|    alt.privacy    |    Discussing privacy, laws, tinfoil hats    |    112,125 messages    |
|    Message 112,062 of 112,125    |
|    Michael A Turrell to All    |
|    EU-US Data Transfers: Time to prepare fo    |
|    07 Feb 26 14:27:26    |
XPost: alt.privacy.anon-server
From: mike.am.surreal@earthleenk.nut

Most EU-US data transfers are based on the “Transatlantic Data Privacy Framework” (TADPF) or so-called “Standard Contract Clauses” (SCCs). Both instruments rely on fragile US laws, non-binding regulations and case law that is under attack – and is likely blown up in the next months. As instability in the US legal system becomes undeniable and the US shows open signs of hostility towards the EU, it is time to reconsider where our data is flowing – and how long the legal “house of cards” that the EU has built is holding up.

Layers of US and EU law. The “bridge” that the European Commission and previous Democratic US administrations built to allow EU personal data to be processed in the US does not rely on a simple, stable US privacy law. Instead, the EU and the US relied on a wild patchwork of tons of internal guidelines and regulations, Supreme Court case law, US factual “practices” or Executive Orders.

In an attempt to make ends meet, these layers are not supporting each other, but are lined up to generate the thinnest possible connection between EU and US law – meaning that the failure of just one of the many legal elements would likely make most EU-US data transfers instantly illegal. Just like a house of cards, the instability of any individual card will make the house collapse.

Given the enormously destructive approach of the Trump administration, many elements of EU-US transfers are under attack – often times not because of any direct intentions. Instead, the current US administration just widely attacks the US legal system and constitutional fabric (with the help of a highly politicised Supreme Court) – with many potential consequences for EU-US data flows.

1st Likely Point of Failure: FTC independence. This past Monday, the US Supreme Court has heard a case about the independence of the Federal Trade Commission (FTC). Ever since a case in 1935 (Humphrey's Executor), it is US Supreme Court case law that the US legislator can create “independent” bodies within the executive branch, which are somewhat isolated from the US President.

A previously fringe theory that, under the US Constitution, all powers of the executive must rest with one person only (the President) has now gained traction among US conservative lawyers. This so-called “unitary executive theory” would make any independent authority, such as the FTC, typically unconstitutional. All powers would need to be concentrated in the President.

In Trump v. Slaughter, the US Supreme Court now heard arguments of an FTC commissioner that was removed by Trump despite all independence guarantees in 15 U.S.C. § 41. Based on the comments and questions of the Judges, it is widely believed (see e.g. The Guardian, CNN or SCOTUS Blog) that the conservative majority on the US Supreme Court will side with Trump and (to one extent or another) follow the “unitary executive theory”, overturning FTC independence.

In combination with the US Supreme Court rulings on absolute immunity of the President, the US would thereby move increasingly towards a system where the President is an absolute “King” – at least for four years.

From a European perspective, FTC independence is a crucial element, because Article 8(3) of the EU Charter of Fundamental Rights (CFR) requires that the processing of personal data is monitored and enforced by an “independent” body. In the TADPF (and previously in the “Safe Harbor” and “Privacy Shield” systems), the EU and the US have agreed to give these powers to the FTC in the US – being such an “independent” body. Section 2.3.4. of the TADPF decision of the European Commission highlights the Enforcement role being with the FTC. Recital 61 and Footnote 92 explicitly refer to 15 U.S.C. § 41 as a basis to have the necessary independence guarantees in the US.

No other element in the TADPF has the necessary investigative powers and independence. There is private arbitration as well, but they lack any investigative powers or relevant enforcement powers. Consequently, any TADPF participant must be either governed by the independent FTC or the DoT (for transport organizations).

Trump v. Slaughter is scheduled to be decided in June or July 2026 at the latest, but could be decided earlier. So, it’s time to “buckle up” on this one and get prepared.

One path could be to switch to SCCs or BCRs, as they do not require an independent US body for enforcement, but also allow to make the agreement subject to an EU data protection authority. However, there are also massive questions as to how already transferred data can be brought “back” to any EU approved system or even brought “back” to the EU in general. Furthermore, SCCs and BCRs may also be affected by massive shifts in US law (see below).

2nd Likely Point of Failure: Data Protection Review Court. Directly in connection to Trump v. Slaughter, which deals with oversight in the private sector, the parallel question arises on how the so-called “Data Protection Review Court” (DPRC) can still be relied upon as any form of realistic redress against US government surveillance.

The DPRC has many legal issues (you could easily fill a PhD thesis with these problems), but crucially the DPRC is not a real US court – also because it is not established by law. It is actually a group of people within the executive branch that is solely established by an Executive Order of Biden (EO 14.086, see details below). This group of people may at best be called a “tribunal” from the perspective of Article 6 ECHR, but even this claim is probably an overstatement.

The crux is that, in relation to Trump v. Slaughter, the “independence” of this so-called “Court” is not even established by law (as 15 USC § 41 for the FTC), but by EO 14.086, so a merely internal Presidential Order that can be changed at any time.

Logically, if the Supreme Court in Trump v. Slaughter holds that independent executive bodies are unconstitutional, it may well be that any independence claims in EO 14.086 itself are (logically) also unconstitutional. This very much depends on the line of arguments that the Supreme Court will use in Trump v. Slaughter, but we may very likely see this as a direct consequence of any broader ruling.

This problem would expand far beyond the TADPF, because other transfer systems (SCCs or BCRs) rely on so-called “Transfer Impact Assessments” (TIAs) that in turn usually point to EO 14.086 and the DPRC as a ground why any EU controller came to the conclusion that US law may not overrule SCCs or BCRs beyond what is permissible under Article 7, 8 and 47 of the Charter.

If these elements are gone, we are down to Article 49 GDPR for “necessary” transfers (e.g. sending an email to the US, placing an order or booking a

[continued in next message]

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)    |
(c) 1994, bbs@darkrealms.ca