The Trump Administration Should Not Mess With the EU-U.S. Data Privacy Framework
Unless and until the Court of Justice of the European Union strikes down the framework, the incoming Trump administration should keep its powder dry.
Published by The Lawfare Institute
When the first Trump administration took office in 2017, it kept in place the Privacy Shield framework, which enabled transfers of personal data from the EU to the U.S. At that time, the framework allowed continued transatlantic data flows without violating the EU’s data protection law, sustaining one of the world’s largest trading relationships.
The second Trump administration should exercise the same wisdom as to the successor of the Privacy Shield, the EU-U.S. Data Privacy Framework.
In both 2016 and 2024, Trump campaigned on promises to roll back his predecessors’ executive orders. Fortunately, the Privacy Shield was not included in these rollbacks. In remarks on his first day as Trump’s secretary of commerce in 2017, Wilbur Ross affirmed the importance of protecting the framework, and the Trump administration left undisturbed the foundation of the Privacy Shield—President Barack Obama’s Presidential Policy Directive 28 (PPD-28). This directive required intelligence agencies to extend to people outside the United States the privacy and civil liberties protections that intelligence laws and procedures accord to “U.S. persons,” i.e., U.S. citizens and noncitizens within the U.S. PPD-28 also designated a State Department undersecretary as an ombudsperson to review inquiries by individuals in the EU about surveillance that might affect them.
The economic calculus was simple: The cost of the Privacy Shield was low for the U.S., and undoing it would have handed the EU a trade barrier against U.S. businesses seeking to compete in European markets and reduced U.S. exports.
After the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield in July 2020, the Trump administration began negotiating a new arrangement. The Biden administration continued this work with the European Commission and arrived at a new framework in 2023. Like its predecessor, the new framework rests on a presidential directive, Executive Order (EO) 14086, issued in October 2022. In this year’s campaign, Trump weighed in on revoking Biden’s executive orders. But this might not—and should not—include the one that undergirds the Data Privacy Framework.
Disrupting this framework would endanger data flows that are vital to transatlantic trade and to businesses and consumers in both the U.S. and Europe. During the long negotiations when a new framework was uncertain, there was a risk that data protection regulators in the EU could cut off flows of personal data to the U.S. Now, over 2,800 companies are certified under the framework (more than under the Privacy Shield). This figure includes not just big tech companies but also significant numbers of financial services companies, retailers, professional services, and travel and tourism companies of all sizes that contribute to U.S. exports.
The Current Executive Order
Both Trump himself and Project 2025’s Mandate for Leadership, the comprehensive blueprint for remaking the federal government drawn up by the Heritage Foundation and loyalists from the first Trump administration, have called out specific Biden executive orders for repeal. Drafting has been underway on a raft of orders to accomplish this soon after Inauguration Day 2025. The Project 2025 report last year called for an “immediate study” of EO 14086 but did not recommend repealing the order or suspending any provisions that “unduly burden intelligence collection.” Indeed, the report recognized the order’s important role in enabling data flows and defending against a future challenge in the CJEU.
The incoming administration should avoid disrupting EO 14086 because it was carefully calibrated to fit elements of privacy protection essential under EU law into the confines of U.S. law and the constitutional separation of powers. The order does not change intelligence collection or procedures significantly but clarifies and codifies long-standing practices developed over multiple administrations. As Project 2025 has recognized, the Data Privacy Framework will inevitably face a challenge in the CJEU. Any significant changes to EO 14086 would jeopardize the Data Privacy Framework, potentially throwing commercial data transfers from Europe back into chaotic uncertainty and exacerbating distrust in the U.S. digital economy.
The CJEU invalidated the Privacy Shield on the basis that the Foreign Intelligence Surveillance Act (FISA) and PPD-28 failed to meet two key elements of EU fundamental rights. First, they failed to provide sufficient guardrails to ensure that surveillance (especially “bulk surveillance”) would be conducted on “necessary” grounds and remain “proportionate” to those grounds. Second, the review and redress mechanism lacked sufficient independence to constitute judicial oversight.
