A potential threat to the EU-U.S. Data Privacy Framework has been tamped down by the European General Court. In a landmark ruling 3 Sept., the court dismissed a challenge brought by Member of French Parliament Philippe Latombe to annul the DPF and confirmed the framework validity based on the facts and law at the time of the European Commission's adequacy determination for the U.S. in 2023.
The General Court's decision rejected Latombe's claim that challenged the independence of the U.S. Data Protection Review Court, established as a key redress pillar under the DPF, and the sufficiency of safeguards governing bulk data collection by U.S. intelligence agencies without prior authorization, among other claims.
It was the third time the adequacy of an EU-U.S. data transfer agreement was assessed by the EU's highest courts in the last 10 years, with the first two challenges invalidating the EU-U.S. Safe Harbor Framework in 2015 and the EU-U.S. Privacy Shield in 2020. The latest ruling offers European and U.S. businesses stability and reassurance at a time of uncertainty between the two jurisdictions fueled by concerns around digital trade and discrepancies over regulatory approaches.
“The EU-U.S. Data Privacy Framework empowers businesses in the world’s largest economies to engage in efficient and streamlined transatlantic commerce,” U.S. Under Secretary of Commerce for International Trade William Kimmitt told the IAPP in statement. “Today’s ruling by the European Union General Court upholding the adequacy decision underlying this framework is a victory for the more than 3,400 U.S. companies that rely on transatlantic data flows to carry out their operations. Under the Trump Administration’s commitment to economic prosperity, the International Trade Administration will continue to administer the Data Privacy Framework to enable reliable, transatlantic data flows that underpin the $8.3 trillion economic relationship between the United States and Europe.”
The court's decision on the merits of the DPF can be appealed. Latombe, who first filed the challenge in September 2023, did not immediately respond to the IAPP's request for comment on his intentions to appeal.
Highlights from the ruling
Notably, the court limited its ruling to consideration of the framework's validity at the time the Commission adopted its adequacy determination and called attention to the Commission's role in reviewing the DPF's validity on an ongoing basis, with a breach or change in EU-U.S. adequacy requiring Commission intervention.
"The Commission is required to monitor continuously the application of the legal framework on which (the adequacy decision) is based," the court stated in a press release. "Thus, if the legal framework in force in the United States at the time of the adoption of the contested decision changes, the Commission may decide, if necessary, to suspend, amend or repeal the contested decision or to limit its scope."
In comments to the IAPP, Georgetown University Law Center Senior Fellow Kenneth Propp characterized the judgement as showing "an impressively detailed level of judicial engagement" considering the "extensive privacy safeguards" established in the framework. He added, "these safeguards were specifically designed to meet the high standard of protection that the European Court of Justice insists on, and in a way that complies with the U.S. constitutional framework."
The General Court did not address Latombe's standing to bring the case, while invoking an ability to proceed to ruling on the substance of the case "in the interest of administration of justice."
"On the one hand, this ruling will be seen as a major victory for the U.S., EU, trans-Atlantic data flows and trade as well as a positive sign for the framework's longevity," said IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, who previously served as the Privacy Shield director at the U.S. International Trade Administration. "On the other hand, the Court's decision to rule on the merits could tee up an appeal to the Court of Justice that puts the issue of adequacy front and center."
Fennessy will join IAPP Managing Director, Europe, Isabelle Roccia, CIPP/E, and Research and Insights Director Joe Jones for a LinkedIn Live 4 Sept. to further discuss the implications of the DPF's validation on the privacy profession.
Consideration from the court on a potential appeal could focus on two areas of particular emphasis outlined in the final decision, according to Propp.
"One is to examine the U.S. safeguards against a standard of 'essential equivalence' to EU data protection law, not the near-identity criterion that seemed to underlie the court's earlier 'Schrems' cases," he said. "The second was to consider not just the very strict European Court of Justice case-law on government surveillance, but also the past surveillance rulings of the European Court of Human Rights that affords a greater degree of discretion to governments."
The road ahead
It's unclear when an appeal might materialize and how the court might reconsider recent U.S. developments. The expulsion of U.S. Privacy and Civil Liberties Oversight Board Democrats, which is pending a U.S. court ruling, could play a role in future court debate as the independent board is an integral component of the DPF's redress prong.
NOYB Honorary Chairman Max Schrems was the challenger to each of the EU-U.S. frameworks that preceded the DPF. In a statement, Schrems said the General Court's ruling "massively departs" from the findings in his prior cases while opining the court "did not have sufficient evidence" on "a rather narrow challenge."
"We are convinced that a broader review of U.S. law — especially the use of executive orders by the Trump administration should yield a different result," Schrems added. "We are reviewing our options to bring such a challenge. While the Commission may have gained another year, we still lack any legal certainty for users and businesses."
Business Software Alliance Senior Vice President for Global Policy Aaron Cooper said the DPF is "essential for the digital economy" and an annulment would have created "uncertainty and add significant complexity for companies" that would have had to shoulder the burden of securing other transfer mechanisms, including standard contractual clauses and binding corporate rules.
"The safeguards built into the Framework ensure a high level of privacy protection," Cooper added. "Close cooperation between the European Union and the United States can ensure that the Framework is fully implemented and serves as a durable, reliable foundation for both strong privacy protections and the free flow of information."
Joe Duball is the news editor for the IAPP.
