Max Schrems, the privacy advocate behind the landmark legal cases that challenged the EU-US data transfer agreement, is raising alarms about the future of transatlantic data privacy. As the political winds shift in the U.S., Schrems warns that the legal foundation for the EU-US data privacy deal could crumble, leaving businesses in a legal void.
The Transatlantic Data Privacy Framework (TADPF) was designed to ensure that data flows freely between the EU and U.S., even though U.S. surveillance laws remain a major point of contention. But recent developments are causing growing concern.
The U.S. government is making changes to key oversight bodies, including the Privacy and Civil Liberties Oversight Board (PCLOB), a crucial part of the TADPF structure. If the board’s independence is compromised, the entire framework could collapse, taking with it the stability that EU businesses rely on to transfer personal data to the U.S.
Schrems, whose legal challenges led to the invalidation of the previous Safe Harbor and Privacy Shield frameworks, argues that TADPF was already shaky. “The EU Commission’s reliance on executive promises rather than solid legal protections was always a gamble,” he says. Now, with potential vacancies on the PCLOB and other oversight bodies, the EU-US deal looks more fragile than ever.
The Transatlantic Data Privacy Framework, while still in place, is built on promises from U.S. officials. It relies heavily on executive orders and diplomatic goodwill, rather than binding legal commitments. This lack of stability has always been a problem, and as the U.S. political landscape shifts, these guarantees could be overturned in an instant. With former President Donald Trump re-entering the political scene, there’s a real possibility that the framework could be dismantled altogether.
For now, EU businesses continue to transfer personal data to U.S. companies like Google, Microsoft, and Amazon under TADPF’s provisions. However, this could change quickly. Should the U.S. government revoke key parts of the agreement, businesses could find themselves in a legal limbo, forced to stop using U.S. cloud services overnight.
“Without a solid backup plan, EU businesses could face significant disruption,” Schrems warns. He advises companies to start considering alternative solutions, including hosting data within the EU, to protect against potential fallout. While the EU Commission has not yet moved to annul the deal, the pressure is mounting. If things continue down this path, businesses in both the EU and U.S. will face a new reality where data flows are restricted, and legal certainty is gone.
In this volatile climate, the EU Commission is caught between a rock and a hard place. Any swift action to annul TADPF could provoke a political showdown with the U.S., while inaction could leave EU businesses vulnerable to sudden legal changes. Either way, the future of data privacy between the EU and U.S. is increasingly uncertain.
As the legal and political landscape continues to shift, Schrems’ warning becomes clearer: the EU-US data privacy deal, once hailed as a breakthrough, may soon face its biggest test yet. And when that day comes, it may not be just the legal experts who feel the impact—it will be businesses and individuals alike who rely on cross-border data transfer.