Recent comments by NOYB Honorary Chair Max Schrems suggested he may not need to mount another legal challenge around lawful EU-U.S. data flows given the U.S. political developments impacting the EU-U.S. Data Privacy Framework.
In a discussion with TeachPrivacy CEO Daniel Solove, Schrems indicated the changes to U.S. independent agencies tasked with overseeing core aspects of the DPF will ultimately be enough for the European Commission to "basically pause the application of this deal or stop the deal on its own" before another case goes before the Court of Justice of the European Union. The prior EU-U.S. data transfer agreements, the EU-U.S. Safe Harbor Framework and the EU-U.S. Privacy Shield, were invalidated through CJEU decisions spurred by Schrems' complaints.
Since the finalization of the DPF in 2023, Schrems has maintained his prior court complaints remain unaddressed. Those concerns include the necessity and proportionality of signals intelligence collection by U.S. government surveillance authorities and the availability of actionable, independent judicial redress for EU data subjects.
European Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection Michael McGrath recently indicated it is the "objective" of the Commission to "to continue with full implementation and enforcement." Meanwhile, data protection authorities in Denmark, Norway and Sweden put out advisories on potential DPF complications.
According to Schrems, a legal challenge is still a possibility if the agreement continues to stand. He indicated a "Schrems III" could aim to challenge the DPF through a civil law injunction, arguing against a specific company to reduce the validity of the agreement itself.
Recent structural changes to the U.S. Privacy and Civil Liberties Oversight Board and the Federal Trade Commission are driving concerns around the validity of the DPF. Both entities play crucial roles in carrying out redress under the framework and the removal of Democrats from both agencies leaves questions around independent oversight.
"What we see as a problem now is that if already the ones that have statutory independence are de facto kicked down," Schrems said. "What does that mean for something that doesn't even have statutory independence, but basically just executive order independence? And how much can we argue that?"
Business impacts of a potential invalidation of the DPF would likely be felt by both the EU and the U.S., but Schrems argued European organizations likely stand to bear a heavier burden. Businesses would face legal uncertainty and increased expenses without DPF certification, including costs associated with necessary implementation of standard contractual clauses or other lawful transfer tools.
With general concerns around sufficient data protection, Schrems indicated consumers have worries on either side of the Atlantic. He said the issue is "European citizens versus business in general, no matter if it's American or European business."
Ensuring consumer protection circles back to regulation. The EU is at a crossroads with its digital rulebook as European Commission President Ursula von der Leyen recently acknowledged the bloc must "cut red tape."
Schrems said the tape cutting would be difficult with EU member states' individual digital regulatory regimes creating fragmentation and uncertainty for businesses and consumers alike. He proposed an EU-wide regulator, similar to how the European Data Protection Supervisor oversees EU institutions, as "a way to kind of bypass" a patchwork of regulation and enforcement.
Lexie White is a staff writer for the IAPP.
