Max Schrems is an Austrian privacy lawyer who has now twice taken the EU-US data-transfer framework to court and won. Schrems II (2020) struck down the EU-US Privacy Shield. The ruling found that US surveillance laws (FISA Section 702 in particular) gave US authorities access to EU citizens' data in ways incompatible with European privacy law. There is now a replacement (the 'Data Privacy Framework' from 2023) but it's likely to be challenged again. The practical effect for EU businesses: any service that transfers personal data to the US is on shaky legal ground.
The actual ruling
The Court of Justice of the EU (CJEU) ruled on 16 July 2020 that the EU-US Privacy Shield, the framework that let EU companies transfer personal data to certified US companies, did not provide adequate protection under EU law. The reason: US surveillance laws give US authorities access to the data of non-US persons in ways that go beyond what's allowed under European privacy law. The court found that EU citizens had no effective way to challenge that surveillance.
Specifically, the court called out:
- FISA Section 702 (allows mass collection of foreign intelligence)
- Executive Order 12333 (signals intelligence)
- The Foreign Intelligence Surveillance Court's secret docket
What it means in practice
For European businesses, sending personal data to a US-based service became legally risky. You couldn't rely on Privacy Shield certification. You had to do one of the following:
- Use Standard Contractual Clauses plus a separate Transfer Impact Assessment (a lot of paperwork, still legally fragile)
- Apply additional safeguards (e.g. encryption where the US provider doesn't hold the keys)
- Move the workload to a non-US provider
European Data Protection Authorities started enforcing this. In 2022, the Austrian DPA ruled that using Google Analytics violated GDPR. France, Italy, and others followed.
The replacement framework
In July 2023, the European Commission adopted a new EU-US Data Privacy Framework (DPF). It's based on Executive Order 14086 (signed by Biden), which adds a 'Data Protection Review Court' where EU citizens can challenge US surveillance. EU businesses can now transfer data to DPF-certified US companies with somewhat fewer headaches.
However: Max Schrems and his organisation (NOYB) have already announced they'll challenge the DPF. Most legal observers expect Schrems III within a few years. So the situation is 'temporarily fine, longer-term shaky'.
Why this matters for browsers
Browsers handle some of the most sensitive personal data possible: every URL you visit, every form you fill, your session cookies, your fingerprint. A US-based browser company is a US-jurisdiction data path. After Schrems II, that's a real legal concern for European businesses. The simplest fix is to use a browser based in the EU. That's what Dazr is.