Clifford Chance

Talking Tech

Transatlantic Data Transfers: EU raises concerns over U.S. oversight changes (again)

Data Privacy 6 March 2025

On January 27, 2025, the White House announced the removal of Democratic members from the Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency responsible for ensuring transparency and accountability in U.S. surveillance practices. The dismissal of these members, including the Chair, has left PCLOB without a quorum, hindering its ability to take formal action. 

The Department of Government Efficiency (DOGE), led by Elon Musk, had been granted increased access to sensitive government databases.[1]

These developments, among others, have intensified scrutiny over data security and oversight within the U.S. government, raising alarm among EU policymakers regarding potential risks to European citizens' personal data.

With transatlantic data transfers already under a fragile truce, these latest developments could be the spark that reignites a regulatory firestorm.

The EU’s cyclical approach to transatlantic data transfers

Transatlantic data transfers have historically been a recurring issue for EU regulators—rising and falling in priority depending on political and legal developments. In recent months, the focus had shifted toward broader digital sovereignty concerns, particularly through initiatives like the European Cloud Certification Scheme (EUCS). However, the Trump administration’s return to power signals a sharp turn back toward more aggressive scrutiny, reviving questions about the reliability of U.S. safeguards.

European Parliament's response to U.S. oversight changes

On February 5, 2025, MEP Raquel García Hermida-Van Der Walle submitted a formal parliamentary inquiry addressing U.S. data privacy policies. She questioned whether the European Commission acknowledges the concerns surrounding PCLOB’s independence and whether it would consider suspending the 2023 adequacy decision for data transfers from the EU to the US (the EU-US Data Privacy Framework) until the board is fully reinstated as an independent body.

The PCLOB plays a crucial role in overseeing U.S. intelligence agencies, especially those operating under the Foreign Intelligence Surveillance Act (FISA) Section 702. Its independence was a central pillar of the European Commission’s adequacy decision, and its current paralysis could force European regulators to reconsider whether U.S. safeguards remain 'essentially equivalent' to EU standards. With its effectiveness now in doubt, European authorities could reassess whether U.S. data protection mechanisms remain reliable.

The Chair of the Committee on Civil Liberties, Justice, and Home Affairs (LIBE), Javier Zarzalejos, urged the Commission to clarify whether these U.S. oversight changes fundamentally alter the basis of the adequacy decision. In a letter to European Commissioner Michael McGrath, Zarzalejos questioned whether the recent changes to PCLOB undermine the Data Privacy Framework and whether it still meets the "essential equivalence" standard set by the Court of Justice of the European Union (CJEU) in the Schrems II ruling.

Data Privacy Framework Remains (for Now)

Amidst all of this uncertainty, the EU-US Data Privacy Framework remains in force. To address concerns over the continued viability of the GDPR transfer mechanism, EU Commission spokesperson Markus Lammert told reporters that the rules underpinning the framework "remain applicable irrespective of the members of the PCLOB," while noting that the Commission was monitoring developments and reviewing "all the necessary tools" to react to any further developments. Such mechanisms include the US National Intelligence Office's Civil Liberties Protection Office, which is charged under the agreement with receiving and addressing complaints from the EDPB, as well as the Data Protection Review Court, which reviews decisions and handles appeals. These institutions remain in place—although they too have faced some instability as a result of President Trump's government-wide overhauls. And indeed the PCLOB itself, while undoubtedly hampered by the dismissals, continues to function. Following news of the dismissals, the PCLOB released a statement asserting that it plans to continue its work with the agency's "full staff" and its remaining member.

Political Climate and Its Impact on Data Sovereignty

The ongoing debate over transatlantic data transfers aligns with the EU's broader push on digital sovereignty and data localisation. Recent discussions around the draft European Cloud Certification Scheme (EUCS) have highlighted growing concerns over foreign influence on European data infrastructure.

The return to power of President Donald Trump only heightens Europe's worries, as his "America First" stance could intensify challenges to the EU-U.S. Data Privacy Framework, possibly leading to renewed legal challenges similar to those seen in Schrems II.

Cybersecurity experts, including Bart Jacobs from Radboud University, have warned that the Trump administration could amend the existing CLOUD Act (legislation which Trump enacted during his first term), making it easier for U.S. intelligence services to access European data.[2] Such a move would further weaken the already fragile EU-U.S. Data Privacy Framework, potentially pushing the EU towards stricter regulations on data transfers.

For its part, the United States has also taken steps aimed at data sovereignty, on the basis of national security concerns. For example, in December, the U.S. Department of Justice issued a Final Rule on data transactions with "countries of concern" and covered persons involving U.S. bulk sensitive data or government-related data. The Rule prohibits certain highly sensitive transactions in their entirety, and restricts certain categories of transactions that would be prohibited unless they comply with predefined security requirements developed by the Department of Homeland Security's Cybersecurity and Infrastructure Agency. The rules have commanded attention from multi-national companies—particularly those with significant presences in China (including Hong Kong). (For additional information on this regulation, please see our article: DOJ Final Rule on National-Security Risks Posed by Countries’ of Concern and Covered Persons’ Access to U.S. Sensitive Data.)

Anticipating a potential Schrems III and Future Restrictions

Given the uncertainty surrounding the future of transatlantic data transfers, companies handling personal data – and, in particular, flows of personal data from the E.U. to the U.S. – should consider what steps they might take to prepare for potential regulatory shifts, including:

1. Inventory of Data Transfers – Identify and review all data processing activities involving transfers from the EU to the U.S. In particular, having a comprehensive inventory of vendors, customers, and other third parties that are involved in cross-border data flows will be critical in quickly and effectively responding to significant changes in regulations.

2. Strengthen Data Transfer Safeguards – Consider what, if any, additional contractual, technical or operational safeguards may be appropriate for personal data transfers from the EU to the U.S. The latest CNIL guide on Data Transfer Impact Assessments (DTIAs), published on January 31, 2025, provides guidance on compliance best practices for overseas data transfers, and should be considered alongside other existing regulatory guidance on the conduct of DTIAs. Among other things, the CNIL recommends strengthening Standard Contractual Clauses (SCCs) by integrating robust supplementary measures to mitigate potential risks associated with U.S. government access and conducting a thorough DTIA.

3. Maintain DPF Certification but Prepare for Alternatives – Companies that have put resources towards certifying under the EU-US Data Privacy Framework should continue to maintain that certification and can continue to rely on it for cross-border data flows. However, companies should also begin preparing for alternatives, such as the use of Standard Contractual Clauses.

Conclusion

While the latest developments have undeniably reignited regulatory scrutiny, there is much still to be determined. The European Commission has yet to signal any suspension of the Data Privacy Framework, and ongoing diplomatic discussions may offer a path forward. However, businesses must anticipate a more volatile regulatory landscape, with increasing pressure from key EU countries, such as France, pushing for data localisation and European control over cloud services.

The looming possibility of a Schrems III ruling underscores the urgency for organisations to implement stronger compliance measures and prepare for an increasingly restrictive data transfer landscape. Companies relying on transatlantic data flows should proactively consider strengthening data transfer safeguards, assess their hosting solutions, monitor evolving regulatory shifts, and prepare for alternatives to stay ahead of potential disruptions.

References

[1] NPR, "Doge, Musk, USAID, Trump", February 3, 2025.

[2] Binnenlands Bestuur, "Waarom verkiezingswinst van Trump grote gevolgen heeft voor de overheid", November 1, 2024.