Speaking at the largest annual gathering of privacy professionals, Max Schrems, the Austrian data protection activist who torpedoed two previous EU-US data transfer systems, discussed how he may lodge a "Schrems III" case against the current EU-US Data Privacy Framework. The decision on whether to file a case will be based on the outcome of a pending appeal by a French lawmaker at the EU's highest court, Schrems said.
European data protection bad boy Max Schrems discussed the terms Tuesday under which he might bring a “Schrems III” challenge to the current EU-US data transfer system, deriding the present challenge being posed by a French lawmaker.Schrems also discussed how the EU and the US could end their data transfer issues, in his view, once and for all.
The Austrian man who successfully challenged the previous two trans-Atlantic data transfer systems — Safe Harbor and Privacy Shield in European court cases that have come to be known as “Schrems I” and “Schrems II” — told one of the world’s largest annual privacy gatherings* that for now, he can’t do anything to challenge the current system, the EU-US Data Privacy Framework, or DPF.
But, he said, that could soon change.
“First of all, right now we're a bit blocked with the Latombe case,” Schrems said, referring to the September 2023 challenge to the DPF before the European Court of Justice by French National Assembly member Philippe Latombe, who filed it in his personal capacity.
That case, Schrems said dismissively, “for various reasons, mainly procedural reasons, is not going to go anywhere,” calling it a “shit case.” One key problem, Schrems predicted, is that Latombe won’t be able to show he has standing to sue to the European court.
Latombe has argued the framework should be annulled because it doesn’t give EU citizens who want to contest the collection of their personal data by US authorities a “guaranteed right to an effective remedy and access to an impartial tribunal” (see here).
Schrems said he is waiting for the US Supreme Court to rule on Rebecca Slaughter’s challenge to her firing from the US Federal Trade Commission by President Donald Trump. That decision, Schrems said, will demonstrate whether the FTC, which enforces elements of the current DPF, is truly an agency independent of the executive branch of the US government.
If Latombe’s challenge to the DPF fails, Schrems said he will wait for the Supreme Court’s decision on the independence of the FTC before moving forward. Under Article 8(3) of the EU Charter of Fundamental Rights, Schrems noted, an “independent” body must monitor and enforce the processing of personal data (see here).
The FTC is designated as the independent legal enforcer evaluating whether US companies live up to their pledges to abide by the data privacy principles built into the DPF. Companies that fail to honor those privacy principles can be sanctioned by the agency for violating prohibitions on deceptive or unfair conduct.
But Schrems jousted Tuesday with panel moderator Brian Hengesbaugh, who negotiated the Safe Harbor agreement on behalf of the US Department of Commerce in the 1990s, about which US agency needs to be independent to satisfy Article 8 given that two US agencies have a role in the DPF.
The US Department of Justice's Data Protection Review Court is another independent entity added as part of the DPF system. The review court was established to provide redress rights to Europeans, the absence of which was a key reason why the European Court of Justice struck down Privacy Shield in 2020 in the Schrems II case. Only two European privacy complaints, however, have been filed with the review court, a senior US official said this week (see here).
“Do Europeans actually really care about this, or is this more of a theoretical?” Hengesbaugh said, noting the paltry number complaints filed from 27 EU countries.
Schrems acknowledged there is a theoretical element to the issue. And he agreed with Hengesbaugh on one point: that a treaty between the US and the EU might be the best way to permanently end the seemingly endless battle about the legality of trans-Atlantic data transfers.
“For this one, I've been saying we need to get a treaty on data and government access to data, an actual treaty going and get out of this bilateral thing,” Hengesbaugh said.
“Reasonable people are backing off this and are like, how are we going to fix this in the long term? It would be what they call this no-spy agreement, which basically means you give the same kind of judicial protections to foreigners as you give to your own citizens,” Schrems said. “Once that's granted to one another, then you don't have that problem with data transfers anymore.”
For now, though, Schrems said Europeans are so distrustful of the current US administration that no deal like that is likely. With some gallows humor, Schrems joked that people in his Noyb organization were worried his laptop and phones would be surveilled when he entered the US.
“People are terrified of the US government. You know, I was like, ‘Chill people, you know, worst case, I have connection flight to Guantanamo,’” Schrems joked, referring to the US base in Cuba where terrorists are incarcerated.
Schrems said his team even concluded there might be a silver lining for a possible “Schrems III” challenge if he was surveilled and denied entry to the US, joking that “at least if you got abducted at the border, we'd have a case!"
*IAPP Global Summit 2026: Privacy-AI Governance, Washington, DC, March 30-April 2, 2026.
Please email editors@mlex.com to contact the editorial staff regarding this story, or to submit the names of lawyers and advisers.