The independence of all the US regulators who uphold EU-US data transfers is now in doubt, but the Commission is acting as if nothing has changed.

The Trump administration is considering abandoning the US side of the EU-US Data Protection Framework (DPF), also known as TDPF (Transatlantic Data Privacy Framework). It is attacking the judiciary and “so-called” independent agencies in the US government; and has pushed Democrats out of at least three of the five such institutions that ensure US compliance with the DPF.

“The zone is flooded,” a person speaking on condition of anonymity told Euractiv, referring to an infamous PBS interview in which former Trump chief strategist Steve Bannon said that when too much is happening at once, the public can only keep up with a fraction of it.

“While previous agreements were disputed over one or two points, now there’s like a hundred,” the person said. 

US surveillance and GDPR: Squaring the circle 

EU citizens’ personal data can legally flow out of the EU without strict safeguards to countries that the Commission deems to have adequate data protection measures in place, signed off by an ‘adequacy decision’.

While the US has no federal privacy law and its intelligence agencies have few legal barriers to accessing personal data of foreigners, it is estimated that over 90% of EU companies transfer data to and from the US, and the trillions of dollars in bilateral trade make an adequacy decision all the more important.

But the legality is tricky. The Court of Justice of the European Union (CJEU) struck down the two previous EU-US data deals. The current DPF has been criticised since it was drawn up.

The lack of independent oversight and redress mechanisms for US intelligence agencies was a key objection to the previous Privacy Shield agreement in the Schrems II decision.

The current DPF relies on a Biden-era remedy: an Executive Order establishing such oversight and redress.  

The Civil Liberties Oversight Board (PCLOB) was charged with external oversight, and a Civil Liberties Protection Officer (CLPO) was established within the Office of the Director of National Intelligence (ODNI) for internal oversight.

In terms of redress, the CLPO handles complaints in the first instance and a Data Protection Review Court (DPRC), with members appointed by the PCLOB, was established as an appeal body.

Having championed these institutions as cornerstones of the DPF, the Commission has been conspicuously silent in the face of their collapse.

PCLOB’s fall 

Set up by an act of Congress rather than by the executive branch, PCLOB was the most legally protected of the above-mentioned agencies.  

“Given the important role of the PCLOB… the Commission will closely monitor the status of future vacancies and nominations/appointments,” reads the Commission’s DPF review from October.  

But when Trump ignited European concerns over the DPF by calling for the three non-Republican members to resign, Commission spokesman Markus Lammert played it down. The DPF “remains applicable irrespective of members of the PCLOB,” he said, adding that the Commission is continuously monitoring the situation and has “all the necessary tools in place to react”.  

Trump then fired the Democrats in the PCLOB, leaving the five-person board with only one Republican, short of the three needed for it to formally make decisions.

“The agency has significant ability to continue functioning with its full staff and remaining Member to continue the Board’s important mission,” PCLOB spokesman Alan Silverleib told Euractiv. In fact, due to recent adjustments to prepare for a period with too few board members, the PCLOB has more authority and ability to continue its mission than in the past, he said.  

Sacked board member Travis LeBlanc tells a different story. “By firing us, the president has extinguished independent oversight of surveillance activities,” he wrote in the Guardian on 6 February.   

LeBlanc and his former colleague Ed Felton are now suing the president to have their jobs reinstated, arguing that their dismissals without cause violated the law, which requires the agency to be impartial and independent.

On 28 January, Irena Moozova, Deputy Director-General of DG JUST said the Commission would not be shy to react if the situation changed “dramatically.”

“For now, we have no further comments,” a Commission spokesperson said in response to repeated questions, echoing Lammert’s statements regarding “continuous monitoring.”  

DPRC, CLPO, IGs and privacy officials all under fire 

High European standards of independence don’t always translate into other constitutional contexts, Joe Jones, director of research and insights at the International Association of Privacy Professional (IAPP), told Euractiv. As an example, he cited the EU-Japan data agreement, where the presence of politically appointed regulators didn’t prevent legal data transfers.

But there’s a limit to what can be accepted, and the independence of all the agencies involved is called into question.

On 5 February, Euractiv reported that Obama-era Attorney General Eric H. Holder Jr, the most prominent Democrat in the DPRC, disappeared from the list of judges on the DPRC’s website after Republicans questioned his position on X.  

The US Department of Justice (DoJ) has not officially confirmed Holder’s departure, nor whether he was fired or left voluntarily.  

Separately, Never-Trumper Republican Paul Rosenzweig, special advocate for the DPRC, resigned in protest after the inauguration. 

In one version of the CLPO website the position appears to be dormant, but in another everything looks normal.  

In addition to DPF-specific institutions, the Commission’s DPF review highlights Inspectors General (IGs) and Privacy and Civil Liberties Officers as important oversight mechanisms.  

