|    alt.privacy    |    Discussing privacy, laws, tinfoil hats    |    112,125 messages    |
|    Message 112,067 of 112,125    |
|    gallaxial to Michael A Turrell    |
|    Re: EU-US Data Transfers: Time to prepar    |
|    07 Feb 26 10:26:04    |
XPost: alt.privacy.anon-server
From: gallaxial@gallaxial.com

177 lines too much

On Sat, 07 Feb 2026 14:27:26 -0000, Michael A Turrell wrote:

> Most EU-US data transfers are based on the “Transatlantic Data Privacy Framework” (TADPF) or so-called “Standard Contract Clauses” (SCCs). Both instruments rely on fragile US laws, non-binding regulations and case law that is under attack – and is likely blown up in the next months. As instability in the US legal system becomes undeniable and the US shows open signs of hostility towards the EU, it is time to reconsider where our data is flowing – and how long the legal “house of cards” that the EU has built is holding up.
>
> Layers of US and EU law. The “bridge” that the European Commission and previous Democratic US administrations built to allow EU personal data to be processed in the US does not rely on a simple, stable US privacy law. Instead, the EU and the US relied on a wild patchwork of tons of internal guidelines and regulations, Supreme Court case law, US factual “practices” or Executive Orders.
>
> In an attempt to make ends meet, these layers are not supporting each other, but are lined up to generate the thinnest possible connection between EU and US law – meaning that the failure of just one of the many legal elements would likely make most EU-US data transfers instantly illegal. Just like a house of cards, the instability of any individual card will make the house collapse.
>
> Given the enormously destructive approach of the Trump administration, many elements of EU-US transfers are under attack – often times not because of any direct intentions. Instead, the current US administration just widely attacks the US legal system and constitutional fabric (with the help of a highly politicised Supreme Court) – with many potential consequences for EU-US data flows.
>
> 1st Likely Point of Failure: FTC independence. This past Monday, the US Supreme Court has heard a case about the independence of the Federal Trade Commission (FTC). Ever since a case in 1935 (Humphrey's Executor), it is US Supreme Court case law that the US legislator can create “independent” bodies within the executive branch, which is somewhat isolated from the US President.
>
> A previously fringe theory that, under the US Constitution, all powers of the executive must rest with one person only (the President) has now gained traction among US conservative lawyers. This so-called “unitary executive theory” would make any independent authority, such as the FTC, typically unconstitutional. All powers would need to be concentrated in the President.
>
> In Trump v. Slaughter, the US Supreme Court now heard arguments of an FTC commissioner that was removed by Trump despite all independence guarantees in 15 U.S.C. § 41. Based on the comments and questions of the Judges, it is widely believed (see e.g. The Guardian, CNN or SCOTUS Blog) that the conservative majority on the US Supreme Court will side with Trump and (to one extent or another) follow the “unitary executive theory”, overturning FTC independence.
>
> In combination with the US Supreme Court rulings on absolute immunity of the President, the US would thereby move increasingly towards a system where the President is an absolute “King” – at least for four years.
>
> From a European perspective, FTC independence is a crucial element, because Article 8(3) of the EU Charter of Fundamental Rights (CFR) requires that the processing of personal data is monitored and enforced by an “independent” body. In the TADPF (and previously in the “Safe Harbor” and “Privacy Shield” systems), the EU and the US have agreed to give these powers to the FTC in the US – being such an “independent” body. Section 2.3.4. of the TADPF decision of the European Commission highlights the Enforcement role being with the FTC. Recital 61 and Footnote 92 explicitly refer to 15 U.S.C. § 41 as a basis to have the necessary independence guarantees in the US.
>
> No other element in the TADPF has the necessary investigative powers and independence. There is private arbitration as well, but they lack any investigative powers or relevant enforcement powers. Consequently, any TADPF participant must be either governed by the independent FTC or the DoT (for transport organizations).
>
> Trump v. Slaughter is scheduled to be decided in June or July 2026 the latest, but could be decided earlier. So, it’s time to “buckle up” on this one and get prepared.
>
> One path could be to switch to SCCs or BCRs, as they do not require an independent US body for enforcement, but also allow to make the agreement subject to an EU data protection authority. However, there are also massive questions as to how already transferred data can be brought “back” to any EU approved system or even brought “back” to the EU in general. Furthermore, SCCs and BCRs may also be affected by massive shifts in US law (see below).
>
> 2nd Likely Point of Failure: Data Protection Review Court. Directly in connection to Trump v. Slaughter, which deals with oversight in the private sector, the parallel question arises on how the so-called “Data Protection Review Court” (DPRC) can still be relied upon as any form of realistic redress against US government surveillance.
>
> The DPRC has many legal issues (you could easily fill a PhD thesis with these problems), but crucially the DPRC is not a real US court – also because it is not established by law. It is actually a group of people within the executive branch that is solely established by an Executive Order of Biden (EO 14.086, see details below). This group of people may at best be called a “tribunal” from the perspective of Article 6 ECHR, but even this claim is probably an overstatement.
>
> The crux is that, in relation to Trump v. Slaughter, the “independence” of this so-called “Court” is not even established by law (as 15 USC § 41 for the FTC), but by EO 14.086, so a merely internal Presidential Order that can be changed at any time.
>
> Logically, if the Supreme Court in Trump v. Slaughter holds that independent executive bodies are unconstitutional, it may well be that any independence claims in EO 14.086 itself are (logically) also unconstitutional. This very much depends on the line of arguments that the Supreme Court will use in Trump v. Slaughter, but we may very likely see this as a direct consequence of any broader ruling.
>

[continued in next message]

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)    |
(c) 1994, bbs@darkrealms.ca