The Emperor's New Data Deal? Trump's Actions Expose the TADPF's Fragility
2025-01-23
Let's be honest, nobody really believed the dust had settled on transatlantic data flows. Despite the European Commission's concerning meekness in this whole affair, most of us knew the EU-US Transatlantic Data Privacy Framework was a fragile construct, a carefully crafted illusion of security. And now, with President Trump's latest moves, the pretense is crumbling, and the TADPF's vulnerability is laid bare for all to see. The fig leaf of "adequacy" is gone.
Once again, it is a newly elected President Trump pulling the strings, this time targeting the Privacy and Civil Liberties Oversight Board (PCLOB), a key component of the TADPF. By seeking to remove key members and potentially paralyze its operations, he's effectively undermining a cornerstone of the agreement. This, combined with a sweeping review of Biden-era national security decisions, is a clear and present danger to the entire framework. Nobody was fooled into thinking this agreement was robust, but this is far worse, and far sooner than anticipated. This echoes the 2017 executive order that sought to strip non-US citizens of privacy protections, an action that threatened to unravel the previous Privacy Shield agreement. As we saw then with concerns surrounding the Judicial Redress Act, seemingly indirect actions can have devastating consequences on these fragile data transfer frameworks.
For those of us championing the EuroStack ideas of European digital sovereignty, this is a resounding affirmation of our core principles. We've been consistently highlighting the folly of relying on US tech giants and precarious transatlantic agreements that hinge on the whims of a foreign power. The TADPF was always a house of cards, and Trump just blew on it. Again. As we said back in 2017 about the Privacy Shield, any suspension or effective invalidation of the TADPF will mean a "return to legal uncertainty" for a multitude of businesses that rely on transatlantic data flows, including both European tech giants and many smaller businesses. The EDPB itself warned that data exporters must "continue taking the actions required to comply with the case law of the CJEU," highlighting the precariousness of the situation.
But what's at stake is not only data protection; this is about reclaiming control. This underscores our firm belief that technological autonomy is paramount to our security and self-determination. The echoes of 2017 are deafening. Just as then-EU Parliament member Jan Philipp Albrecht called for the suspension of the Privacy Shield, we must again consider drastic measures to protect European data sovereignty. The European Commission, like before, might suggest that the core functions are untouched, as Věra Jourová did in 2017, but the reality, as was apparent then, is that these frameworks are built on a foundation of sand, easily eroded by the shifting tides of US policy.
Annex: TL;DR of the noyb Article
Since it is rather technical, here's a summary of the key points from the noyb article:
- The Problem: US surveillance laws (like FISA 702 and EO 12333) allow the US government to access data stored by US tech companies, potentially without individual judicial approval. This conflicts with EU law, which requires "essentially equivalent" data protection for data transferred outside the EU.
- TADPF Under Threat: The TADPF, passed in 2023, was designed to bridge this gap and allow data transfers. However, it heavily relies on executive guarantees and oversight bodies like the Privacy and Civil Liberties Oversight Board (PCLOB), rather than solid US legislation. These are seen as weak and vulnerable, especially under a Trump administration.
- Trump's Actions: Newly elected President Trump has taken steps that threaten the TADPF. He has requested the resignation of Democratic members of the PCLOB, potentially rendering it non-functional. He has also ordered a review of all Biden national security decisions, including those underpinning the TADPF, within 45 days. The removal of the PCLOB members is the first hole in the agreement, and the review threatens to topple the entire framework.
- Weak Foundations: The article criticizes the European Commission for relying on these fragile executive guarantees instead of pushing for stronger US legislation. The TADPF is described as being "built on sand" and vulnerable to political shifts. The independence of US oversight bodies is also questioned.
- Consequences for Businesses: If the TADPF is annulled, using US cloud providers like Apple, Google, Microsoft, or Amazon could become illegal for EU businesses, government agencies, and schools. This would create a significant legal and operational challenge.
- Commission's Dilemma: The European Commission faces a difficult choice: quickly annul the TADPF and potentially anger the US, or wait and risk leaving EU businesses exposed to legal risks.
- Call to Action: While data transfers remain legal for now, the article strongly advises EU businesses to prepare a "host in Europe" contingency plan in case the TADPF is revoked.
References
- US Cloud soon illegal? Trump punches first hole in EU-US Data Deal, noyb, 2025.
- Statement 01/2022 on the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework, CNIL, 2023.
- French lawmaker challenges transatlantic data deal before EU court, Politico, 2023.
- Max Schrems' Keynote at OSXP in 2022
- Quel avenir pour le privacy shield sous Donald Trump ?, IREDIC, 2017.
- Trump order strips privacy rights from non-U.S. citizens, could nix EU-US data flows, TechCrunch, 2017.
- Trump signs 'no privacy for non-Americans' order – what does that mean for rest of us?, The Register, 2017.