A Data Protection Debacle With Global Repercussions
An everyday scenario:
A German authority or a European hospital uses a well-known US cloud platform to store and process sensitive data, including personal information, strategic plans, medical findings, and security-critical documents.
Previously, there were at least formal guarantees that such data could not be arbitrarily analyzed and further used by US authorities or companies. However, these guarantees are now null and void:
On January 27, 2025, the Trump administration dismissed three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB). This independent authority monitors and evaluates US surveillance practices to ensure transparency and data protection. With the loss of its members, the PCLOB lost its quorum and is currently unable to carry out its work effectively.
This development is important for European companies that do business with the USA or store data there. It once again raises questions about EU data sovereignty and secure communication solutions.
The Role of the PCLOB in the EU-US Data Protection Framework
The Privacy and Civil Liberties Oversight Board (PCLOB) is an independent agency within the US government’s executive branch established by Congress in 2004. It aims to balance national security and the protection of civil rights.
To this end, the Board advises the President and other senior executive branch officials to ensure that privacy and civil liberties concerns in the United States are appropriately considered in developing and implementing all terrorism-related laws, regulations, and executive branch actions.
Effects on European Companies
Transatlantic data traffic was already a critical issue. In 2020, the European Court of Justice (ECJ) declared the EU-US Privacy Shield invalid (Schrems II ruling) because US surveillance laws are not compatible with the General Data Protection Regulation (GDPR). In particular, the ECJ criticized the extensive surveillance powers of US security authorities and the lack of legal protection for affected EU citizens.
The Trump administration’s decision to dismiss the three Democratic members of the PCLOB now has further profound consequences for European companies, organizations, and authorities:
The PCLOB was one of the few US institutions that at least provided a formal mechanism for safeguarding data protection rights. Without this protective body, European companies and organizations are now in an even more precarious position. The data processed via US services is hardly protected from uncontrolled access.
Companies that store their data in US clouds must now assume that this data can be legally analyzed, sold, or even passed on to US government agencies.
This poses a significant threat, particularly for critical infrastructure operators, municipalities, public authorities, and the healthcare sector. Sensitive information can fall into the wrong hands, resulting in data breaches and security risks.
This development is a wake-up call for those responsible in Europe. Dependence on US cloud services harbors enormous risks for data protection, compliance, and cyber security.
But what alternatives are there? And how can European companies and organizations regain their data sovereignty?