- Critical US privacy oversight body remains non-functional since January
- European Commission yet to take action despite mounting legal concerns
- US cloud services may face legal barriers for European customers
- Experts urge EU businesses to develop contingency plans as uncertainty continues
Months have passed since the Trump team shut down a key US privacy watchdog group, but the deal that lets European data flow to American tech companies still hangs in legal limbo. The Privacy and Civil Liberties Oversight Board (PCLOB) stopped working in January when several members were removed, yet the European Commission hasn’t addressed this major problem.
This leaves countless European businesses unsure if they can legally keep using services from Google, Microsoft, Amazon and other American tech giants.
Background of a fragile agreement
European law generally prohibits sending personal data outside the EU unless the receiving country provides “essentially equivalent” protection.
The European Court of Justice has twice ruled (in cases known as Schrems I and Schrems II) that US surveillance laws fail this standard. Despite these rulings, the European Commission established the EU-U.S. Data Privacy Framework in July 2023, creating a third attempt at legalizing these crucial data flows.
What went wrong
The shutdown of this watchdog group was an early warning sign. The European Commission mentioned this oversight board multiple times when approving the data sharing deal. Without it working properly, a key safeguard for Europeans’ data is missing.
Privacy advocate Max Schrems, whose legal challenges led to the previous EU-US data agreements being invalidated, expressed concerns about the current situation:
“This deal was always built on sand, but the EU business lobby and the European Commission wanted it anyway. Instead of stable legal limitations, the EU agreed to executive promises that can be overturned in seconds.”
Unlike in Europe, where data protection authorities maintain independence through law, US oversight bodies like the PCLOB exist at the discretion of the executive branch. January showed how quickly these safeguards can disappear.
Stuck in uncertainty
For European organizations using US cloud services, the situation creates significant uncertainty. Technically, they can continue operating under the current framework until it is formally invalidated, but prudent businesses should consider contingency plans.
“While the arguments for the EU-US deal seem to be falling apart, companies can rely on the deal as long as it is not formally annulled,” notes Schrems. “However, given the developments in the US, it is more crucial than ever for businesses and other organizations to have a ‘host in Europe’ contingency plan.”
Furthermore, the Commission seems reluctant to admit that a major part of their agreement hasn’t been working for months. Every day without action increases the legal risk for European organizations.
How to protect your business
With the legal foundation crumbling, European businesses should take these simple steps to protect themselves:
- Find your data: List exactly what personal information your company sends to America and which services use it.
- Look for European options: Check out cloud services based in Europe that keep data within European borders.
- Make a backup plan: Create a step-by-step guide for moving your services to European providers if needed.
- Check your contracts: Read agreements with American providers to understand where your data is stored and how to end the service if needed.
- Keep up to date: Watch for news from data protection authorities who might provide guidance as things develop.
Data protection experts recommend preparing now, while there’s still time to make changes without rushing. Waiting for an official announcement that the deal has failed could leave businesses scrambling to comply with the law.
Europe’s digital independence at risk
This ongoing uncertainty highlights bigger questions about Europe’s control over its own digital future. While the EU has created strong privacy laws like GDPR, it still heavily relies on American tech companies.
The situation shows a clear double standard. The same administration that crippled the privacy watchdog group has pushed hard against Chinese-owned TikTok over concerns about foreign access to American data – while making it harder to protect European data from American surveillance.
As this standoff continues, more people are calling for European solutions that don’t depend on foreign tech companies. The Commission has plans for greater tech independence, but the current situation shows there’s still a long way to go.
For now, European businesses must navigate these uncertain waters while getting ready for possible disruptions. Whether the Commission eventually admits the deal is broken or tries to keep it alive despite its problems, sharing data between Europe and America seems less secure than at any point since the agreement was approved last summer.
