What the PCLOB Firings Mean for the EU-US Data Privacy Framework

On 27 January, the Trump Administration dismissed three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), an independent body responsible for ensuring transparency and accountability in U.S. surveillance practices. With the removal of these members, including the Chair, PCLOB has lost its quorum, leaving it unable to function effectively, as only one member remains. It is unclear when replacements will be appointed, but based on past instances, the process is likely to take a long time, leaving the agency non-operational in the meantime.

As a transatlantic civil society organisation advocating for the respect of human rights in tech policy, Centre for Democracy and Technology (CDT) is deeply concerned by these developments. CDT US has extensively analysed the implications of these dismissals for U.S. surveillance practices, while CDT Europe has raised concerns about the impact of a non-operational PCLOB on the implementation of the EU-U.S. Data Privacy Framework (DPF). 

To support EU policymakers, we have prepared this brief in order to provide a clear overview of how these developments affect the implementation of the DPF and outline necessary steps to safeguard fundamental rights. 

1. What role does the PCLOB play under the DPF

The European Commission’s 2023 adequacy decision places significant importance on the role of the PCLOB in ensuring that U.S. intelligence practices align with EU data protection standards under the DPF. In its adequacy decision the Commission defines the PCLOB as follows: an independent agency within the executive branch composed of a bipartisan, five-member Board appointed by the President for a fixed six-year term with Senate approval. According to its founding statute, the PCLOB is entrusted with responsibilities in the field of counterterrorism policies and their implementation, with a view to protect privacy and civil liberties. In its review it can access all relevant agency records, reports, audits, reviews, documents, papers and recommendations, including classified information, conduct interviews and hear testimony. 

PCLOB’s Oversight Role in U.S. Intelligence Activities

Under the DPF, PCLOB is responsible for overseeing U.S. intelligence agencies’ compliance with the procedural safeguards introduced in Executive Order 14086 (EO 14086). These functions are intended to reinforce the credibility of U.S. surveillance safeguards and provide sufficient guarantees regarding the protection of the EU citizens’ fundamental rights by U.S intelligence agencies. 

PCLOB’s role includes monitoring whether U.S. intelligence activities adhere to the principles of necessity, proportionality, and respect for fundamental rights, which are key requirements for aligning U.S. surveillance practices with EU legal standards as established by the CJEU jurisprudence. It evaluates the implementation of EO 14086 safeguards, ensuring that new privacy protections are effectively enforced, and reviews intelligence procedures and policies to verify compliance with limitations on bulk data collection. PCLOB is responsible for conducting an annual review of EO 14086’s implementation, assessing whether U.S. intelligence agencies comply with the new procedural and fundamental rights safeguards established therein.

At the time of the dismissals, the expected annual report was under preparation, and its publication is on hold for an undetermined period of time. This report is a key piece of the EU Commission annual evaluation of the DPF. Therefore the inability to produce such a report would severely undermine the Commission’s ability to ensure compliance with EU standards, rendering PCLOB a futile safeguard for the purposes of the DPF. Recognising the gravity of this issue the Commission noted in its last implementation report that “given the important role of the PCLOB to review the implementation of EO 14086, the Commission will closely monitor the status of future vacancies and nominations/appointments.”

PCLOB’s Role in the Redress Mechanism: The Data Protection Review Court (DPRC)

In its 2023 resolution, the European Parliament highlighted significant concerns about the DPRC being placed under the executive branch, noting that “although the new redress mechanism does not allow for the U.S. Attorney General to dismiss and supervise the DPRC judges, it does not affect the relevant powers of the US President; stresses that as long as the US President can remove DPRC judges during their term, the independence of these judges is not guaranteed”. 

PCLOB is responsible for overseeing the newly established DPRC, which, under EO 14086, is intended to provide a redress mechanism for EU citizens challenging unlawful surveillance in the US. PCLOB’s responsibilities regarding the DPRC include:

• Monitors and evaluates how the DPRC operates to ensure complaints are handled fairly, independently, and in a timely manner, including assessing whether the DPRC has full access to necessary intelligence data.
• Is consulted in the appointment of DPRC judges, helping to reinforce the tribunal’s impartiality.
• Conducts an annual review of the redress mechanism under EO 14086 and publishes a report on its findings, including an unclassified public version, which informs the European Commission’s periodic review of the DPF.
• Reviews whether the substantive safeguards of EO 14086 are properly applied.
• Verifies whether the Intelligence Community fully complies with determinations made by the DPRC.
• Issues an annual public certification confirming whether the redress mechanism operates in line with EO 14086 requirements.

The CJEU previously struck down the Privacy Shield, finding, among other issues, that its Ombudsperson Mechanism lacked sufficient independence from the U.S. executive branch. While the DPRC remains under the executive branch, the European Commission characterized PCLOB’s independent oversight as a key safeguard to defend its compliance with the CJEU’s standard of independence. With PCLOB now non-functional, the legitimacy of the DPRC’s independence is at serious risk and could face legal challenges.

