The future of the EU-U.S. Data Privacy Framework

1. By way of background

The PCLOB is an independent agency within the Executive Branch of the U.S. government. Members of the PCLOB are appointed by the U.S. President and confirmed by the U.S. Senate. Its mission is to ensure that the U.S. federal government's efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties.

Under the DPF, the PCLOB is responsible for overseeing U.S. intelligence agencies’ compliance with the procedural safeguards introduced in Executive Order 14086. The European Commission’s 2023 adequacy decision regarding the DPF places significant importance on the role of the PCLOB in ensuring that U.S. intelligence practices align with EU data protection standards under the DPF. Moreover, the PCLOB is responsible for overseeing the newly established Data Protection Review Court, which, under EO 14086, is intended to provide a redress mechanism for EU citizens challenging unlawful surveillance in the U.S. Thus, the PCLOB plays an integral role in the DPF, which raises tricky questions on the future of the DPF. We have asked Travis some of these questions.

2. Here is what Travis had to say

Q: Travis, you have served at the PCLOB from 2019 until you were fired by the new Administration in January 2025 – although you term lasted until January 2028. Other Democrats serving at the PCLOB have been fired as well. What is going on and what is the background of these dismissals?

A: Unfortunately, no rationale was provided for terminating three of the four active members of the Privacy and Civil Liberties Oversight Board. The three board members who were terminated, including me, are Democrats and the one board member who remains is a Republican. Both Ed Felten and I filed a lawsuit last week to challenge our removals from the PCLOB, which Congress established by law as an “independent agency.”

Q: Currently, the PCLOB is left with one remaining member instead of the five members originally appointed. Will other members be appointed soon or what are the plans of the new Administration regarding the PCLOB?

A: Any new board members would need to be nominated by the President, confirmed by the U.S. Senate, and appointed by the President thereafter. In the past, that process has typically taken at least 6 months, if not multiple years.

Q: One of the PCLOB’s tasks is to review the redress mechanism as part of the EU-U.S. Data Privacy Framework. Does this review still take place in practice and what is your prediction in this regard?

A: Technically, the PCLOB staff can continue to evaluate the Data Privacy Framework redress mechanism under the sole direction of the remaining Republican board member, Beth A. Williams. The Board currently lacks a quorum to do business since it has less than three board members and therefore cannot compel any federal agency to respond to staff requests for information (which may or may not be forthcoming). While the PCLOB staff could theoretically release a report on the redress mechanism in the future, that report would not reflect an independent process as it would have been overseen by one partisan board member and presumably would have been reviewed and revised by the current Administration. Thus, any staff report would essentially be the Administration’s report.

Q: How integral is the PCLOB’s review for the redress mechanism under the DPF from a U.S. law perspective – could the DPF continue to operate without a properly functioning PCLOB?

A: PCLOB is critical for external oversight, transparency, and accountability under the DPF. PCLOB’s role in the DPF framework has been highlighted by the European Commission and enshrined by the President in Executive Order 14086, one of the most substantial reforms of U.S. signals intelligence activities. PCLOB is the only independent agency charged with the review of the DPF, and the U.S. courts are otherwise not available for European data subjects to challenge unlawful collection, transfer, or use of their data. Unfortunately, PCLOB’s current dormancy ultimately reaffirms European concerns over the lack of comprehensive federal privacy legislation, redress mechanisms for Europeans, and independent oversight of the intelligence services in the United States.

Q: Beyond the role of the PCLOB, what is your personal view on the future of the DPF on the U.S. side? Do you expect the new Administration to also touch Executive Order 14086 of October 7, 2022, which is the “backbone" of the DPF, and its accompanying Regulations?

A: It is too early to predict with a reasonable degree of certainty. The new Administration appears to be reviewing all of the Executive Orders issued by President Biden. The President has not yet revoked Executive Order 14086, but he also has not endorsed it. Clearly, a revocation of that Executive Order or a fundamental restructuring of it that weakens privacy and civil liberties protections that are currently in the Executive Order would undoubtedly have significant ramifications for the DPF and U.S. adequacy.

Q: In your view, how does the new Administration view the importance of transatlantic flows of personal data?

A: In 2018, the Trump Administration pushed to have three PCLOB board members confirmed by the U.S. Senate on the eve of the annual Privacy Shield review. That Administration was also supportive of finding a replacement agreement for Privacy Shield after it was invalidated by the Court of Justice of the European Union in Schrems II. I do hope international data transfers as well as reform of signals intelligence activities will remain priorities for the current Administration.

Q: As you know, on the European side, the EU Commission is coming under increasing pressure to review its adequacy finding for the DPF in light of the recent developments. What do you hear in Washington on this?

A: Industry and the public interest communities are very concerned about the continued viability of U.S. adequacy and the DPF in light of recent developments at the PCLOB as well as their implications for the Data Protection Review Court. Washingtonians are awaiting to hear from the European Commission on these developments.

3. Our take

EU companies should prepare for the discontinuation of the DPF with great urgency. The signs are clear, and we would not expect EU data protection supervisory authorities to grant any "grace periods".