How Making the PCLOB Great Again Hurt U.S. Business - A Self-Imposed Privacy Tariff
Retaliation Will Be Complicated.
As has now been widely reported, within a week of taking office in January 2025, the Trump Administration terminated the appointment of all three Democratic members of the Privacy and Civil Liberties Oversight Board (the "PCLOB"), leaving it with only one Republican member (one seat was already vacant). The PCLOB, instituted to address civil rights and privacy concerns arising in the context of U.S. government intelligence operations, had been playing an important oversight role in support of the EU-US Data Privacy Framework (the "DPF").
The DPF allows more than 2000 U.S.-based businesses, including major public companies, to do business in the European Economic Area (E.U. countries, Iceland, Liechtenstein and Norway), the UK, and Switzerland by obtaining personal data of their respective data subjects in the E.U. free of compliance burdens otherwise imposed by the General Data Protection Regulation (the "GDPR") and privacy laws of the other participating countries. More information about the DPF is available at https://www.dataprivacyframework.gov/s/ and https://www.commerce.gov/news/press-releases/2023/07/data-privacy-framework-program-launches-new-website-enabling-us.
Diminishing the PCLOB causes uncertainty and increases the cost U.S. businesses bear in serving their European customers—costs they will presumably pass on to customers. Put another way, reducing the PCLOB to a single Republican member works like a tariff on U.S. products and services provided to the European markets, applied not by a foreign government, but by our own.
On July 10, 2023, the European Commission (the “Commission”) issued an adequacy decision, concluding “that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the Union to certified organisations [sic] in the United States.” Commission Implementing Decision, EU 2023/1795, July 10, 2023 (the “Adequacy Decision”), Section 7. The Commission made that determination, in part, on the premise that the PCLOB would function as intended as part of the DPF.
The PCLOB is "entrusted with responsibilities in the field of counterterrorism policies and their implementation, with a view to protect privacy and civil liberties." To fulfill this function, the PCLOB has broad legal authority to access all relevant agency documents (including classified documents), interview witnesses and take testimony. Adequacy Decision, Section 167; 42 U.S.C. § 2000ee (g)(1)(A)-(B); Executive Order No. 14086, 87 FR 62283, October 7, 2022, (“EO 14086”).
The PCLOB is also tasked with conducting an annual evaluation of the DPF's redress mechanism created for European data subjects. This evaluation includes determining whether alleged DPF violations have been processed in a timely manner, whether the substantive safeguards have been properly considered, and whether the intelligence community has fully complied with applicable determinations. Reports of the outcome of the review are made to the President, the Attorney General, leaders of the intelligence community, Congress, and in unclassified form, to the public. Adequacy Decision, Section 194; EO 14086, Section 3 (e).
By law, the membership of the PCLOB includes a chair and four additional members, each appointed for a six-year term, no more than three of whom may be of the same party. Three members are required to achieve a quorum. 42 U.S.C. § 2000ee (h)(1), (2) & (5). Until it is again able to achieve a quorum (which would require President Trump to appoint at least one Democrat, something he is arguably not in a hurry to do), it's not clear what action the PCLOB can take or whether any action it takes is valid.
The same press release that announced the termination of the PCLOB's Democratic members states that the board "has significant ability to continue functioning with its full staff and remaining Member Beth Williams." Whether you read that statement as reassuring, aspirational, or self-serving, it is also irrelevant. The question of whether the DPF supported by a one-person, all-Republican PCLOB still provides an adequate level of protection is a determination for the Commission, not the administration, to make.
The backstory for diminishing the PCLOB may cause the Commission additional concern. The Mandate for Leadership 2025: The Conservative Promise, better known as Project 2025, suggests that "trade protectionism may be the real motive behind data regulations" and that intelligence oversight provisions should be reexamined and potentially suspended if they "unduly burden intelligence collection." There are two glaring problems with this view.
