| Currently, the EU-U.S. Data Privacy Framework often serves as the basis for the GDPR-compliant transfer of personal data from the EU to the U.S. However, the future of this framework is uncertain following recent developments under President Trump. The framework is based on two key components. The first is a so-called adequacy decision by the European Commission, which formally confirms that the U.S. ensures an adequate level of protection for personal data. The second component is an Executive Order issued by then-President Joe Biden. This Executive Order established the independent Privacy and Civil Liberties Oversight Board (PCLOB), which was tasked with improving oversight of US intelligence agencies and to oversee a new mechanism enabling EU citizens to lodge complaints in case of unlawful processing of their personal data in the U.S. In January, new US President Trump dismissed three members of the PCLOB, raising concerns about the board’s ability to function. Furthermore, there is a risk that Trump may revoke the Executive Order underpinning the Framework. Additionally, the European Parliament has recently urged the Commission to review the basis of the adequacy decision. Due to these developments – and the possibility that the Court of Justice of the European Union (CJEU) could invalidate the adequacy decision in the medium term – the future of the Privacy Framework is uncertain. In practice, personal data is frequently transferred to the U.S. in cases in which cloud services such as those from Microsoft or Google are used. In many cases, the GDPR compliance of these transfers depends on the continued validity of the Framework. Companies should therefore closely monitor future developments on both sides of the Atlantic. Should the EU-U.S. Data Privacy Framework cease to exist, GDPR-compliant data transfers could still be achieved by other means, for example through the use of so-called Standard Contractual Clauses (SCCs). (Dr. Lukas Mezger, Unverzagt Rechtsanwälte) |