The General Court of the European Union upholds the Data Privacy Framework

 

 

Dr Samira Allioui, Research fellow, Centre d'études internationales et européennes, Université de Strasbourg

Photo credit: Ibrahim Rustanov, via Wikimedia Commons

French Member of Parliament Philippe Latombe, who also sits on the board of the French data protection authority, the Commission Nationale de l’Informatique et des Libertés, brought an action, in his personal capacity, in the General Court of the European Union calling for the annulment of the Data Privacy Framework. On Wednesday, September 3, the General Court of the European Union dismissed MP Philippe Latombe's appeal against the Data Privacy Framework adequacy decision, the agreement governing data transfers between the EU and the United States, at the heart of a long legal saga. Since Latombe's case was brought as an action for annulment and not as a preliminary question by a national court, he not only had to prove that the deal was substantively wrong, but also that he was directly affected in order to be entitled to bring an action at all.

The DPF is the successor to the EU-U.S. Privacy Shield (the Privacy Shield), after the adequacy decision on the EU side adopted in light of the Privacy Shield was declared invalid in 2020 by the CJEU following litigation by privacy advocate Maximilian Schrems, acting through not-for-profit NOYB (none of your business), in the landmark case of Schrems II. The Privacy Shield was the successor to the EU-U.S. Safe Harbor Framework, which was declared invalid in 2015 in Schrems I. In response, the United States established the Data Protection Review Court (DPRC). The European Commission approved the DPF in July 2023.

Personal data transferred from the European Union to third countries is no longer subject to the GDPR in those countries. This requires compliance with certain safeguards prior to transfer, with the aim of ensuring adequate data protection in the destination country. An adequacy decision is one of the mechanisms for ensuring this protection, and the GDPR provides for a Commission decision recognizing, after a thorough examination, that the law of a third country offers guarantees deemed adequate.

It is clear that even though American law has since evolved towards greater oversight of intelligence services, one particular issue has long been a problem in US-EU relations: access to effective remedies in the United States, allowing Europeans affected by transatlantic transfers to challenge the processing of their data. This issue was already the subject of progress in 2022 with Executive Order 14086, which paved the way for a challenge mechanism. This allowed the European Commission to adopt a new adequacy decision in 2023, the very one that is being challenged in the Latombe case.

The new ruling

This new ruling is therefore part of a series of developments relating to transatlantic transfers. The fundamental issue is the adequacy of the safeguards provided abroad, and therefore the degree of requirement that the European Union must have vis-à-vis the states to which data are transferred. However, on this point, the reasoning followed by the General Court of the European Union contrasts sharply with the rulings handed down by the Court of Justice of the European Union in the Schrems I and II cases. In the Schrems II ruling, the Court insisted that "the third country must offer guarantees to ensure an adequate level of protection essentially equivalent to that guaranteed in the European Union," while also using the terms "essential equivalence" and "substantial equivalence" interchangeably. Only the latter expression—"substantial equivalent"—is adopted by the General Court, although it gives it a scope that appears to be weakened.

In its assessment of the adequacy of American law, the Court appears to be less demanding than the Court of Justice. In recent years, the latter has initiated a particularly demanding jurisprudential movement in matters of personal data protection, giving rise to numerous tensions with Member States, which themselves struggle to comply with the requirements of the Court of Justice. While the Schrems I and II judgments were perfectly in line with this trend, the Court's judgment seems to propose another direction, perhaps more favorable to national security issues.

In any case, in its analysis of the conditions to be met to conclude that foreign law is adequate, the Court draws its inspiration primarily from the ECtHR case of Big Brother Watch v. United Kingdom. On the contrary, the major decisions of the CJEU – we are thinking in particular of the La Quadrature du Net I case – dealing with the activities of intelligence services are not considered relevant by the Court. The latter were particularly demanding, where the ECtHR recognizes certain margins of appreciation for States, in particular due to the very sensitive nature of intelligence and national security issues.

The next developments?

Since this is a General Court ruling, it is likely that there will be an appeal to the CJEU. Let us assume, however, that the Court upholds the existing adequacy decision. Another fundamental question would inevitably arise. The General Court is not taking into account recent developments in US law, particularly since the return of President Donald Trump. However, some of the guarantees applicable in US law, highlighted by the General Court, already appear to be weakened. Let us give an example: the Privacy and Civil Liberties Oversight Board (PCLOB) which role is fundamental, particularly because it is involved in the appointment of members of the Data Protection Review Court, whose independence and impartiality are discussed at length in the General Court's ruling. However, President Donald Trump has terminated the terms of several PCLOB members, preventing it from functioning. The impact this could have on transatlantic data transfers has already been the subject of debate in the European Parliament and the United States. The saga surrounding transatlantic data transfers could thus, despite the Court's ruling, be the subject of new twists and turns.

Today, more than 2,800 US companies are DPF-certified, allowing them to continue relying on the adequacy decision (Article 45 of the GDPR) as the legal basis for their transatlantic transfers Data Privacy Framework. However, while this prevents massive disruptions to data flows, the stability of the framework is not guaranteed. It must be actively monitored, given regulatory or judicial events that may disrupt it.

Plus, if Mr. Latombe can still appeal the General Court's decision to the CJEU, it is uncertain whether the CJEU would follow the General Court's reasoning. It should be recalled here that the CJEU has in the past held that adequacy decisions must be assessed on the basis of the legal and factual situation at the time of the appeal, while in Latombe, the General Court departed from this standard and stated that decisions must be assessed on the basis of the situation at the time of their adoption (i.e., under the previous administration). Finally, the European Commission could, in theory, decide to suspend or repeal the DPF if it considers in the future that US law no longer provides sufficient protection for European Economic Area personal data.