Impact of Trump’s Presidency on EU-US Data Transfer Agreement

February 12, 2025

US President Donald Trump took office in January 2025, and his actions are already having an impact on existing agreements between the US and the rest of the world. Many of his decisions are influencing the international political and economic landscape, with potential effects on both bilateral and multilateral agreements.

One of the agreements now at risk is the EU-US Data Transfer Agreement.

What is the EU-US data transfer agreement?

The EU-US Data Transfer System is a legal framework designed to regulate the transfer of personal data from the European Union to the United States, balancing the requirements of both EU and US laws. Under EU law, exporting personal data outside the EU has been restricted since 1995 unless the receiving country offers "essentially equivalent" data protection to that of the EU. This ensures that Europeans' personal information is not exposed to lax privacy standards in other jurisdictions. However, the United States operates under a vastly different legal regime, where national security and surveillance laws such as the Foreign Intelligence Surveillance Act Section 702 (FISA702) and Executive Order 12.333 permit extensive government access to data stored by major US tech firms like Amazon, Meta, and Google.

This fundamental divergence in privacy standards has led to ongoing tensions and legal conflicts, including the annulment of two previous EU-US data transfer agreements by the European Court of Justice in the Schrems I and Schrems II rulings.

In response to these challenges, the European Commission introduced a new agreement in 2023 called the Transatlantic Data Privacy Framework (TADPF), aimed at restoring legal grounds for transatlantic data transfers. Despite previous concerns, the Commission issued Implementing Decision (EU) 2023/1795 on 10 July 2023, formally adopting the TADPF. This decision allowed EU businesses to transfer data freely to US providers by relying on executive orders and assurances from the US government. A key element in this rationale was the role of the Privacy and Civil Liberties Oversight Board (PCLOB), which is tasked with monitoring US compliance with surveillance restrictions and privacy commitments. The Commission referenced the PCLOB 31 times in its decision as a crucial oversight mechanism, arguing that this body provides sufficient guarantees to meet the "essentially equivalent" standard for data protection.

However, critics have pointed out that these protections are built on a fragile foundation. Unlike EU laws, the safeguards underpinning the TADPF have not been codified in US statutes, as there was no congressional majority to pass such legislation. This lack of legal permanence means that the next US president could potentially dismantle these protections with a simple executive order. The PCLOB remains the primary oversight body ensuring compliance with privacy commitments under the framework, as other redress mechanisms in US law are often inaccessible due to restrictive standing rules that block most lawsuits. 

Trump dismisses PCLOB

The critics' warning has already come true. In a move that has raised significant concerns over transatlantic data flows, President Donald Trump dismissed three Democratic members of the PCLOB at the end of January 2025. This action has led to apprehensions about the future of the EU-U.S. Data Privacy Framework.

As already mentioned, the PCLOB plays a pivotal role in ensuring that U.S. surveillance practices align with European data protection standards, a key component of the Data Privacy Framework. The removal of these members has sparked fears that the board's independence and effectiveness could be compromised, potentially undermining the trust that underpins the data-sharing agreement. Privacy advocates warn that this politicisation of the oversight board may jeopardise the legality of transatlantic data flows, affecting thousands of companies that rely on this framework.

This development is the latest in a series of actions by the Trump administration that have strained US-EU relations concerning data privacy. The European Union has previously expressed concerns over U.S. surveillance practices and their compliance with EU data protection laws. The recent changes to the PCLOB could prompt European regulators to reassess the adequacy of the Data Privacy Framework, potentially leading to its suspension and causing significant disruptions for businesses engaged in transatlantic data transfers.

Storage of EU data on US-owned servers

For European data stored on servers owned by US companies like AWS (Amazon Web Services), the situation raises serious privacy and legal concerns due to conflicting laws between the EU and the US. Here's what it entails:

  • EU data protection requirements: Under the General Data Protection Regulation (GDPR), personal data exported outside the EU must be protected with standards that are "essentially equivalent" to EU laws. This includes transparency, limited government access, and strong rights for individuals over their personal data.
  • US surveillance laws: US laws like the FISA702 and Executive Order 12.333 allow the US government to request or access data stored by US-based companies, including AWS, without needing individual judicial approval or probable cause. This access extends to any data stored on servers owned by US companies, even if those servers are located within the EU.
  • Legal risks for data transfers: The European Court of Justice (ECJ) has ruled that US surveillance practices are incompatible with EU privacy standards, leading to the invalidation of previous data transfer frameworks (e.g., the Privacy Shield) in the Schrems I and Schrems II cases. Without legally adequate safeguards, data transfers from the EU to US companies may be challenged, creating uncertainty for businesses that rely on cloud services like AWS.
  • Potential consequences:
    • Data compliance issues: If EU regulators determine that US-based companies cannot guarantee adequate data protection, companies may face fines and restrictions under GDPR.
    • Operational disruptions: Businesses may need to move their data to EU-owned or local data centres to avoid legal challenges.
    • Reduced trust: Individuals and organisations may become wary of entrusting sensitive data to US companies, impacting their reputation and market position in the EU.

