Blog – News, events, positions

Privacy in 2023: What’s coming up?

Written by Rean Thomas | Jan 25, 2023 2:47:00 PM

Prediction #1: Brace yourself, Schrems III is coming!

by Harmonie Vo Viet Anh, Security and Privacy Manager

After the decision of the Court of Justice of the EU (CJEU) invalidating the “Privacy Shield” (so called decision “Schrems II”) because of US surveillance, the European Commission drafted a new adequacy decision. In the Schrems II decision the CJEU considered:

  • that the requirements of US domestic law, and in particular certain programs enabling access by US public authorities to personal data transferred from the EU to the US for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,
  • and that this legislation does not grant data subjects actionable rights before the courts against the US authorities.

However, these changes, made in the executive order 14086 after the invalidation of the “Privacy shield” to address these requirements, are minimal:

  • the new executive order uses the wording of EU law ("necessary" and "proportionate" as in Article 52 of the Charter of Fundamental rights of the EU) instead of the previous term "as tailored as feasible" used in  Section 1(d) of PPD-28. But since this new wording does not have the same legal implication as in the EU, the limitation of the bulk surveillance might not be efficient in practice.
  • there will now be a two-step procedure, with the second step being in front of a “Data Protection Review Court”. But, this will not be a “Court” in the normal legal meaning of Article 47 of the EU Charter or the US Constitution, but a body within the US government's executive branch. As this court is not a judicial body, it is unlikely that it can be recognized as such in application of the EU Charter.

This new deal between the US government and the European Commission would still not help the US fulfill the requirements of the CJEU in the Schrems II decision in order for the US to achieve an adequate level of data protection. So even if this new adequacy decision about the US is published by the EU Commission, we are very likely to face a new invalidation of this third deal.