USA flying blind: Data protection authority without oversight – supervisory authority rendered ineffective

Data privacy crisis: Why the EU must react to US developments

USA: Data protection authority without oversight – data protection without control

The US was once considered a pioneer in data protection, but this image is increasingly crumbling. What was once taken for granted – the protection of personal data by an independent supervisory body – now seems a distant prospect. An alarming development casts a dark shadow over the privacy of millions of people: The central data protection authority, which is supposed to ensure compliance with the rules, is without effective oversight.

This situation is not only worrying, but also poses concrete risks. Who is monitoring whether companies and government agencies are handling your data responsibly? Who intervenes when data protection regulations are violated? The answer is alarming: no one, really. In this article, we examine the background of this development, analyze the potential dangers for citizens and businesses, and show what consequences this loss of control could have for the future of data protection in the USA. It's about more than just legal clauses – it's about your privacy.


The EU-US data protection crisis: PCLOB dismantling jeopardizes transatlantic data flows

The dismissal of several members of the Privacy and Civil Liberties Oversight Board (PCLOB) by the US government has rendered the central oversight body for data protection at US intelligence agencies ineffective – with potentially far-reaching consequences for transatlantic data transfers. While the EU Commission has so far reacted cautiously, European companies face increasing legal uncertainty when using American cloud services. This current development could fundamentally jeopardize the EU-US Data Privacy Framework (DPF), which was only introduced in 2023, and force companies to urgently review their data transfer strategies.

The PCLOB as a key component of transatlantic data protection

The Privacy and Civil Liberties Oversight Board was originally established in response to the recommendations of the 9/11 Commission and later expanded into an independent agency within the U.S. executive branch. Its primary mission is to ensure that the U.S. government's efforts to combat terrorism are consistent with the protection of privacy and civil liberties.

Within the framework of the EU-US Data Privacy Framework, which has been in force since July 2023, the PCLOB plays a crucial role. The body is tasked with monitoring whether US intelligence agencies comply with the data protection requirements laid down in Executive Order 14086. This monitoring function was a key factor in convincing the European Commission that the US provides an adequate level of data protection.

The historical development of transatlantic data protection

The history of data transfer agreements between the EU and the US is marked by several setbacks. The previous agreements – Safe Harbor and Privacy Shield – were declared invalid by the European Court of Justice, mainly due to insufficient legal safeguards against excessive access by US intelligence agencies to the data of European citizens.

The current DPF was intended to address these problems by, among other things, establishing independent supervisory bodies such as the PCLOB and introducing complaint procedures for EU citizens. The European Commission explicitly emphasized the importance of these supervisory mechanisms in its adequacy decision.

The current crisis: Dismissal of PCLOB members

On January 27, 2025, the Trump administration demanded the resignation of the three Democratic members of the PCLOB and ultimately dismissed them. This action reduced the five-member body below its quorum—with only one member remaining, the PCLOB is no longer able to function.

This development is particularly worrying because the PCLOB is a legally established independent agency whose members are appointed for fixed terms. Dismissing its members constitutes a direct infringement on this independence and could lead to a return to the early days of the body, when its work was subject to direct control by the White House.


Political dimension of the decision

The dismissal of the PCLOB members is not merely an administrative act, but sends a clear political signal: data privacy concerns are not a high priority in the current US administration. The move is in line with the Unitary Executive Theory, which is advocated by the current US government and seeks to place the entire executive branch, including nominally independent agencies, under direct presidential control.

Based on past experience, the reconstitution of the PCLOB is expected to take considerable time. During this period, the agency will be unable to initiate investigations or release reports on intelligence activities that may threaten civil liberties.

The EU Commission's reaction and the future of the DPF

Despite the obvious threat to the DPF, the European Commission has so far reacted cautiously to the dismissal of the PCLOB members. In its response to a parliamentary question of 14 April 2025, the Commission avoided taking a clear position on the risks to the stability of the agreement.

The Commission argued that Executive Order 14086, which forms the basis of the DPF, remains in force and contains safeguards for the data of EU citizens. It also referred to the legal remedy mechanism established by the Data Protection Review Court.

