Trump’s Sacking of PCLOB Members Threatens Data Privacy

On Jan. 27, President Donald Trump fired all of the Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB). His move renders the Board impotent as an oversight body and thereby threatens the EU-U.S. Data Privacy Framework, which supports the U.S. economy by permitting the flow of data between Europe and the United States. It could effectively return PCLOB back to its early days, when its members served “at the pleasure of the president,” and its work product was subject to White House control. It also portends a lengthy period in which the PCLOB has no quorum and therefore cannot commence investigations and issue reports on conduct of the intelligence community that threatens civil liberties.

PCLOB’s Inauspicious Start Under the Control of the President 

A recommendation from the National Commission on Terrorist Attacks Upon the United States (9-11 Commission report, p. 395) led to the establishment of the five-member PCLOB in 2004 under the Intelligence Reform and Terrorism Prevention Act (IRTPA).  Its original function was to provide advice to the president and agency heads to ensure that privacy and civil liberties are appropriately considered in regulations and policies related to anti-terrorism activities and information sharing requirements that were being implemented following the Sept. 11, 2001 terrorist attacks on the U.S. It was situated in the Executive Office of the President. All of its members were appointed by the president and, by statute, they served “at the pleasure of the president” for no fixed term of office. As originally constituted, the PCLOB had no responsibility to Congress other than to issue an annual report on its activities. 

That didn’t work out so well. An initial draft of its first annual report to Congress on its activities was shared with the president and came back with redlines from the White House Counsel that weakened the report. The redlined report had over 200 changes by the ACLU’s count and omitted statements about the disputed use of the material witness statute to detain people in the aftermath of the Sept. 11 attacks and about the PCLOB’s need for the President to direct agencies to cooperate with the Board. (pp. 40-41). This prompted a Democrat on the PCLOB—Lanny Davis—to publicly resign before testifying to Congress about  the need for PCLOB to become independent.

Rebirth as an Independent Agency

As a result, Congress, in the Implementing Recommendations of the 9/11 Commission Act of 2007, re-constituted the PCLOB as an independent agency within the executive branch. It made major changes to PCLOB’s statutory charter that, now, call into question President Trump’s authority to fire its members. Perhaps most notably, it removed the IRTPA provision indicating that PCLOB members “serve at the pleasure of the President.” It also removed PCLOB from the executive office of the president, deleted the statutory provision indicating that it was to operate under the “supervision” of the president, and substituted for it references to PCLOB as an “independent agency.” The president retained the power to appoint members of the PCLOB, but all of its members became subject to Senate approval and  Congressional testimony, and were given six-year terms of office. The circumstances under which they could be removed from office before their terms expired—and who could remove them—were not addressed. Finally, as a result of the amendments, no more than three of the five members of the PCLOB could be from the president’s political party. With respect to selection of the other two, the president had to consult with the other political party. 

The changes Congress made to PCLOB’s statutory charter demonstrated a clear desire to establish independence from the president—in particular, by stripping from the president the power to remove members at will. 

Hard-Hitting Reports and Shedding New Light

Shortly after it was up and running as an independent agency, PCLOB faced its first big test: the June 2013 revelations by then-NSA contractor Edward Snowden about intrusive, and possibly illegal, surveillance being conducted by the National Security Agency and other elements of the Intelligence Community. Its first report on those revelations underlined the value of its new independence. Focusing on Section 215 of the USA PATRIOT Act, PCLOB’s report questioned the lawfulness of the intelligence community (IC) interpretation that the statute authorized the bulk collection of records of phone calls made to, from, and within the United States, and debunked the brazen and oft-repeated IC myth that bulk collection had discovered or disrupted numerous terrorist attacks. Instead, the PCLOB announced that it had found no instance in which the bulk collection program had prevented an attack or provided unique value. Congress responded to these findings in the 2015 USA FREEDOM Act by outlawing bulk collection under Section 215 and other domestic intelligence authorities, and later allowing Section 215 to sunset.

These are not the kind of conclusions that members of a watchdog agency are likely to reach, publicize, and testify about to Congress if doing so could cost them their jobs as watchdogs. Nor is an agency dependent on the president for continued vitality likely to prompt disclosures of illuminating information that could be embarrassing to elements of his intelligence agencies. Indeed, PCLOB’s initial investigations of the Snowden revelations prompted, by the account of its then-Chair David Medine, the declassification of over 100 facts. A hostile and unchecked president could fire PCLOB members to stop such reports from coming out, or remove PCLOB members the moment they begin investigating intelligence activities that involve controversial or improper conduct. 

President Trump’s firing of PCLOB members threatens the Board’s ability to conduct investigations, issue critical reports, inform Congress about intelligence community misstatements, and prompt legislative changes to protect privacy and civil liberties. It also threatens the Board’s ability to prompt disclosure of information that helps the public and Congress better understand the scope of intelligence surveillance. 

