Much of Big Tech may have aligned itself with President Donald Trump, but U.S. tech firms large and small could soon find themselves ruing his actions.
According to a Wednesday New York Times report, the president has ordered three Democrat-picked members of the independent Privacy and Civil Liberties Oversight Board (PCLOB) to resign by the end of Thursday. That would leave just one Republic-picked member on a board that is supposed to have five members (one seat is already vacant) and needs at least three to function.
Paralyzing the agency, which was established as U.S. intelligence activities surged in the wake of the 9/11 terrorist attacks, could have serious domestic implications. Sen. Ron Wyden (D-OR) said Trump would be “kneecapping one of the only independent watchdogs over government surveillance who could alert Congress and the public about surveillance abuses by his administration.”
But the move also threatens to sink a U.S.-EU data-sharing agreement that is a lifeline for American companies that handle the personal data of European customers. Without it, they would have no legal basis for operating in the EU, and would likely have to withdraw from the market.
The agreement, known as the Data Protection Framework (DPF), is the latest in a line of three. The first two were struck down by the EU’s top court, in cases initiated by the Austrian lawyer and privacy campaigner Max Schrems — the first version, Safe Harbor, was cancelled in 2015, while its replacement, Privacy Shield, bit the dust in 2020.
“Where the first Trump waves hit [the DPF], it may soon dissolve…and bring many EU businesses into a legal limbo,” Schrems warned Thursday, in the wake of the Times report.
Deal after deal
To understand the urgency of the situation, it is worth looking back at what the stricken deals and their replacement were intended to achieve.
EU data-protection law says that Europeans’ personal data can only be sent to an outside country that provides an “adequate” level of protection for that information — its privacy laws don’t need to be exactly the same, but they should be roughly equivalent.
The U.S. has no federal privacy laws outside the realms of health-care and children’s data, but it is also the country where most of European consumers and businesses’ favorite services are based. So to square this circle, the European Commission repeatedly struck agreements with the U.S. Department of Commerce, based on U.S. assurances. The deals established registers that American companies could sign up to, to promise that they would provide EU-grade protection for Europeans’ personal data, even if their country’s laws did not. This allowed the Commission to bestow “adequacy” status on the U.S. and make transatlantic data transfers fairly painless.
The Commission is a political body that needs to play nice with the U.S., but the EU courts are not. The Court of Justice of the European Union struck down Safe Harbor and then Privacy Shield because those U.S. assurances didn’t actually protect Europeans’ data when it went across to American data centers — U.S. intelligence agencies could still access that information with near impunity, the companies had little way to push back, and Europeans had no useful way of complaining.
After Privacy Shield’s demise, the situation headed into a full-blown crisis for Big Tech. When the Court of Justice cancelled that deal, it also blew a hole in the other legal mechanisms that large tech companies — particularly Meta, the company at the center of the ruling — had been using to send Europeans’ data to the U.S. In May 2023, the Irish regulator announced an October ban on Meta’s transatlantic data transfers, despite the company’s warnings that it would have to pull Facebook and Instagram out of Europe.
So when the DPF was finally approved by the Europeans in July 2023, it was a last-minute reprieve for Meta, its peers, and countless smaller U.S. tech firms.
This time, the U.S. assurances came in the form of a 2022 executive order from President Joe Biden, extending safeguards on U.S. intelligence collection and, crucially, establishing a Data Protection Review Court that could handle Europeans’ complaints about the treatment of their data in the U.S.
The new court has to be re-certified each year by the Privacy and Civil Liberties Oversight Board, which is supposed to make sure that the U.S. intelligence community is keeping its privacy promises. So if PCLOB is paralyzed, a central pillar of the U.S.-EU data-sharing deal collapses.
Fraying bonds
Schrems, the lawyer whose activism led us to this point, has been warning since the DPF was approved that it would meet the same fate as its predecessors. Now he sees that outcome drawing closer, particularly if Trump rescinds the executive order that allowed the deal to take place.
“I can hardly see that a Biden executive order that was forced upon the U.S. by the EU and regulates U.S. espionage abroad would survive in Trump's logic,” Schrems said in a statement.
“There were long discussions as to the functioning and independence of these oversight mechanisms. Unfortunately, it seems that they may not even stand the test of just the first days of a Trump presidency. This is the difference between solid legal protections and wishful thinking — the European Commission has solely relied on wishful thinking.”
A Commission spokesman said Thursday that the EU executive body had seen the media reports but would "not speculate at this point." However, he stressed that the terms of the DPF apply regardless of PCLOB's membership.
The U.S. Commerce Department did not reply to a request for comment, while Meta declined to comment.
Although this could be the return of a recurring regulatory nightmare for U.S. Big Tech and its European users, it comes at a time of unprecedented antagonism between the sector and the European authorities.
Meta CEO Mark Zuckerberg earlier this month weakened Facebook and Instagram’s anti-hate-speech policies, potentially setting up a clash with new EU content rules that are already being used to crack down on Elon Musk’s X. At the same time, he urged President Trump to force the EU not to penalize U.S. tech firms for antitrust and other violations — a move that would amount to telling the EU it cannot apply its own laws on its own territory.
It remains to be seen how the Trump Administration and the European Commission will handle these and other issues, at a time when other factors like tariffs and China policies will surely come into play. But the implications will be significant, and PCLOB may turn out to have been just the first domino to fall.
