Another Schrems II in the making? Trump’s privacy moves could wreck EU-US Data Transfers (again)

EU privacy pros, brace yourselves: transatlantic data transfers might be on the chopping block once more.

In a move that is already raising alarms in the privacy and compliance world, President Donald Trump has removed key members of the Privacy and Civil Liberties Oversight Board (PCLOB), the very body meant to ensure US surveillance practices respect privacy rights. 

Why does this matter for GDPR compliance? Because the PCLOB plays a key role in the EU’s trust in US data protection mechanisms under the new EU-US Data Privacy Framework (DPF). Without it, European regulators could pull the plug on the DPF just like they did with Privacy Shield, throwing companies back into legal uncertainty. 

Déjà vu? We have been here before

First, Safe Harbor (an agreement between the EU and the U.S. that allowed companies to transfer personal data from the EU to the U.S. based on a self-certification of adequate privacy protections) collapsed. Then came Schrems II, a case brought by Max Schrems, an Austrian privacy advocate and lawyer, which led the CJEU to invalidate the Privacy Shield (the successor of Safe Harbor) in 2020. The Court found that U.S. surveillance laws were incompatible with the GDPR and the fundamental rights guaranteed by the EU Charter. The DPF was supposed to fix this by strengthening oversight, but with the PCLOB in disarray, is it still credible?

If the EU decides the US isn’t holding up its end of the deal, we could see: 

  • Another invalidation of EU-US data transfers 
  • More legal battles from privacy activists (Schrems III?) 
  • Companies scrambling for Standard Contractual Clauses (SCCs) or costly local hosting solutions

What’s next? 

European regulators will likely demand answers and possibly rethink the DPF’s adequacy decision. Max Schrems and his organization “None of Your Business” (NOYB) could challenge the framework in court, and history tells us they tend to win. But most importantly, businesses relying on EU-US data flows should prepare for disruption and explore alternative compliance strategies. In any case, conducting a Data Transfer Impact Assessment (DTIA) is strongly advised to ensure compliance.

What’s your take? 

Is this just political noise, or are we on the verge of yet another GDPR disaster? Should companies start future-proofing their data transfer strategies now?

 

Need help navigating the shifting landscape of EU-US data transfers? Our experts can support you in assessing risks and future-proofing your data transfer strategy.

Please reach out to us on: info@compliancechamps.com
