Home » The New US-EU Data Deal: Will there be a Schrems III?

The New US-EU Data Deal: Will there be a Schrems III?


In previous years, the transfers of data have been a tug of war between the EU and the US. At the beginning, companies depended on an agreement known as the Safe Harbor Privacy Principles. But in 2015, a court case titled Schrems I, named after lawyer and privacy advocate Max Schrems, invalidated the agreement. Max Schrems claimed that the Principles offered weak protection against intrusion, and that the US intelligence agencies could access EU citizens’ far too easily.

Thus, a new set of rules name “Privacy Shield” replaced the Safe Harbor Principles. Privacy Shield provisions operated until 2020, when the European Court of Justice (CJEU) decreed that this Shield also offered insufficient protection against governmental intrusion. This case is known as Schrems II and drew attention to two major issues. The first was that the US could still undertake mass surveillance regardless of whether national security issues were at stake. The second issue emphasized the absence adequate procedures to monitor cases of data mishandling and to sanction violations. No independent and binding authority could argue on behalf of EU citizens when US intelligence activities overstep their bounds.

On the 7th of October 2022, President Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities.”1 This Framework was agreed to by both President Biden and European Commission President von der Leyen in March 2022: It includes explicit safeguards and review mechanisms for US intelligence activities and provide means to seek redress for privacy violations.

How does the New US-EU data deal differ from the previous ones?

Data transfers are essential to the US-EU economic relationships and businesses. There are more data flows between the US and Europe than anywhere else, enabling economic transactions between the two blocs worth $7.1 trillion. This explains why the outcome of Schrems II has caused serious disruptions. These have been partially circumvented by resorting to alternative transfer mechanisms, such as the Standard Contractual Clauses (SCCs). However, SCCs are not fully satisfactory. Thus, the announcement of the new U.S-EU data deal has been good news. Nevertheless, one wonders whether the new Framework will meet expectations.

According to the European Commission,2 the Framework represents a remarkable US commitment. In particular, the US will3

    • Enforce new safeguards to guarantee that future actions are both essential and proportionate to pursue national security. In this light, the US regime will almost replicate the EU standards;
    • Establish a new redress mechanism, which includes a new Data Protection Review Court. This Court will investigate and resolve complaints regarding access to European citizens’ data by US national security authorities. In case of illegal transfer of data, the court can impose sanctions of up to 20 million euros, or 4% of the firm’s total revenue.

The new agreement is not yet operational, though. First, the relevant branches of the EU must give the green light, and getting all 27 countries to agree can take a long time, not to mention the fact that eventual modifications must go back to the US for approval. Checks and double checks to avoid conflicts with any existing legislation will also take time. Moreover, there is a chance that the future US president will rescind the agreement. A third and most serious concern regards possible opposition from the activist group Access Now and the European consumer organization BEUC. According to them, the data deal is not enough. Max Schrems himself has also already expressed reservations about the Framework and questioned its ability to meet the “essentially equivalent protections” test articulated by the CJEU in Schrems II. He stated his intention to challenge the new agreement if its final details do not comply with EU law. For example, the US government has not promised to refrain from intruding, but just to limit its activity to “legitimate national security interests.”

Finally, it is unclear how the Framework will handle the recent Supreme Court decision in FBI v. Fazaga, which upheld the “state secrets” privilege, making challenging government surveillance agendas in federal courts increasingly hard. The Fazaga judgment also adds to the current weaknesses of the US privacy safeguards.

To conclude, an executive order alone will not solve the problems with the U.S. surveillance regime. Effective surveillance reform is needed to safeguard people’s privacy and place transatlantic data transfers on legal grounds. Companies and individuals in the United States will continue to pay the price until that happens.

2 European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework, European Commission, 25 March 2022 https://ec.europa.eu/commission/presscorner/detail/en/ip_22_2087

3 Questions & Answers: EU-U.S. Data Privacy Framework, European Commission, 7 October 2022 https://ec.europa.eu/commission/presscorner/detail/en/QANDA_22_6045

You may also like

Leave a Comment