A Trillion-dollar Privacy Disaster in the Making; Why You’ll Miss PCLOB Now That It’s Gone

The last few weeks have been tough ones for four-letter agencies. The EEOC and NLRB have each seen their leadership decimated, with commissioners summarily and illegally fired. The CFPB has had it even worse, with the entire agency effectively and, again, illegally and abruptly shut down.

So why should you care about the fate of some obscure agency that you’ve never heard of? Especially since it has five letters instead of four (for my nerdy friends on LinkedIn who cannot wait to troll me on this, I am way ahead of you).

In short, we should all care because the end of PCLOB may very well mean the end of the EU personal data transfers to the US that we have all gotten used to. It may mean that US tech companies find themselves locked out of the EU market, threatening EU-US data flows that the US Department of Commerce values at over $1 trillion. Yes, trillion.

OK, You’ve Got My Attention – But What the Heck is PCLOB?

The Privacy and Civil Liberties Oversight Board is a bipartisan, independent agency that oversees the counterterrorism activities of US intelligence and law enforcement agencies. Per its “Strategic Plan 2022-2026,” PCLOB “provides advice and conducts oversight to ensure that efforts by the executive branch to protect the nation from terrorism are appropriately balanced with the need to protect privacy and civil liberties.” PCLOB was established in its current form, as an independent agency, by the Implementing Recommendations of the 9/11 Commission Act of 2007, which passed by an overwhelming bipartisan vote.

The most important role that PCLOB plays for us privacy types is directly supporting the agreement between the EU and the US that allows the personal data of people in the EU to be transferred to the US, with follow-on agreements that allow transfers from the UK and Switzerland. The fundamental issue is that GDPR, the EU privacy law, prohibits the transfer of EU personal data to any country that does not provide an essentially equivalent level of protection of personal rights. A country clears that bar by obtaining what GDPR calls an “adequacy decision” (commonly referred to as an adequacy determination) from the European Commission. US mass surveillance of personal data, particularly after 9/11, presents a massive problem for GDPR’s protection of personal rights. Other countries have been blessed with adequacy determinations over the years; the US holds one today only by virtue of the EU-US Data Privacy Framework (DPF) agreement adopted in 2023 and, as we will see, its earlier attempts did not survive.

PCLOB plays a central role in the DPF and is a key reason that the EU granted an adequacy determination to the US, because PCLOB is written directly into the DPF as a check on US mass surveillance:

. . . to the extent they carry out counter-terrorism activities, departments with criminal law enforcement responsibilities are subject to oversight by the Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency within the executive branch composed of a bipartisan, five-member Board appointed by the President for a fixed six-year term with Senate approval.

Concerns over PCLOB might seem overblown, until one recognizes how fraught the DPF is in general. The DPF is not the first time that the US has tried to satisfy the EU’s demands for an adequate level of protection over personal data transfers; it is the third.

The DPF Stands on Shaky Ground

The story begins in 2000 with Safe Harbor, the first attempt by the US to reach an agreement with the EU to protect personal data under the Data Protection Directive, the weaker predecessor to GDPR. US companies could self-certify compliance with the Safe Harbor principles, allowing them to freely transfer EU personal data to the US. However, after the revelations by Edward Snowden about the massive extent of US mass surveillance programs, the CJEU, the highest court in the EU, invalidated Safe Harbor in 2015 in a case brought by Austrian privacy activist Max Schrems.

The US quickly regrouped and reached a second agreement with the EU in 2016, the Privacy Shield. The Privacy Shield promised stronger protections against US mass surveillance but was otherwise much like Safe Harbor before it. In fact, the Privacy Shield was so much like Safe Harbor that Max Schrems brought a new case against it (called “Schrems II,” with the first case retroactively dubbed “Schrems I”). The CJEU once again agreed, invalidating the Privacy Shield in 2020.

This led to years of uncertainty, as the US tried to find some way to appease the data protection authorities in the EU without limiting US mass surveillance. Cumbersome GDPR mechanisms like Binding Corporate Rules and the Article 49 derogations were too slow and too expensive to be practical beyond rare exceptions. Most companies resorted to the complicated and sprawling EU-issued Standard Contractual Clauses (SCCs) to try to fill the gap. But the difficulty of adapting the SCCs, with their byzantine complexity, to real-world demands cannot be overstated; it can only be shown, perhaps best by David Zetoony’s bewildering list of Gordian Knot SCC scenarios (some of these, like #8.5, really should come with a trigger warning).

Thus, the third EU-US agreement, the DPF, adopted in 2023, was a great relief to all who transfer data, which is, of course, many major tech companies and others. The DPF is subject to periodic review by the EU, and while it passed its first review in 2024, there were strong indications that EU authorities were not fully convinced that the US had sufficiently reined in its mass surveillance efforts.

And, as we will see, Max Schrems has been circling . . .

