Politicization of intel oversight board could threaten key US-EU data transfer agreement

The Trump administration’s decision to order the resignations of all Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) could jeopardize a transatlantic data privacy agreement designed to protect the flow of commercial data between Europe and the U.S., potentially complicating the way American companies do business in Europe.

PCLOB plays a central role in a data agreement struck between the U.S. and the European Union in 2023 that allows data to flow freely between the two, despite differences in policy approaches. The EU has relied in large part on the PCLOB to ensure that the U.S. adequately protects personal data, and to address complaints from Europeans about any misuse of their data. 

The agreement, known as the Transatlantic Data Privacy Framework (TDPF), relies on the PCLOB as a “key oversight mechanism introduced by the U.S. to align its surveillance oversight and accountability standards with EU law,” according to Silvia Lorenzo Perez, the EU program director for security, surveillance and human rights at the Center for Democracy and Technology.

The PCLOB’s role in ensuring limited bulk data collection by U.S. intelligence agencies is vital for Europe, Perez said.

The credibility of the safeguards Europe has come to rely on as a prerequisite for allowing cross-border data flows “hinges on the PCLOB’s independence and operational capacity,” Perez said. “If the PCLOB is weakened or rendered non-functional, it undermines trust in the TDPF and the adequacy of protections for EU citizens’ data transferred to the U.S.” 

Although it’s unclear if Trump intends to kneecap PCLOB — it would not be able to operate with fewer than three members, and only one would be left if its Democratic members resigned or are fired — or appoint loyalists, having TDPF fall apart could dramatically change the way U.S. companies do business in Europe.

U.S. cloud services would be forced to rely on other mechanisms under Europe’s General Data Protection Regulation in order to continue data transfers. Those alternatives might not always be feasible and “come with big challenges,” Perez said.

Even the Trump administration’s threat to fire PCLOB members raises significant questions about the agency’s independence moving forward and therefore could imperil Europe’s faith in its oversight, Perez said.

The PCLOB is highly regarded in Europe and has been seen as a vital check on U.S. surveillance activities and as a necessary bulwark protecting against the violation of Europeans’ privacy, said Joe Jones, director of research at the International Association of Privacy Professionals.

If losing an operative and independent PCLOB leads to the collapse of TDPA then there would be a “legitimate and real question as to whether you could ever send European data to the United States,” Jones said.

Prominent companies have previously said that without the TDPA they might have to pull out of Europe, Jones said. 

“That's the high point of the consequences,” Jones said. “That's how bad it could get.”