This week, the European Commission adopted a new adequacy decision for the EU-US Data Privacy Framework. Max Schrems, the influential Austrian lawyer and data privacy activist who already successfully had the two previous incarnations of the treaty overturned by the European Court of Justice (CJEU), nevertheless sees the new treaty as little more than a carbon copy of the failed “Privacy Shield”.
As a result, the new Trans-Atlantic Data Privacy Framework is expected to end up in the CJEU again within a few months, predicts Schrems. In his opinion, the fundamental problem is that the USA has refused to “reform FISA 702 to give non-US persons reasonable privacy protections”. “We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ – but no substantial change in US surveillance law,” Schrems goes on to say. Monday’s European Commission press release was virtually a word-for-word replica of the one released 23 years ago. The mere contention that something is “new”, “robust” or “effective” will not be sufficient to satisfy the European Court of Justice.
Noyb has already laid the groundwork for launching various legal challenges to the new treaty before the CJEU. It can be assumed that the new treaty will be used by the first companies over the next few months, opening the path for it to be challenged in court. It is also not unlikely that such a challenge may reach the CJEU from a national court by the end of 2023 or in early 2024, giving the European court the option of suspending the framework for the duration of the procedure.
Despite huge outrage in the EU following the Snowdon revelations and repeated calls from the European Parliament to implement counter-measures, the Commission appears to be giving precedence to EU-US relations and economic pressures on both sides of the Atlantic at the expense of the rights of European citizens and the requirements of European law, writes Schrems. The Commission talks up its role as “guardian of the treaties” and defender of the “rule of law” in the EU when it comes to member states violating EU law, but is now itself ignoring the European Court of Justice for the third time.
We are eagerly awaiting “Schrems III“ and would like to take this opportunity to again point out that we develop our cloud services in Europe and offer them 100 percent in compliance with GDPR – always in line with locally applicable data privacy and compliance requirements. Find out more on our website or directly from your local Retarus representative.
Photo (c) noyb/Georg Molterer
