EU General Court Upholds EU-U.S. Data Privacy Framework in Key Ruling
Overview: What Is the EU-U.S. Data Privacy Framework?
The EU-U.S. Data Privacy Framework (DPF) is a transatlantic agreement that facilitates the lawful transfer of personal data from the European Union to the United States. It was introduced as a replacement for the invalidated Privacy Shield framework and was designed specifically to address the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision.
Under the DPF, the U.S. government has committed to limiting its access to EU personal data to what is necessary and proportionate, especially in the context of national security and intelligence activities. A central feature of the framework is the creation of the Data Protection Review Court (DPRC), which provides EU individuals with an independent redress mechanism if they believe their personal data has been improperly handled by U.S. intelligence agencies. Additionally, U.S. companies that choose to participate in the framework must self-certify their adherence to privacy principles that align with EU standards, and their compliance is enforced by the U.S. Federal Trade Commission. For many businesses, the DPF serves as a critical legal basis for ensuring GDPR-compliant transatlantic data flows when other transfer mechanisms are not used.
Case Summary: Latombe v. Commission
The case of Latombe v. Commission was initiated by Philippe Latombe, a member of the French National Assembly, who sought to annul the European Commission’s adequacy decision for the United States under the DPF. Latombe argued that the U.S. framework did not provide EU citizens with data protection that meets the standard of “essential equivalence” required by EU law.
His challenge focused on two core issues. First, he questioned the independence of the DPRC, arguing that this redress body could not be considered impartial or free from government influence. Second, he contended that U.S. intelligence agencies collect personal data without prior authorization from a court or an independent administrative authority, which, in his view, undermined the legitimacy of the framework’s adequacy status. Had the case succeeded, it would have cast doubt on the validity of the DPF and disrupted the legal basis for transatlantic data transfers relied upon by thousands of companies.
Key Legal Arguments Raised by the Applicant
Latombe’s arguments were rooted in concerns about both structural and procedural safeguards within the U.S. legal system. He asserted that the DPRC lacked true independence from the executive branch, and that allowing intelligence agencies to collect personal data without obtaining prior approval from a court or independent body fell short of the protections afforded under EU law.
The Court’s Approach and Dismissal on the Merits
Although there was some speculation that the General Court might dismiss the case for lack of standing, it instead proceeded to analyze the substance of the applicant’s claims. After considering the arguments in full, the Court dismissed the case on its merits.
Court’s Findings on the DPRC’s Independence
The Court found that the DPRC contains sufficient safeguards to be considered independent. It noted that judges are appointed through a formal process and may only be dismissed by the U.S. Attorney General, and only for just cause. It emphasized that neither the Attorney General nor U.S. intelligence agencies are permitted to interfere with or unduly influence the DPRC’s functioning. The Court also highlighted that the European Commission has an ongoing duty to monitor developments in the U.S. legal landscape and is empowered to suspend or revoke the adequacy decision if the level of protection diminishes over time.
Surveillance and Oversight: Ex Post Review Deemed Sufficient
On bulk data collection by U.S. intelligence agencies, the General Court clarified that EU law does not require prior judicial or administrative authorization in every instance. Referring to the principles established in the Schrems II decision, the Court held that a system of meaningful ex post oversight, such as that provided by the DPRC, can be sufficient to meet the EU’s adequacy standard. In the Court’s view, the existing U.S. framework offers a level of protection that is essentially equivalent to that available in the EU, particularly in terms of accountability and redress.
Implications and Next Steps
This ruling provides legal certainty for organizations that rely on the EU-U.S. Data Privacy Framework to facilitate transatlantic data flows. It affirms the European Commission’s assessment that U.S. safeguards are adequate under GDPR, at least for now. However, the decision is not final. It may be appealed to the Court of Justice of the European Union, which could subject the framework to further judicial scrutiny. For the time being, though, companies can continue to use the DPF with confidence that it remains a valid and lawful mechanism for international data transfers.