes in US data privacy laws and the EU Commission's decisions regarding the DPF.
- Map/review your data flows: Take time to understand what data flows to the US so if the DPF is invalidated you know where to focus your time and resources.
- Review data transfer mechanisms: Assess current data transfer practices and check that any US companies you are transferring data to retain their DPF certification. It may also be prudent to consider implementing an alternative "fallback" transfer mechanism, such as SCCs, to ensure compliance if the DPF is invalidated. Many organisations will have provided for such a mechanism already, but an audit of your contracts may also be advisable to confirm that this has been put in place.
- Conduct Transfer Impact Assessments (TIAs): Regularly evaluate the privacy risks associated with data transfers to the US and document these assessments.
- Engage legal counsel: Consult with data privacy experts to understand the implications of potential changes and to develop a robust compliance strategy.
Conclusion
While no imminent change is expected (a challenge in the CJEU would certainly take months, if not years, to reach a determination), the evolving political landscape necessitates vigilance and proactive measures from businesses engaged in transatlantic data transfers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.