It took less than a week into the U.S. President Donald Trump's second mandate for privacy and data transfers to make it to the forefront, arguably alongside many other issues and in a less dramatic way. The executive order rescinding "harmful executive orders and actions" adopted under the previous administration set the tone: the ambition for a clean slate across policy areas.
In areas impacting our community issues, this translated most visibly in demanding that all three Democratic members of the U.S. Privacy and Civil Liberties Oversight Board resign by close of business 23 Jan. or be fired — some for show as their mandate was ending within days anyway.
The PCLOB is an independent watchdog formed to scrutinize U.S. surveillance practices and review their alignment with privacy and civil liberty requirements, including in the trans-Atlantic context, underpinning some of the U.S. government commitments under the EU-U.S. Data Privacy Framework. The U.S. Department of Justice also saw the dismissal of several top-level career officials in national security.
Again, this purge is not specific to areas of data protection or transfers but, for the sake of this column, it is fair to say these actions are sending up flares European officials won't fail to pick up.
That being said, there have been no firm signals from the Trump camp that EU-U.S. data transfers would be at risk. The PLCOB needs a quorum of three members to function and could be back at that level very soon. There is also no indication the new administration plans to do away with other building blocks that support the DPF implementation. And the DPF, much like its predecessors, has bridged several administrations with continued bicameral and bipartisan support.
There is also a question on this side of the pond on where the energy and political focus will be in the coming months. The unappealing prospects of a trade war are in play of course, but there is also a growing attention in Europe to data transfers to China, among others, as we expect possibly transformative regulator decisions later this year.
Elsewhere
Thirty European data protection authorities drew conclusions from their 2024 Coordinated Enforcement Action on the implementation of the right of access under the EU General Data Protection Regulation. European Data Protection Board Deputy Chair Zdravko Vukíc said, "how controllers implement the right of access lies at the heart of data protection and it is one of the most frequently exercised data subject rights."
The CEF shows more awareness of existing guidelines is needed. It also attests to the lack of documented internal procedures to handle access requests, inconsistent interpretations and barriers to individuals' exercise of rights, among others.
Overall, though, DPAs find compliance with the right to access is above average. The 2025 CEF will focus on the implementation of the right to erasure.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.