As EU Commissioner for Democracy, Justice and the Rule of Law, Michael McGrath will be at the center of debates about the DPF’s future.
Transatlantic Tech Tensions—The Future of the U.S.-EU Data Privacy Framework
By Kyler Schardein, Adjunct Fellow
As the second Trump Administration moves to assert greater control over independent regulatory agencies , its changes have drawn concerns about the future of the Privacy and Civil Liberties Oversight Board (PCLOB), a key component in the U.S.-EU Data Privacy Framework (DPF). Potential disruptions to the board’s oversight responsibilities risk upending the framework that maintains trans-Atlantic data transfers, heightening uncertainty about a vital aspect of the U.S.-EU economic relationship.
According to tIn 2023, the Commerce Department estimated that this lifeblood enabled over $1 trillion in annual trade and investment while supporting the entire $7.1 trillion U.S.-EU economic partnership, benefiting companies across the whole economy on both sides of the Atlantic.
Despite the value in preserving this trade, a stable framework to structure data flows has proven elusive over the last decade. The uncertainty began in 2015 when the Court of Justice of the European Union (CJEU) struck down the 15-year-old Safe Harbor agreement that allowed firms to self-certify their compliance with European data protection laws. In Schrems I, the CJEU ruled that Safe Harbor did not protect Europeans’ data adequately. In response, then-President Obama negotiated the Privacy Shield Framework with EU officials. In 2020, the CJEU struck down the Privacy Shield in Schrems II, ruling that the revised framework still did not go far enough in safeguarding EU citizens’ data.
Following the second ruling, then-President Biden issued Executive Order 14086, giving a central oversight role to the PCLOB, an independent agency tasked with a mission “to ensure that the federal government’s efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties.” The Biden Administration provided the PCLOB oversight over the revised Data Privacy Framework to address the European court’s concerns through monitoring and assessing the Intelligence Community’s adherence to EO 14086’s privacy provisions. In a 2023 report certifying that the United States offered sufficient data protection, the European Commission cited PCLOB oversight as a factor.
On January 22, President Trump fired the Democratic members of the PCLOB. This decision left the board with only one Republican member and lacking a quorum. Though two fired members—Travis LeBlanc and Edward Felten—are appealing their terminations in court, the board currently remains sub-quorum. This move has called into question whether the PCLOB can continue to fulfill its duties, as the board is no longer party-independent or able to issue formal reports. Silvia Lorenzo Perez, an expert at the Brussels-based Center for Democracy and Technology, states that Trump’s actions “effectively crippled PCLOB as an oversight body.”
Perceived tumult and disruption at the PCLOB may affect the framework’s ability to withstand legal review by the CJEU. Data privacy experts, including Mary T. Costigan—a U.S.-based expert—and Lorenzo Perez, have warned that a sub-quorum PCLOB may invite additional legal suits within the EU and negatively influence any CJEU deliberations about the DPF. Even before the terminations, the European Parliament and European digital policy experts expressed skepticism about the sufficiency of the DPF’s protections.
Even if the DPF can withstand legal challenges, the Trump Administration may seek to revise the framework substantially. The Heritage Foundation’s Project 2025 Mandate for Leadership accused the EU of using data export restrictions as a trade tool and unfairly singling out the United States for onerous regulations. Regarding the DPF, the report urged, “an incoming President should ask for an immediate study of the implementation of Executive Order 14086 and suspend any provisions that unduly burden intelligence collection” while pushing to “reset Europe’s expectations.” Though Trump has attempted to distance himself from Project 2025, many individuals involved in developing the report were veterans of his first administration, and some have been nominated or appointed to positions in his second administration.
Whether through conflicting imperatives of the parties or a CJEU ruling, the absence of a bilateral data privacy agreement would lead to significant uncertainty for the trans-Atlantic business community. In its first year, over 2,800 firms were certified under the DPF. Under EU law, these and other U.S. firms would have limited compliance alternatives. A firm could create Binding Corporate Rules (BCRs) with data protection policies that conform to EU privacy standards. However, EU officials must approve every individual BCR agreement, presenting a potential capacity issue if used as a stand-alone solution. Further, subsequent CJEU decisions could impact BCRs; in Schrems II, the CJEU imposed more stringent responsibilities on firms using a similar mechanism. Some firms like Meta have floated withdrawal from the European market rather than navigating a post-Schrems II regulatory environment without a bilateral deal.
Despite the potential economic fallout of firms leaving the European market, established EU law and political pressure may limit the European Commission’s maneuverability in negotiations. Given existing European concerns about the DPF’s adequacy, the Commission would likely encounter significant pushback to pursuing any remedy perceived as weakening data privacy standards. Moreover, though the Commission negotiates frameworks and makes adequacy determinations, these decisions are subject to court review. The Schrems’ decisions suggest an agreement with less stringent privacy protections may only serve as a stopgap.
Additionally, a prolonged U.S.-EU data dispute may fuel European arguments for phasing in data localization, requiring EU citizens’ data to be hosted in the EU and other designated countries. Though potentially expensive, this approach would be congruent with the “digital sovereignty” approach of recent EU legislation, such as the Digital Markets Act and the Digital Services Act.
Markets and trade rely on a degree of predictability, and the firings of the PCLOB’s Democratic members ultimately underscores the uncertainty around the DPF’s future. Going forward, the Trump administration, the European Commission, and likely the CJEU will have to make crucial decisions about the DPF and the trajectory of trans-Atlantic data transfers. Policymakers should strive to provide a lasting foundation for the smooth maintenance of data flows critical to economies on both sides of the Atlantic.
Image Credit: European Parliament, CC BY 2.0 via Wikimedia Commons
