EU Court Upholds the Validity of the EU-U.S. Data Privacy Framework

Another attempt to block EU–US data transfers has failed. The EU General Court confirmed that the EU–US Data Privacy Framework remains valid, meaning companies can continue transferring personal data across the Atlantic without relying on alternative mechanisms such as Standard Contractual Clauses.

Data Privacy Framework

The EU–US Data Privacy Framework (hereinafter – DPF) is the European Commission’s latest system for transferring personal data lawfully from the European Union to the United States. The idea behind an “adequacy decision” is simple. If the European Commission believes that a country outside the EU protects personal data well enough, companies can transfer data without needing extra permission. In July 2023, the Commission issued such a decision for the United States, officially establishing the DPF.

This framework was created after the Court of Justice of the European Union (hereinafter – CJEU) struck down previous systems – Safe Harbour and Privacy Shield – in the Schrems I and II cases because they did not provide enough protection for EU citizens’ data.

The US adopted Executive Order 14086 of October 7, 2022 to address these shortcomings, supplemented by an Attorney General Regulation. Together, these instruments created the Data Protection Review Court (hereinafter – DPRC), which seeks to provide EU citizens with a mechanism for challenging unlawful surveillance.

What was the case all about?

Philippe Latombe, a French citizen who uses various IT platforms that collect his personal data and transfer it to the United States, asked the General Court to annul the contested decision, arguing that the new US safeguards are insufficient: the Data Protection Review Court (DPRC) lacks independence, and US intelligence agencies continue bulk data collection without proper limits.

According to Mr Latombe, the DPRC is neither impartial nor independent but dependent on the executive. Moreover, he submits that the practice of the intelligence agencies of that country of collecting bulk personal data in transit from the European Union, without the prior authorisation of a court or an independent administrative authority, is not circumscribed sufficiently clearly and precisely and is, therefore, illegal.

The Judgment

The General Court dismisses the action for annulment.

1. The Data Protection Review Court (DPRC) was not impartial or independent but rather dependent on the executive

The General Court concluded that there are “several safeguards and conditions”, in particular those set out in Executive Order 14086 and the Attorney General Regulation (AG Regulation), that are sufficient to guarantee independence, impartiality and effective redress, both in the functioning of the DPRC and in regard to the appointment and dismissal of judges.

The DPF also requires the EU Commission to continuously monitor the application of the legal framework on which the adequacy decision is based. This oversight means the EU Commission may limit the scope, suspend, amend or repeal the DPF should the legal framework change.

2. Bulk collection of personal data by US intelligence agencies is illegal.

The Court held that nothing in Schrems II requires bulk collection of personal data to be subject to prior judicial authorisation. Instead, the CJEU required that such collection be subject to ex post judicial review. Since under US law, intelligence activities are now subject to oversight by the DPRC, the General Court finds that it cannot be considered that the bulk collection of personal data by American intelligence agencies falls short of the requirements arising from Schrems II or that US law fails to ensure a level of legal protection that is essentially equivalent to that guaranteed by EU law.

Conclusion

The DPF remains in effect, enabling EU–US data transfers without requiring additional transfer mechanisms such as Standard Contractual Clauses. Organisations that have self-certified under the DPF can continue relying on it for now.

However, the decision may still be appealed, which means the future of the DPF is not yet fully secure. Organisations should remain attentive to further developments to ensure continued compliance.
