Schrems Drawing Up Third Legal Challenge for U.S.-EU Privacy Deal
Legal advocates are discussing how to challenge the EU’s cross-border data transfer agreement with the U.S. for a third time, Max Schrems said Wednesday, discussing expectations for Schrems III (see 2211170005). President Joe Biden's executive order initiating an EU-U.S. Data Privacy Framework didn’t solve the fundamental issues between U.S. and EU surveillance policies, said Schrems during the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
U.S. intelligence agencies continue to spy on foreigners in a way that would be considered a Fourth Amendment violation if other nations did the same thing to U.S. citizens, he said: Until there are cohesive policies across borders, expect perpetual legal challenges, he said.
Schrems graded the EU’s general data protection regulation (GDPR) with a D, despite positive grades from European Data Protection Board Chair Andrea Jelinek and former UK Information Commissioner Elizabeth Denham. GDPR enforcement is “not really” working, said Schrems. He blamed legal delays on procedural issues with multi-jurisdictional enforcement. Schrems is founder of noyb, an organization that files data protection cases with the EU courts. He said noyb has filed about 800 cases and many of them take several years just to get a response from the alleged violator. He admitted the GDPR is the “least stupid” privacy law in the world, and this is the “beginning” of the discussion. “We can’t expect the first law, the first version of it, to be the ultimate truth,” he said.
The GDPR “has worked” and will “work in the future,” said Jelinek, scoring the regulation with a seven out of 10. Companies around the world, even small American companies, have adapted to the GDPR because it’s clear that if they want to do business in Europe, they must comply, she said.
Schrems may think cross-border cases take too long, but policymakers will streamline the process over time, said Denham, now a consultant with Baker McKenzie. Jelinek said to expect the European Commission to issue a draft regulation before the summer to streamline cooperation across borders.
Denham scored the GDPR with an eight out of 10 because it “changed the data protection conversation around the world.” Schrems scoffed at the multi-million and multi-billion euro fines that regulators issued against U.S. tech companies under the GDPR. If the fines amount to only two or three days of revenue for the violator, the bottom line is they will continue to profit from breaking the law, he said. Fines aren’t the only measure of the effectiveness of the GDPR, said Denham. The impact on data practices also needs to be taken into account, she said, citing trends on data deletion. “Most companies want to do the right thing,” she said.
FTC Commissioner Alvaro Bedoya spoke separately at the event. Too often enforcers “fail to recognize the beauty and wonder in the technologies we regulate,” he said. “Instead we focus on bureaucratic line-drawing. I don’t want to fall for that.” However, he said artificial intelligence “presents fundamentally new dynamics for consumer technology” and is responsible for some of the “darkest of black boxes.” Companies need to be doing more to be transparent about how their technology operates, he said. Companies need to think particularly hard about how their products impact users’ mental health, particularly young users, he said, citing Surgeon General Vivek Murthy’s term “epidemic of loneliness” when discussing social media.