While Trump hasn’t fired the specific IGs overseeing intelligence agencies, he has fired at least 17 others, violating a 2021 law by failing to give 30 days’ notice with a detailed rationale, and calling into question the independence of the remaining IGs. “It’s a very common thing to do,” said Trump. 

AP and Bloomberg have reported reshuffles and departures of DoJ officials and a rogue Musk-led Department of Government Efficiency (DOGE) is reaching ever further into the US government in its quest to fire bureaucrats.  

The exact situation of the DoJ and ODNI privacy officials is uncertain, but members of the Office of Personnel Management (OPM) privacy team have been fired. “They just got rid of the entire privacy team,” an OPM email address said in response to a CNN request. 

Neither the DPRC, ODNI nor the Department of Justice responded to Euractiv’s requests for comment.

Separation of powers and “so-called” independent agencies 

Judges and over 100 lawsuits are challenging the legality of the Trump administration’s actions, but JD Vance declared on 9 February that “judges aren’t allowed to control the executive’s legitimate power”, and Musk chimed in.  

The executive’s “legitimate power” is far-reaching, according to the Trump administration.

“Previous administrations have allowed so-called ‘independent regulatory agencies’ to operate with minimal Presidential supervision,” reads an Executive Order from 18 February. 

Instead, the Trump administration will ensure presidential oversight and control of the entire executive branch, according to the order.

“All executive departments and agencies, including so-called independent agencies, shall submit for review all proposed and final significant regulatory actions to the Office of Information and Regulatory Affairs (OIRA) within the Executive Office of the President before publication,” the EO reads. 

“We are studying the impact that these decisions could have on the DPF,” a Commission spokesperson told Euractiv when asked about the order. 

There is legal backing for the Trump administration’s arguments.

“The US Supreme Court has repeatedly ruled that the president can supervise officers exercising executive power, which ordinarily includes the power to fire them,” Alex Joel, senior project director and adjunct professor at American University’s Washington College of Law and previously a senior official at ODNI, told Euractiv.

Because PCLOB and IGs are part of the executive branch, the Trump Administration will argue that the President can fire them at his discretion, without having to show “cause,” especially since Congress did not include “for cause” clause in their statutes to disallow this kind of presidential intervention, Joel said.

“The President’s actions strike at the heart of the separation of powers,” LeBlanc and Felton’s complaint reads. 

Trump to kill it anyway? 

If Europe doesn’t invalidate the DPF first, Trump may simply revoke the EO on which it is based anyway.  

In Trump’s sweeping revocation of 67 executive orders immediately after taking office, he ordered a review of all Biden national security decisions within 45 days (6 March), including the DPF executive order (EO). 

The review is in line with Project 2025, a political agenda closely associated with the Trump administration, which states that an incoming president “should ask for an immediate study” of the DPF EO and “reset Europe’s expectations”. 

“The United States has never seriously pushed back against the EU; now is the time” the manifesto reads. 

Repealing the EO wouldn’t automatically kill the DPF, but it would force the EU to annul it.

Max Schrems, a privacy activist and plaintiff in the CJEU cases that struck down the two previous EU-US agreements, fears that the Trump administration will take away the EO’s safeguards in secret.

Not all EOs must be published, and the DPF EO already contains provisions that restricted elements of it confidentially, he told Euractiv.  

Project 2025 is calling for an incoming president to immediately “suspend any provisions that unduly burden intelligence collection.” 

It’s “an executive order that is limiting the US government to please Europe,” Schrems said.  “In their thinking, this is the first thing to kill,” he added. 

Noise ahead 

The Commission’s response to all of this has been to keep its mouth shut.  

Tensions between the EU and the US are at an all-time high, with Trump sidelining Europe in the Ukraine peace negotiations talks, and the US is threatening retaliatory tariffs if the EU enforces its digital rulebook. 

JD Vance specifically targeted the GDPR in his Paris tirade against EU over-regulation, saying the US will not accept foreign governments tightening the screws on US companies.

Silence may serve the EU and the US while they pick their battles, and silence is undoubtedly good for business.  

On the US side, the lack of comment on Holder’s departure from the DPRC helps to keep the boat from rocking.

On the EU side, the Commission could blame the CJEU for killing the previous agreements, but if the EU executive does scrap the deal, it will undoubtedly be seen as a political move against Washington. Better to say and do nothing in the meantime, seems to be the policy.

But silence can’t last forever. 

On 5 February, 19 MEPs from across the political spectrum called on the Commission to address the question of whether the DPF is still viable. The Commission has until 19 March to respond in writing. 

On 6 February, the chair of the Civil Liberties, Justice and Home Affairs (LIBE) Committee wrote to Commissioner McGrath asking whether the DPF still meets the essential equivalence requirement established by the ECJ after the PCLOB shootings and whether this affects the validity of the DPF.

Schrems told Euractiv that the Commission’s silence could leave companies in the legal limbo of an invalidated DPF.

“My biggest worry… is that there is no fucking contingency plan,” he said. 

[DE]