The Schrems Cycle: Why Every EU-US Data Framework Has Failed
By LumaVista Team
Three times in twenty-five years, the European Union and the United States have sat down and agreed on a framework for transferring personal data across the Atlantic. Twice, the Court of Justice of the European Union has looked at the result and struck it down — finding that it doesn’t protect Europeans from American surveillance.
We’re now on framework number three. And the same structural problem that killed the first two hasn’t gone anywhere.
If you work with data that crosses the Atlantic — and if you use any US cloud or AI provider, you do — this cycle isn’t abstract legal history. It’s the pattern that will determine whether your data transfers are legal next year, or the year after that. Here’s how we got here, why it keeps happening, and what you can actually do about it.
Three frameworks in twenty-five years. Two struck down. The structural incompatibility between FISA 702 and GDPR has not changed once.
Safe Harbor: the gentleman’s agreement (2000–2015)
The first attempt was almost charmingly naive. In 2000, the EU and US agreed on a framework called Safe Harbor. The idea was simple: US companies could self-certify that they met EU privacy standards, and the EU would treat those companies as providing “adequate” protection for personal data transfers.
Self-certification is exactly what it sounds like. Companies signed up on a website, promised they’d follow a set of privacy principles, and that was it. No auditing. No enforcement to speak of. The US Federal Trade Commission had theoretical oversight, but between 2000 and 2015, enforcement actions were vanishingly rare relative to the thousands of companies on the list.
Then Edward Snowden happened.
In June 2013, Snowden’s disclosures revealed the scale of NSA surveillance programs — including PRISM, which compelled companies like Google, Facebook, Apple, and Microsoft to hand over user data under FISA Section 702. The programs had been running since 2007. Every company on the Safe Harbor list that participated in PRISM had been self-certifying its privacy practices while simultaneously handing data to US intelligence agencies.
Austrian privacy activist Max Schrems — then a law student — had already been pressing Facebook on its data transfers. After the Snowden revelations, he filed a complaint with the Irish Data Protection Commissioner arguing that Facebook Ireland’s transfers to US servers couldn’t be considered “adequate” given what we now knew about US surveillance. The Irish DPC dismissed the complaint. Schrems sued.
On October 6, 2015, the CJEU delivered its judgment in Schrems v Data Protection Commissioner (Case C-362/14). The court declared the Safe Harbor Decision invalid. The reasoning was straightforward: a framework built on self-certification can’t provide adequate protection when the receiving country has mass surveillance programs that override those certifications. Fifteen years of transatlantic data flows had just lost their legal basis.

Privacy Shield: the quick fix that wasn’t (2016–2020)
The EU and US scrambled. Within four months, they’d announced a replacement: the EU-US Privacy Shield, adopted in July 2016. This time, they addressed the surveillance problem. Sort of.
Privacy Shield introduced an Ombudsperson mechanism. Europeans who believed their data had been improperly accessed by US intelligence could file complaints with a State Department appointee, who would look into it and respond. The mechanism was designed to demonstrate that Europeans had a “remedy” — a way to challenge surveillance — which is something EU law requires.
The problems were immediately obvious to privacy advocates. The Ombudsperson wasn’t independent — they were a State Department official. They couldn’t confirm or deny whether surveillance had actually occurred. They couldn’t order intelligence agencies to do anything. And crucially, the underlying surveillance programs — FISA 702 and Executive Order 12333 — remained completely unchanged.
Max Schrems challenged Privacy Shield almost immediately after it went into effect, this time through a case about Facebook’s use of Standard Contractual Clauses (SCCs) as a transfer mechanism.
On July 16, 2020, the CJEU delivered Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) — known as Schrems II. The court struck down Privacy Shield, finding that US surveillance law gave intelligence agencies access to Europeans’ data “in a manner that is not limited to what is strictly necessary” and that the Ombudsperson mechanism didn’t provide an effective legal remedy.
The court was explicit about the structural issue. FISA 702 permits surveillance of any non-US person without individualized judicial authorization. The EU Charter of Fundamental Rights requires that any interference with privacy be proportionate and subject to independent oversight. These two legal frameworks are fundamentally incompatible. No amount of diplomatic language or creative institutional design had changed that fact.

Data Privacy Framework: déjà vu with better marketing (2023–present)
After Schrems II, the transatlantic data transfer landscape was in chaos for nearly three years. Companies relied on SCCs with supplementary measures, transfer impact assessments, and a lot of creative compliance language. Many just kept transferring data and hoped for the best.
In October 2022, President Biden signed Executive Order 14086 — “Enhancing Safeguards for United States Signals Intelligence Activities.” The EO introduced two key changes: a requirement that US signals intelligence collection be “necessary” and “proportionate” (language chosen specifically to mirror GDPR terminology), and a new Data Protection Review Court (DPRC) where Europeans could challenge surveillance decisions.
Based on this executive order, the European Commission adopted its third adequacy decision for the EU-US Data Privacy Framework on July 10, 2023.
Sound familiar? It should. The pattern is identical to Privacy Shield: the US makes institutional changes that look like they address the court’s concerns, and the Commission issues a new adequacy decision. But the fundamental questions haven’t changed.
The DPRC problem
The Data Protection Review Court is the centerpiece of the DPF, and it’s the part most likely to fail judicial scrutiny. The DPRC’s judges are appointed by the US Attorney General — a political appointee in the executive branch. Proceedings are not public. Complainants don’t participate directly; a “special advocate” represents their interests. And the court’s decisions are classified.
Compare this to what EU law requires: an independent tribunal, accessible to the data subject, with transparent proceedings and an effective remedy. The DPRC checks some of these boxes on paper, but the gap between the mechanism and the standard is real.
The executive order problem
There’s a more fundamental issue. EO 14086 is an executive order — a presidential directive that can be modified or revoked by any future president with a stroke of a pen. It’s not legislation. It wasn’t passed by Congress. It has no permanence beyond the willingness of the current administration to keep it in place.
The Privacy Shield Ombudsperson was also created by executive action. When the Trump administration took office in 2017, the position sat vacant for over a year. Nobody was fired — the role just wasn’t filled. The mechanism the Commission had relied on as a cornerstone of its adequacy decision simply stopped functioning through bureaucratic neglect.
An adequacy decision that depends on an executive order is an adequacy decision that depends on the political preferences of whoever happens to be president.
The PCLOB collapse
If you want to understand why the DPF is already in trouble, look at what happened to the Privacy and Civil Liberties Oversight Board.
The PCLOB is an independent federal agency created after 9/11 to oversee US surveillance programs. It has five Senate-confirmed members and the authority to review counterterrorism programs — including those operating under FISA 702 and EO 12333. The PCLOB was one of the institutional safeguards the European Commission pointed to when it adopted the DPF adequacy decision.
In January 2025, the administration fired the board’s three Democratic members. With one seat already vacant, that left a single sitting member — below the quorum the board needs to operate. A federal court ruled two of the removals unlawful in May 2025, and the government’s appeal is pending. As of March 2026, the board remains non-functional. The body that was supposed to provide independent oversight of the surveillance programs that have killed every prior framework is, for all practical purposes, gone.
This isn’t a theoretical weakening of safeguards. It’s the collapse of a specific institution that the Commission cited as evidence that US law provides sufficient protections. When the CJEU evaluates the DPF — and it will — the fact that the PCLOB was dismantled within two years of the adequacy decision will be hard to explain away.
Schrems III: when, not if
The first legal challenge to the DPF has already come and gone — and it won’t be the last.
French MP Philippe Latombe filed an action for annulment of the adequacy decision before the EU General Court in September 2023 (Case T-553/23). The case argued that the DPF suffers from the same structural deficiencies as Privacy Shield — that FISA 702 surveillance remains disproportionate by EU standards and that the DPRC doesn’t constitute an independent tribunal. The General Court dismissed the challenge in September 2025 — but it assessed the adequacy decision on the facts as they stood at its adoption in 2023, before the PCLOB firings. An appeal to the CJEU is expected.
NOYB — the privacy organization Schrems founded — has signaled its intent to challenge the DPF as well. In public statements, Schrems has described the framework as “largely a copy of Privacy Shield” and has noted that the structural issues identified in Schrems II remain unresolved.
The question isn’t whether there will be a Schrems III challenge. The question is when the CJEU gets the case — and what happens between now and then.

The oversight board the Commission cited as evidence of sufficient safeguards was dismantled within two years of the adequacy decision.
The structural problem that won’t go away
Here’s the thing nobody in Brussels or Washington wants to say plainly: the EU-US data transfer problem isn’t a diplomacy problem. It’s a legal incompatibility.
On one side, you have FISA Section 702, which permits warrantless surveillance of any non-US person reasonably believed to be outside the United States. It doesn’t require individualized suspicion. It doesn’t require judicial authorization for each target. It operates through broad annual certifications. Congress has reauthorized it every time it’s come up for renewal, and in April 2024 actually expanded the categories of companies that can be compelled to assist.
On the other side, you have the EU Charter of Fundamental Rights, which requires that any interference with the right to privacy be proportionate, necessary, and subject to independent judicial oversight. GDPR operationalizes these requirements for data transfers through Articles 44-49.
These aren’t negotiating positions. They’re constitutional commitments. The US isn’t going to reform FISA 702 to require individualized warrants for foreign targets — that would gut its intelligence capabilities. The EU isn’t going to water down its fundamental rights charter — the CJEU has struck down frameworks three times precisely to prevent that.
No diplomatic framework can bridge a constitutional gap. That’s why every attempt has failed, and why the next one will too.
The Meta fine as precedent
While the courts work through the DPF challenge, enforcement has already begun under the existing rules. In May 2023, the Irish Data Protection Commission fined Meta EUR 1.2 billion — the largest GDPR fine ever — for transferring European users’ data to the United States in reliance on Standard Contractual Clauses without adequate supplementary measures.
The fine matters beyond its headline number. It establishes that post-Schrems II, relying on legal mechanisms that don’t actually prevent US surveillance access isn’t just a theoretical violation — it’s an enforceable one. The DPC also ordered Meta to suspend its US data transfers, though enforcement was stayed pending the DPF adoption.
For every organization currently transferring data to the US under the DPF, the Meta decision is a preview. If the DPF is invalidated, the legal basis for those transfers disappears — and the precedent for billion-euro fines already exists.
What to do now
You can’t control what the CJEU decides. You can’t fix the structural incompatibility between FISA 702 and GDPR. But you can stop building your infrastructure on a foundation that’s been pulled out three times already.
- Map your transatlantic data flows. Every service, every API call, every AI tool. Know exactly which of your data touches US-jurisdiction infrastructure. You can’t manage what you haven’t identified.
- Distinguish residency from sovereignty. “EU region” doesn’t mean EU sovereign. Follow the corporate chain to the ultimate parent company. If it’s US-incorporated, the CLOUD Act applies regardless of where the server sits. We covered this distinction in detail in Data Sovereignty Is Not Data Residency.
- Run a DPF dependency audit. Which of your transfers rely on the DPF adequacy decision? Which use SCCs? Which have supplementary measures? If the DPF is invalidated, you need to know within hours which transfers are affected — not discover it over weeks.
- Build transfer-independent infrastructure for sensitive workloads. Don’t wait for the next invalidation. For your most sensitive data — AI research, legal analysis, regulated industry work — use infrastructure that doesn’t require transatlantic transfers in the first place. Self-hosted or EU-sovereign solutions eliminate the transfer question entirely. This is the approach we’ve built LumaVista around: AI research infrastructure that keeps your data under your jurisdiction, not somebody else’s.
- Document your transfer impact assessments. If you’re relying on SCCs as a fallback, GDPR requires you to assess whether the destination country’s laws provide adequate protection. Post-Schrems II, that assessment for US transfers has to account for FISA 702. Document your analysis and your supplementary measures — regulators are asking for these.
- Watch the Latombe appeal. The General Court dismissed Case T-553/23 in September 2025, judging the adequacy decision on its 2023 facts. An appeal to the CJEU is expected — and once the CJEU weighs in, the cycle could start again.
- Plan for the transition, not just the status quo. Every prior framework invalidation created a compliance scramble. Organizations that had already diversified their infrastructure barely noticed. Those that hadn’t spent months in emergency mode. You get to choose which group you’re in next time.
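The first three steps above (map the flows, follow the parent company, audit DPF dependency) can be run as one pass over an inventory. The script below is an added example, not LumaVista code; the service names and inventory rows are constructed, and the exposure classes are our own labels for the situations the article describes.

```python
"""DPF dependency audit over a constructed transfer inventory (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    service: str                 # constructed vendor / system name
    hosting_region: str          # where the servers sit: "EU" or "US"
    parent_jurisdiction: str     # ultimate parent's country of incorporation
    mechanism: str               # "DPF", "SCC" or "none"
    tia_documented: bool = False # transfer impact assessment on file
    supplementary_measures: bool = False  # e.g. keys the vendor never holds


def classify(flow: Flow) -> str:
    """Exposure class of one flow if the DPF adequacy decision falls."""
    # Residency is not sovereignty: a US parent puts an EU region in US reach.
    in_us_reach = flow.hosting_region != "EU" or flow.parent_jurisdiction == "US"
    if not in_us_reach:
        return "sovereign"            # no transatlantic transfer to justify
    if flow.mechanism == "DPF":
        return "dpf-dependent"        # legal basis disappears with the decision
    if flow.mechanism == "SCC":
        if flow.tia_documented and flow.supplementary_measures:
            return "scc-with-measures"
        return "scc-undocumented"     # the pattern the Meta decision penalised
    return "no-transfer-basis"        # US reach, nothing on file at all


CLASSES = ("sovereign", "dpf-dependent", "scc-with-measures",
           "scc-undocumented", "no-transfer-basis")


def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Group service names by exposure class, sorted for stable reporting."""
    report = {c: [] for c in CLASSES}
    for flow in flows:
        report[classify(flow)].append(flow.service)
    return {c: sorted(names) for c, names in report.items()}


def affected_by_invalidation(report: dict[str, list[str]]) -> set[str]:
    """Services that need action within hours of a DPF invalidation."""
    return set(report["dpf-dependent"]) | set(report["scc-undocumented"]) \
        | set(report["no-transfer-basis"])


INVENTORY = [  # constructed sample data
    Flow("eu-vector-db", "EU", "DE", "none"),
    Flow("us-llm-api", "US", "US", "DPF"),
    Flow("analytics-saas", "EU", "US", "DPF"),      # EU region, US parent
    Flow("crm-eu-region", "EU", "US", "SCC", True, True),
    Flow("ticketing-tool", "US", "US", "SCC", False, False),
    Flow("backup-bucket", "EU", "US", "none"),
]
```

Running `audit(INVENTORY)` lists `us-llm-api` and `analytics-saas` as DPF-dependent even though the second one sits in an EU region.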
The Schrems Cycle isn’t a bug in EU-US relations. It’s a feature of two legal systems that make incompatible promises. The EU promises its citizens that their privacy is a fundamental right. The US promises its intelligence agencies broad surveillance powers over foreigners. No agreement can satisfy both promises at the same time.
The only way to break the cycle is to stop depending on it. Build infrastructure that doesn’t require a political agreement between Brussels and Washington to stay legal. The frameworks will keep coming and going. Your data architecture shouldn’t have to.