To enable the new framework, EO 14086 clarified and amplified the definition of the lawful purposes of surveillance under both FISA and the 1981 executive order (EO 12333) that governs surveillance conducted under the president’s national security and foreign affairs powers, and it spelled out more specific predicates for bulk surveillance. It also instituted processes to review inquiries about surveillance by EU residents, culminating in a review court, the Data Protection Review Court. This court consists of former federal judges and senior officials from both Republican and Democratic administrations who are available part time to hear cases that come to the court.
The new framework was based on an agreement in principle at the highest levels—between the U.S. president and the president of the European Commission. The final framework came only after lengthy negotiations to work out the details and get the EU side to accept terms that would not require changes to U.S. law or the Constitution.
The boundaries set out in EO 14086 on grounds for surveillance are a more detailed articulation of the purposes for which surveillance has been conducted in practice. To a great extent, they reflect practices followed even before the Edward Snowden leaks broke. To allay fears by spelling out U.S. guardrails, the intelligence community declassified its procedures in transformative ways unmatched by any other government. If practices resulting from PPD-28 and EO 14086 were not yet fully established before Snowden, they have been internalized in the decade since, reflected in what has become an extensive public factual record on the intelligence community’s “IC on the Record” site (hosted on Tumblr).
It is also conceivable that incoming Justice Department officials might object to the review process established by the order because the regulations for the appointment of the review court judges are based on the same statute as the regulations that enable the appointment of special counsel like Jack Smith. Judge Aileen Cannon dismissed the case before her on the grounds that Smith’s appointment violated the Appointments Clause of the U.S. Constitution, a ruling that is under appeal in the U.S. Court of Appeals for the Eleventh Circuit. In that appeal, former Florida Attorney General Pam Bondi signed a brief on behalf of the America First Policy Institute supporting the ruling before she was announced as the president-elect’s choice to become U.S. attorney general, in which capacity she would have the power to appoint judges of the Data Protection Review Court.
Whatever the merits of the Eleventh Circuit case, which will likely become moot soon, the data protection review judges present a very different case. Much of the argument against Smith’s appointment focuses on whether the breadth of his appointment as special counsel and his resulting independent powers make him more than an “inferior officer” of the United States within the meaning of the Constitution. By contrast, the data protection review court judges have much narrower tenures: They are part-time special government employees who can be called on periodically to review individual cases when and if they arise, supplementing the work of other oversight officials. In this limited capacity, they function as hearing officers with the narrow, short-term purpose of deciding whether particular instances of surveillance conform with intelligence law and procedures, and they report to intelligence agencies accordingly. In contrast to lengthy special counsel investigations and prosecutions, decisions of the review court are limited to the individual involved, without precedential value and without binding the intelligence community beyond that case.
The incoming administration may see the review mechanisms as some form of concession to Europeans. But providing a mechanism for independent recourse by Europeans was essential to addressing one of the CJEU’s grounds for striking down the Privacy Shield. It took considerable effort to educate Europeans on how federal court limits on standing to sue and the reviewability of various national security decisions make it infeasible to rely on federal courts for recourse, even if legislative changes could be enacted. Establishing the review court created a quasi-judicial review process by administrative means that could fit within these constraints on U.S. law.
EO 14086 also required a Justice Department opinion confirming that EU member states have reciprocal safeguards in place on intelligence collection, similar to the approach in the Republican-sponsored Judicial Redress Act of 2015. That act gave Europeans rights under the Federal Privacy Act to secure law enforcement information-sharing with EU members. If an incoming attorney general wants to push back on Europeans, looking into these reciprocal protections is a way to do so.
Any objections that the review court encroaches on intelligence gathering have no basis in fact, as the court has yet to hear any cases. U.S. and EU officials expect a case to emerge from the vetting by EU data protection authorities, but even so it is clear that EO 14086 has not opened any floodgates. However, undoing the recourse mechanism or other key elements of EO 14086 risks shutting off the free flow of digital commerce and valuable trading relationships with the EU. The incoming Trump administration should keep its powder dry unless the CJEU strikes down the Data Privacy Framework.