Since the Edward Snowden leaks in 2013, it has been known that the US is spying on users from the European Union by monitoring personal data from big US tech companies. The Privacy and Civil Liberties Oversight Board (PCLOB), the main US supervisory authority for these laws, is central to assessing data protection in the US.
However, reports suggest that PCLOB members who belong to the Democratic Party have been pressured to resign to by incoming Trump administration. On Monday of this week, the three Democrats serving on PCLOB “remain in their seats,” according to an agency representative. How this standoff plays out could jeopardize both the body’s ability to function and the independence of other appeal bodies.
The EU uses the PCLOB to legitimize data transfers under the Trans-Atlantic Data Privacy Framework (TADPF). If the framework is weakened, EU companies and institutions could be forced to forgo US cloud services.
Pushing for agreement despite differences
Currently, EU law requires that personal data be transferred to non-EU countries only when absolutely necessary or when equivalent data protection is guaranteed. However, US mass surveillance laws such as FISA702 allow extensive access to data without judicial authorization.
The European Court of Justice therefore ruled in the Schrems I and II cases that the US does not offer equivalent data protection. Despite these rulings, EU Commission President Ursula von der Leyen pushed for a new agreement, which became TADPF.
The TADPF was formally adopted on July 10, 2023, based on guarantees from US bodies such as the PCLOB to classify the US as “equivalent” in terms of data protection. However, these protections are not enshrined in law; instead they are based on executive orders and diplomatic will. They could thus easily be repealed by a new US president.
The European Commission relied heavily on the PCLOB in the agreement, although it functions only as a supplementary supervisory mechanism. Weakening the PCLOB would endanger the stability of the TADPF, even if short-term vacancies do not immediately cause the framework to collapse. Max Schrems criticizes the EU Commission for relying on uncertain monitoring mechanisms and wishful thinking instead of on stable legal protection.
A possible end within 45 days
The TADPF is in danger of collapsing under the Trump presidency, as Trump signed an executive order on Monday, Jan. 20, 2025. It provides for all decisions made by his predecessor Biden on national security to be reviewed and possibly repealed within 45 days. This could overturn the basis of the agreement in a matter of weeks. This would result in illegal data transfers between the EU and the US, said Schrems, who also criticizes the dependence of EU companies on such a politically unstable system.
If the US government repeals key elements of the TADPF, it could become illegal for EU companies to use US cloud services. Although data transfers will remain legal for now until the agreement is formally repealed, Max Schrems warns that companies should urgently develop contingency plans such as “Host in Europe” to prepare for potential legal uncertainties.
The European Commission is caught in a diplomatic dilemma. Repealing TADPF quickly would trigger protests from US big tech and possibly conflict with the Trump administration. On the other hand, inaction risks not warning EU companies and public institutions about the legal uncertainties in time.
The situation is reminiscent of the US debate about TikTok. There, data protection concerns were suddenly taken seriously as soon as US data was affected. If the EU were to annul the TADPF, EU data would have to be protected from access by the US government, which would have serious consequences for US big tech in Europe.
Read More from This Article: Will the US cloud soon be illegal in the EU?
Source: News