Trump, the rule of law and the adequacy decision

Quis custodiet ipsos custodes?

A few days after Donald Trump took office, it emerged that he had acted to paralyse the Privacy and Civil Liberties Oversight Board (PCLOB).

Quis custodiet ipsos custodes? is a Latin phrase which can be translated as Who watches the watchers?

The PCLOB is, on paper, an independent agency of the US government that overseeing the surveillance authorities. Among other things, the PCLOB has issued reports and recommendations on US surveillance. The agency is supposed to have five members, picked by both Democrats and Republicans. Members are given relatively long terms of six years.

The agency has recently had four members, and one vacancy. The PCLOB needs at least three members to take official actions.

On Tuesday, three of the members – all picked by Democrats – received an email from the White House. It said they were expected to submit resignation letters by the end of the day today, Thursday. Otherwise, Trump would terminate their positions.

Update, 28 January 2025: Trump has terminated the members’ positions.

PCLOB and independence

The PCLOB has a role which is particularly important from a European perspective. It is part of the changes the US made to accommodate the European Commission after the Schrems II judgment and obtain a third adequacy decision.

Executive Order 14086 (EO 14086), which is the basis for the changes implemented by the United States, describes an annual evaluation by the PCLOB of the review mechanism established through the so-called Data Protection Review Court (DPRC). The PCLOB would then review, among other things, whether the DPRC is acting in accordance with EO 14086 and whether the intelligence agencies are fully complying with the DPRC’s determinations.¹

The European Commission’s adequacy decision in turn mentions the PCLOB in 31 places.

The adequacy decision highlights, among other things, the PCLOB’s oversight over the intelligence agencies and that in its work, the PCLOB has the right to access necessary documentation, including classified information, and conduct interviews; that the intelligence agencies have designated persons who report to the PCLOB on complaints and internal reviews; that the PCLOB is to be consulted when the Attorney General appoints members to the DPRC; and that the PCLOB is to conduct a regular and independent review of the functioning of the DPRC.²

This latter role of reviewing the DPRC is described in the adequacy decision as follows (footnote omitted):

”Finally, the correct functioning of this redress mechanism will be subject to regular and independent evaluation. More specifically, pursuant to EO 14086, the functioning of the redress mechanism is subject to annual review by the PCLOB, an independent body (see recital 110) (390). As part of this review, the PCLOB will, inter alia, assess whether the ODNI CLPO and DPRC has processed complaints in a timely manner; whether they have obtained full access to necessary information; whether the substantive safeguards of EO 14086 have been properly considered in the review process; and whether the Intelligence Community has fully complied with determinations made by the ODNI CLPO and DPRC. The PCLOB will produce a report on the outcome of its review to the President, Attorney General, Director of National Intelligence, head of intelligence agencies, the ODNI CLPO and congressional intelligence committees, that will also be made public in an unclassified version – and will in turn feed into the periodic review of the functioning of the present Decision that will be conducted by the Commission. The Attorney General, Director of National Intelligence, ODNI CLPO and heads of intelligence agencies are required to implement or otherwise address all recommendations included in such reports. In addition, the PCLOB will make an annual public certification as to whether the redress mechanism is processing complaints consistent with the requirements of EO 14086.”³

I have previously written about the adequacy decision and why Executive Order 14086 and the Data Protection Review Court are not sufficient to meet the requirements of EU law. I therefore believe that there is much to suggest that the adequacy decision would be invalidated if the CJEU were to rule on it. The PCLOB is part of this system and cannot alone address the shortcomings that exist.

Nevertheless, the PCLOB has, at least in theory, represented some form of independent oversight of the surveillance apparatus. It was initially located within the White House but was later given a relatively greater degree of independence. Although the PCLOB cannot be said to have ensured the defence of the rule of law in a surveillance context, it could perhaps have evolved further in that direction over time.

The rule of law and Trump’s behaviour

So what does the rule of law mean, and what consequences will Trump’s behaviour have?

The rule of law aims to prevent or limit the arbitrary use of power.⁴

Both the Council of Europe and what would become the European Union were formed against the backdrop of the legacy of the Second World War. The EU’s Treaties and Charter emphasise the rule of law. The rule of law is also mentioned in the preamble of the European Convention on Human Rights. Both the Court of Justice of the European Union and the European Court of Human Rights have emphasised the importance of the rule of law in decisions concerning signals intelligence.⁵

Trump’s behaviour, which is hard to describe as anything other than an expression of blatant contempt for the rule of law, shatters all this. There can no longer be any illusions about the independence of PCLOB members: it has been eviscerated. Who will trust that appointed replacement members – regardless of party affiliation – can act independently as long as Trump is president?

