US Cloud Services at Risk? Trump Administration Targets EU-US Data Deal
On January 23, 2025, alarming news surfaced that could shake the foundation of data privacy between the European Union (EU) and the United States (US). President Trump’s administration has taken its first steps to undermine the Transatlantic Data Privacy Framework (TADPF), a critical agreement enabling seamless data transfers across the Atlantic. These developments threaten the legality of EU businesses and institutions relying on US cloud giants like Google, Microsoft, and Amazon. This move brings the already fragile EU-US data transfer agreement into sharper focus, sparking concerns about mass surveillance, legal instability, and the future of global data flows.
A Key Oversight Mechanism Under Siege
At the center of this controversy lies the Privacy and Civil Liberties Oversight Board (PCLOB), a critical US agency established to oversee surveillance practices and protect privacy rights. Reports indicate that the Trump administration has asked Democratic-appointed members of the PCLOB to resign, effectively paralyzing the board. Without the minimum number of members required for decision-making, the PCLOB’s oversight capabilities are at risk, undermining the credibility of US assurances to the EU regarding data protection.
Learn more about DELTA Data Protection Manager Courses: DELTA Data Protection & Compliance Academy
This situation is especially troubling as the PCLOB has been cited extensively by the European Commission to justify the adequacy of the TADPF. Its incapacitation could call into question the framework’s validity, leaving EU businesses dependent on US-based data solutions in a precarious position.
The Transatlantic Data Privacy Framework
The TADPF, adopted by the European Commission in July 2023, aimed to address long-standing challenges in transatlantic data transfers. The framework replaced previous agreements such as Safe Harbor and Privacy Shield, both invalidated by the European Court of Justice (CJEU) in the Schrems I and II rulings. The court’s decisions highlighted US surveillance laws, such as Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12.333, that allow extensive government access to personal data stored by US companies.
Despite the legal hurdles, the TADPF was built on executive guarantees, such as oversight mechanisms and redress options, rather than legislative reforms. Critics have long warned that such assurances were vulnerable to political changes, and the Trump administration’s recent actions confirm these fears.
The Fragility of US Oversight Mechanisms
Unlike the EU’s robust data protection authorities, US oversight bodies like the PCLOB lack institutional independence. They operate within the executive branch and are subject to the president’s discretion. While these bodies were instrumental in convincing the EU of “essentially equivalent” data protection standards, their reliance on executive orders instead of codified laws has always been a point of contention.
Privacy advocate Max Schrems, whose legal battles led to the annulment of previous agreements, criticized the reliance on such mechanisms:
“This deal was always built on sand. The EU business lobby and the European Commission wanted it anyway, despite knowing that executive promises could be overturned in seconds. The direction this is taking in the first days of the Trump presidency already shows how unstable the framework is.”
Implications for EU Businesses and US Tech Giants
Should the TADPF collapse, thousands of EU businesses and institutions, ranging from schools to multinational corporations, will face significant legal uncertainties. These entities rely heavily on US cloud providers to manage operations, communicate globally, and store data. Without a valid adequacy decision, transferring personal data to the US would become illegal under EU law unless alternative measures, such as Standard Contractual Clauses (SCCs), are implemented. However, these measures are costly, complex, and not always feasible for smaller organizations.
For US tech giants, the stakes are equally high. Losing access to the EU market could lead to substantial revenue losses and operational disruptions. The situation mirrors the US government’s own concerns about Chinese-owned apps like TikTok accessing American users’ data, a striking example of the double standards in global data politics.
Learn more about Future Jobs & Manager Programs: DELTA Data Protection & Compliance Academy
The Clock is Ticking
President Trump’s executive order, signed earlier this week, mandates a review of all Biden-era national security decisions within 45 days. This includes key elements of the TADPF, raising the possibility that the framework’s core guarantees could be rescinded by mid-March. If this happens, the European Commission may have no choice but to annul the TADPF, leaving EU-US data flows in a legal limbo.
While businesses can technically continue using US cloud services until the TADPF is officially invalidated, the uncertainty has prompted experts to advise organizations to prepare contingency plans. Max Schrems recommends:
“Companies should act now and establish a ‘host in Europe’ strategy. Relying on a system of unstable executive orders is no longer a sustainable option.”
The European Commission’s Dilemma
The European Commission faces an unenviable task: balancing diplomatic relations with the US while ensuring compliance with EU data protection laws. Annulling the TADPF would provoke backlash from both US tech companies and the Trump administration. However, failing to act could expose EU citizens’ data to mass surveillance and undermine public trust in the Commission’s commitment to privacy rights.
The Future of Transatlantic Data Transfers
As the TADPF hangs in the balance, the EU and US must confront the deeper structural issues in their approach to data privacy. Without substantial legislative reforms in the US, any future framework will likely face similar vulnerabilities. For now, businesses and policymakers on both sides of the Atlantic must navigate an increasingly unstable landscape, where the stakes for privacy, trade, and international relations have never been higher.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com
