Schrems; GDPR; cross-border data transfers; data governance; privacy shield; CJEU; Charter of Fundamental Rights;


In July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield Framework, the central data governance mechanism that once governed cross-border data transfers from the European Union (EU) to the United States. For the second time in five years, Europe’s top court invalidated the primary method of cross-border data transfers. Both times the CJEU found that the United States’s surveillance laws were, and remain, overbroad and fail to provide EU citizens with protections that are essentially equivalent to those guaranteed under the EU’s General Data Protection Regulation (GDPR) in light of the Charter of Fundamental Rights of the European Union. As a result, more than 5400 companies that utilized the Privacy Shield Framework are now scrambling to implement new mechanisms to govern their data transfers along with what they hope are effective supplementary technical, operational, or contractual measures to achieve an essentially equivalent level of protection for their cross-border data transfers from the EU to the United States. Currently, there exists minimal guidance about how companies may satisfy the GDPR’s requirements. Even if the United States and the EU negotiate and implement a “Privacy Shield 2.0” in the near future, a new framework is unlikely to remedy some of the faults the CJEU has consistently identified in U.S. surveillance law. This Note argues that a combination of private-law enhancements, contractual and technical, along with minor modifications to the administrative and judicial oversight of U.S. intelligence agencies, is required to create a sound and stable framework that achieves the needs of EU individuals’ privacy rights and still enables the United States to exercise legitimate foreign surveillance in the interest of national security.