Moreover, a Special Advocate of the DPRC has already resigned on his own initiative in protest against Trump.

The New York Times reports:

”Advisers to Mr. Trump subscribe to a strong view of presidential power called the unitary executive theory, under which the Constitution should be interpreted as giving presidents exclusive control of the executive branch and independent agencies are considered illegitimate. During the campaign, Trump allies vowed to stomp out pockets of independence in the executive branch if he won the election.”

Through his actions against the PCLOB, Trump has delivered on this also in terms of the President’s view on surveillance and (un)willingness to let power be scrutinised in this context.

The question is whether the DPRC is next in line.

Executive Order 14086 does state that DPRC members are given a protection for their positions – relative to the Attorney General, who needs good cause to remove members.⁶ But Trump is President and stands above the Attorney General. It is not hard to imagine that the DPRC members, who are supposed to deal with Europeans’ complaints about surveillance, are now wondering whether the President has them in his sights too.

Perhaps the DPRC members have already been threatened or retaliated against without our knowledge. Maybe it will happen in the future. Either way, the damage is already done: how can we now trust the DPRC members to feel safe in their positions and to make decisions independently? Especially when the PCLOB – whose own independence has been compromised – was supposed to be the force that independently scrutinised the DPRC.

For someone seeking to undermine or influence the DPRC, it is logical to start by attacking the PCLOB, which could otherwise have scrutinised the DPRC as part of its mandate, raising concerns and highlighting malpractice.

Trump’s actions against the PCLOB can thus be said to have cast a dark shadow over the entire surveillance review system, seriously impairing its legitimacy and credibility.

Impact on the adequacy decision

All of this naturally has a strong negative impact on the status of the adequacy decision.

It is likely that the European Commission will have to act in some way. First, probably by announcing that it is asking questions of its US counterparts (if such contacts have been established), and that it will carefully review the situation. The next question is if there is political will among EU governments to stand up for the rule of law.

It seems reasonable that EU member states should clearly stand up for one of the fundamental values of the EU. Not least at a time when more and more of our digital lives have been handed to a few US cloud service providers, all subject to the same surveillance legislation.⁷

As the President of the Court of Justice of the European Union, Koen Lenaerts, put it in 2015, after the Safe Harbour decision was invalidated: ”Europe must not be ashamed of its basic principles: The rule of law is not up for sale.”

Moreover, the situation could soon get significantly worse. Max Schrems at noyb writes:

”41 days for next crunch point. In one of the first Executive Orders Trump has signed on Monday, he determined that all Biden national security decisions (including the relevant decisions that the EU-US transfers rely upon) shall be reviewed and potentially scraped within 45 days. This means that further elements the TADPF relied upon could be killed in a matter of weeks. As the entire deal is based on Biden executive decisions, Trump could scrap all key elements of the deal with a single signature – leading to instantly illegal data transfers between the EU and the US.”

In just over a month, the basis for the entire adequacy decision could be gone. Brace yourselves!

How wrong can a person be…

On 6 November 2024, after the US election results were in, I wrote an internal analysis on the impact of the Trump presidency on the adequacy decision. The analysis concluded as follows:

”In short, the adequacy decision is good for the United States, and bad for the European Union. I don’t see any incentives for a Trump administration to risk its validity.”

I have thus already been proven wrong about Trump’s actions. The question is whether I was merely wrong, or whether it will turn out that I was wrong as hell.

Sources

1. Executive Order 14086 section 3(e). ↩︎
2. The European Commission’s adequacy decision recital 167. ↩︎
3. The European Commission’s adequacy decision recital 194. ↩︎
4. Jonsson Cornell and Sannerholm (editors), Rättsstatens principer s. 15, Iustus Förlag, Uppsala 2023. ↩︎
5. CJEU case C-311/18 Schrems II p. 187 and the ECHR’s judgment in Centrum för rättvisa v. Sweden p. 246 och 373. ↩︎
6. Executive Order 14086 section 3(d)(iv). ↩︎
7. We have given some Examples of US surveillance abuse. ↩︎