OPINION

Thought for the week: Reflections on my IAPP Fireside Chat with Max Schrems

Reflections from a candid fireside chat with Max Schrems on digital sovereignty, DPF uncertainty and the future of trans-Atlantic data flows.

Contributors:

Brian Hengesbaugh

CIPP/US

Global Chair, Data and Cyber

Baker McKenzie

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.

Last week was the IAPP Global Summit 2026 in Washington, D.C., and I am sharing a few reflections on my IAPP Fireside Chat: Digital Sovereignty and the Trans-Atlantic Relationship with NOYB Honorary Chairman Max Schrems. 

By way of brief background, you may recall that Schrems was the plaintiff who brought the claim that ultimately resulted in the European Court of Justice invalidation of the adequacy decision for the EU-U.S. Safe Harbor Privacy Arrangement on a very cold October morning in 2015. I spent three years of my life negotiating the Safe Harbor in the late 1990s when I worked for the U.S. Department of Commerce. I told the audience during my brief opening remarks that he had "killed my baby," but that I had gone through several rounds of counseling, was doing better now, and was glad to have this chance for a discussion with him.

The time for the fireside chat went by far too quickly, but here are several key points I'd like to highlight.

Schrems is confident the European Court of Justice will dismiss the case against the DPF on procedural grounds. He seems to feel strongly the European Court of Justice will dismiss the current action against the trans-Atlantic data transfer vehicle, the EU-U.S. Data Privacy Framework, on procedural grounds, i.e., lack of standing. 

By way of quick history, the European Court of Justice struck down Safe Harbor in 2015, and its successor the EU-U.S. Privacy Shield, in 2020. 

More recently, the European Court of Justice accepted an appeal from a September 2025 decision of the European General Court that upheld the DPF on the substantive merits. The European General Court determined the DPF provides adequate protection, noting there are sufficient safeguards for independent oversight of government surveillance data collection activities, including the substantive protections in Executive Order 14086, the Civil Liberties Protection Officer review of complaints, the Data Protection Review Court, and the like. 

By ruling on the substantive merits, the European General Court sidestepped the delicate issue of whether the plaintiff, a French Parliament member, actually had standing to bring the claim. Schrems thinks the European Court of Justice will dismiss the claim on this procedural basis and not reach the merits. 

Here comes a sentence I never thought I'd say: I hope Max Schrems is right.

Schrems is still concerned about U.S. independence and enforcement for European privacy. He remains concerned with issues related to the independence of the U.S. Federal Trade Commission and the Privacy and Civil Liberties Oversight Board, including whether Humphrey's Executor could be overruled by the U.S. Supreme Court and whether the U.S. system for substantive and procedural protections outlined in the DPF is working.

I asked him why he thought only two complaints have been filed with the CLPO in the three years since the adoption of DPF. Is that a sign this is more of a theoretical, than an actual, concern for Europeans? He asserted that it is difficult to raise a claim because you need to show harm. I disagreed with that assertion based on the terms in the executive order and implementing procedures and other factors, where it's clear a data subject only needs to provide an email address or other selector (no need to show harm).

We didn't have a resolution on that point, but it was an interesting exchange. If you'd like more background on these issues, you can read this article, "How could Trump administration actions affect the EU-US Data Privacy Framework?"

I also mentioned to Schrems that, if the European Court of Justice strikes down the DPF, no one should expect a replacement vehicle any time soon that is nearly as good on government surveillance, and the overall protections for Europeans will likely decline.

A nice moment on Safe Harbor. I reminded everyone that when we negotiated Safe Harbor in the 1990s, government surveillance was not an issue. It was all about the commercial privacy terms. Turning back the clock to the 1990s, 9/11 and Edward Snowden had not happened. In fact, it was near the end of the negotiations that Sue Binns of the European Commission asked, "Wait, what happens if a U.S. company receives a legal demand for data?"

I remember pulling the Rules of Civil Procedure off a shelf late at night to draft a short paragraph explaining that adherence to the Safe Harbor can be limited by U.S. laws that create conflicting obligations. Schrems said he had pored over that paragraph during the challenge to Safe Harbor.

I may have imagined it, but I'd swear he started to say something nice about Safe Harbor — along the lines that the commercial terms were pretty good for the time. I cut him off and said, "Wait, are you saying something nice about Safe Harbor?" He then laughed and stopped talking. I wish I had let him go on a bit more.

Criticality of digital sovereignty. Although he didn't like the phrase "digital sovereignty," he did say he would like to get to a place where European data is not stored in the U.S. or otherwise accessible to U.S. authorities, and Europeans would no longer face the risk of U.S. government access to their data. 

I asked whether European businesses would be greatly disadvantaged if they could no longer access U.S. data centers and large language models. He did not disagree with those points, but considered the priority should be on the protection of data and the buildup of European data centers and LLMs.

Treaty idea is a good one. I asked Schrems if he would be in favor of the development of a treaty on government access to data and privacy — an idea that I have been promoting for many years. He said he would be in favor of a treaty framework along those lines as the key for him is not only substantive principles but actual enforcement. He called it a No-Spy Treaty — not a term I would use — and expressed doubts on whether enforcement would actually happen. In any event, I was surprised that I actually agreed with him that a treaty would be a good thing.

Going forward: focus on representative actions. His nonprofit, NOYB, has received a formal designation in Austria as a Qualified Entity to bring collective actions under the EU Representative Actions Directive. He noted this designation will offer NOYB the opportunity to bring claims on behalf of numerous data subjects against companies. 

I pressed him on what his priorities would be in this regard, and he mentioned following up on cyber incidents. It will be important to watch this space to see what other priorities emerge for NOYB and other Qualified Entities.

A few takeaways 

DPF is probably more at risk. I hope Schrems is right that the European Court of Justice will dismiss the case against the DPF on procedural grounds. If it gets to the merits, I am confident the substantive and procedural rules on government surveillance, including the CLPO, DPRC, and the like, are strong and the procedures are working in practice, even though no one seems to be filing complaints in Europe. 

It is difficult to predict, however, whether the DPF would survive the challenge before the European Court of Justice based on the overall political environment and other factors. 

And, if the DPF is invalidated, I do not see a replacement vehicle being adopted anytime soon. For the EU and U.S. companies that engage in hundreds of billions of dollars/euros of trade in services every year, the DPF adequacy finding underpins their exchange of personal data, e.g., about consumers, business contacts, patients, employees, contractors, users, in accordance with the EU General Data Protection Regulation cross-border data transfer restrictions. 

This remains true regardless of whether the companies rely on the DPF directly, or whether the transfers are based on standard clauses, binding corporate rules, or other mechanisms. The DPF adequacy finding, and its approval of the DPRC and other government procedures, addresses the need for a transfer impact assessment on government access. Take out the DPF and the entire market would need to start developing transfer impact assessment documentation that explains how the companies address the government access issue.

Collective action is coming. The collective actions are going to start emerging more in Europe as NOYB and other organizations obtain designations to be Qualified Entities. Although perhaps not as pernicious at first, this is on a trajectory to start bringing U.S.-style class actions into the European environment.

I had a great time hosting the fireside chat with Max Schrems. It was fun and interesting, and I hope I get another chance to do it soon.
