The Data Deal Propping Up $9.8 Trillion in US-EU Trade Is Fraying

Mark Scott is a contributing editor at Tech Policy Press.

To the growing list of grievances between the United States and the European Union, it’s time to add another one: the EU-US Data Privacy Framework.

Signed during Joe Biden’s presidency in 2023, the data transfer agreement marked the latest transatlantic attempt to do what previous data deals had failed to do: allow reams of data including everything from social media posts to corporate payroll information to flow freely between Europe and the US.

Thousands of American and European companies rely on the pact. It underpins much of the annual trade between two of the democratic world’s largest economies.

"You have a 9.8 trillion-dollar transatlantic economic relationship and a lot of that does depend on the ability to transfer data," Alex Greenstein, data privacy framework director at the US Department of Commerce’s International Trade Administration, told a conference last month. "There is a strong economic case for why [the agreement] matters to companies in the United States."

But the principles behind the EU-US Data Privacy Framework have been a long-time bugbear for European privacy advocates — and that tension is starting to bite.

The advocates claim US data protection rules aren’t sufficiently rigorous as those offered within the 27-country bloc. That includes Washington’s reliance on a White House executive order, not legislation, to answer European concerns about mass surveillance of its citizens by US authorities.

They also look at the ability of American national security agencies to collect data on non-US citizens — under section 702 of the recently reauthorized Foreign Intelligence Surveillance Act (FISA) — as an illegitimate attack on Europeans’ fundamental rights.

"A European citizen will have fewer rights than an American citizen because at least the American can appeal," said French politician Philippe Latombe, who unsuccessfully challenged the EU-US Data Privacy Framework in one of Europe’s top courts.

Latombe again laid out his case at the start of the Computer, Privacy and Data Protection (CPDP) conference last week where the French lawmaker headlined the opening night in Brussels. After his legal challenge against the transatlantic data protection pact failed last year, Latombe appealed to Europe’s highest court, where judges were expected to hear arguments on potentially invalidating the transatlantic data transfer deal by the end of 2026, at the earliest.

The arguments surrounding the EU-US Privacy Framework boil down to one basic question: are US privacy standards essentially equivalent to those available within the EU?

That has been the awkward litmus test Europe’s top court has used ever since it invalidated the original transatlantic data transfer agreement in 2015. A subsequent ruling, in 2020, similarly overturned a revamped EU-US framework in which Washington went further to meet Brussels’ demands to align American data protection standards with those of the 27-country bloc.

Under previous US administrations, including President Donald Trump’s first term in the White House, American officials acknowledged the need to allow Europeans some form of legal redress in the US if they believed their personal data had been misused by the countries’ national security authorities.

Fast forward to 2026, and such transatlantic goodwill has mostly evaporated. Both sides have become more guarded in how they interact with each other, and European officials fret that existing legal commitments from Washington may not be as solid as they once were. The European Commission remains committed to the data transfer agreement, though Europe’s courts are likely to make the final decision if it should be invalidated.

As part of the current EU-US Data Privacy Framework, for instance, a White House Executive Order was created to limit bulk data collection on non-US citizens. That included outlawing mass surveillance related to issues around free speech and politics, as well as making such collection proportionate to specific US national security priorities.

The Biden administration’s goal was to demonstrate to European courts — in the case of any future legal challenge — that there were defined boundaries to the types of data collected on non-US citizens which mirrored similar limitations within the EU.

European privacy advocates, however, worry the current Trump administration may pare back or rescind that executive order, though such steps have yet to materialize. Unlike Europe’s stable of data protection laws, US’ efforts to update federal privacy standards have been led by the executive, not legislative branch.

Ongoing friction in the transatlantic relationship may inevitably weaken that foundation to EU-US Data Privacy Framework.

“Laws are not made for when we all get along and everything works,” Max Schrems, the Austrian privacy campaigner whose legal challenges invalidated the previous two transatlantic agreements, told an audience in Washington in March. “Laws are made for when things go bad.”

A separate concern is how a newly-created legal review mechanism within the US Department of Justice will stand up to legal scrutiny from Europe’s highest court. The so-called Data Protection Review Court was designed to give Europeans’ legal redress in the US against how their data was used by American national security agencies.

So far, only two complaints have been filed to that body. But the court was similarly created via an executive order, and its judges can be removed by the president. Such ties to the White House — and a lack of independent legal basis for any future privacy decision — are exactly what will likely form part of the inevitable challenge in Europe’s highest court about whether the current EU-US data deal should remain in place.

“The court in question is not even established by law,” Schrems said last year. “It takes a lot of mental flexibility to accept this as an independent court."