The DPF's viability remains uncertain; the Commission provides only evasive answers regarding data security. The agreement's status could become subject to future negotiation; companies should take appropriate precautions. Legal uncertainty persists, and further developments must be closely monitored.
Following our report on 23 January 2025, which highlighted the risks posed to the EU-US Data Privacy Framework (DPF) by political decisions in the US – particularly the dismissal of members of the PCLOB oversight board – the European Commission responded on 14 April 2025 to a related European Parliamentary question (E-000540/2025). However, the answer is evasive about the concerns regarding the agreement's stability and avoids taking a clear stance on the highlighted risks.
The Commission indicates that it does not intend to repeal or suspend the adequacy decision for the DPF for the time being. Its main argument is that US Executive Order 14086 (EO 14086), which forms the basis of the DPF and establishes safeguards for EU citizens' data, remains in force. It also refers to the safeguards enshrined within it, such as limiting data collection to what is necessary and proportionate, and the redress mechanism established through the Data Protection Review Court.
However, this formal reasoning contrasts sharply with the specific developments discussed back in January and reiterated in the parliamentary question:
PCLOB Independence: The dismissal of three Democrat members of the Privacy and Civil Liberties Oversight Board (PCLOB) by the Trump administration in January 2025, casting doubt on the independence of this key oversight body, which is crucial for monitoring US surveillance activities.
DOGE Access: Reports since February 2025 of increasing access to sensitive government databases by the newly created "Department of Government Efficiency" (DOGE), led by Elon Musk.
Law Enforcement Data Protection: Resulting doubts about whether adequate data protection is still ensured for data transfers in the area of law enforcement (Umbrella Agreement, Europol/Eurojust cooperation).
In its response, the Commission does not directly address the specific incidents (PCLOB dismissals, DOGE/Musk) and answers the questions posed inadequately:
On Question 1 (Does the Commission share concerns about PCLOB independence?): The Commission does not state whether it shares the concerns previously raised in January. It merely states it is "closely following the developments" and refers to the PCLOB's statutory, bipartisan structure.
On Question 2 (Will the DPF be suspended? If not, why not?): No suspension is announced. The explicitly requested justification for not suspending the framework is omitted. The Commission only mentions its general power to review and, if necessary, suspend, amend, or repeal the decision if the required level of protection is no longer ensured.
On Question 3 (Is data protection still ensured for law enforcement data?): This entire aspect is ignored in the Commission's answer.
Evaluation
The response is therefore limited to describing the formal legal framework without assessing the concrete risks discussed in January and mentioned in the question, or answering the direct questions about its assessment and potential consequences. The omission of the question regarding data protection in law enforcement is particularly noteworthy.
This approach leaves room for speculation. It could suggest that negotiations are ongoing behind the scenes, or that the Commission, given the politically sensitive situation, wishes to avoid committing itself through clear statements and is refraining from directly addressing the allegations made in the question. This means that the fragile foundation for transatlantic data transfers, as described in January, persists.