[The above image was AI-generated by ChatGPT o3.]
Natasza is an LL.M. Candidate at Harvard Law School (2025). She holds her primary law degree from Jagiellonian University in Kraków, Poland, where she is also currently pursuing a Ph.D. in AI and data privacy. Natasza’s academic journey has taken her across five universities on three continents, including the University of Melbourne, the University of California San Diego, Ludwig Maximilian University of Munich, LUMSA University in Rome, and the University of Basel. Before joining Harvard, Natasza gained professional experience at the OECD, the United Nations, the Centre for AI and Digital Ethics at the University of Melbourne, and various law firms, contributing to projects on AI regulation, data privacy, digital trade, and competition law.
Case C-362/14, Maximillian Schrems v. Data Prot. Comm’r, ECLI:EU:C:2015:650 (Oct. 6, 2015) (“Schrems I”).
Case C-311/18, Data Prot. Comm’r v. Facebook Ir. & Maximillian Schrems, ECLI:EU:C:2020:559 (July 16, 2020) (“Schrems II”).
Edward Snowden: a hero of privacy or a traitor to the United States? Regardless of which narrative prevails, one thing is sure—Snowden’s revelations reshaped U.S. intelligence law, making it some of the most transparent and recognizable worldwide. While few have heard about German or Chinese intelligence regulations, abbreviations such as FISA or CLOUD Act appear in the media almost as often as extreme weather updates.
However, is this really surprising? The U.S. has one of the most powerful intelligence services in the world. Thanks to its global reach, the U.S. intelligence system may indeed require more scrutiny and oversight. The U.S. is also home to the most potent military force, as well as the largest tech companies that facilitate communication services globally. Five of the six companies that are recognized by the European Union (EU) as “gatekeepers” (Alphabet, Amazon, Apple, ByteDance, Meta, and Booking) are American. Such power accumulation explains why even U.S. allies are concerned about American intelligence’s reach and access to non-U.S. persons’ data.
After Snowden’s revelations in 2013, Austrian privacy activist Maximilian Schrems filed a claim with Ireland’s Data Protection Commissioner, asking to stop Facebook Ireland from transferring his personal data to U.S. servers. Schrems argued that U.S. law did not provide him sufficient data protection. This led to the 2015 ruling of the Court of Justice of the European Union (CJEU), known as Schrems I, which invalidated the European Commission’s decision from 2000 on the adequacy of the U.S.-EU Safe Harbor Framework.
A year later, in 2016, the European Commission introduced a new adequacy decision called the Privacy Shield. Maximilian Schrems filed another complaint similar to his original challenge, arguing that the Commission’s new legislation failed to fix the problems he flagged in 2013. This, in turn, led to a CJEU judgment in 2020 (Schrems II), which invalidated the EU-U.S. Privacy Shield. (Schrems II discusses the case’s background, including Schrems’s follow-up complaint.) The Court’s arguments were very similar to those from the Schrems I judgment: U.S. law does not meet the EU proportionality requirements when it comes to accessing EU persons’ information and does not provide data subjects with any rights before the courts against U.S. authorities.
To address EU requirements, the U.S. took several measures, including President Biden’s Executive Order 14086, which emphasized proportionality and introduced a new redress mechanism for data privacy violations. The redress system established an independent ombudsperson mechanism within the Privacy and Civil Liberties Oversight Board to allow individuals (particularly non-U.S. persons) to file and resolve privacy complaints about U.S. intelligence activities, ensuring proportionality and accountability in surveillance. In May 2023, the EU and the U.S. established a new adequacy decision called the Data Privacy Framework, allowing EU data to be transferred to participating U.S. entities.
The critical question now is whether this framework will withstand scrutiny by the CJEU or meet the same fate as its predecessors. This debate leads to reconsideration of an issue that is compelling yet often overlooked within the EU: the lack of harmonized standards for surveillance law.
Given that the primary concerns over transatlantic data transfers relate to insufficient protection against U.S. government surveillance, it would be logical to define the EU surveillance standards first. However, national security law is not in the scope of EU competencies and is regulated separately by each EU Member State (as per Art. 4(2) of the Treaty on European Union). In many cases, the Member States provide varying levels of privacy and data protection, often falling below the standards already established by U.S. regulations.
Moreover, the EU does not consistently assess whether its Member States comply with the standards it demands from other partner countries. For instance, when the Pegasus spyware was reported in several EU Member States, including Poland—where it was allegedly used to surveil opposition politicians—no EU institution questioned the adequacy of these Member States as recipients of personal data from other EU citizens. This raises the question: Does the EU have the authority to demand greater safeguards from the U.S. than those provided by its Member States?
According to the CJEU, the U.S. does not have to replicate EU law exactly: the measures can differ as long as they provide an equivalent level of protection. It can be argued that, in the case of adequate surveillance laws, the EU strives for adequacy based on an idealized conception of its general standards, rooted in the Charter of Fundamental Rights of the European Union (Arts. 7, 8, and 47) and assuming that its Member States fully meet these requirements. However, the reality is more complex, especially in national security matters. As mentioned above, the EU Member States’ regulations on surveillance practices are neither harmonized nor do they meet the highest standards that the EU further requires from the U.S. In contrast, surveillance in the U.S. is regulated at the federal level, offering a comprehensive regulatory scheme that can be measured and directly compared with the EU’s Platonic standards.
Achieving a balance between effective surveillance and privacy protection is challenging, as surveillance inherently conflicts with the right to privacy. This tension brings the trade-off between national security and individual privacy to the forefront. In this debate, especially when considering potential risks such as terrorism, compromising individual privacy is frequently seen as justifiable in the interest of broader societal safety.
So, what is the true goal of enforcing the EU ideal of surveillance standards in the U.S.? If those practices help to prevent terrorist attacks, does filtering electronic communications for specific keywords pose a genuine threat to privacy? Individual privacy violations, unlike threats to national security, rarely result in immediate harm. However, the core argument favoring privacy is the power imbalance between the state and the individual resulting from privacy intrusions. This concern echoes a Kafkaesque vision where individuals are left defenseless against an increasingly complex and opaque state apparatus.
In this third decade of the 21st century, it would be naive to expect the U.S. (or any other) government to abandon its well-established and extensively used intelligence tools. Nor is this the EU’s goal. So, what is the purpose of the legal battle led by Maximilian Schrems? The issue lies in unrestricted government access to personal data through programs that either remain unknown to the public or are known but lack transparency. The greater threat is the authorities’ ability to merge information from various sources, as privacy risks often do not stem from a single data point but from the complete picture formed by combining multiple data sources.
Governments that once enjoyed global trust and championed democratic values can rapidly lose that status. Politics is inherently vulnerable to capture by authoritarian-minded actors—a risk exemplified by Hungary’s shift in governance within the EU. Such a scenario poses serious dangers, and the EU’s concerns about individual privacy in third countries like the U.S. could prove legitimate with potentially significant implications for (ironically) collective security.