Campaigners warn of legal challenge against Privacy Shield enhancements
Schrems III on the cards unless negotiators protect better oversight of US data access requests
European privacy campaigner Max Schrems is warning that enhancements to the EU-US Privacy Shield data-sharing arrangements might face a legal challenge if negotiators don't take a new approach.
In an open letter, Schrems – the lawyer behind the Schrems II ruling which put an end to the transatlantic data-sharing agreement – said that US assurances of EU citizens' data privacy would be insufficient to avoid another legal challenge.
"We understand that the US has rejected any material protections for non-US persons and is continuing to discriminate against non-US persons by refusing baseline protections, such as judicial approval of individual surveillance measures," the lawyer wrote.
"We understand that the envisioned deal will largely rely on US executive orders. Having worked on this matter with US surveillance experts and lawyers, such executive orders seem to be structurally insufficient to meet the requirements of the CJEU."
In 2020, the European Court of Justice struck down the so-called Privacy Shield after Schrems successfully argued it gave US government agencies access to EU citizens' personal data without commensurate protection.
Since then, companies have been forced to fall back on standard contractual clauses, or SCCs, to cover international data sharing between the EU and US. As well as being time-consuming to implement, SCCs may not be watertight.
In March, the US and EU announced they had reached an agreement to enhance the Privacy Shield data-sharing arrangement in a way that would "enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties," according to European Commission president Ursula von der Leyen.
What is Schrems I?
In the first case, arising from a complaint filed with the Irish Data Protection Commissioner in 2011, privacy activist Max Schrems ultimately toppled the biggest EU-US data-sharing deal, Safe Harbor. Schrems had alleged that Facebook violated the so-called Safe Harbor agreement which protects EU citizens' privacy, by transferring its users' data to the US National Security Agency (NSA).
In the Schrems I ruling, in 2015, Europe’s highest court ruled that data sharing between the EU and US under the Safe Harbor framework was invalid.
What is Schrems II?
Schrems, a former law student, brought the latest edition of the long-running case (informally known as Schrems II) in 2015, complaining that Ireland's data protection agency still wasn't preventing Facebook Ireland Ltd (as EU representative of the Zuckerberg empire) from beaming his data to the US under Privacy Shield.
In July 2020, the EU Court of Justice struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US, triggering a fresh wave of legal confusion over the transfer of EU subjects' data to America.
However, in the open letter, Schrems said the proposed data sharing policy did not offer sufficient controls over US agencies' access to EU citizen data.
Schrems said the view was based on "preliminary observations" of the political statements, rather than the final text which is still being negotiated. However, he warned that unless the concerns of his campaign group noyb (none of your business) were addressed, the EU could look forward to another legal challenge.
"We call on the negotiators to continue working for a long-standing, privacy preserving solution for transatlantic flows to avoid a 'Schrems III' decision," he said.
Privacy consultant Bill Mew, founder and owner of Mew Era Consulting, said executive orders had been used by US president Donald Trump to revoke protections in the country's Privacy Act for information held by the state on non-US citizens, part of the basis in law that undermined Privacy Shield. However, a subsequent president could reverse executive orders.
The track record on executive orders had a bearing on the trust between the two parties as they negotiated the final text of an agreement. It would require "a level of commitment and trust on both sides," Mew said.
He added: "Introducing any judicial process would need to be applied in law – you could not do this with an executive order. Unfortunately there is complete gridlock in Congress and it has proven impossible to introduce any federal privacy law. Adding the need for additional measures to keep the EU happy would make any such legislation even more difficult to pass." ®