Trump’s PCLOB Purge Risks Banning Meta, ExTwitter, Google, And Even Truth Social From Europe

In his latest “drain the swamp” move that will actually flood the entire ecosystem, Trump demanded the Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) resign immediately. This may sound like just more petty partisan BS, but it could have huge unintended consequences, including for Trump’s own companies.

Sometimes it helps to actually understand how government works before going in and smashing things.

One of the long list of nutty moves by the new Trump administration last week was to demand that the three Democratic-chosen members of the Privacy and Civil Liberties Oversight Board (PCLOB) resign by the end of the day. As far as I can tell, none of them have actually done so, but I imagine their tenure is not likely to last much longer.

Without the PCLOB providing a veneer of oversight on US surveillance, the entire EU-US data sharing framework could collapse, effectively banning Facebook, Instagram, ExTwitter, YouTube, and other US-based services (including Truth Social) from having any European users. Oops.

On Tuesday evening, each of the three members who were picked by Democrats — Sharon Bradford Franklin, Edward W. Felten and Travis LeBlanc — received an email from the White House telling them to submit resignation letters by the close of business on Jan. 23, according to three people with knowledge of the situation.

The people spoke on condition of anonymity for fear of reprisal. They said the email, sent by Trent Morse, the deputy director of presidential personnel, told the board members that that President Trump would terminate their positions if they did not resign by that deadline.

The fifth seat is currently vacant. The Trump White House did not tell the board’s sole current Republican-picked member, Beth Williams, to leave, two of the people familiar with the matter said.

While this could be seen as yet another version of Trump’s dissolving of various advisory boards (including the one investigating the massive Chinese Salt Typhoon hack), there’s a potentially much bigger impact here, which could do serious damage to a ton of American internet companies, including those of the tech oligarchs who lined up behind Trump on inauguration day.

That’s because the PCLOB is written directly into a US/EU agreement that acts as a key check on US government surveillance to ensure European citizens’ data is adequately protected when transferred to the US. Without this, the EU may find the framework fails to meet its privacy standards, and thus bar American internet companies from allowing anyone in the EU to access them.

And, yes, there’s some irony here, given the whole TikTok ban nonsense. The US justified that ban based on the claim that the Chinese government could demand access to data on US users using TikTok. This is the same thing: the EU can now effectively ban US internet companies by noting that the US government can demand access to EU users on those platforms.

In the past, the US might have had a moral high ground to push back on this. But after the TikTok ban, they no longer do.

To understand the details, though, involves understanding some wonky policy that often puts most people to sleep. But stick with it.

First, there’s the PCLOB itself. It was created in 2006 as a (supposedly) independent effort to oversee government activities that might violate civil liberties, in particular looking at efforts by law enforcement and the intelligence community to spy on Americans. Basically every president since its announcement has hated that it exists. Even though it was created in 2006, it wasn’t actually staffed until 2012 (yes, Obama went four years without filling it).

For a short time, it actually did some good work pointing out how the programs exposed by Ed Snowden appeared to be both illegal and unconstitutional.

Of course, soon after that, Congress focused on undermining the PCLOB as punishment for daring to point out the problems of US surveillance programs. By the time the Trump administration came around, the Board was already effectively dead. Trump did actually appoint some members to the board last time around. But now he’s demanding all of them but one resign.

Here’s the other part of the history that’s important; the ability of US internet companies to have EU users literally depends on the existence of this board. For well over a decade, there’s been a very important, but little followed, fight between the US and the EU over “trans-Atlantic data flows” regarding US companies collecting data on EU users.

The US and the EU negotiated a “privacy safe harbor” in which US companies had to get “certified” by random consultants that they “protected” EU data properly. In the wake of the Snowden revelations, EU privacy advocate Max Schrems challenged the Safe Harbor as being a fig leaf and not actually meeting EU privacy requirements, to which the EU Court of Justice agreed, throwing out the safe harbor.

The US and EU negotiated for a while and came up with a new plan, called the “Privacy Shield” rather than Safe Harbor, though it appeared to fix none of the actual problems of the Safe Harbor. It took a few years, but the EU Court of Justice again found the Privacy Shield insufficient in another case brought by Schrems.

Once again, the US and EU negotiated and once again, rather than doing the main thing that would fix the problem (limiting NSA surveillance authorities), the US and EU came to a new agreement called the “Data Privacy Framework.”

Meta, for one, celebrated this agreement in 2023, noting that it was necessary to “continue providing our services in Europe.” It’s not clear if ExTwitter or Truth Social were even aware that this happened, but it was important to both of them as well. I will note that X is listed as being certified under the Framework on the Data Privacy Framework site.

I don’t see Truth Social on the list, though it’s possible it’s registered under another name.

So, here’s where the rubber meets the road: the key part of the Data Privacy Framework that made it more acceptable than the earlier Safe Harbor or the Privacy Shield… was that it relied on the PCLOB to step in and make sure that there was oversight of US government surveillance programs, to make sure they did not violate specific privacy rights of Europeans.

The agreement directly calls out the important role of the PCLOB:

Thirdly, to the extent they carry out counter-terrorism activities, departments with criminal law enforcement responsibilities are subject to oversight by the Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency within the executive branch composed of a bipartisan, five-member Board appointed by the President for a fixed six-year term with Senate approval

Without the prong of oversight, it’s quite reasonable to say that the Data Privacy Framework is no longer in effect.

And that could mean that EU data protection regulators could soon step in and block data transfers of EU users to US servers, effectively blocking EU users from using any of these American services. EU privacy folks are well aware.

Max Schrems, who brought the cases that killed both the privacy safe harbor and the Privacy Shield, put out a statement about this as well.

The European Union has relied on these US boards and tribunals to find that the US provides “adequate” protection of personal data. Relying on PCLOB and other mechanisms, the European Commission allows European personal data to flow freely to the US in the so-called “Transatlantic Data Privacy Framework” (TADPF). Thousands of EU businesses, government agencies or schools rely on these provisions. Without TADPF, they would need to stop using US Cloud Providers like Apple, Google, Microsoft or Amazon instantly. 

Schrems notes that companies can still rely on the DPF framework until it is officially annulled, but that could happen relatively soon.

Ironically, Trump’s own Truth Social could be one of the casualties if the EU decides to pull the plug on data transfers. Without a PCLOB rubber stamp, Truth Social may find itself locked out of the European market entirely. And while that might not matter too much to Trump, I would imagine the same thing matters quite a bit to “First Buddy” Elon Musk, whose ExTwitter has been losing tons of users and really needs EU users.

In other words, Trump’s reckless move threatens to cut off American tech giants from one of their most important markets, in a misguided attempt to avoid basic oversight and accountability.

So, yeah, for all of Zuckerberg sucking up to Trump, it may lead to losing EU users on Facebook, Instagram and WhatsApp. What good is self-removing your own spine to suck up to an ignorant authoritarian, when that authoritarian’s bull in a china shop approach to governing might just wipe out one of your largest markets?