EU-U.S. Transfers: Schrems I, Schrems II, and the Data Privacy Framework
The CJEU struck down Safe Harbor (Schrems I, 2015) and Privacy Shield (Schrems II, 2020) over U.S. surveillance concerns. The EU-U.S. Data Privacy Framework (2023), backed by Executive Order 14086, is the third agreement and is expected to be challenged.
Two earlier agreements - U.S.-EU Safe Harbor and the EU-U.S. Privacy Shield - were put in place and struck down by the CJEU. In Schrems I (2015), the CJEU struck down Safe Harbor, driven by concerns about U.S. surveillance highlighted by the 2013 Snowden disclosures.
In Schrems II (2020), the CJEU struck down the Privacy Shield, again citing a perceived lack of protection from U.S. government surveillance and a lack of individual redress and proportionality. Importantly, Schrems II applies generally to all third countries - implicating countries like China that offer fewer protections than the United States.
In July 2023 the EU-U.S. Data Privacy Framework was finalized. Via Executive Order 14086, the U.S. agreed that surveillance would meet a necessity and proportionality standard and established an independent data protection review court for EU citizens. The U.S. designated the EU and member states as qualifying states, and the European Commission then issued its U.S. adequacy decision. Many expect this framework to be challenged as insufficient.