Edward Snowden, a whistleblower, revealed how the US government has been utilizing US IT companies to get data from the European Union since 2013. To try to address this, the Privacy and Civil Liberties Oversight Board (PCLOB) was created to monitor data privacy in the US and ensure that privacy laws are adhered to, especially when it involves data which moves between the Us and the European Union.
Recent reports, however, suggest that Democratic PCLOB members will be being pressed to step down form their current positions by the incoming Trump administration. Three Republicans are still in power as of this moment. The dismissal or forced resignation of these members could hinder the effectiveness of the board while having an effect on other organizations that govern data privacy.
The European Union depends on PCLOB to justify the transfer of data between Europe and the US under a special agreement called the Trans-Atlantic Data Privacy Framework (TADPF). This agreement was created to ensure that personal data from EU citizens remains protected even when transferred to the US. If PCLOB is weakened, businesses and institutions in the EU may have to stop using US-based cloud services because they would no longer meet EU privacy standards.
Under EU law, personal data can only be transferred outside the EU if the receiving country guarantees the same level of data protection as in Europe. However, US surveillance laws, such as FISA702, allow American intelligence agencies to access data without requiring court approval. Because of this, the European Court of Justice has ruled in the past that the US does not provide adequate data protection. These rulings, known as Schrems I and Schrems II, led to the collapse of previous data-sharing agreements between the US and the EU.
Despite these legal challenges, the European Commission pushed forward with a new agreement, which led to the creation of TADPF. This framework was officially adopted on July 10, 2023. The agreement was based on promises from US authorities, including PCLOB, that they would ensure proper data protection. However, these protections are not backed by law. Instead, they rely on executive orders and diplomatic agreements, meaning they could be easily overturned by a new US president.
The European Commission placed a lot of trust in PCLOB, even though it only serves as an additional oversight mechanism. Weakening PCLOB could make the entire framework unstable. Even though the system may not collapse immediately, it is becoming more fragile. Critics, such as privacy activist Max Schrems, argue that the EU is relying too much on uncertain promises instead of strong legal protections.
The situation became even more uncertain when Donald Trump signed an executive order on January 20, 2025. This order calls for a review of all national security decisions made by Joe Biden’s administration within 45 days. This means that TADPF could be overturned within weeks. If that happens, data transfers between the EU and the US would become illegal. Schrems has warned that EU companies should start preparing for this by considering alternatives, such as storing their data within Europe.
The European Commission now faces a difficult choice. If they cancel the agreement too quickly, they may face backlash from major US tech companies and risk conflict with Trump’s administration. On the other hand, if they do nothing, they risk not warning European businesses and institutions in time about the potential legal problems they might face.
This situation is similar to the debate in the US about TikTok. In that case, US lawmakers suddenly became concerned about data privacy when it involved data belonging to American citizens. If the EU cancels the TADPF, it would mean that EU data must be protected from access by the US government. This would have serious consequences for big US tech companies operating in Europe.
If the agreement is overturned, European companies that rely on US cloud services will have to find alternative solutions. Many businesses use services like Amazon Web Services, Google Cloud, and Microsoft Azure, all of which are based in the US. Without a legal framework for data transfer, companies may be forced to store their data in European-based services instead. This could be expensive and disruptive, especially for businesses that depend on US technology for their operations.
Some experts believe that the EU should have focused on creating stronger legal protections instead of relying on agreements that can be easily changed. The past failures of previous data transfer agreements show that the US government’s approach to surveillance is unlikely to change. This makes it risky for the EU to continue depending on the TADPF without solid legal guarantees.
For now, data transfers remain legal until the agreement is officially repealed. However, companies that operate internationally should start preparing for possible legal uncertainties. This could include shifting their data storage to European servers or finding legal workarounds to continue their operations smoothly. The main lesson from this situation is that data privacy agreements must be based on strong laws rather than temporary political agreements.
The uncertainty surrounding the TADPF highlights a bigger issue: the balance between national security and individual privacy. Governments argue that they need access to data for security reasons, but privacy advocates stress that individuals’ rights should be protected. This ongoing conflict is not just between the EU and the US but is part of a global debate on data privacy and digital rights.
The European Commission must now decide how to handle the situation. If they act quickly, they can avoid a legal crisis but might face political backlash. If they delay, businesses might be left unprepared for the possible legal consequences. In any case, EU companies and institutions must start planning ahead to avoid potential disruptions in their operations.
The situation also raises questions about the future of data privacy in an increasingly digital world. As more businesses move online and rely on cloud services, the need for strong data protection laws becomes even more important. If the EU and the US cannot find a stable long-term solution, companies may need to rethink how they handle personal data.
For now, the fate of the TADPF remains uncertain. The coming weeks will be crucial in determining whether the agreement survives or falls apart. Regardless of the outcome, this situation serves as a reminder that data privacy must be protected by laws, not just temporary political deals. European businesses and institutions must stay informed and be ready to adapt to changes in data protection regulations.
