EU requirement for an independent DPA. EU treaty law (hence the “constitutional” framework of the EU), i.e. Article 16(2) TFTU And Article 8(3) of the Charter of Fundamental Rights.Requires that data protection matters be monitored by an “independent” authority. Because third countries must have “essentially equivalent” protection, it is required that any third country that wishes to enjoy the free flow of personal data to and from the EU also provides such protection. So far, the US has appointed the “independent” FTC as the US privacy regulator to fulfill the EU’s independent monitoring requirement. In turn, the EU has relied on the FTC 259 (!) times in EU-US data flows decisions.
Max Schrems: “Importantly, the EU’s constitutional framework requires independent oversight. The only way to change this would be for all EU member states to vote unanimously to change the EU treaties“
The need for an independent court. Furthermore, the CJEU also highlighted that the US would need to provide an independent legal redress mechanism in cases of government surveillance. Since the US was unable to pass relevant legislation, the Biden administration created a “Data Protection Review Court“. Despite being called a “Court”, it is actually an executive body within the US Department of Justice. It is “independent” only through a executive Order (EO) by former President Biden which can be changed by Trump at any moment and is not binding on the President.
“Slaughter” Decision: Unitary (Trump) Executive. In a 180° turn on previous case law, the conservative majority in the US Supreme Court has now decided that the FTC’s independence is unconstitutional. It follows the “unitary executive principle” that the US President should have the power All The US executive body declares all US laws making various agencies independent as unconstitutional. Given that the EU relied on the “independence” of the FTC as a privacy watchdog in almost all cases, the entire structure of the EU-US data privacy framework has collapsed.
Max Schrems: “Even in the European Commission’s argument, the basis for any EU-US data transfer deal is lost. We call on the Commission to begin an orderly exit from the US cloud – which is not easy, but unfortunately inevitable. The Commission created a legal house of cards under pressure from the industry. Now that it has clearly collapsed, it has to take responsibility“
Impact is not unlimited. Even if all the grounds for an EU decision have been exhausted, the European Commission decision remains formally in force unless the European Commission revokes it or the Court of Justice cancels it. So there is no lasting effect. The GDPR also only regulates the transfer of personal data. Non-personal data can flow freely. Ahead, Article 49GDPR Allows the necessary data transfer to a third country. However, it does not structurally allow offshore data from the EU if it is not strictly necessary.
SCC and BCR were also affected. While some companies may not rely directly on the EU-US framework and instead formally use SCCs and BCRs, they also commonly rely on “impact assessments”, which in turn rely on previously independent US executive bodies such as the PCLOB or the Data Protection Review Court. So the Supreme Court’s decision usually impacts them too, even if they don’t trust the FTC. In addition to controllers relying on the formal Commission decision, they must urgently update their assessment – and logically come to the conclusion that data transfers are no longer legal.
Next steps: The Commission must repeal the EU-US agreement. Noyab sent one Formal letter to the European Commission Today, it called on it to take appropriate steps to dismantle the EU-US data deal in an orderly manner. Politically, several EU member states have already moved toward a “digital sovereignty” approach and announced decoupling from US service providers. Some US service providers are also moving towards separate EU data processing. However, given that the US still places heavy pressure on the EU to keep personal data flowing, Noyab A lawsuit will also be filed in the coming weeks with the aim of allowing the CJEU to strike down the current deal. However, such litigation generally takes 2-3 years until a final decision is reached.
<a href