Possible consequences for the DPF

However, the PCLOB's inability to function could have far-reaching consequences for the validity of the DPF. In its first review report of October 2024, the Commission stated that it would "closely monitor the status of future vacancies and nominations/appointments" given the important role of the PCLOB.

Max Schrems, the Austrian data protection activist whose lawsuits led to the invalidation of previous agreements, sees the dismissal of the PCLOB members as already a “first hole in the TADPF.” There is a risk that the agreement will be challenged again before the European Court of Justice and possibly declared invalid, which would lead to considerable legal uncertainty.

The TADPF stands for Trans-Atlantic Data Privacy Framework and is the current data protection agreement between the European Union and the USA. It was adopted by the EU Commission on July 10, 2023, as the successor to the "Safe Harbor" and "Privacy Shield" agreements, which had previously been invalidated by the European Court of Justice.

Purpose and function

The TADPF aims to ensure an adequate level of protection for personal data transferred from the EU to the US. It is not a law, but rather an adequacy decision pursuant to Article 45(1) of the GDPR. US companies wishing to process personal data from the EU must voluntarily undergo a self-certification process with the US Department of Commerce and commit to complying with certain data protection standards.

Practical significance

  • Only certified US companies are allowed to invoke the TADPF and receive data from the EU.
  • Additional safeguards are still necessary for data transfers to non-certified US companies.
  • The TADPF is intended to provide legal certainty for companies in the EU and the USA and to facilitate transatlantic data traffic.

Criticism and uncertainties

The TADPF – like its predecessors – is subject to criticism because there are doubts as to whether the safeguards against surveillance by US authorities are actually sufficient. There is a risk that this agreement, too, could be declared invalid by the European Court of Justice in the future.

The TADPF is the current framework for transatlantic data transfers and is designed to ensure that personal data can be transferred from the EU to the USA in compliance with European data protection standards.

Impact on companies in the EU

The current situation poses significant challenges for European companies, especially those heavily reliant on US cloud services. US cloud services form the backbone of most European organizations, and a potential loss of the DPF could severely impact these business relationships.

Risks associated with data transfers to the USA

Should the DPF be declared invalid, companies transferring personal data to the US would have to implement alternative safeguards, such as Standard Contractual Clauses (SCCs). However, these offer less legal certainty and involve greater administrative effort.

Companies that use services from large technology companies like Google, Microsoft, and Meta, which are certified under the DPF, would be particularly affected. The abolition of the DPF could even force these tech giants to process European users' data in European clouds, which would involve significant costs and restructuring.

Recommendations for action for companies

Given the current legal uncertainty, companies in the EU should proactively review and, if necessary, adapt their data transfer strategies.

Review of cloud dependencies

A thorough analysis of your own cloud infrastructure is the first step. Companies should identify which of their systems and data depend on US-based cloud providers.

Cloudaware's Application Discovery and Dependency Mapping tools can help scan the entire environment – cloud and on-premises – and identify critical dependencies. This enables organizations to identify potential risk areas and develop alternative strategies.

Developing a strategy for emergencies

Companies should not only understand their current cloud dependencies but also develop a contingency plan in case the DPF is actually declared invalid. This could include implementing alternative transfer mechanisms such as SCCs or switching to European cloud providers.

Another important step is to verify whether US providers with whom data is shared are DPF-certified. The official list of DPF-certified companies is available at https://www.dataprivacyframework.gov/s/participant-search.


Growing uncertainty in transatlantic data protection

The dismissal of the PCLOB members marks a critical turning point for transatlantic data protection and poses a serious test to the EU-US Data Privacy Framework. Although the European Commission has so far upheld the validity of the agreement, uncertainty about its future is growing.

Companies in the EU should closely monitor these developments and prepare for potential changes. Reviewing and, if necessary, redesigning their cloud dependencies is not only a legal requirement but also a strategic measure to protect their business interests.

The coming months will show whether the DPF can withstand the current challenges or whether European companies will once again be confronted with a fundamental restructuring of their transatlantic data flows.

Konrad Wolfenstein