Privacy organization noyb describes the consequences of a recent ruling by the U.S. Supreme Court as the “collapse” of the EU-US Data Privacy Framework, which has been in effect since July 10, 2023. Founder Max Schrems is calling on the European Commission to revoke the adequacy decision for the U.S.
The U.S. Supreme Court has ruled that the independence of the Federal Trade Commission (FTC) is unconstitutional. This strikes at the heart of the EU-US Data Privacy Framework (DPF). The EU relies precisely on the FTC for oversight in the U.S.
The transfer of personal data to countries outside the European Union is permitted only in certain cases. One such case is an adequacy decision, in which the European Commission determines that a country protects data at a level comparable to that of the GDPR. According to the Dutch Data Protection Authority, such a decision applies to fifteen countries, including the U.S. One of the requirements is independent oversight by an authority. The U.S. designated the FTC for this purpose, but the FTC can no longer fulfill that role because it is not considered truly independent.
Third Time the Foundation Has Been Shaken
This is not the first time that an EU-U.S. arrangement regarding the exchange of personal data has come under pressure. Two previous agreements, Safe Harbor and Privacy Shield, were declared invalid by the European Court of Justice in 2015 and 2020, respectively.
“Given that the EU relies in almost all cases on the ‘independence’ of the FTC as a privacy watchdog, the foundation of the EU-US Data Privacy Framework has collapsed,” according to noyb.
Call to the European Commission
noyb has sent a letter to the European Commission requesting that it withdraw the agreement with the U.S. Schrems points out that the ruling also affects model contracts and corporate policies.
“We call on the Commission to move away from the U.S. cloud, which is not easy, but unfortunately inevitable,” says Schrems. Even though a ruling by the U.S. Supreme Court with these consequences had been expected for some time, the timing makes the mood all the more pronounced. Over the past few years, Europe has begun to think more maturely about its own digital autonomy and is discovering that it is virtually nonexistent.
The debate surrounding digital sovereignty now extends not only to data but also to applications and their management. Even European data stored in the data centers of U.S. companies—but located on European soil—will become even more contentious due to the alleged collapse of the EU-U.S. Data Privacy Framework. Microsoft already informed a French judge last year that it could not truly guarantee sovereignty for its own customers. As a result, partnerships with U.S. tech companies risk being based entirely on trust, without the legal foundation one would hope to find.