The EU-US Data Privacy Framework (the “DPF”) is one of the primary legal mechanisms enabling the transfer of personal data from the EU to the United States, since the European Commission issued its adequacy decision in July 2023. It is the third such data transfer arrangement between the EU and US, following the successive invalidation of Safe Harbour by the Court of Justice of the EU (“CJEU”) in Schrems I (2015) and of Privacy Shield in Schrems II (2020). Both predecessor frameworks fell largely because the CJEU found that US surveillance law and the absence of genuine redress mechanisms meant that EU data subjects were not afforded an essentially equivalent level of protection in respect of their personal data in the US. The DPF was designed to address those deficiencies — but a recent US Supreme Court decision has placed its future in doubt.
The Trump v Slaughter decision
In Trump v Slaughter, the US Supreme Court was asked to rule on the legality of President Trump’s dismissal of Rebecca Slaughter, a Democratic commissioner of the Federal Trade Commission (“FTC”). The President had removed the commissioner without cause, a step previously considered constitutionally impermissible in respect of members of independent agencies. The Court held that the President possesses the constitutional authority to remove leaders of independent agencies or commissions (including the FTC) without the need to establish cause. In doing so, the Court may have called into question the FTC’s independence, and therefore, the validity of the DPF itself.
Why this matters for the DPF
The adequacy decision underpinning the DPF is based, in material part, on the independence and effectiveness of US oversight and enforcement mechanisms, to ensure EU data subjects are afforded an essentially equivalent level of protection in respect of their personal data. The FTC occupies a central role in this framework: it has responsibility for enforcing DPF commitments made by US companies and providing an avenue of redress for EU individuals who believe their right to the protection of their personal data has been violated.
The US Supreme Court ruling therefore brings the EU Commission adequacy decision in respect of the DPF into question. If FTC commissioners (or the leaders of other independent bodies) can be removed at the order of the US President, it is arguable that such agencies are no longer independent supervisory authorities in the manner required under EU law. The CJEU’s judgments in Schrems I and Schrems II make clear that effective independence of oversight bodies is a prerequisite for any finding of adequacy.
While the ruling does not have the effect of immediately invalidating the DPF, privacy advocacy group NOYB, founded by Max Schrems, whose litigation led to the invalidation of both Safe Harbour and Privacy Shield, has already indicated its intention to challenge the DPF adequacy decision in light of this ruling. The EU Commission may also review the adequacy decision of its own volition if it is of the opinion that EU data subjects are no longer provided with an equivalent level of personal data protection in the US.
Practical implications for businesses
Businesses that rely on the DPF to facilitate transfers of personal data to the US should not wait to see how the situation plays out before taking action. Businesses should now:
- Review transfer mechanisms and identify which data flows currently depend on DPF certification, and therefore would be exposed to suspension / invalidation.
- Assess current fallback mechanisms to the DPF, such as the EU Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”). Neither of these options is straightforward, however: the BCRs require a lengthy approval process with EU Data Protection Authorities, and the SCCs require prior completion of a transfer impact assessment, which could be more complicated if there is divergence on privacy standards between the US and EU, as this could necessitate the implementation of “supplementary measures” to bridge known gaps.
- Monitor regulatory developments in relation to the status of the DPF and any indications of suspension or a ruling of invalidity.
Contact Us
If you have any questions on anything contained in this article or on international data transfers in general, please contact any member of our Technology and Innovation Group or your usual Matheson contact.
