Is your company ready for the latest changes around cross-border data transfers?
Schrems III is on the way. Already, less than two weeks after the European Commission finalized it, the Austrian privacy activist Max Schrems has announced that he will be challenging the new EU-US Data Privacy Framework in court.
The privacy framework, which permits the flow of data between the European Union and the United States under the GDPR, is designed to address issues with the previous two data transfer agreements — both of which were struck down in court by Schrems and his nonprofit NOYB. But critics remain unconvinced.
“Just announcing that something is ‘new,’ ‘robust,’ or ‘effective’ does not cut it before the Court of Justice,” Schrems said in a statement. “We would need changes in US surveillance law to make this work,” he explained, adding “we are sick and tired of this legal ping-pong.”
There is plenty of uncertainty around the regulatory landscape as a whole, but data privacy experts anticipate that a Schrems III case would lead to further changes in data privacy requirements for organizations around the world. If the challenge reaches the Court of Justice of the European Union, it would be the third major legal test of data flows between the EU and the US.
So, when should we expect Schrems III, and what changes might it mandate for your organization? Below, we’ll dive into the Schrems legacy, what Schrems III will likely involve, and how you can prepare for challenges to the new EU-US Data Privacy Framework.
First, what are Schrems and Schrems II?
In the world of data privacy, the name Schrems is synonymous with challenges to data flows between the EU and the US. Two of the best-known legal challenges to data transfer arrangements have come from Max Schrems and NOYB, and both cases altered the regulatory landscape significantly.
Schrems I. The first Schrems case began in 2013, when the activist filed a complaint against Facebook for allegedly violating European data protection law by transferring user data to the US. At the heart of the issue was the “Safe Harbor” framework, which allowed US companies to self-certify compliance with EU data protection standards. Two years later, in 2015, the European Court of Justice ruled in Schrems’ favor and invalidated the Safe Harbor arrangement, citing concerns about US government surveillance.
Schrems II. The second Schrems case, decided in July 2020, again revolved around Facebook’s data transfer practices. This time, the central issue was the EU-US Privacy Shield framework, the agreement that replaced the Safe Harbor framework. The court again found that the framework was insufficient, citing similar concerns about US surveillance practices and the lack of sufficient safeguards for EU personal data. Additionally, the court clarified that standard contractual clauses (SCCs), which had been an accepted data transfer mechanism, could no longer be used indiscriminately and instead required a case-by-case assessment of the recipient country’s data protection laws. This ruling prompted the creation of the EU-US Data Privacy Framework.
Schrems III: a response to the new EU-US Data Privacy Framework
At its core, Schrems III is expected to address concerns around the extent of US government surveillance. It will likely argue that the new EU-US Data Privacy Framework is inadequate to protect EU personal data from surveillance activity.
In a statement on its website, NOYB explains that a fundamental problem with the new framework is that the US government continues to extend constitutional protections against surveillance only to US persons, not to Europeans. Under the EU-US Data Privacy Framework, EU personal data therefore remains subject to US mass surveillance, which was the central point of contention in both Schrems I and Schrems II.
In addition to addressing surveillance concerns, the EU-US Data Privacy Framework was also supposed to resolve problems with the previous redress mechanism, the Privacy Shield Ombudsperson set up to handle complaints from EU individuals about how their personal data is handled. But, NOYB argues, the new redress mechanism offers only minor improvements and still does not give EU data subjects a reasonable way to have their complaints heard.
“The allegedly ‘new’ Trans-Atlantic Data Privacy Framework is largely a copy of the failed ‘Privacy Shield,’” the nonprofit’s statement notes. “Despite the European Commission’s public relations efforts, there is little change in US law or the approach taken by the EU.”
It’s not only NOYB that’s taken this stance. The EU’s privacy watchdog, the European Data Protection Board, has also stated that the EU-US Data Privacy Framework falls short and that more needs to be done to protect Europeans’ privacy rights.
When should we expect Schrems III?
The short answer? As soon as early 2024. In July 2023, Schrems said that he expected the issues to be back before the Court of Justice by the beginning of the following year.
It might seem like a short turnaround, but it’s a realistic timeline. First, NOYB has disclosed that various procedural options are already in place to challenge the EU-US Data Privacy Framework. Second, the organization has a record of filing challenges quickly: The Schrems II case was filed in 2015, just months after Schrems I was decided and before the resulting EU-US Privacy Shield was even formally adopted.
The previous Schrems cases can also give us a sense of when we might see an outcome. It took two years from filing to decision for Schrems I and five years for Schrems II, so the issue is unlikely to be resolved by the end of 2024 or even 2025. But the mere existence of another legal challenge to another EU-US data flow agreement is likely enough to make many organizations wary of building their data transfer policies around the new framework.
What’s the cumulative impact of the Schrems cases?
In response to the anticipated Schrems III case, the EU has announced that it believes it can credibly defend the EU-US Data Privacy Framework. But in many ways, the damage has already been done.
Already, some organizations have chosen not to adopt the EU-US Data Privacy Framework and are instead implementing their own stringent data privacy measures. These organizations are rightfully concerned that the benefits of the framework won’t outweigh the risks and that it’s only a matter of time before the agreement is struck down in court. In some cases, the outlook is leading to increased data localization.
Other commentators have grown cynical, pointing out that organizations are trapped in a Groundhog Day loop of endless Schrems challenges. These critics note that, between the data consumers willingly hand over online in exchange for convenience and the data gathered covertly by government agencies, data privacy is already largely meaningless. This kind of cynicism is likely to make both individuals and companies more complacent about data protection, opening the door to more cybercrime.
It is clear that there is a vital need for a strong agreement that balances individual data privacy rights with the need for free data flows between the US and EU member states. Before the EU-US Data Privacy Framework, there was a three-year deadlock on transatlantic data flows that left organizations without clear guidance on how to transfer data lawfully and securely. That lack of clarity hinders global commerce: two-thirds of B2B digital trade this year, or $1.78 trillion, is expected to come from cross-border commerce.
Unfortunately, it doesn’t seem that the new framework will be sufficient. Instead, we’re likely on the verge of another cycle of litigation that upends the data privacy landscape and introduces more confusion and uncertainty.
Preparing for Schrems III and other data privacy challenges
Luckily, there are several ways to ensure strong data privacy and security for your business, regardless of the changing regulatory landscape.
Privacy by design. Already a key principle of the GDPR and other data protection regulations, privacy by design requires that companies proactively integrate privacy best practices into their technologies and daily operations. In another blog post, we explain how choosing the right data privacy framework can assist with meeting regulatory compliance.
Transparency. Accountability and clarity in data processing will likely be another core tenet of any future data protection framework, with organizations expected to provide clear information about their personal data handling practices and about government access to that data. Establishing regular security audits and clear data handling policies now will likely pay off in the long run, regardless of how the Schrems III challenge turns out.
Implementing ironclad data privacy with ShardSecure. The ShardSecure platform offers a way for organizations to ensure data privacy and protect personal data from unauthorized third parties. By separating data access from infrastructure providers, our technology addresses data sovereignty concerns and allows organizations to regain control over their data. It has also been validated by independent privacy attorneys to meet the requirements of Use Case 5 of the European Data Protection Board’s recommendations for cross-border data transfers.