european commission
Image: paws and prints / Unsplash

Supreme Court decision threatens EU-US data transfer agreement

A key data privacy agreement between the European Union and the U.S. may be in danger following a Supreme Court ruling that allows presidents to remove members of so-called independent agencies at will.

In a Tuesday letter, Max Schrems, the founder of the Vienna-based privacy advocacy organization noyb, told European officials he plans to sue to invalidate the EU-U.S. Data Privacy Framework (DPF) that allows for the transfer of personal data from the EU to U.S. companies. 

The most recent version of the law, which was formally adopted by the European Commission in 2023 to address worries over how the U.S. gathers data, requires an independent U.S. body to oversee the data transfers to ensure they are regulated and limited. The U.S. Federal Trade Commission (FTC) has been the key organization playing that role

.

On Monday, the Supreme Court held that President Donald Trump acted legally in firing FTC Commissioner Rebecca Slaughter without cause, calling into question the independence of that and similar agencies.

“The basis for any EU-US data transfer deal is dead,” Schrems said in a statement released Tuesday. “We call upon the Commission to start an orderly exit from the U.S. cloud, which is not easy, but unfortunately unavoidable.”

“The Commission built a legal house of cards under industry pressure,” Schrems said. “Now that it clearly collapses, it has to take responsibility.”

If a court sides with Schrems, the decision could threaten the flow of data between Europe and the U.S. Meta and Google already have said they will pull out of Europe if the transfer of data to America is no longer allowed. 

The DPF’s existence fuels €1.7 trillion ($1.9 trillion) in transatlantic trade each year, experts say.

Schrems has won two previous court battles concerning how Europe transfers data to America and has a long record of prevailing in European privacy lawsuits.

Europe has relied on the independence of the FTC 259 times in its data flow decisions under the current framework, Schrems contends. 

Officials respond

Multiple spokespersons for the European Commission did not respond to requests for comment on how it plans to grapple with the impact of the Supreme Court case.

However, spokesperson Markus Lammert told Politico Europe the Commission has “taken note” of the Supreme Court’s decision and “will now carefully analyze any implications it may have for the EU-U.S. agenda.”

The European Data Protection Board (EDPB), which is composed of privacy regulators from countries across Europe, reportedly said Tuesday that it is reviewing the Supreme Court decision and the "potential implications for the oversight mechanisms underpinning the EU-U.S. Data Privacy Framework.” 

The EDPB also called the independence of the body overseeing how the U.S. uses Europeans’ data a matter of "central importance" to the legitimacy of the DPF.

While the EDPB does not have the power to overturn or change the DPF — only the commission does — its members’ views are influential.

Schrems is pushing for the EU to suspend the data transfers until the court decision is issued, which could take years. However, French Parliamentarian Phillipe Latombe already has a case pending before the Court of Justice of the EU, seeking to invalidate the DPF.

On Tuesday, Latombe called on European Commission president Ursula von der Leyen to “immediately cancel” the DPF which can “no longer be legal,” according to a LinkedIn post.

A strong case

Experts say the European Commission is trapped in a politically difficult situation as a result of the court ruling.

“The commission cannot come to a different interpretation of U.S. law than the U.S. Supreme Court and so therefore it has to articulate either why a lack of independence is okay, and that's hard… or it's going to have to say why it's not okay and what it's going to do about it,” Joe Jones, director of research and insights at IAPP, said in an interview.

The commission does not want to invalidate the DPF given how it underpins the European economy, but Jones said it is “going to get squeezed, no doubt, from different stakeholders that it should do something, and this is for some people a night and day situation — independent one day, not independent the next, so it has to do something.”

About a quarter of Meta’s ad revenue comes from the EU, Jones said. If it can’t use Europeans’ data to target ads it will either need to build data storage infrastructure in Europe or tackle a complicated compliance environment without the incentive of making money, Jones said.

TikTok is currently building data centers and other data storage infrastructure in Ireland, Jones said, and the effort has taken significant time and cost more than $10 billion.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
Recorded Future
No previous article
No new articles
Suzanne Smalley

Suzanne Smalley

is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.