Project 2025 and the specter of mass surveillance in Europe
Austrian privacy activist Max Schrems says U.S. espionage could have a chilling effect on civil society.
VIENNA — In 2020, Max Schrems changed the way that American tech companies do business in Europe. A few years earlier, the Austrian lawyer and digital privacy activist had filed a lawsuit arguing that Europeans' data were not safe in the hands of companies like Meta, citing the revelation that U.S. intelligence agencies were indiscriminately collecting their communications on platforms like Facebook.
The European Union has a strict privacy law, the General Data Protection Regulation, which limits the ability of companies and governments to access users' communications, whatever their nationality. The United States has the Fourth Amendment, which restricts the state's ability to spy on Americans without a warrant. But Section 702 of the Foreign Intelligence Surveillance Act permits U.S. intelligence agencies to spy on practically any non-citizen "reasonably believed to be located outside the United States."
The European Court of Justice agreed that posed a problem. If Europeans' data could be transferred to the U.S., where foreigners are deemed to have no right to privacy, and then sifted through by U.S. intelligence, what would be the point of the GDPR? This is especially concerning given that even most European governments are dependent on digital services from Silicon Valley. As the court ruled, users "must be afforded a level of protection essentially equivalent to that guaranteed within the EU," which means allowing them to meaningfully challenge alleged privacy violations — the storing of personally identifiable information without consent — wherever they may occur.
In 2023, President Joe Biden addressed the ruling by issuing an executive order promising to protect Europeans' data from indiscriminate snooping. Among other things, the order allows EU citizens to raise alleged intelligence agency violations in a newly created privacy court; an independent agency, the Federal Trade Commission, was also charged with ensuring corporate compliance.
"The FTC has long committed to protecting consumers and privacy across borders," then-Chair Lina Khan wrote in a June 2023 letter, "and we are committed to enforcement of the commercial sector aspects of this framework."
But it is 2023 no longer, and there is good reason to doubt that deal — insufficient as it is, from the perspective of Schrems and other critics — will be upheld much longer. In Washington, a government openly hostile to Europe is now in power, led by a man who claims the executive orders signed by his predecessor are null and void. Early on, though, there was still denial about what this means for U.S.-EU relations.
"We had the first meeting on data transfers, I think, a month or two into the Trump administration, and [European leaders] were like, 'Well, we have a deal. It's fine,'" Shrems, founder of the privacy advocacy group NOYB ("none of your business"), said in an interview. "Like, guys," Schrems said, "you know that all of this is based on executive orders that he's going to turn over in two seconds for some other reason?"
As for the FTC: "Now that's not independent anymore," Shrems said, noting the Trump administration's claimed right to fire all of its Democratic members — a right that the conservative majority at the U.S. Supreme Court appears likely to uphold. "Suddenly, this whole structure of how we transfer data back and forth between the U.S. and Europe is collapsing because the oversight body is gone."
The Project 2025 plan for US espionage
Trump has not actually overturned the data-transfer agreement with Europe, even if he has said all of Biden's executive orders are "fully and completely terminated." But Project 2025, the Heritage Foundation blueprint for Trump's second term, flags that agreement as an infringement of U.S. sovereignty, urging officials to immediately "suspend any provisions that unduly burden intelligence collection."
"The United States has never seriously pushed back against the EU; now is the time," the Project 2025 document states, suggesting that European privacy concerns are mere cover for an attack on American industry.
The Trump administration's outrage at the European Commission — Secretary of State Marco Rubio described a fine imposed on X for breaching EU transparency regulations as "an attack on all American tech platforms and the American people" — is a possible sign of what's to come. In Washington, "America First" means protecting the right of American tech companies to do business wherever and however they please.
What hope is there, then, of this U.S. administration maintaining an agreement made by its predecessor?
As Schrems asked: "How do you deal with a clown? How do you deal with someone where there's no reasonable argument anymore?"
We need readers like you to support our independent journalism.
Consider a paid subscription or one-time donation to help us keep covering the global fight for democratic values.
You can also sign up to receive our weekly newsletter, full of original reporting and progressive analysis, and a monthly dispatch with exclusive commentary on international affairs.
In its official national security strategy, the Trump administration describes the European Union and present European governments as enemies of the people (quite literally defined as: white Europeans), accusing it of facilitating the "prospect of civilization erasure" by way of mass immigration. The White House also expresses open support for Europe's far-right opposition, describing "the growing influence of patriotic European parties" — Alternative for Germany, the Freedom Party in Austria — as a "cause for great optimism."
Suppose that such an avowed opponent of the EU got its hands on sensitive or compromising communications, not just from elected officials, but activists and journalists in Europe: Would an administration staffed by Project 2025 alum and other illiberal sympathizers share it with their right-wing allies in Europe? There is no evidence to date that they have, but it is not safe to assume they would not.
Europe's dependence on America and its technology sector is the heart of the problem. There is no short-term solution, Schrems told The Redoubt, but the decoupling could be advanced if the U.S.-EU data-transfer agreement is tossed aside in the coming months, either by another European court ruling or the Trump administration itself.
Whatever happens, Schrems said, Europeans need to be aware of what's at stake. Agreement or not, their data is being collected by an adversary that does not feel bound by the rule of law on either side of the Atlantic. Digital privacy may not be a top concern of most EU citizens, but it is vital for the survival of their liberal democracies.
"Spying on people is never going to be relevant for the average European, directly," Schrems said. "But indirectly, in the sense that typical targets are journalists, are politicians, are decision-makers in big companies, activists and whatnot? If they cannot communicate freely anymore without getting into trouble? We know that may not end well."
Follow the author on Bluesky and reach out if you have a tip.