2. The Impact of PCLOB’s dysfunction on the EU-US DPF

The recent dismissal of PCLOB members appointed on a bipartisan basis has effectively crippled PCLOB as an oversight body and raises serious concerns about political interference in the independent oversight mechanism. This marks a potential regression to the times when PCLOB members served at the discretion of the President, and its work was subject to White House influence. This move by the new U.S. administration signals a potentially prolonged period without a quorum, as it remains uncertain when replacements will be appointed. Past instances suggest that the appointment process could take months or years, leaving the agency effectively non-operational for the foreseeable future. While the sole remaining PCLOB member has the ability to issue reports in her individual capacity or oversee the preparation of “staff reports,” these documents do not carry the same institutional weight as formal PCLOB reports. PCLOB reports are adopted through a deliberative process at the Board level, ensuring bi-partisan oversight and institutional legitimacy. In contrast, “staff reports” are technical documents produced at the working level and do not reflect the formal position of the Board as a whole. As such, they do not hold the same legal or procedural validity in official assessments or oversight processes. Furthermore, they certainly would not comport with the Commission’s vision of a reliable, bi-partisan oversight mechanism with members serving full, six-year terms of office that protect their independence from political influence.

The lack of an operational oversight body and the firing of most its members without cause raise fundamental concerns about the effectiveness and compliance with U.S. surveillance safeguards under EO 14086 for several reasons:

• No independent verification of U.S. intelligence compliance: With PCLOB in a sub-quorum state, there is no independent body ensuring that U.S. intelligence agencies comply with EO 14086 safeguards, leaving fundamental questions about whether surveillance activities remain within agreed legal limits.
• The DPRC’s legitimacy is now in question: PCLOB was meant to reinforce the independence and fairness of the DPRC, providing oversight to ensure it functions as an independent redress mechanism for EU citizens. Without PCLOB, the DPRC’s ability to operate as an impartial body is severely weakened. Even if PCLOB is eventually reconstituted, its independence is forever tarnished by the dismissal without cause of most of its members.
• The DPF’s entire independent oversight framework is at risk: The absence of an effective PCLOB further weakens the foundation of the DPF’s oversight structure, increasing the likelihood of legal challenges before the CJEU, similar to those that led to the invalidation of the Privacy Shield.

3. An agreement built on fragile ground

The DPF’s validity depends heavily on the safeguards introduced by EO 14086, which were introduced to address the CJEU’s concerns regarding oversight, accountability, and redress. The oversight and redress mechanisms were designed to provide the accountability and proportionality needed to meet CJEU standards of independence and effectiveness. However, the credibility of these safeguards hinges on the PCLOB’s independence and operational capacity. Given that the PCLOB had been weakened and  rendered effectively non-functional for what could be a lengthy period, essential equivalence is highly questionable. 

EU civil society and the European Parliament were very critical of the new adequacy decision granted by the EU Commission in 2023. In its resolution the Parliament urged the European Commission to renegotiate the framework, stating that it “fails to create essential equivalence in the level of protection” as required by EU law. Recent development pertaining to the removal of legitimately appointed PCLOB members only exacerbate these concerns. In its 2024 annual review of the functioning of the DPF, the Commission concluded that it will “closely monitor relevant developments in the next months and years, paying particular attention to (1) the upcoming reports of the PCLOB on the implementation of EO 14086 and … (3) the nomination and appointment of members to the PCLOB to fill upcoming vacancies.” Now that the Board members needed for a quorum have been fired, the report that the Commission relies on to monitor implementation and compliance cannot be issued by PCLOB, and the problem of prospective PCLOB vacancies that concerned the Commission a few months ago has worsened. 

Recommendations

• The European Commission must take this issue seriously by closely monitoring the situation to reassess whether the safeguards under the DPF still meet the CJEU’s requirements and actively engaging with the U.S. administration to demand the reappointment of new, PCLOB members approved on a bipartisan basis. 
• Should the U.S. administration and the U.S. Senate fail to restore PCLOB’s operational capacity within a reasonable timeframe, EU citizens’ personal data would be exposed to unlawful surveillance without guardrails necessary to preserve in contravention to their rights. Even before PCLOB’s ability to fulfill its role in the DPF had been put in doubt CDT had called for more protection of the rights of EU citizens against U.S. surveillance practices. Now, the DPF is on even shakier ground. As stated in the European Parliament’s resolution of 2023, the Commission is obligated to suspend the adequacy decision if the level of protection in the U.S. no longer meets the required standard of “essential equivalence” with EU data protection laws. Under the General Data Protection Regulation (GDPR), this assessment must be an ongoing process, continuously evaluating changes in law and practice to ensure compliance. 
• In light of previous CJEU decisions,  the EU should not wait for another legal challenge on account of PCLOB’s inoperability but instead proactively anticipate the risks and take the necessary measures to uphold the integrity of the agreement before it faces another inevitable invalidation by the CJEU.
• The European Parliament should engage in a transparent dialogue with the Commission and ensure that the above recommendations are followed.