Data Transfers

On Monday, the US Supreme Court decided in Trump v. Slaughter that the US Federal Trade Commission (“FTC”) may not be independent anymore. Since 2000, the EU has relied on the “independent” FTC as the enforcer of EU-US deals on personal data. According to EU treaty law, such oversight must be independent. In the current EU-US deal, the European Commission relies on the independent FTC 259 (!) times. Max Schrems: “Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US.”

Commission Implementing Decision EU 2023/1795 on the EU-US Data Privacy Framework (EUR-Lex)
US Supreme Court Decision in Trump v. Slaughter
noyb letter to the European Commission
The EU-US Data Privacy Framework. 
Since 1995, the EU has generally prohibited the export of personal data to third countries in order to prevent EU privacy rules from being circumvented by simply sending data abroad. While there are exceptions for necessary transfers, ranging from booking a hotel to complex transactions, many EU companies simply outsourced the processing of personal data to US cloud providers. Since 2000, the European Commission has repeatedly accepted that the US is an “adequate” country when it comes to the protection of personal data – allowing free data flows between the EU and the US. The European Court of Justice (CJEU) annulled the Commission's two previous decisions in the so-called “Schrems I” decision (killing “Safe Harbour”) and “Schrems II” decision (killing the “Privacy Shield”) because of US surveillance laws and the lack of judicial remedies in the US. Nevertheless, in 2023 the European Commission issued a third EU-US deal, called the “EU-US Data Privacy Framework”, which was largely a copy of the previously annulled deals.
EU requirement for an independent DPA. 
EU treaty law (so the EU's “constitutional” framework), namely Article 16(2) TFEU and Art …