With the European Commission’s recent announcement that it had deemed the revamped data-protection framework from the United States to be “adequate” under the European Union’s stringent General Data Protection Regulation (GDPR), the stage is set for what promises to be a legal rollercoaster in the European Court of Justice (CJEU). The Commission’s decision is certain to be challenged, and the CJEU’s ultimate decision in that case has the potential to shape transatlantic relations and global data governance for years to come.
One of the core issues at play is the effectiveness and independence of U.S. redress mechanisms for EU citizens, particularly the role of the Data Protection Review Court (DPRC). The Commission argues that the DPRC is both independent and possesses authoritative investigative powers. Critics, however, suggest that the court’s decisions could be overruled by the U.S. president, even in secret.
It’s a point that Max Schrems, a well-known privacy advocate, has also touched upon. Schrems challenges the practicality of the redress mechanism, citing the stringent requirements that President Joe Biden’s executive order placed on “qualifying complaints.” Schrems has also questioned whether EU persons will realistically be able to benefit from this avenue of redress, thereby undercutting the Commission’s assertion that it is “adequate.”
But perhaps the most legally charged debate concerns the very definition of “adequacy.” While critics effectively argue that “adequate” should mean nearly identical to GDPR, existing CJEU case law and the Commission itself maintain that a determination of adequacy is consistent with the existence of substantive and procedural differences. The term remains undefined, and we might see the CJEU pushed to clarify what exactly is meant by “adequate” and “essentially equivalent.”
Furthermore, the challengers see the Commission’s belief that the United States will act in good faith as the decision’s Achilles’ heel. Skeptics stress the possibility of secret U.S. rule changes, which could make the assessment underlying the decision out-of-step. It remains to be seen if the CJEU will decide to take such a cynical view.
The ramifications of a CJEU invalidation of the adequacy decision could be monumental, especially if combined with the continuation of the controversial and absolutist GDPR enforcement actions by privacy authorities. The effects on digital services—likely to be felt and disapproved of by European customers—could force not just the United States, but also the EU to rethink its data-protection policies.
On the other hand, a ruling upholding the adequacy decision could pave the way for a new era of transatlantic data cooperation, and preserve the GDPR as a law that finds the balance between privacy and other rights and interests of Europeans.
As the debate intensifies, the International Center for Law & Economics and EPICENTER are convening a Sept. 20 panel in Brussels to discuss this hot-button issue. The panel will also be live-streamed online, offering a critical platform for expert dialogue. The event promises to be a momentous occasion, shedding light on the complicated legal, political, and economic factors that will inevitably influence the CJEU’s historic decision.