So, What Just Happened to PCLOB That Should Concern Me?

PCLOB is supposed to have five board members, but it had only four: three Democratic members and one Republican. Well, until recently, that is.

On January 22, 2025, the Trump administration sent an email threatening to terminate the three Democratic members if they did not resign by the next day. This took place around the same time that the administration was pushing Democratic commissioners of the EEOC and NLRB out the door as well. As Rachel See notes, while the governing statute of the NLRB (but not the EEOC) restricts removal of Board members to cases of neglect of duty or malfeasance in office, PCLOB’s governing statute contains no such protection, leaving its Board members completely exposed.

Per a PCLOB press release, all three Democratic Board members were terminated as threatened on January 23, 2025, reducing PCLOB to just one member and eliminating the possibility of a quorum. Despite the press release’s assurance that PCLOB has “significant ability to continue functioning,” it is hard to see how PCLOB can now serve as the oversight body demanded by the DPF.

The Ugly Geopolitical Reality

It should not go unmentioned that the gap between the second and third EU-US agreements, between the end of the Privacy Shield in 2020 and the DPF in 2023, was a long three years. During that time, both US and EU officials periodically announced that they were working on a new deal, but there were absolutely no real signs of genuine progress. There seemed to be no real urgency to reach a new deal and cut that Gordian Knot of data transfer requirements.

Then, on February 24, 2022, Russia invaded Ukraine, starting the largest land war in Europe since WWII. Just 29 days later, after more than a year and a half of nothing but empty pronouncements, the EU and the US announced an agreement in principle on what became the DPF (the adequacy decision itself followed in 2023). No one has ever officially said that the invasion of Ukraine was the reason why years of unsolvable differences suddenly became so solvable, but those reporting on the situation, such as the international relations experts at Politico, certainly cite it as the critical factor.

It’s worth noting that I found the link to that Politico article in a post by NOYB.eu (standing for “None Of Your Business”), the privacy advocacy organization that Max Schrems founded after his victory in Schrems I, in a post that was highly critical of the DPF and pledged to challenge it. Because now it is time for us to get to the ever-lurking danger to the DPF that is Max Schrems and NOYB.

Has Schrems III Already Begun?

On the same day that the PCLOB firings took place, NOYB posted a blistering criticism:

The European Union has relied on these US boards and tribunals to find that the US provides "adequate" protection of personal data. Relying on the PCLOB and other mechanisms, the EU Commission allows European personal data to flow freely to the US in the so-called "Transatlantic Data Privacy Framework" (TADPF). The PCLOB is the only relevant "oversight" element of the deal. Other elements are just acting as recourse bodies. Thousands of EU businesses, government agencies or schools rely on these provisions. Without the TADPF, they would need to stop using US cloud providers like Apple, Google, Microsoft or Amazon instantly.

But even as we await the filing of Schrems III, the EU may find itself taking action sooner. While the next EU review of the DPF is not scheduled until October 2027, the EU has threatened other countries with termination of an adequacy determination before, as it did with the UK during Brexit.

Moreover, the political scenario in which the EU relied greatly upon the US to prop up the defenses of Ukraine appears to be rapidly coming to an end, if recent headlines are any indication. An EU that found itself forced into the DPF by the need for US money and weapons may well find itself relieved of the need to turn a blind eye to US mass surveillance of EU citizens once that support has been taken away.

What Can We Do?

To be at least a little bit nonpartisan about this, we’ve been here before with PCLOB muzzled; the Obama administration failed to appoint any Board member for four years. But that was then, before PCLOB was tied to any external promises, and this is now, with the continuation of the DPF standing at the brink and a trillion-dollar data flow at risk.

If you are a lawyer or a privacy officer at a company that is part of that trillion-dollar trade, now is the time to contact the trade industry groups you support, and your members of Congress too, to lobby for at least a short-term solution to this threat to the DPF and the $1 trillion of trade that it protects. The solution, at least for now, could be relatively simple: the current administration needs to appoint at least two new Board members, restore the quorum, and present some semblance of a functioning oversight body. But that might go against the current blind rush to shut down agencies like PCLOB. We can only hope that the trillion-dollar stakes here will override any rush to dismantle this particular small corner of the government.

Comments
Randy Brown, Skribe - AI for Depositions, 2 weeks ago:

Thanks for sharing. I didn't know any of this.

I am waiting for Trump to sign an executive order stating the GDPR is no longer law.......

David Flint, Commercial Law Adviser at Inksters; former Visiting Professor at Creighton University School of Law, 2 weeks ago:

Michael Simon, as you will recall, a number of European privacy nerds (including me) have always argued that the DPF was a political rather than a legal solution and that what has happened could reasonably have been anticipated. It is difficult (impossible?) to envisage a legal solution which would meet the requirements of the GDPR. Any purely political solution is likely to face (probably successful) challenge from NOYB and others.
