US ruling could shatter transatlantic data flow

House of Cards: How a US ruling could shatter transatlantic data flow | heise online


A political and legal house of cards is threatening to collapse. With its decision in the case “Trump vs. Slaughter,” the conservative majority of judges on the US Supreme Court has declared the independence of the Federal Trade Commission (FTC) unconstitutional. What looks like a purely domestic political debate about the US President's powers turns out, upon closer inspection, to be an explosive device for the European digital economy. For the supposed independence of the FTC has long been the legal foundation upon which data traffic between the EU and the USA rested.

The background to the current conflict is the so-called “Unitary Executive Theory.” According to this radical interpretation of the constitution, the US President must have unrestricted control over all federal agencies. The Supreme Court has now declared all legal regulations that protect agencies from direct White House intervention to be inadmissible.

This could have serious consequences for the transatlantic data protection framework. Since 2000, the EU Commission has relied heavily on the FTC as the supervisory body for its data export agreements with the USA. The problem is structural: EU contract law and the Charter of Fundamental Rights stipulate that data protection supervision must be carried out by independent authorities. Since third countries must guarantee an “essentially equivalent” level of data protection, this obligation of independence also applied to US supervision.

Disaster foretold for EU data protection?

In the current adequacy decision of the EU, the highly controversial EU-US Data Privacy Framework of 2023, the EU Commission refers to the FTC's supervisory function no less than 259 times. However, with the new ruling, this authority is now fundamentally subject to the direct political instructions of the US President. The painstakingly constructed argument that the USA offers independent supervision has thus likely become obsolete overnight.

Max Schrems, founder of the data protection organization Noyb, sees the Commission as now obliged to act. Since there are simply no independent authorities left in the USA, Noyb has formally called on the Commission to repeal the adequacy decision for the USA in an orderly process. The Commission, he argues, built a legal castle in the air under pressure from industry, and it has now collapsed. In his view, it is time to take responsibility and initiate a coordinated withdrawal of European industry from US cloud infrastructure.

Schrems has already twice brought down agreements on EU-US data transfer before the European Court of Justice (ECJ).

Limits of immediate impact

The legal implications of the ruling are not yet fully foreseeable. However, its practical effects are not considered unlimited. Although the factual basis of the EU decision has apparently dissolved, the agreement formally remains in force until the EU Commission itself revokes it or the ECJ, which is already dealing with the framework, declares it void. Companies relying on the agreement therefore do not face immediate penalties.

Furthermore, the General Data Protection Regulation (GDPR) exclusively concerns personal data. Purely business or non-personal information may continue to flow unhindered. Absolutely necessary data transfers – for example, for a hotel booking abroad – also remain legal under the exceptions in Article 49 of the GDPR. However, the systematic and structural outsourcing of European data stocks to US providers without a compelling reason is prohibited.

However, companies that circumvent the framework agreement and rely on alternative instruments such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are also left in limbo. These instruments require companies to conduct an internal risk assessment. These impact assessments regularly refer to US supervisory bodies such as the “Data Protection Review Court.” However, this body, established by the Biden administration, is not a real court but an agency within the US Department of Justice. Its independence is based solely on a presidential executive order. According to the Supreme Court's logic, this could also be revoked by Trump at any time.

Companies working with contractual clauses should therefore update their risk assessments. Legally, they are unlikely to reach a positive conclusion anymore.

U-turn at the Supreme Court

The US proceedings were triggered by Trump's dismissal of the two Democratic FTC commissioners, Rebecca Slaughter...
