Trump Administration Playing Truth or Dare with EU-US Data Privacy Framework

Dr Divya Sridhar, Vice President, Global Privacy Initiatives & Operations, BBB National Programs

In the proverbial game of truth or dare, President Trump’s administration to date has been blunt about its plans to assert US competitiveness and dominance. It has also not been afraid to subject itself and others to some bold dares under a volatile political agenda.

Some see these high-level policy moves as the start of a domino effect on the trillion-dollar digital economy, which is underpinned by data privacy commitments.

The EU-US Data Privacy Framework (DPF) is one such transatlantic data privacy agreement, designed to streamline data flows across the Atlantic. It supports close to 3000 businesses, from “mom-and-pop” shops to unicorn-sized companies, by allowing entities that adhere to the framework to certify that they meet the data protection obligations on personal data transfers set forth by the European Commission and the US Department of Commerce.

Given the sheer number of companies participating in the DPF, 70% of which are classified as small and medium-sized, a transfer mechanism between the two jurisdictions offers a competitive advantage, continuity and streamlined business operations.

Much of both economies rests on digital data flows, and the vast majority of those flows are fueled by small or medium-sized businesses. If those businesses don’t have a low-cost and streamlined data transfer mechanism to depend on, they are likely to tank, taking their respective products, services, and jobs with them. This is not a future that is in either country’s best interest.

However, recent actions by the new US administration have created uncertainty about the future of the DPF and the adherence of US firms to the framework.

Recent Federal Actions Impacting the DPF

The EU-US DPF is, in its current state, still operating and a valid data transfer mechanism.

A few recent policy actions, including recent tariff struggles, are driving speculation that the US is shaking the tranquility of the transatlantic economic and trade relationships, at least in the short term.

Most recently, the new Trump Administration fired two Democratic Commissioners at the Federal Trade Commission (FTC), the administrative agency that oversees and enforces against consumer protection violations, including violations of the DPF principles.

The FTC works with the EU to protect consumer privacy across jurisdictions. While this is a temporary situation, it creates a vacuum in FTC enforcement until the remaining appointments are complete.

In addition, at the end of January, President Trump terminated three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), an independent intelligence watchdog created in 2007 that provides independent oversight of the Executive branch’s national security activities.

The PCLOB has been an integral part of the DPF, as it helps align US signals intelligence practices with the EU legal standards of necessity and proportionality, the grounds on which the DPF’s predecessor, Privacy Shield, was challenged.

On the flip side, the Trump Administration’s appetite is for deregulation of digital and tech policy rather than privacy specifically. For example, the recent wave of rescissions that President Trump carried out in his first 100-day plan did not include the Executive Order that backs the commitments made by the US with regard to the DPF.

DPF from the EU Perspective

While mainstream focus remains on the US position on the DPF, it should not be forgotten that the ball remains in the EU’s court regarding the validity of the EU-US DPF.

The European Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath, recently confirmed that the DPF is a valid transfer mechanism, putting weight behind its continuity. The Commissioner also recently met with newly appointed FTC Chair Andrew Ferguson, who has backed the US commitment to the DPF.

The “one-year look back” published by the European Commission in cooperation with US authorities in October 2024 provided clear evidence of the strengthened structures, procedures and protections now in place to back the DPF.

The principles that back the EU-US DPF have been in place for decades, since the first Safe Harbor framework came into force in 2000.

In previous iterations, these frameworks came under court challenges that required the US to strengthen its original framework to provide a level of privacy protection the EU considers adequate.

More recently, the updates made from Privacy Shield to the DPF left all seven principles (notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability) fully intact. Instead, they focused on strengthening process-related elements (for example, adding a Data Protection Review Court to support a two-level redress mechanism for complaints).

Should Organizations Stick to the Framework?

The lesson from court challenges like the original Schrems case and Schrems II is that, even after the invalidation of Safe Harbor and later Privacy Shield, many companies knew not to panic and leave, but instead to remain in compliance with the principles through uncertain times.

The US Department of Commerce also continued to operate as before. At that time, BBB National Programs likewise continued to offer its transatlantic data transfer compliance and IRM accountability services, including dispute and complaint handling.

Because of the independent, principles-based nature of accountability programs, companies are better off aligning to, and sticking with, a framework to ensure they have a viable mechanism to transfer data – especially in uncertain times. Organizations may find it better to wait things out and operate under their current commitments and compliance efforts, and then course correct if a new privacy framework comes into effect.

After the DPF came into effect, more companies joined it than had participated in Privacy Shield, up from 2400 companies to 2800. Perhaps the enforcement of the EU General Data Protection Regulation (GDPR) and an uptick in national privacy laws across global jurisdictions are prompting companies to fulfill their fiduciary duty to customers and key stakeholders through privacy compliance.

Regardless of the data transfer framework in place, organizations can and should continue to meet their business obligations with regard to transferring data overseas in a responsible manner. Even if challenged, it is likely that the framework is not going away for good, but instead, will only be further strengthened through its next iteration, all while being tied to the same uniform foundational principles.

Therefore, as we all hold on to our hats and wait to see how the US will act next, we should know that the expectations to demonstrate robust data privacy commitments will remain the same at their core, especially when backed by accountable privacy practices – regardless of whether the framework is questioned in truth or dared to improve.

Originally published in Infosecurity Magazine