European Court Tosses Challenge to EU-US Data Flow Pact
The EU General Court threw out a challenge to the EU-U.S. Data Privacy Framework (DPF) on Wednesday, confirming that the U.S. adequately protects Europeans' personal data and that trans-Atlantic data flows can continue.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The ruling brought cheers from privacy professionals and lawyers.
The case, filed by French Parliament Member Philippe Latombe, sought annulment of the DPF (Latombe v. Commission, Case T-533/23). Latombe didn't immediately comment. The judgment itself wasn't immediately available.
Latombe argued that U.S. surveillance authorities' bulk collection of personal data violates the data minimization and proportionality principles of the General Data Protection Regulation (GDPR) and that the U.S. has failed to guarantee the right of Europeans to an effective remedy for data misuse, particularly because of the lack of independence of the Data Protection Review Court (DPRC).
The lawmaker also contended that the U.S. lacks a framework governing automated decision-making, and there are no GDPR-required safeguards for securing processed personal data once it's sent to the U.S. (see 2504030004).
The General Court press release noted that the European Commission granted the U.S. an adequacy decision in July 2023 based on U.S. Executive Order 14086, which strengthened privacy safeguards governing activities carried out by U.S. intelligence agencies, and an Attorney General Regulation that amended provisions governing the establishment and functioning of the DPRC.
The EU court dismissed Latombe's request for annulment of the DPF. It held that the case file made it clear that the appointment of judges to the review court and its functions contain safeguards to ensure the independence of its members; that judges of the review court can be dismissed only for cause by the attorney general; and that the AG and intelligence agencies can't improperly influence its work.
The General Court also noted that the EC is required under its adequacy decision to monitor the application of the DPF continuously, so if the legal framework in the U.S. changes, the EC could decide to suspend, amend or repeal the decision.
The court rejected Latombe's argument that bulk data collection must be subject to prior authorization by an independent authority, saying signals intelligence activities performed by U.S. intelligence agencies are subject to after-the-fact judicial oversight by the DPRC.
The EC welcomed the decision, which confirmed that the DPC is "a valid instrument for safe data flows across the Atlantic, based on strong safeguards," a spokesperson said in an email.
The judgment upheld the EC adequacy decision, but "crucially" didn't address the intrinsic legality of U.S. surveillance programs, said Tim Wybitul, a data, cyber and tech lawyer at Latham & Watkins. It assesses only whether the new U.S. safeguards -- the DPRC and reinforced bulk collection limitations -- satisfy EU fundamental rights standards.
"By dismissing the challenge, the Court signaled that a blanket shutdown of trans-Atlantic data flows under the GDPR is unwarranted, especially where the remaining concerns are political rather than legal," Wybitul emailed us, noting that he hadn't seen the full decision.
The ruling turns on adequacy, not on whether U.S. spying is “legal" under the Fourth Amendment or the Foreign Intelligence Surveillance Act, Wybitul said. The court was satisfied that U.S. cumulative checks and balances give Europeans remedies and protection similar in substance to those inside the EU.
The case is noteworthy from a policy standpoint because it might call for political, not judicial, solutions to "any residual discomfort with U.S. national-security surveillance," Wybitul said. The GDPR's adequacy tool is intended to facilitate data flows unless fundamental rights are clearly at risk. Using it to halt trans-Atlantic commerce over broader geopolitical questions would exceed its mandate, he added.
IAPP Director of Research and Insights Joe Jones wrote that the court limited its scrutiny to the laws and facts that existed at the time the EC adequacy decision was granted in 2023. There are "reasonable arguments both ways that factual/legal changes since then should/should not be considered."
Latombe's challenge was targeted and narrow, and its failure doesn't mean that another attempt, covering a broader set of arguments, wouldn't succeed, Austrian privacy activist Max Schrems said. "We are reviewing our options to bring such a challenge."
Latombe could also choose to appeal the ruling to the European Court of Justice, which, judging by its decisions in Schrems I (see 1510060001) and Schrems II (see 2007160002), might have a different view, Schrems added. In those cases, the ECJ annulled previous versions of the DPF.