"Independent" does not really change anything about the advisory/governance thing. And tech companies are very well known for breaking laws, especially privacy related ones, so I don't see the point either, yes.

> What about "independent" and "legally obligated"?

What about them? It can be as independent and legally obligated to focus on whatever set of interests you want, if its only an advisory board, then it has no real power. (And, unless there is some guarantee of information other than what the management of the main org feels like giving it to support its advisory function, it can't even serve as a reliable canary.)