
Schrems III: What to Expect and How to Prepare

An analysis of the likely next Schrems legal challenge, its potential impact on EU-US data transfers, and practical steps organizations should take now.

GlobalDataShield Team | 6 min read

The Pattern So Far

The Schrems cases have been the most consequential legal challenges in the history of international data transfers. Understanding the pattern helps predict what comes next.

Schrems I (2015)

Max Schrems, an Austrian privacy activist, challenged the EU-US Safe Harbor framework. The Court of Justice of the European Union (CJEU) invalidated Safe Harbor, finding that US surveillance programs allowed mass access to European personal data without adequate safeguards.

Schrems II (2020)

Schrems challenged the successor framework, Privacy Shield, along with the use of Standard Contractual Clauses (SCCs) for data transfers to the US. The CJEU invalidated Privacy Shield and ruled that SCCs alone were insufficient without a case-by-case assessment of whether the recipient country provides adequate protection.

The EU-US Data Privacy Framework (2023)

In response to Schrems II, the US issued Executive Order 14086, establishing new safeguards and a redress mechanism for EU citizens. The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF) in July 2023.

Why Schrems III Is Expected

The conditions that led to the first two challenges have not fundamentally changed. Here is why a third challenge is widely anticipated:

1. Executive Orders Are Not Legislation

The US safeguards underpinning the DPF are based on an executive order, not federal legislation. Executive orders can be modified or revoked by any sitting president without Congressional approval. This creates structural instability.

2. FISA Section 702 Remains in Force

The Foreign Intelligence Surveillance Act's Section 702 continues to authorize the collection of foreign communications data. While Executive Order 14086 introduced proportionality requirements, the underlying surveillance authority is unchanged.

3. The Redress Mechanism Has Limitations

The Data Protection Review Court (DPRC) established under the DPF has been criticized for several reasons:

  • It is not a traditional court with full judicial independence
  • Its proceedings are not transparent
  • Complainants do not receive detailed information about the outcome of their cases
  • It operates within the executive branch, not the judiciary

4. NOYB Has Signaled Its Intent

NOYB (None of Your Business), the organization founded by Max Schrems, has publicly indicated its intention to challenge the DPF. The organization has been monitoring the framework's implementation and gathering evidence for a potential legal challenge.

What a Schrems III Challenge Might Look Like

While the exact form of a Schrems III challenge is uncertain, several scenarios are plausible:

Scenario 1: Direct Challenge to the Adequacy Decision

NOYB or another organization could file a complaint with an EU data protection authority, which would then refer the question of the DPF's adequacy to the CJEU. This mirrors the path of the previous Schrems cases.

Scenario 2: Challenge Based on Changed Circumstances

If a new US administration modifies or weakens the safeguards established by Executive Order 14086, this could trigger a challenge based on changed circumstances that undermine the adequacy decision.

Scenario 3: Challenge to Specific Transfers

Rather than challenging the entire framework, a challenge could target specific data transfers where the DPF's safeguards are demonstrably insufficient for the type of data or the specific surveillance risks involved.

Potential Outcomes

| Outcome | Likelihood | Impact |
|---|---|---|
| DPF upheld entirely | Low | Business as usual for DPF-certified organizations |
| DPF upheld with conditions | Medium | Additional requirements added to DPF transfers |
| DPF partially invalidated | Medium | Some categories of transfers disrupted |
| DPF fully invalidated | Medium-High | Third framework collapse; major disruption |
| SCCs further restricted | Medium | Additional transfer mechanism constraints |

Timeline Considerations

Legal challenges at the CJEU typically take 18-24 months from referral to judgment. Given that preliminary challenges may need to work through national courts first, a final Schrems III ruling could come anywhere from 2026 to 2028.

However, organizations should not wait for a ruling to act. The uncertainty itself creates compliance risk, particularly for organizations in regulated industries where data protection authorities expect proactive risk management.

How to Prepare for Schrems III

1. Reduce Dependence on the DPF

Do not treat the DPF as your sole legal basis for EU-US data transfers. Implement supplementary measures and alternative transfer mechanisms.

Actions:

  • Use SCCs alongside DPF certification
  • Conduct Transfer Impact Assessments (TIAs) for all US transfers
  • Document supplementary measures for each transfer

2. Evaluate Data Localization

For the most sensitive data categories, consider whether the data needs to leave the EU at all. European infrastructure options are increasingly competitive.

Actions:

  • Map data flows to identify which transfers are essential and which are habitual
  • Evaluate EU-based alternatives for key services
  • Implement data minimization to reduce the volume of cross-border transfers

3. Strengthen Technical Measures

Technical measures that prevent the data importer from accessing plaintext data can survive a framework invalidation because they remove the surveillance risk at the technical level.

Actions:

  • Implement end-to-end or zero-knowledge encryption where possible
  • Use pseudonymization and tokenization to reduce the sensitivity of transferred data
  • Deploy confidential computing for processing workloads
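
As an added illustration of the pseudonymization and minimization measures listed above (example code written for this article's argument, not GlobalDataShield's implementation), the sketch below tokenizes direct identifiers with a key that stays with the EU exporter and drops fields the importer does not need. The field names, the record schema, and the key value are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: this key is generated and stored only by the EU exporter
# (for example in an EU-hosted KMS/HSM) and is never sent to the importer.
EXPORTER_KEY = b"constructed-demo-key-held-in-eu-only"

# Assumption: hypothetical field policy for a constructed record schema.
DIRECT_IDENTIFIERS = {"email", "customer_id"}   # replaced by keyed tokens
DROP_FIELDS = {"full_name", "street_address"}   # minimized: never transferred


def pseudonymise(value: str, field: str, key: bytes = EXPORTER_KEY) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so the
    importer can still join records, but a dictionary of likely e-mail
    addresses cannot be tested against the tokens without the key."""
    msg = f"{field}\x00{value.strip().lower()}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]  # 128 bits


def prepare_for_transfer(record: dict) -> dict:
    """Build the record that is allowed to leave the EU."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in DIRECT_IDENTIFIERS:
            out[field + "_token"] = pseudonymise(str(value), field)
        else:
            out[field] = value
    return out


def contains_plaintext_identifier(original: dict, transferred: dict) -> bool:
    """Pre-transfer gate: True if any sensitive original value still appears."""
    blob = json.dumps(transferred).lower()
    sensitive = DIRECT_IDENTIFIERS | DROP_FIELDS
    return any(str(original[f]).lower() in blob for f in sensitive if f in original)


# Constructed sample record (not real data).
SAMPLE = {"customer_id": "C-10442", "email": "Anna.Muster@example.eu",
          "full_name": "Anna Muster", "street_address": "Beispielweg 1",
          "plan": "enterprise", "monthly_docs": 318}

if __name__ == "__main__":
    print(json.dumps(prepare_for_transfer(SAMPLE), indent=2))
```

The protection holds only while the key stays out of the importer's reach; an unkeyed hash of an e-mail address would not give the same property, because candidate addresses can be hashed and compared.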

4. Implement Transfer Mechanism Diversification

Do not rely on a single transfer mechanism. Use a layered approach that combines multiple legal bases.

Actions:

  • Maintain current SCCs with supplementary measures
  • Consider Binding Corporate Rules (BCRs) for intra-group transfers
  • Evaluate derogations under Article 49 GDPR for specific transfer scenarios
  • Monitor the development of new transfer mechanisms

5. Monitor and Adapt

Stay informed about the legal proceedings and regulatory guidance related to Schrems III.

Actions:

  • Subscribe to updates from NOYB, the EDPB, and relevant national DPAs
  • Participate in industry working groups focused on international transfers
  • Build flexibility into your data architecture to accommodate rapid changes

The Broader Lesson

The Schrems series illustrates a fundamental challenge: building stable data transfer mechanisms between jurisdictions with fundamentally different approaches to government surveillance and privacy rights.

Until there is structural convergence between EU privacy expectations and US surveillance practices -- which would require US federal legislation, not just executive orders -- the cycle of frameworks and challenges is likely to continue.

Organizations that build their data infrastructure with this reality in mind -- prioritizing technical protections, data minimization, and jurisdictional control -- will be best positioned regardless of how Schrems III unfolds. Solutions like GlobalDataShield that offer European-based infrastructure with strong technical safeguards provide a foundation that does not depend on the survival of any particular legal framework.
