Dr Samira Allioui, Research fellow, Centre
d'études internationales et européennes, Université de Strasbourg
Photo credit: Ibrahim Rustanov, via Wikimedia
Commons
French Member of
Parliament Philippe Latombe, who also sits on the board of the French data
protection authority, the Commission Nationale de l’Informatique et des
Libertés, brought an action, in his personal capacity, in the General Court of
the European Union calling for the annulment of the Data Privacy Framework. On
Wednesday, September 3, the General Court of the European Union dismissed
MP Philippe Latombe's appeal against the Data Privacy Framework adequacy
decision, the agreement governing data transfers between the EU and the
United States, at the heart of a long legal saga. Since Latombe's case was brought as an action for
annulment and not as a preliminary question by a national court, he not only
had to prove that the deal was substantively wrong, but also that he was
directly affected in order to be entitled to bring an action at all.
The DPF is the
successor to the EU-U.S. Privacy Shield (the Privacy Shield), after
the adequacy
decision on the EU side adopted in light of the Privacy Shield was declared
invalid in 2020 by the CJEU following litigation by privacy advocate
Maximilian Schrems, acting through not-for-profit NOYB (none of your business),
in the landmark case of Schrems II. The Privacy Shield was the successor
to the EU-U.S. Safe Harbor Framework, which was declared invalid in 2015
in Schrems
I. In response, the United States established the Data Protection
Review Court (DPRC). The European Commission approved the DPF in July 2023.
Personal data
transferred from the European Union to third countries is no longer subject to
the GDPR in those countries. This requires compliance with certain safeguards
prior to transfer, with the aim of ensuring adequate data protection in the
destination country. An adequacy decision is one of the mechanisms for ensuring
this protection, and the GDPR
provides for a Commission decision recognizing, after a thorough
examination, that the law of a third country offers guarantees deemed adequate.
It is clear that even
though American law has since evolved towards greater oversight of intelligence
services, one particular issue has long been a problem in US-EU relations:
access to effective remedies in the United States, allowing Europeans affected
by transatlantic transfers to challenge the processing of their data. This
issue was already the subject of progress in 2022 with Executive Order 14086,
which paved the way for a challenge mechanism. This allowed the European
Commission to adopt a new adequacy decision in 2023, the very one that is being
challenged in the Latombe case.
The new ruling
This new ruling is therefore part of a series of
developments relating to transatlantic transfers. The fundamental issue is the
adequacy of the safeguards provided abroad, and therefore the degree of
requirement that the European Union must have vis-à-vis the states to which
data are transferred. However, on this point, the reasoning followed by the
General Court of the European Union contrasts sharply with the rulings handed
down by the Court of Justice of the European Union in the Schrems I and II
cases. In the Schrems II ruling, the Court insisted that "the third
country must offer guarantees to ensure an adequate level of protection
essentially equivalent to that guaranteed in the European Union," while
also using the terms "essential equivalence" and "substantial
equivalence" interchangeably. Only the latter expression—"substantial
equivalent"—is adopted by the General Court, although it gives it a scope
that appears to be weakened.
In its assessment of the adequacy of American law, the
Court appears to be less demanding than the Court of Justice. In recent years,
the latter has initiated a particularly demanding jurisprudential movement in
matters of personal data protection, giving rise to numerous tensions with
Member States, which themselves struggle to comply with the requirements of the
Court of Justice. While the Schrems I and II judgments were perfectly in line
with this trend, the Court's judgment seems to propose another direction,
perhaps more favorable to national security issues.
In any case, in its analysis of the conditions to be
met to conclude that foreign law is adequate, the Court draws its inspiration
primarily from the ECtHR case of Big Brother Watch v. United
Kingdom. On the contrary, the major decisions of the CJEU – we are
thinking in particular of the La
Quadrature du Net I case – dealing with the activities of intelligence
services are not considered relevant by the Court. The latter were particularly
demanding, where the ECtHR recognizes certain margins of appreciation for
States, in particular due to the very sensitive nature of intelligence and
national security issues.
The next developments?
Since this is a General Court ruling, it is likely
that there will be an appeal to the CJEU. Let us assume, however, that
the Court upholds the existing adequacy decision. Another fundamental question
would inevitably arise. The General Court is not taking into account recent
developments in US law, particularly since the return of President Donald
Trump. However, some of the guarantees applicable in US law, highlighted by the
General Court, already appear to be weakened. Let us give an example: the Privacy
and Civil Liberties Oversight Board (PCLOB) which role is fundamental,
particularly because it is involved in the appointment of members of the Data
Protection Review Court, whose independence and impartiality are discussed at
length in the General Court's ruling. However, President Donald Trump has
terminated the terms of several PCLOB members, preventing it from functioning.
The impact this could have on transatlantic data transfers has already been the
subject of debate in the European Parliament and the United States. The saga
surrounding transatlantic data transfers could thus, despite the Court's
ruling, be the subject of new twists and turns.
Today, more than 2,800 US companies are DPF-certified,
allowing them to continue relying on the adequacy decision (Article 45 of the
GDPR) as the legal basis for their transatlantic transfers Data Privacy Framework.
However, while this prevents massive disruptions to data flows, the stability
of the framework is not guaranteed. It must be actively monitored, given
regulatory or judicial events that may disrupt it.
Plus, if Mr. Latombe can still appeal the General
Court's decision to the CJEU, it is uncertain whether the CJEU would follow the
General Court's reasoning. It should be recalled here that the CJEU has in the
past held that adequacy decisions must be assessed on the basis of the legal
and factual situation at the time of the appeal, while in Latombe, the General
Court departed from this standard and stated that decisions must be assessed on
the basis of the situation at the time of their adoption (i.e., under the
previous administration). Finally, the European Commission could, in theory,
decide to suspend or repeal the DPF if it considers in the future that US law
no longer provides sufficient protection for European Economic Area personal
data.
No comments:
Post a Comment