Brace Yourselves, Schrems III is Coming

The EU’s General Data Protection Regulation (“GDPR”) mandates that personal data may only be transferred to a third country for processing if that country’s laws give EU subjects adequate protection.[1] Without this protection, data transfers to a third country are considered unlawful.[2] The GDPR authorizes four lawful ways for a transfer of personal data to a third country.[3] Perhaps the least burdensome transfer mechanism for businesses is through an adequacy decision. This is when the EU commission grants a positive adequacy decision to a third country, which basically states that the third country will provide GDPR-like protections and no other safeguards are required for personal data transfers.[4] If such an agreement doesn’t exist, each individual company must provide appropriate safeguards through binding corporate rules, standard contractual clauses, or other certification mechanisms.[5] Given how frequently companies transfer data between the U.S. and the EU, and the countries’ strong trade relationship, this can be a heavy burden on companies and consumers.[6]

            To facilitate transferring data, there have been two attempts to establish a data transfer agreement, Privacy Shield I and II. Both agreements lasted for a short time and were stricken by the CJEU’s decisions in Schrems I and Schrems II.[7] In both court decisions, the Court of Justice of the European Union (“CJEU”) found that Mr. Schrems, the plaintiff, had data which could be accessed by US authorities such as the National Security Administration, without the same safeguards that were available in the EU.[8] The main missing safeguard was that there was no legal course of action by which EU citizens could challenge U.S. intelligence collection of a subject’s data.[9]

In March 2022, the Department of Commerce and the EU commission announced that it reached an agreement in principle to make a new Privacy Shield-like agreement, called the EU-U.S. Data Privacy Framework.[10] After the agreement in principle was announced, and to resolve underlying concerns the CJEU had with the previous agreements, the Biden administration issued a string of executive actions on October 7, 2022.[11] These orders issued new instructions on how U.S. intelligence agencies collected and used personal data.[12] Additionally, these orders directed the U.S. Attorney General to form a new Article II court, named the Data Protection Review Court, to issue decisions on alleged violations of U.S. surveillance law.[13] This new court system would allow foreign governments to issue complaints on behalf of their citizens.[14] These actions, theoretically, should give EU subjects a legal avenue to challenge law enforcement actions if they collect their data.

Many companies are likely breathing a sigh of relief, as a new data agreement will no doubt make data transfers between the EU and the U.S. easier than Standard Contractual Clauses, and these recent actions make it seem that this agreement will survive judicial scrutiny. Even though the agreement has not been finalized or gone into effect, it has its critics. Mr. Schrems stated that by making this agreement with the U.S., the EU commission is ignoring U.S. intelligence law and allowing EU subjects to be unlawfully surveilled.[15] Mr. Schrems also believes that the executive orders and GDPR conflicts since the U.S. executive orders still allow for surveillance when a legitimate purpose exists, which is not harmonious with the GDPR allowance for surveillance only when it is necessary and proportional.[16] Because of these concerns, Mr. Schrems believes the CJEU will likely decide against the new agreement between the U.S. and EU.[17] While the future of the EU-U.S. Data Privacy Framework has yet to go into effect, only time, and subsequent judicial review, will tell if it will survive longer than its predecessors.