Doing Business in Europe? What to Know About U.S. Data Privacy and Security Changes Which May Threaten Transatlantic Commerce

by | Apr 1, 2025 | Corporate, Staff Writer

This article discusses recent changes at the Privacy and Civil Liberties Oversight Board (PCLOB) that could affect all U.S. businesses engaged in transatlantic commerce. Data, privacy, and security issues are quickly evolving in the United States (U.S.) and in the European Union (EU), requiring businesses to keep pace and be prepared to respond in a proactive manner or risk enforcement proceedings and the loss of valuable commerce and business dealings in the EU.

Changes at the PCLOB

Recent Trump Administration changes at the PCLOB affect all U.S. businesses that receive personal data and information from customers and businesses in the EU.

What is the PCLOB?

The PCLOB is an independent federal agency established by the 9/11 Commission Act of 2007 in response to concerns about the government’s surveillance programs and collection of private data and communications.[1] The bipartisan, five-member Board is appointed by the President and confirmed by the Senate. According to its website, “[t]he Board’s mission is to ensure that the federal government’s efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties.” [2]

The Board has several functions. First, it provides oversight by reviewing Executive Branch policies, procedures, regulations, and information to ensure that privacy and civil liberties are protected. [3] Second, it provides advice to the President and the Executive Branch on proposed legislation, regulations, and policies related to protecting the U.S. from terrorism. [4] Third, it plays a role in complying with U.S. obligations under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). [5]

What is the EU-U.S. DPF?

The EU-U.S. DPF facilitates “transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfer” from the EU to the U.S. [6] It is administered by the International Trade Administration (ITA), which is part of the U.S. Department of Commerce. Under the EU-U.S. DPF, U.S. businesses self-certify their compliance with the EU-U.S. DFP and commit to comply with its data privacy and security principles. Once a U.S. business “self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.” [7] The business is then placed on the Data Privacy Framework List maintained by the ITA. [8]

The EU determines if a non-EU country has an adequate level of data protection and then issues an adequacy decision, allowing data to flow from the EU to the non-EU country. [9] On July 10, 2023, the EU adopted an Adequacy Decision for the EU-U.S. Data Privacy Framework (Adequacy Decision). [10] On the basis of that decision, “personal data can flow freely from the EU to companies in the United States that participate in the [EU-U.S. DPF]” without those companies needing to put additional, cumbersome, and expensive data protection safeguards in place. [11]

The Adequacy Decision relied in large part on Executive Order 14086 (EO 14086) issued by President Biden on October 7, 2022. [12] EO 14086 places limits on the U.S. intelligence community’s surveillance operations and collection of personal data and information. It also identifies safeguards intended to address the EU’s concerns about data collection and privacy. To that end, EO 14086 tasks the PCLOB with consulting with the U.S. intelligence community in developing new data privacy policies and procedures consistent with the order and then with reviewing the updated policies and procedures issued by the intelligence community as directed by the order. [13] The PCLOB intended to issue its report on those new policies and procedures in 2025 but has yet to do so. [14]

2025 Changes

On January 27, 2025, President Trump fired all the Democratic members of the PCLOB, including the Chair. Only one Republican Board member remains. As a result, the Board does not have a quorum, rendering it unable to function until new members are appointed and confirmed—a process that has historically taken months and even years to accomplish.

The EU is watching the situation closely and has registered concern about the ability of the U.S. to meet its obligations under the Adequacy Decision. [15] Meanwhile, two of the fired members of the PCLOB have filed a lawsuit and challenged the dismissals, alleging violations of the Administrative Procedure Act and the Due Process Clause.

What’s Next?

In the event that the EU determines that the U.S. is unable to meet its obligations under the Adequacy Decision, businesses in the U.S. will no longer be able to rely on that document as proof of compliance with the EU’s data and security protection requirements. Should that happen, U.S. businesses will need to put additional (and potentially expensive and cumbersome) security measures in place to continue doing business in the EU. American businesses will need to be nimble, proactive, and have a plan in place to respond to these changes or risk losing the ability to do business in the EU.

BHGR’s Corporate Group is well-versed in state, federal, and international data privacy laws and is here to help you navigate the changes ahead. Contact us today if you have questions about the information in this article or what your business can do to protect itself.

This article is informational only. The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting based on information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein—and your interpretation of it—is applicable or appropriate to your particular situation. All liability with respect to actions taken or not taken based on the contents of this site are hereby expressly disclaimed. The content on this posting is provided “as is;” no representations are made that the content is error-free.

Resources

[1] https://www.pclob.gov/About/HistoryMission

[2] See id.

[3] See id.

[4] See id.

[5] https://eur-lex.europa.eu/eli/dec_impl/2023/1795/oj The EU-U.S. DPF also extends to the United Kingdom (UK), Gibraltar, and Switzerland.

[6] https://www.dataprivacyframework.gov/Program-Overview#:~:text=The%20EU%2DU.S.%20Data%20Privacy,with%20reliable%20mechanisms%20for%20personal

[7] Id.

[8] See id.

[9] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#:~:text=Adequacy%20decisions-,Adequacy%20decisions,adequate%20level%20of%20data%20protection.&text=The%20European%20Commission%20has%20the,decision%20by%20the%20European%20Commission.

[10] https://eur-lex.europa.eu/eli/dec_impl/2023/1795/oj

[11] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en#:~:text=On%20the%20basis%20of%20the,clauses%20and%20binding%20corporate%20rules

[12] https://eur-lex.europa.eu/eli/dec_impl/2023/1795/oj

[13] https://www.federalregister.gov/documents/2022/10/14/2022-22531/enhancing-safeguards-for-united-states-signals-intelligence-activities

[14] https://documents.pclob.gov/prod/Documents/EventsAndPress/6e6c7a7b-6036-4d6d-b635-ffb53f68e4f4/Statement%20on%20PCLOB%20Review%20Under%20Section%203%20of%20EO%2014086,%20Completed%20508,%20Nov%207%202024.pdf

[15] https://www.europarl.europa.eu/doceo/document/E-10-2025-000540_EN.html