The controversial Data Privacy Framework (DPF) agreement between the EU and the US has been upheld after the European Court of Justice (ECJ) General Court rejected a high-profile legal challenge that would have struck it down.
“The General Court dismisses an action for annulment of the new framework for the transfer of personal data between the European Union and the United States,” the Court ruled.
“On the date of adoption of the contested decision, the United States of America ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country,” it added.
Even with the possibility of an appeal, this will come as a huge relief for the European Commission (EC). Defeat at this stage would have sent it back to the drawing board with nothing to show for a decade’s worth of painful negotiation, re-drafting, and repeated legal setbacks.
Negotiated in July 2023, the EU-US DPF agreement sets out the rules governing the transfer of the personal data of EU citizens between the EU and the US.
It was quickly dismissed by campaigners who argued that it was simply a tweaked version of a previous flawed data transfer agreement, The Privacy Shield or ‘Schrems II’, which the ECJ ruled against in 2020.
Within weeks of the DPF’s publication, French MP Philippe Latombe launched his legal challenge, arguing that it failed to provide adequate protection for EU citizens’ personal data in the face of worries about US government surveillance.
This created yet another delay and more uncertainty for companies transferring data to US entities, in a battle whose origins are a 2013 complaint by law student Max Schrems against Facebook and the inadequacy of the EU’s year 2000 Safe Harbour agreement with the US.
In 2015, the ECJ ruled Safe Harbour invalid in a case dubbed ‘Schrems I’, continuing a chain of legal obstacles that keep cropping up to this day.
Suspicious friends
All this highlights suspicion in Europe that the US approach to surveillance and privacy is deeply incompatible with European law and values. However, in the Court’s view, the US has since addressed these concerns by introducing more legal oversight of the DPF at its end.
“In the present case, it is apparent from the file that, under US law, signals intelligence activities carried out by US intelligence agencies are subject to ex post judicial oversight by the [US Data Protection Review Court],” the judgment said.
A key issue is whether the agreement achieves ‘adequacy’ — the extent to which US laws offer the same level of protection as EU equivalents.
“Today’s EU General Court judgement will bring relief and reassurance to the thousands of US companies and their European partners that rely on the EU-US Data Privacy Framework for transatlantic and global business,” commented Caitlin Fennessy, chief knowledge officer for the International Association of Privacy Professionals (IAPP), a US trade organization.
“This ruling will be seen as a major victory for the US-EU transatlantic data flows and trade as well as a positive sign for the framework’s longevity. In this fraught geopolitical moment, EU and US officials will undoubtedly welcome the news,” said Fennessy. However, she believed there might still be room for an appeal to test the issue of adequacy.
This caveat was echoed by Chris Linnell, associate director of data privacy at consultancy Bridewell, who noted the Commission’s weak record of being able to get its agreements with the US past courts in the EU.
“It’s worth remembering that both Safe Harbour and Privacy Shield fell under legal challenge on similar grounds, and campaigners have already signaled that further appeals are likely. That means the framework may not be the last word in EU-US data transfers,” he said.
Does an agreement with the US make that much difference?
Without this agreement, EU companies would have to draft complex contracts with US suppliers imposing restrictions on data processing and handling. Requiring agreements for each transfer, this would be expensive and time consuming, assuming it even met watertight legal standards under real-world conditions.
Companies would love to move on from this confusing situation, yet it might still be too soon to celebrate the ruling. Max Schrems, the lawyer who lodged the initial complaint, still campaigns on the issue through an NGO he founded, None of Your Business (NOYB). He believed the Court’s ruling was still open to appeal.
“This was a rather narrow challenge. We are convinced that a broader review of US law, especially the use of Executive Orders by the Trump administration, should yield a different result,” he said in a NOYB statement.
“We are reviewing our options to bring such a challenge. While the Commission may have gained another year, we still lack any legal certainty for users and businesses,” said Schrems.
No Responses