Digital data flows showing privacy board and disruption to EU-US data transfers

Trump Removal of Privacy Board Members Could Throw EU-US Data Transfers Back Into Chaos

As part of his broad housecleaning amongst federal officials and employees, Donald Trump has removed three Democrat-affiliated members of the Privacy and Civil Liberties Oversight Board (PCLOB). That could send EU-US data transfers back into chaos after things had finally seemed to stabilize with the 2023 EU-US Data Privacy Framework, though the privacy board does remain intact.

The European Commission has not committed to any actions yet, but has said it is monitoring the situation and will “respond appropriately.” The 2023 agreement allowed the US to once again join the ranks of trusted EU data partners after years of legal challenges upended prior agreements, and the door would be open for those challenges to return if the board is determined to have been rendered ineffective.

Trump dumps all Democrats from privacy board

Trump fired the Democrat members of PCLOB on January 17, after having given them several days to voluntarily resign. The privacy board has indicated that its work is now at a standstill until replacement members are appointed, which involves a nomination and confirmation process.

The news impacts EU-US data transfers as the privacy board serves as the watchdog for US intelligence access to foreign communications, ensuring these agencies do not run afoul of the terms agreed to in the 2023 framework. After the General Data Protection Regulation (GDPR) was instituted in 2018, Meta (then Facebook) was the target of privacy complaints pointing out that its international data transfers did not pass the regulation’s security requirements. The EU courts eventually ruled that data transfer partner nations must be able to ensure parity with EU privacy standards, and that the US was not an adequate data partner due to known routine interception of foreign communications by its intelligence agencies.

The privacy board is also the agency that fields questions and complaints from European users about how US entities might be handling their data, a critical component of the current adequacy terms that EU-US data transfers are operating under. If PCLOB is hobbled to the point that it cannot address these requests, it might open the door for another legal challenge from privacy groups in the EU akin to those that scrapped the prior agreements in 2015 and 2020.

Trump-tech alliance raises questions about EU-US data transfers

The concerns amidst EU-US data transfers come amidst broader tensions caused by the tech industry’s strong alignment with the Trump administration. Figureheads that have seen their companies be heavily regulated and that have publicly clashed with EU authorities over bloc privacy and speech laws, such as Mark Zuckerberg and Elon Musk, have made themselves very close with Trump and are expected to receive favorable treatment during his term.

The driving force behind the previous challenges to EU-US data transfers, Max Schrems and his privacy advocacy group noyb, has not committed to any new actions as of yet but has said that the Trump administration’s direction is “really not looking good.” But it would likely take a demonstrable failure by the privacy board to protect the personal data of Europeans before any new legal action could be taken. One move that might accelerate the pace of the situation would be a repeal by Trump of the Biden-era executive order that affirmed the 2023 framework. There is no specific indication of that happening as of yet, but Trump has ordered that all Biden orders related to national security decisions be reviewed for potential repeal within the next 45 days.

If that executive order is ultimately repealed, it would not automatically invalidate EU-US data transfers. However, it would very likely dissolve the privacy board and prompt the EU Commission to review and invalidate the framework, without Schrems or anyone else necessarily needing to issue another legal challenge to get the ball rolling.

But thus far there is not yet a reason to sound an alarm. The privacy board has one remaining member, Republican-appointed Beth Williams, but requires only three members in total to take official actions. If two new members are approved to the board in a timely fashion and Trump does not repeal the prior Biden order, EU-US data transfers could continue as usual. Trump has already rescinded some other Biden orders on technology, but this particular order is generally to the benefit of the big tech interests that now sit in his court. Meta and others would be forced back to the drawing board in the EU after years of wrangling, a state of affairs that already frustrated the company so much that it at one point threatened to simply withdraw its services from Europe entirely. Trump has also famously clashed with the “deep state” intelligence agencies that have conducted the warrantless surveillance and indiscriminate gathering of foreign communications that prompted all the EU difficulties in the first place.