TL;DR
- The Privacy and Civil Liberties Oversight Board (PCLOB), a US data protection body, has been weakened by Trump’s decision to remove Democratic members.
- This threatens the Transatlantic Data Privacy Framework (TADPF), which allows EU businesses to transfer data to the US.
- If the PCLOB is permanently weakened, the EU may be forced to annul the TADPF, making US cloud services potentially illegal for EU businesses (this has happened before).
- Trump’s recent executive order demands a review of all Biden-era security policies within 45 days, meaning the situation could escalate quickly.
- The European Commission may have to act soon.
The EU-US data transfer deal might be heading for another collapse. Trump’s decision to remove members from the US privacy watchdog has raised doubts about whether the US can still be considered a safe place for European data. If the PCLOB becomes dysfunctional, the entire foundation of the Transatlantic Data Privacy Framework could crumble.
For EU businesses using US cloud services like Google, Amazon, and Microsoft, this could lead to legal uncertainty. And with Trump reviewing Biden-era policies, things could change within weeks.
What’s happening?
We’ve known for a while that US intelligence agencies can access data stored by US tech companies, even when that data belongs to Europeans (thanks to Snowden). This has led to ongoing legal battles over whether the US offers enough privacy protections compared to the EU. Twice before, the Court of Justice (CJEU) has ruled that these protections are not enough.
In 2023, the European Commission pushed through the TADPF, relying on promises made in Biden’s executive orders and oversight by the PCLOB. The problem? These executive orders aren’t laws, meaning a new US president can undo them as he pleases. That’s exactly what might happen now.
The PCLOB is the only general oversight body ensuring US compliance with the deal. Other mechanisms only apply if a "plaintiff takes legal action", which is difficult under US law. With Trump removing PCLOB members, its ability to function is in doubt.
Why does this matter?
For EU businesses, the TADPF has been a legal safety net. As long as it exists, companies can legally transfer data to the US. If the EU annuls the framework, businesses, schools, and government agencies may no longer be able to use US cloud services without violating GDPR.
Some risks:
- Tech giants like Google, Microsoft, and Amazon may face EU restrictions if data transfers become illegal.
- EU businesses relying on US cloud services will need to find European alternatives or risk non-compliance. (GA4 sucks anyway :).
- Legal uncertainty could disrupt international business operations.
Trump has also signed an executive order requiring a review of Biden’s national security decisions within 45 days. If he scraps Biden-era privacy commitments, the entire TADPF could collapse.
Final thoughts
The EU-US data transfer deal was always fragile, relying more on political promises than solid legal protections. Now, with Trump weakening oversight, the future of US cloud services in the EU looks uncertain. Businesses should start preparing for a "host in Europe" contingency plan in case the deal is really dead in the water.
At Simple Analytics, we believe in privacy-first web analytics. Unlike Google Analytics, we don’t rely on US cloud services. We are EU-based, GDPR-compliant and don't store any personally identifiable information. Feel free to give us a spin.