· 7 min read · Wingston Sharon

Schrems III Is Coming: Why the EU-US Data Privacy Framework Won't Last

---

By Wingston Sharon | July 2024


Today marks one year since the European Commission adopted the EU-US Data Privacy Framework adequacy decision. It was July 10, 2023. There was cautious optimism in some quarters. There was immediate skepticism in others.

The skeptics are, in my view, correct. Here's why I think Schrems III is a matter of when, not if, and, more importantly, what that means for organizations that have been treating the DPF as a stable, long-term solution.

A Brief History of Failure

If you're newer to this topic: Safe Harbor was the first framework governing EU-US data transfers. The Court of Justice of the EU struck it down in Schrems I (October 2015). The US and EU negotiated Privacy Shield as a replacement. The CJEU struck that down in Schrems II (July 2020). Now we have the Data Privacy Framework.

Both previous frameworks failed for the same structural reason: EU law requires that when personal data leaves the EU, it receives protection "essentially equivalent" to what GDPR guarantees. US surveillance law, specifically the collection authorities under FISA Section 702 and Executive Order 12333 that the CJEU examined in Schrems II, cannot be reconciled with that standard.

The US government argued in both cases that surveillance access is narrow, targeted, and subject to oversight. The CJEU found, both times, that the oversight mechanisms weren't meaningful from the perspective of EU data subjects: no judicial redress, no notice, broad collection authorities.

What Changed (and What Didn't)

President Biden signed Executive Order 14086 in October 2022, which is the foundational policy change underlying the DPF. It does a few real things:

  • Creates a "Data Protection Review Court" (DPRC), the second tier of a new redress mechanism (complaints go first to the ODNI Civil Liberties Protection Officer) through which individuals from qualifying states, including EU member states, can challenge US signals intelligence activities
  • Requires US signals intelligence to be "necessary and proportionate"
  • Strengthens oversight within the intelligence community

The Commission determined this was sufficient for an adequacy decision. Max Schrems and noyb (his privacy advocacy organization) disagree, and they've said so in filings.

The core problem with EO 14086 is that it's an executive order. It doesn't change the underlying statutes: FISA Section 702 is still law, and it still authorizes the collection that the CJEU found incompatible with EU fundamental rights in Schrems II. An executive order can be reversed by the next administration. More importantly, from a legal standpoint, it can't override statutory authority.

The DPRC, the new "court", is also not a court in any sense that EU law would recognize. Its members are appointed by the executive branch (the Attorney General). Its proceedings are not public. The data subject can't see the evidence or the reasoning, and receives only a standard-form response stating either that no covered violation was identified or that one was found and remediated. Whether that constitutes meaningful judicial redress under Article 47 of the EU Charter of Fundamental Rights is, charitably, contested.

Noyb filed a complaint with the Irish Data Protection Commission shortly after the DPF adequacy decision was adopted. The Irish DPC is the lead supervisory authority for many US tech companies under GDPR's one-stop-shop mechanism. That complaint is working its way through the process.

The challenge doesn't need to succeed at the DPC level. Any negative DPC decision, or even a referral to the CJEU, can create years of uncertainty. And ultimately, challenges like this do tend to reach Luxembourg.

The CJEU has struck down two frameworks on essentially the same grounds. The legal arguments against the DPF are structurally similar to those that succeeded in Schrems I and II, because the structural problem โ€” US surveillance law โ€” hasn't been legislatively fixed.

FISA Section 702 was reauthorized by Congress in April 2024 for another two years. There was a reform debate, but the bill that passed did not fundamentally change the collection authorities. That reauthorization is the single most significant data point for anyone assessing DPF durability.

What This Means Practically

I want to be honest about the uncertainty here. The DPF might survive. The CJEU might assess EO 14086 differently than I expect. Legal outcomes are genuinely hard to predict.

But organizations that built their compliance posture entirely on Privacy Shield in 2016 and then scrambled after Schrems II in 2020 made an expensive bet. The pattern has now repeated twice. Treating the DPF as permanent infrastructure is, I think, the same bet.

What does viable risk management actually look like?

Data minimization first. The simplest fix for trans-Atlantic transfer risk is to transfer less data. Not every system that talks to a US service needs to send personal data. Audit what's actually being transferred and why. You'll often find significant reduction is possible without functionality loss.

EU-side storage for sensitive data. For data that needs strong protection โ€” employee data, health data, anything with high GDPR sensitivity โ€” storing it in the EU and not transferring it avoids the adequacy question entirely. This isn't always possible and isn't always cheap, but it's the only solution that doesn't depend on adequacy decisions holding.

Standard Contractual Clauses as a fallback. SCCs survived Schrems II, with the added requirement of a transfer impact assessment (TIA) and, where the assessment calls for them, supplementary measures such as encryption with keys held in the EU. They're more operationally burdensome than adequacy, but they don't disappear when a court rules. One caveat: a TIA for a US transfer has to assess the same US surveillance law that a Schrems III ruling would be about, so SCCs are a fallback mechanism, not an exemption from the underlying problem. Building SCC-based transfer mechanisms, with the TIA already done, as a backup for DPF-reliant transfers is reasonable insurance.

Avoid the "wait and see" trap. Organizations that say "we'll deal with this if the DPF gets struck down" are accepting that they may need to rebuild data architecture under crisis conditions. The window between a CJEU ruling and actual enforcement action is not always long, and regulators have shown more appetite for enforcement after repeated framework failures.

The Honest Version of "EU Sovereignty"

There's a version of EU data sovereignty discourse that's essentially marketing: cloud providers claiming their EU-based offering solves all your GDPR problems. It often doesn't, if the provider is a US entity subject to CLOUD Act requests.

The actual sovereignty question is more specific: which legal regimes have authority over your data, under what circumstances, and what mechanisms exist for challenging or limiting that access? EU-hosted data from a US provider is still potentially accessible via US legal process. EU-hosted data from an EU provider with no US nexus is in a genuinely different legal position.

Neither of those is automatically the right answer for every organization. But the framing matters. "We use EU hosting" is not a complete answer to data sovereignty questions.

At Agentosaurus, we're building on EU-native infrastructure for this reason โ€” not because we think EU hosting is a magic compliance solution, but because it reduces the legal surface area we have to manage and aligns with the regulatory direction the EU is clearly moving in.

The DPF may survive another year, or three, or five. But the structural tension that produced Schrems I and II hasn't been resolved. Build accordingly.

Questions or disagreement on any of this โ€” hello@agentosaurus.com.