In summary, European data stored on US-owned servers like AWS faces heightened privacy risks due to US government surveillance laws, which may conflict with GDPR's stringent data protection standards. This legal tension continues to drive debates over data sovereignty and the future of cross-border data transfers.

Video conferencing and data protection of EU citizens

The impact of US surveillance laws on video conferencing services provided by US companies such as Zoom, Microsoft Teams or Google Meet is significant, particularly for organisations and users in the European Union. Here's how it affects video conferencing offerings:

1. Privacy risks and trust issues

European users and businesses expect high privacy standards under GDPR. However, US video conferencing providers such as Microsoft Teams, Google Meet, or platforms hosted on AWS are subject to US surveillance laws like FISA702 and Executive Order 12.333. These laws allow US authorities to potentially access video calls, chat messages, and stored recordings without notifying users. This undermines trust, particularly in privacy-sensitive sectors such as healthcare, education, and legal services.

2. Data compliance challenges

GDPR requires that EU users’ personal data, including video recordings, chats, and other call metadata, must be handled with appropriate safeguards. If a US company cannot guarantee "essentially equivalent" data protection, EU regulators could deem the data transfers unlawful. This has led to increased scrutiny of US-based providers and concerns about fines and sanctions for non-compliance.

3. Demand for local and alternative solutions

To avoid compliance risks, many European organisations are turning to privacy-focused, EU-based video conferencing providers or platforms that offer on-premise hosting options. Solutions like Digital Samba, for example, are marketed as GDPR-compliant and designed to keep data within EU jurisdictions, thereby mitigating the risk of unauthorised access by foreign governments.

4. Custom data flow arrangements

Some US providers have introduced measures to address these concerns, such as:

  • EU data centres: Hosting data on servers physically located in Europe.
  • Data residency options: Allowing customers to choose where their data is stored.
  • Enhanced encryption: Implementing end-to-end encryption to limit access, even for the provider itself.

However, these measures may still not fully protect against US government access under certain circumstances, leaving questions around compliance unresolved.

5. Business consequences

If EU regulators or courts challenge the legality of data transfers under the TADPF, US video conferencing providers may face operational restrictions in Europe. This could lead to lost business opportunities as European organisations shift to competitors offering stronger privacy guarantees.

In summary, US video conferencing providers face growing challenges in Europe due to privacy concerns and conflicting data protection laws. To stay competitive, these companies must improve their data protection strategies and build trust by offering robust, legally compliant solutions.

European video conferencing with a data privacy-first approach

There are various solutions on the market that not only address this data protection problem but also prevent it from becoming an issue, thanks to their business entity structure and European legal foundation.

Digital Samba’s video conferencing API is designed with privacy and compliance as top priorities, offering a secure and GDPR-compliant solution specifically tailored to meet the needs of European clients. Here’s how we address the data protection challenges posed by US providers:

1. Data hosting within the EU

Digital Samba ensures that all data—video calls, chat messages, and recordings—is hosted on servers located within the European Union. This eliminates the risk of data being subject to US surveillance laws like FISA702 and Executive Order 12.333, providing peace of mind that sensitive information remains protected under GDPR standards.

2. Strong privacy measures

Digital Samba’s platform adheres strictly to GDPR requirements by:

  • Minimising data collection: Only collecting data necessary for service functionality.
  • Providing data control options: Giving clients full control over access, storage, and deletion of data.
  • Ensuring user consent: Implementing features that require explicit user consent for data processing, including recording sessions.

3. End-to-end encryption

The API supports robust end-to-end encryption (E2EE) to protect data in transit. This ensures that only authorised participants can access call content, making it difficult for external actors, including Digital Samba itself, to intercept or decrypt video and audio streams.

4. Customisable data privacy settings

Digital Samba's API allows clients to configure privacy settings to align with their specific compliance needs. Organisations can control how data flows within their infrastructure, manage user access, and implement custom policies to ensure compliance with both internal and regulatory privacy standards.

5. No dependence on US legal frameworks

Unlike US-based providers, Digital Samba is not subject to US data access and surveillance laws. By keeping our operations and data centres within the EU, our platform significantly reduces the risk of foreign government access to user data. This approach also aligns with the EU’s requirement for “essentially equivalent” data protection, making Digital Samba a reliable choice for European organisations concerned about international data transfers.

6. Trust for privacy-sensitive sectors

Digital Samba’s privacy-first approach is particularly well-suited for industries where data protection is crucial, such as healthcare, education, finance, and legal services. Clients in these sectors can confidently use the API for video conferencing without worrying about breaches of privacy regulations.

By focusing on local data hosting, strict compliance with EU laws, and advanced encryption, Digital Samba’s video conferencing API provides a secure and compliant alternative for European clients who are wary of the risks posed by US providers.

If you are concerned about the protection of your personal and professional data, reach out to us to learn how Digital Samba can alleviate your privacy concerns while providing a future-proof video conferencing solution that remains unaffected by ongoing political arrangements and agreements. As a European company with a strong European foundation, we guarantee the use of subprocessors that are not only based in Europe but are also owned by European companies, ensuring they are not subject to any US legal regulations or laws. Contact our sales team to learn more about our legal structure and framework—they will be happy to assist you.
