Thought Leaders: Doing business in Europe? What to know about U.S. Data Privacy and security changes which may threaten Transatlantic Commerce

Data privacy and security issues are quickly evolving in the United States (U.S.) and in the European Union (EU). This article discusses recent Trump Administration changes to the Privacy and Civil Liberties Oversight Board (PCLOB) that could affect all U.S. businesses engaged in transatlantic commerce.

The PCLOB is an independent federal agency established by the 9/11 Commission Act of 2007 in response to concerns about government surveillance programs and the collection of private data and communications. The Board has several functions. Applicable here, it plays a role in complying with U.S. obligations under the EU-U.S. Data Privacy Framework (DPF). The DPF facilitates transatlantic commerce by allowing U.S. companies to transfer personal data from the EU customers and businesses to the U.S. 

Under the DPF, U.S. companies self-certify that they will adhere to the DPF data privacy principles and will provide an adequate level of data protection for individuals and businesses in the EU. To meet those requirements, U.S. companies may rely on a DPF Adequacy Decision (Adequacy Decision) adopted by the EU in 2023. Under the Adequacy Decision, personal data can flow freely from the EU to U.S. without U.S. companies needing to put cumbersome and expensive data protection safeguards in place. However, the PCLOB is tasked with reviewing new U.S. government data privacy policies and procedures to insure they are consistent with the Adequacy Decision and to issue a report in compliance with that obligation. The PCLOB intended to issue its report in 2025 but has yet to do so.

On January 27, 2025, President Trump fired all the Democratic members of the PCLOB, including the Chair. As a result, the Board does not have a quorum, rendering it unable to function until new members are appointed and confirmed, which is typically a time-consuming process. The EU is watching the situation closely and has registered concern about the ability of the U.S. to meet its obligations under the Adequacy Decision. 

In the event the EU determines that the U.S. is unable to meet its obligations under the Adequacy Decision, U.S. companies will no longer be able to rely on that decision as proof of compliance with the EU’s data and security protection requirements. Should that happen, U.S. businesses will need to put additional, potentially costly security measures in place to continue doing business in the EU.

If you have questions about the PCLOB changes and their potential effect on your business, contact BHGR’s Corporate Group today. 

This article is informational only. The presentation or use of this information does not in any manner constitute an attorney-client relationship between BHGR and the website user. While the information on this site concerns legal issues, it is not intended as legal advice and is not a substitute for particularized advice from your own legal counsel.