EU-U.S. Data Privacy Framework Survives First Challenge

DLA Piper

[co-author: Rachel de Souza]

The EU General Court has dismissed a French MEP’s challenge to the EU-U.S. Data Privacy Framework (“DPF”) for the transfer of personal data between the European Union (“EU”) and the United States (“U.S.”). While the decision is welcome news to organisations relying on the DPF for transfers underpinning their business operations, the debate is far from settled and further DPF challenges should be anticipated.

Background

The case arose from a request for annulment of the EU-U.S. DPF by French MP, Philippe Latombe.

The DPF replaced the Privacy Shield Framework (“Privacy Shield”), which was invalidated by Schrems II in July 2020. The DPF enables certified companies that make legally binding commitments to comply with the DPF Principles (contained in Annex I to the adequacy decision) to receive personal data from the EEA without having to rely on EU-approved transfer mechanisms such as Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) or to conduct Transfer Impact Assessments (“TIAs”). The European Commission concluded that the United States ensures an adequate level of protection, comparable to that of the European Union, for personal data transferred from the EU to U.S. companies under the new DPF. An essential element of the U.S. legal framework on which the adequacy decision is based is Executive Order 14086 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ (see our previous Blog Posts here). It is important to note that the EU-U.S. adequacy decision based on the DPF does not remove the need to perform TIAs for transfers to other countries outside of the European Economic Area (“EEA”), which remain necessary for non-adequate jurisdictions.

Latombe’s Challenge

Less than two months after the EU-U.S. adequacy decision was adopted, Latombe submitted challenges to the European Union General Court demanding the immediate suspension of the EU Commission’s adequacy decision and challenging the legality of the DPF. Latombe argued that:

  • Bulk Data Collection: U.S. intelligence agencies can still access large amounts of EU citizens’ data, in violation of the GDPR’s principles of data minimisation and proportionality.
  • Effective remedies: the DPF’s Data Protection Review Court (“DPRC”) is not an independent tribunal and does not offer guarantees similar to those required by Article 47 of the Charter of Fundamental Rights and Article 45(2) of the GDPR.
  • Insufficient safeguards: the DPF does not address the absence of safeguards in the U.S. around automated decision-making (“ADM”) and data security.
  • Procedural Issues: the DPF’s initial publication was only available in English and was not translated into the official languages of the European Union, as required by Regulation No 1/1958.

The General Court’s decision

The General Court has dismissed Latombe’s action for annulment, finding, in particular:

  • Independence of the DPRC: The General Court rejected the argument that the DPRC is not independent. The Court held that the appointment of judges to the DPRC and the DPRC’s functioning are “accompanied by sufficient safeguards and conditions to ensure the independence of its members”. In particular, the Court referred to the fact that judges of the DPRC may only be dismissed by the Attorney General and only for cause, and the Attorney General and intelligence agencies must not unduly impede or influence the work of the DPRC.
  • Bulk Collection: The Court noted that the judgment in Schrems II does not suggest that the bulk collection of personal data must be subject to prior authorisation issued by an independent authority; rather, Schrems II requires that the decision authorising such collection must, at the very least, be subject to judicial review. The Court found that signals intelligence activities carried out by U.S. intelligence agencies, including when they carry out bulk collection of personal data, are subject to the subsequent judicial supervision of the DPRC, whose decisions are final and binding. Therefore, the bulk collection of personal data carried out by the intelligence agencies satisfies the requirements arising from the judgment in Schrems II.
  • Safeguards: The Court rejected Latombe’s argument in relation to the absence of safeguards equivalent to those in the EU relating to ADM and security. In particular, the Court held that sectoral protections provided for by U.S. law must be taken into account and that the judgments in both Schrems I and Schrems II do not require a third country to guarantee a level of protection identical to that guaranteed in the EU – “the expression ‘adequate level of protection’ in Article 45(1) of the GDPR, had to be understood as requiring that that third country actually ensure, by reason of its domestic legislation or its international commitments, a level of protection of fundamental rights and freedoms that is substantially equivalent to that guaranteed within the European Union”.

What the Court did not decide

  • Standing: The Court did not address the issue of whether Latombe himself had standing to contest adequacy. As a result, that issue is open for appeal. And it is not clear whether by addressing substantive issues without addressing standing, the Court is inviting further challenges to adequacy.
  • Subsequent US developments: The Court made very clear that its decision was based on the facts and law as they stood at the time when the European Commission’s adequacy determination was adopted (10 July 2023). Accordingly, the Court did not address potentially relevant developments under the Trump administration including the firing of, and not replacing, members of the Privacy and Civil Liberties Oversight Board (currently before U.S. Courts) and multiple alleged violations of U.S. privacy laws by U.S. government agencies. The Court indicated that the European Commission had the burden “to monitor on an ongoing basis the application of the legal framework on which that decision is based… with a view to determining whether the United States of America continues to provide an adequate level of protection.”

Analysis & Conclusion

The General Court’s decision marks a significant moment in the ongoing saga of EU-U.S. data transfers. While the General Court’s decision will be welcomed by organisations transferring personal data from the EU to the U.S., the debate is far from settled and this decision provides only temporary legal certainty. The ruling is limited to the specific challenges raised by Mr. Latombe and does not preclude future legal challenges based on different arguments, circumstances or new facts arising since July 2023. Whilst the General Court cites the Schrems II decision, there is a notable shift in the way the court ascribes a more general approach to assessing essential equivalence, as compared to the existing rigour provided in the European Essential Guarantees set forth by the EDPB. In addition, the European Commission will continuously monitor the adequacy decision and DPF and may suspend or amend the decision.

Max Schrems’ privacy organisation, My Privacy is None of Your Business (NOYB), which led the previous legal challenges to the DPF’s predecessors, Privacy Shield and Safe Harbor, has already announced that it will be examining the judgment in the coming days and it believes a broader review of U.S. law, especially the use of Executive Orders by the Trump administration, “should yield a different result”. Latombe now has the option to bring an appeal against the decision of the General Court before the Court of Justice, and other parties may bring different challenges in the future.

Against that backdrop, businesses will be relieved not to have to jump into remediation and re-papering exercises; however, those relying on the DPF should continue to monitor the situation and maintain backup transfer solutions in the likely event of further challenges.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© DLA Piper
