Data Protection Network

Are EU/UK data transfers to the US under threat?

For as long as I’ve worked in data protection there have been rulings, conflicts and other shenanigans over the transfer of personal data from the European Union to the United States. From Safe Harbor to Privacy Shield and the court rulings on Schrems I and II, this is starting to look like ‘The Never Ending Story’! Latest chapter? A ruling by the US Supreme Court has cast a shadow over the already fragile EU-US Data Privacy Framework (DPF).

This framework permits the transfer of personal data from the EU to US organisations which are participants to the DPF. Notable participants include Google LLC and Microsoft Corporation.

Data flows between the UK and US also depend on this scheme by virtue of a specific extension known as the UK-US Data Bridge, but for transfers from UK to US to be lawful under the Framework, the US organisation must also sign up to the UK Extension. If the Framework collapses, the bridge comes tumbling down too.

The Trump v. Slaughter ruling gives the President of the United States the power to remove from office, without cause, Federal Trade Commissioners and other public officials. From a data transfers perspective, oversight of the DPF rested on the independence of a number of US federal agencies. The ruling rocks the Framework’s foundations.

Will it still be judged robust enough to provide EU citizens adequate protection when their data is transferred to the US? Privacy advocacy groups are already preparing for legal challenges.

The potential ramifications of the Framework being ruled invalid (as previous arrangements have) shouldn’t be underestimated. Safe Harbor fell in 2015, the Privacy Shield was struck down in 2020. Could we see a similar fate befall the EU-US DPF in 2026? This could in turn lead to other transfer safeguard mechanisms, notably EU Standard Contractual Clauses (SCCs), also being deemed ineffective if US federal agencies are judged incapable of exercising independence.

The UK could find itself in an impossible bind if the EU strikes down the DPF and SCCs. It could continue to allow personal data transfers to the US, perhaps under UK International Data Transfer Agreements (IDTAs), but, and it’s a big but, taking a significantly different stance to European neighbours is likely to lead to the EU rescinding the UK’s adequacy status. A status which lucratively allows for the free flow of personal data between the UK and European Economic Area. See the bind?

Unsurprisingly, Trump v. Slaughter was high on the agenda for a European Data Protection Board plenary meeting this week. Once again international data transfers is back in the spotlight and definitely one to watch for the many organisations heavily dependent on data transfers to the US.

Politics it bound to play its part, with fears any EU decision to collapse the Framework will lead to an unwelcome reaction from the White House.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.
Data Protection Network