Inability To Function Due To Lack of a Quorum

The removal of the three Democratic appointees could portend a long period during which PCLOB becomes substantially non-functional because it lacks a quorum. Under its statutory charter, the seats of at least three of PCLOB’s five members must be filled in order for the PCLOB to commence investigations and to issue reports. The Board has had one open seat for months — a Republican seat to which President Biden made a nomination on June 13, 2024 on which the Senate did not act. The firings leave PCLOB with only one active member (the sole remaining Republican appointee, Beth Williams) and render it substantially non-functional.

President Trump’s firing of PCLOB members could portend a long period of relative inactivity. The last time the PCLOB lost its quorum was in the summer of 2021; that quorum was restored in February 2022. PCLOB also lost its quorum was in January of 2017, just before President Trump’s first inauguration. It remained without a quorum until October 2018 — a full 20 months. During these periods, it could not commence any investigations or issue reports, though staff continued working with limited supervision on existing projects. Prior to that, the PCLOB lost its quorum in 2007, when it was first reconstituted as an independent agency. It took President Bush, President Obama, and the Senate five years to nominate and to confirm the members of the reborn PCLOB, which occurred on August 2, 2012.

Threat to Trans-Atlantic Data Flows and the EU-U.S. Data Privacy Framework 

Aside from its importance in protecting civil liberties, PCLOB cannot play its key role in enforcing U.S. obligations under the EU-US Data Privacy Framework (DPF) while it lacks a quorum of members. The European Commission would lose a key oversight tool for which it bargained, and the adequacy decision that it issued to support the DPF could be struck down under review at the Court of Justice of the European Union (CJEU), which struck down two predecessor EU-U.S. data privacy arrangements, the Safe Harbor Agreement and the Privacy Shield.

The DPF is the arrangement between the European Union and the United States that permits the flow of data between the EU and the U.S., and ensures that the U.S. maintains adequate privacy protections that are essentially equivalent for Europeans’ data, as is contemplated in the EU’s General Data Protection Regulation (GDPR). The European Commission determines whether a country outside of the EU maintains privacy protections that are essentially equivalent to those that govern data within the EU and issues an “adequacy decision” if it determines that they do. The Commission’s July 10, 2023 adequacy determination with respect to the U.S.  rests in large part on the Oct. 7, 2022 Executive Order 14086, which limits U.S. intelligence surveillance to 12 permissible purposes, and prohibits intelligence surveillance for the purpose of burdening dissent, restricting privacy, restricting the right to legal counsel, discriminating, or for collecting trade secrets to give U.S. companies a competitive advantage. It also introduces safeguards to promote accountability and provide redress for EU citizens in cases of abuse—an essential requirement for lawful processing recognized by the CJEU—which largely depend on the PCLOB’s independence and operational capacity. 

Executive Order 14086 requires the NSA and other elements of the IC to adopt new guidelines and practices that are consistent with the restrictions that the EO places on their intelligence surveillance activities. Those guidelines were released to the public on July 3, 2023.  Section 2(c)(iv) of EO 14086 “encouraged” PCLOB to review those guidelines for consistency with the requirements of the EO, and to issue a report with its findings. PCLOB agreed to conduct that review and announced plans to issue the report in 2025, but has not yet done so. Now that it has lost its quorum—because most of its members have been fired—it cannot issue the report until a quorum is restored (which could take months or years), raising doubt about  U.S. compliance with its obligations under the DPF. 

More broadly, even if PCLOB’s quorum is restored, its ability to carry out these responsibilities thoroughly and independently is compromised because its members could be removed as soon as they start investigating any conduct the president wants to keep hidden. Robust oversight requires the independence to challenge surveillance practices that may violate the law, a task made significantly more difficult when PCLOB members face the risk of removal for fulfilling their mandate.

Europe is watching, skeptically. The European Commission relied on the PCLOB review in the Commission’s adequacy decision on the DPF (paras. 126 and 167). EU Civil society and the European Parliament were very critical of the adequacy decision granted by the EU Commission. The Parliament adopted a resolution urging the European Commission to renegotiate the framework, stating that it "fails to create essential equivalence in the level of protection" as required by EU law. A hobbled PCLOB only exacerbates this issue. In its Oct.  9, 2024 review of the functioning of the DPF, the European Commission concluded that it will “closely monitor relevant developments in the next months and years, paying particular attention to (1) the upcoming reports of the PCLOB on the implementation of EO 14086 and … (3) the nomination and appointment of members to the PCLOB to fill upcoming vacancies.” Now that the Board members needed for a quorum have been fired, the report which the Commission is expecting cannot be issued in a timely manner, and the problem of prospective PCLOB vacancies that concerned the Commission a few months ago has worsened.

President Trump’s actions to paralyze the PCLOB threaten to destabilize the already fragile foundations on which the DPF stands, and could contribute to its collapse when the Commission’s adequacy decision is reviewed at the CJEU.  Without the DPF, numerous U.S. companies, such as tech giants Meta and Google, would be unable to rely on it to support the transfer of data from Europe to the U.S., which is crucial to the operation of their services. They would be forced to turn to a more cumbersome alternative legal basis for data transfers under the GDPR, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), which come with big challenges of their own and might not ultimately be feasible.