{"id":4653,"date":"2025-09-03T19:46:37","date_gmt":"2025-09-03T19:46:37","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4653"},"modified":"2025-09-03T19:46:37","modified_gmt":"2025-09-03T19:46:37","slug":"relief-for-european-commission-as-court-upholds-eu-data-privacy-framework-agreement-with-us","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4653","title":{"rendered":"Relief for European Commission as court upholds EU Data Privacy Framework agreement with US"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

The controversial Data Privacy Framework (DPF) agreement between the EU and the US has been upheld after the European Court of Justice (ECJ) General Court rejected a high-profile legal challenge that would have struck it down.<\/p>\n

\u201cThe General Court dismisses an action for annulment of the new framework for the transfer of personal data between the European Union and the United States,\u201d the Court ruled<\/a>.<\/p>\n

\u201cOn the date of adoption of the contested decision, the United States of America ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country,\u201d it added.<\/p>\n

Even with the possibility of an appeal, this will come as a huge relief for the European Commission (EC). Defeat at this stage would have sent it back to the drawing board with nothing to show for a decade\u2019s worth of painful negotiation, re-drafting, and repeated legal setbacks.<\/p>\n

Negotiated in July 2023, the EU-US DPF agreement<\/a> sets out the rules governing the transfer of the personal data of EU citizens between the EU and the US.<\/p>\n

It was quickly dismissed by campaigners who argued that it was simply a tweaked version of a previous flawed data transfer agreement, The Privacy Shield<\/a> or \u2018Schrems II\u2019, which the ECJ ruled against in 2020.<\/p>\n

Within weeks of the DPF\u2019s publication, French MP Philippe Latombe launched his legal challenge<\/a>, arguing that it failed to provide adequate protection for EU citizens\u2019 personal data in the face of worries about US government surveillance.<\/p>\n

This created yet another delay and more uncertainty for companies transferring data to US entities, in a battle whose origins are a 2013 complaint by law student Max Schrems against Facebook and the inadequacy of the EU\u2019s year 2000 Safe Harbour agreement with the US.<\/p>\n

In 2015, the ECJ ruled Safe Harbour invalid<\/a> in a case dubbed \u2018Schrems I\u2019, continuing a chain of legal obstacles that keep cropping up to this day.<\/p>\n

Suspicious friends<\/h2>\n

All this highlights suspicion in Europe that the US approach to surveillance and privacy is deeply incompatible with European law and values. However, in the Court\u2019s view, the US has since addressed these concerns by introducing more legal oversight of the DPF at its end.<\/p>\n

\u201cIn the present case, it is apparent from the file that, under US law, signals intelligence activities carried out by US intelligence agencies are subject to ex post<\/em> judicial oversight by the [US Data Protection Review Court],\u201d the judgment said.<\/p>\n

A key issue is whether the agreement achieves \u2018adequacy\u2019 \u2014 the extent to which US laws offer the same level of protection as EU equivalents.<\/p>\n

\u201cToday\u2019s EU General Court judgement will bring relief and reassurance to the thousands of US companies and their European partners that rely on the EU-US Data Privacy Framework for transatlantic and global business,\u201d commented Caitlin Fennessy<\/a>, chief knowledge officer for the International Association of Privacy Professionals (IAPP), a US trade organization.<\/p>\n

\u201cThis ruling will be seen as a major victory for the US-EU transatlantic data flows and trade as well as a positive sign for the framework\u2019s longevity. In this fraught geopolitical moment, EU and US officials will undoubtedly welcome the news,\u201d said Fennessy. However, she believed there might still be room for an appeal to test the issue of adequacy.<\/p>\n

This caveat was echoed by Chris Linnell<\/a>, associate director of data privacy at consultancy Bridewell, who noted the Commission\u2019s weak record of being able to get its agreements with the US past courts in the EU.<\/p>\n

\u201cIt\u2019s worth remembering that both Safe Harbour and Privacy Shield fell under legal challenge on similar grounds, and campaigners have already signaled that further appeals are likely. That means the framework may not be the last word in EU-US data transfers,\u201d he said.<\/p>\n

Does an agreement with the US make that much difference?<\/h2>\n

Without this agreement, EU companies would have to draft complex contracts with US suppliers imposing restrictions on data processing and handling. Requiring agreements for each transfer, this would be expensive and time consuming, assuming it even met watertight legal standards under real-world conditions.<\/p>\n

Companies would love to move on from this confusing situation, yet it might still be too soon to celebrate the ruling. Max Schrems<\/a>, the lawyer who lodged the initial complaint, still campaigns on the issue through an NGO he founded, None of Your Business (NOYB). He believed the Court\u2019s ruling was still open to appeal.<\/p>\n

\u201cThis was a rather narrow challenge. We are convinced that a broader review of US law, especially the use of Executive Orders by the Trump administration, should yield a different result,\u201d he said in a NOYB statement<\/a>.<\/p>\n

\u201cWe are reviewing our options to bring such a challenge. While the Commission may have gained another year, we still lack any legal certainty for users and businesses,\u201d said Schrems.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

The controversial Data Privacy Framework (DPF) agreement between the EU and the US has been upheld after the European Court of Justice (ECJ) General Court rejected a high-profile legal challenge that would have struck it down. \u201cThe General Court dismisses an action for annulment of the new framework for the transfer of personal data between […]<\/p>\n","protected":false},"author":0,"featured_media":4654,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4653","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4653"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4653"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4653\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4654"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}