  • Industry News
  • Management, Awareness and Compliance

Trump puts transatlantic data transfer at risk

A secure transfer of data to the USA is crucial for companies. In many cases, European companies and authorities are dependent on cloud storage from the USA, particularly from Amazon Web Services (AWS), Microsoft and Google. But this could now be jeopardised.

IT services and data transfers compromised by the US government

Constant arbitrary measures by the US government are now also threatening the use of US IT services. These are almost always based on data transfers, but their legal basis no longer seems secure. This is suggested by a warning from the German Federal Minister of the Interior. However, this is not the first time that European companies have faced this problem.

Whether it's tariffs, the dismantling of the state apparatus or disregard for the judiciary, the Trump administration's arbitrary measures are causing unrest and distrust of the USA. Not a week goes by without new reports of arbitrary data access by Elon Musk's so-called "Department of Government Efficiency" (DOGE). According to a report in the US magazine Wired, DOGE has gained access to 19 highly sensitive databases of the US Department of Health and Human Services (HHS). This gives cause for concern as to whether at least rudimentary data protection can still be guaranteed in the USA.

Fears from the German Federal Ministry of the Interior are currently fuelling the debate about transatlantic data exchange. There is a risk that the "EU-U.S. Data Privacy Framework" (DPF) could be cancelled. This would mean that European companies would no longer be able to use US IT services such as cloud services without further measures. The agreement, also known as the Transatlantic Data Privacy Framework (TADPF), is the foundation for any transfer of personal data to the USA. This also includes cloud usage, such as AWS or Azure. Such a transfer is only permitted if data protection there is considered to be roughly equivalent to that in the EU.

 

Data protection committee unable to act

The current situation has arisen as a result of radical measures taken by the Trump administration. Compliance with the DPF in the USA was previously monitored by a body, the Privacy and Civil Liberties Oversight Board (PCLOB). However, by dismissing almost all members of this body, the Trump administration has called its ability to function into question. Beth A. Williams is currently the only person left on the board. It is considered impossible for the board to fulfil its tasks under these conditions.

Shortly before Easter, the acting German Federal Minister of the Interior, Nancy Faeser, expressed fears that the transatlantic data protection agreement DPF could be cancelled by Trump. In response, Iris Plöger, Member of the Executive Board of the Federation of German Industries (BDI), stated in the Handelsblatt newspaper that this "would have devastating consequences for companies and authorities and would lead to a great deal of additional work and legal uncertainty".

 

Data protection officer alarmed - trip to the USA

On Easter Monday, it was announced that the new German Federal Commissioner for Data Protection and Freedom of Information (BfDI), Specht-Riemenschneider, is travelling to Washington immediately to hold talks with the US government. In addition to talks with the PCLOB, this includes talks with two US ministries, the US Department of Commerce and the US Department of Justice, according to a BfDI press release. This bypasses the EU Data Protection Commissioner Wojciech Wiewiórowski, who is still in office. Specht-Riemenschneider is concerned as to whether the US commitments agreed with the EU as part of the Data Privacy Framework will continue to be honoured. Specht-Riemenschneider commented: "It is crucial for German and European citizens that their personal data remains protected in the future, for example when they use services from US companies or the services of German or European companies that rely on data transfers to the USA". The BfDI adds: "Companies also need clarity as to whether the EU-U.S. Data Privacy Framework can still be relied upon".

The Data Privacy Framework was already regarded as a rather fragile legal basis for transatlantic data transfer. This was partly due to the body's initial role in monitoring access to European personal data by US intelligence services. The data protection NGO NOYB ("none of your business"), founded by Austrian lawyer and data protection activist Max Schrems, writes about this: The USA "has far-reaching laws on mass surveillance (e.g. FISA702 or EO 12.333). These allow the US government to access all data stored by Amazon, Meta, Microsoft, Google and other US big tech companies without probable cause or individual court authorisation". This is the basis for fears that the Trump administration could arbitrarily access the data of EU citizens, as it already seems to be doing with US citizens. On the incidents at the PCLOB, Schrems writes on the NOYB website: "The fact that the US president simply removed people from a (supposedly) independent authority calls into question the independence of all other appellate bodies in the US".

 

No lasting legal certainty

The Data Privacy Framework was only adopted by the EU in 2023 after several years of negotiations. Prior to this, the European Court of Justice (ECJ) had declared the predecessor of the DPF, the Privacy Shield Agreement, invalid in 2020 in the Schrems II judgement. This in turn was the successor to the Safe Harbour Agreement, which was also overturned by Schrems in a lawsuit before the CJEU back in 2015. In both cases, the CJEU ruled that US law does not offer anywhere near the same level of protection as the European General Data Protection Regulation (GDPR). In an interview at the time, we asked Rebekka Weiß from Bitkom what this means for companies.

For some time now, data transfers to non-European countries have only been possible under certain conditions in order to protect sensitive data of EU citizens. "In general, EU law has prohibited the export of personal data to countries outside the EU since 1995. Exceptions exist in cases of absolute necessity (e.g. when sending an email to a non-EU country) or if the non-EU country offers 'essentially equivalent' protection of personal data," writes NOYB.

During her trip to the USA, the German Federal Data Protection Commissioner will also be attending the "Global Privacy Summit" data protection conference organised by the International Association of Privacy Professionals (IAPP), which is being held in Washington at the same time. Her authority estimates that the DPF is likely to be a key topic at the world's largest conference in the field of data protection, which will be attended by participants from regulatory authorities and government representatives as well as business, science and civil society.
