International: Schrems sends letter to Trans-Atlantic Data Privacy Framework negotiators, warns of legal challenge
None of your business ('NOYB') published, on 23 May 2022, an open letter from Max Schrems, Honorary Chairman of NOYB and lead litigant in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), to EU Commissioner for Justice, Didier Reynders, U.S. Secretary of Commerce, Gina Raimondo, Pauline Dubarry, European Data Protection Board ('EDPB') Chair, Andrea Jelinek, and Chairman of the Committee on Civil Liberties, Justice and Home Affairs, Juan Fernando López Aguilar, presenting NOYB's preliminary observations regarding the Trans-Atlantic Data Privacy Framework ('TADPF') based on the announcement of an agreement in principle in March 2022 and further details that have been informally shared with stakeholders in various public or semi-public formats by the EU and the US.
In particular, the letter criticises the apparent rejection of US surveillance law reform in favour of commitments by means of executive orders, which are considered by NOYB as 'structurally insufficient to meet the requirements of the CJEU'. Based on such assessment, the letter sets out a warning to the addressed parties that the TADPF risks sharing the same fate as the Safe Habor and Privacy Shield agreements (i.e. being declared unlawful and being struck down by the CJEU), should further reforms to US law not be conducted. Therefore, the letter calls for the negotiators to work towards finding a long-standing, privacy-preserving solution for trans-Atlantic flows to avoid the prospect of a 'Schrems III decision'.
Specifically, the letter calls for the negotiators to reach an agreement that:
- applies a correct proportionality test on US surveillance law under Article 8 of the Charter of Fundamental Rights ('CFR'), having cast doubt over the including of the words 'necessary and proportionate' in a new executive order as equivalent to the EU proportionality test in Article 52 of the CFR;
- creates meaningul judicial redress under Article 47 of the CFR, having cast doubt over the effectiveness of the announced Data Protection Review Court in providing meaningful judicial redress; and
- updates the commercial privacy protections previously provided by the Privacy Shield Principles, having outlined reports that the negotiators do not intend to update the Privacy Shield Principles and assessed that the same do not provide equivalent protection to the GDPR.
Furthermore, the letter highlights that NOYB is prepared to challenge any final adequacy decision that would fail to provide the needed legal certainty, further noting that if such litigation is indeed necessary, NOYB will focus on a quick and efficient path for the CJEU to reach a rapid decision.