Prediction #1: Brace yourself, Schrems III is coming!
by Harmonie Vo Viet Anh, Security and Privacy Manager
After the decision of the Court of Justice of the EU (CJEU) invalidating the “Privacy Shield” (so called decision “Schrems II”) because of US surveillance, the European Commission drafted a new adequacy decision. In the Schrems II decision the CJEU considered:
that the requirements of US domestic law, and in particular certain programs enabling access by US public authorities to personal data transferred from the EU to the US for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,
and that this legislation does not grant data subjects actionable rights before the courts against the US authorities.
However, these changes, made in theexecutive order 14086after the invalidation of the “Privacy shield” to address these requirements, are minimal:
there will now be a two-step procedure, with the second step being in front of a “Data Protection Review Court”. But, this will not be a “Court” in the normal legal meaning ofArticle 47 of the EU Charteror theUS Constitution, but a body within the US government's executive branch. As this court is not a judicial body, it is unlikely that it can be recognized as such in application of the EU Charter.
This new deal between the US government and the European Commission would still not help the US fulfill the requirements of the CJEU in the Schrems II decision in order for the US to achieve an adequate level of data protection. So even if this new adequacy decision about the US is published by the EU Commission, we are very likely to face a new invalidation of this third deal.