First, it shows a lack of appreciation and respect for history that may seem distant, but remains sensitive. E.U. residents have had their life experience and family histories shaped by governments' collection and abuse of personal data as tools for blackmail, repression, persecution, and genocide. To many Europeans, this isn't an abstract legal or policy question; it's deeply personal and often painful. Project 2025’s easy assumptions and self-serving characterizations about the importance of U.S. intelligence gathering sound like exactly the problem E.U. regulators intend to avoid.
Second, seeing the DPF as a barrier to access to the European market isn't just wrong, it's backwards. Every company that chooses to comply with the DPF does so because it already has an E.U. market for its products or services. Nor does the DPF bar access to new E.U. markets. After all, U.S.-based businesses need only self-certify their compliance with the DPF, which involves concepts already familiar to them under U.S. federal and state privacy laws. If compliance with the DPF involved taking disproportionate, unfamiliar, expensive, difficult, or counterproductive steps, major public companies, leaders in their fields, would not have risked exposure to liability or their reputations by signing up to comply.
None of this has been lost on European regulators or privacy leaders. The question of whether the DPF, operating with the now diminished PCLOB, provides an adequate level of protection has already been raised in the European Parliament, with a suggestion that suspension of the DPF may be in order. noyb, the privacy activism group founded by Max Schrems, the Austrian lawyer and privacy activist who successfully challenged the DPF's predecessor frameworks on adequate protection grounds, has already commented. A Commission spokesperson made a statement to the effect that the principles underlying the DPF “remain applicable irrespective of the members of the PCLOB.” It is not clear what that means now that the PCLOB has a membership of one.
The reduced PCLOB and the now uncertain fate of the DPF create significant business risk that leading privacy teams are already working, and paying, to mitigate. While the DPF remains in effect for now, forward-thinking U.S. business and privacy leaders are taking steps to continue accessing E.U. markets and serving their customers without interruption no matter what the DPF’s fate turns out to be.
The standard contractual clauses or SCCs provide the most familiar alternative legal basis for data transfers under the GDPR. One commentator has suggested that parties enter into the SCCs as a precaution, referred to as "springing" SCCs, meaning that the SCCs will go into effect if and when the DPF is suspended or repealed.
That is sound and thoughtful legal advice. However, acting on it entails out-of-pocket expense, delay, tension in business relationships, and the associated disruption. The SCCs come with attachments that must be negotiated to reflect every trans-Atlantic data controller-processor relationship. In certain cases, U.S.-based processors may need new SCCs with their subprocessors. Putting SCCs in place increases the cost and friction of serving European markets.
U.S. businesses may not have much flexibility in deciding when and how to respond to the reduced PCLOB. Their European customers, regulated under the GDPR as data controllers and once content to do business under the DPF, may prefer to put the SCCs in place now, before any reassessment of the DPF occurs.
The decision invalidating the Privacy Shield, the DPF’s predecessor data transfer framework, exposed U.S. businesses then involved in trans-Atlantic transfers of personal data to “new costs, risks, and complexity.” Cory, Castro, and Dick, ‘Schrems II’: What Invalidating the EU-U.S. Privacy Shield Means for Transatlantic Trade and Innovation, Information Technology and Innovation Foundation, December 2020, p. 11. If the DPF is invalidated, the impact will be significant and is likely to be hardest for small and medium-sized businesses to bear. Some will pay unanticipated legal fees. Some will exit their European business.
In addition to the increased cost and disruption to U.S. business, the reduction of the PCLOB demonstrated that the U.S. government’s commitment to any data transfer framework is subject to domestic political forces. That may be a factor motivating a decision, if there is one, to modify or invalidate the DPF. In any event, the damage to U.S. credibility will require time and effort to repair. If the U.S. business community needs a DPF II (or whatever the DPF’s successor framework is called), U.S. negotiators should expect to hear about that from their European counterparts.
The Trump Administration could resolve this situation by restoring the PCLOB to full strength using processes provided under existing law. Of the many ways this development may play out, that prospect seems among the least likely.
While the DPF’s fate remains uncertain, the costs U.S. businesses incur in responding to the reduction of the PCLOB will presumably be passed on to customers, making U.S. products more expensive and less competitive, just like a tariff.