EU Commission President Ursula von der Leyen announced it where Max Schrems is most active: on Twitter. The Commission declared the new Data Privacy Framework (DPF) proposed by the US regarding personal data from the EU to be adequate. The agreement can therefore enter into force – but how long it will remain in place seems questionable.
Since the invalidation of the predecessor agreement Privacy Shield by the CJEU (Schrems II ruling), every company that sends personal data to the USA – e.g. using US marketing tools such as Google Analytics – has been on legally thin ice. The adequacy decision means that companies on both sides of the Atlantic can breathe a sigh of relief for the time being. Transfers will now be easier again.
But is the legal certainty really there?
If you believe the statements of the data protection activists of None Of Your Business (NOYB) around Max Schrems, you might doubt the sustainability of the agreement. Shortly after the presentation of the new data protection measures, which should really satisfy the ECJ this time, NOYB announced the challenge of the agreement – the demands of the court would not be met.
NOYB’s main points of criticism
- The ECJ found that mass surveillance under the US FISA 702 law is not “proportionate” under the EU Charter of Fundamental Rights. However, FISA has not been and will not be reformed on the part of the US.
- The US President’s Executive Order containing the new measures speaks of “proportionality” in the use of EU data, but with a different meaning than that of the ECJ, according to the activists.
- The Ombudsman Mechanism was renamed and split into a Civil Liberties Protection Officer (CLPO) and a new court, which NOYB does not, however, consider to be an independent body.
- Complainants will not have direct contact with the new facilities.
These and other deficits were also underlined in the critical resolution of the European Parliament against the new framework. In particular, it was criticised that the data protection measures introduced in the USA were not introduced by the legislator but by the executive and could be revoked at any time.
Schrems: Data Privacy Framework “in a few months” before the ECJ
Now, after the announcement of adequacy, NOYB has reaffirmed its intention: They will start the appeal process, and the issue could end up before the ECJ already “in a few months”, according to the group. “The supposedly ‘new’ transatlantic data protection framework is largely a copy of the failed ‘Privacy Shield’,” the activists write on their homepage. “Despite the European Commission’s public relations efforts, there is little change in US law or in the EU’s approach.”
NOYB had already prepared for the decision. A challenge before the CJEU is “already in the drawer”.
It is “not unlikely” that the challenge will be submitted to the CJEU by a national court as early as the end of 2023 or the beginning of 2024. “The CJEU would then even have the possibility to suspend the new agreement for the duration of the proceedings,” writes NOYB.
The past (Schrems, Schrems II) has proven that Max Schrems is a force to be reckoned with. Whether we have to get used to the term Schrems III, we will soon find out. For companies, however, the planning and legal uncertainties regarding data transfers to the USA are likely to remain.
Blog entry by NOYB | Title photo: Georg Molterer