Skip to content Skip to sidebar Skip to footer
Menu
Menu
Data Protection & Cybersecurity

EU–U.S. Data Privacy Transfer Framework (DPF) Survives First Challenge: What the General Court Decided

11 hours ago
6 minRead time
dpf data transfer
Share This Article
Share Post

The EU–U.S. Data Privacy Transfer Framework (DPF) has survived its first legal attack, as the EU General Court dismissed a French MEP’s challenge seeking annulment of the adequacy decision enabling transatlantic personal data transfers.

While this is positive news for businesses relying on the DPF, the decision does not end the debate: further DPF challenges are already expected. Below is the article initially published by DLA Piper’s global data protection team on Privacy Matters Blog.

Background: From Schrems II to the Data Privacy Framework

The case arose from a request for annulment filed by French MEP Philippe Latombe.

The Data Privacy Framework replaced the Privacy Shield, which the Court of Justice of the European Union (CJEU) invalidated in Schrems II (July 2020). Under the DPF, certified U.S. companies making legally binding commitments to comply with the framework’s principles may receive personal data from the EU without relying on Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or conducting Transfer Impact Assessments (TIAs).

The European Commission concluded in July 2023 that the United States ensures an adequate level of protection for personal data, largely relying on Executive Order 14086, which introduced enhanced safeguards for U.S. signals intelligence activities. Importantly, the DPF only covers transfers to certified U.S. companies; transfers to other third countries outside the EEA still require SCCs, BCRs, or other valid mechanisms.

Latombe’s Challenge

Just weeks after the adequacy decision, Latombe challenged the legality of the DPF before the General Court, arguing:

  • Bulk data collection: U.S. intelligence agencies can still access large volumes of EU citizens’ data, allegedly breaching GDPR principles of minimisation and proportionality.

  • Lack of effective remedies: the Data Protection Review Court (DPRC) is not a truly independent tribunal and fails to meet Article 47 of the Charter and Article 45(2) GDPR.

  • Insufficient safeguards: the DPF does not address gaps in U.S. law on automated decision-making (ADM) and data security.

  • Procedural issues: the adequacy decision was initially published only in English, allegedly breaching Regulation No 1/1958 requiring EU acts to be available in all official languages.

The General Court’s Decision

The General Court rejected Latombe’s action, upholding the validity of the Data Privacy Framework:

  • Independence of the DPRC: The Court held that appointment rules, safeguards, and dismissal protections for DPRC judges ensure their independence.

  • Bulk data collection: The Court clarified that Schrems II does not prohibit bulk collection per se but requires judicial supervision. The DPRC’s binding and final review of intelligence activities was deemed sufficient.

  • Safeguards: The Court stressed that “adequate protection” under GDPR Article 45(1) means substantial equivalence, not identical protection. U.S. sectoral laws and commitments were considered sufficient.

What the Court Did Not Address

  • Standing: The Court did not resolve whether Latombe had standing to bring the action, leaving this question open for appeal.

  • Recent U.S. developments: The judgment only assessed the legal situation as of July 2023. Later developments – such as concerns about the Privacy and Civil Liberties Oversight Board under the Trump administration – were not considered. The European Commission, however, remains responsible for monitoring adequacy on an ongoing basis.

Analysis & Implications for Businesses

This decision provides temporary legal certainty for businesses relying on the EU–U.S. Data Privacy Framework. Companies can continue to transfer personal data under the DPF without immediately revisiting contracts or re-papering arrangements.

However, the ruling does not end the story:

  • Further DPF challenges are highly likely. Latombe may appeal to the CJEU, and privacy advocacy groups such as Max Schrems’ NOYB have already signaled new legal actions.

  • The General Court narrowed the scope. Its ruling only covered the arguments presented and left open the possibility of future challenges based on different grounds.

  • Ongoing monitoring is critical. The European Commission must continue to evaluate U.S. compliance. Businesses should also maintain backup transfer mechanisms (such as SCCs) in case the DPF is invalidated.

Conclusion: Legal Certainty, But for How Long?

The EU–U.S. Data Privacy Framework remains valid for now, but the General Court’s ruling is unlikely to be the final word. Given the history of Schrems I and Schrems II, organisations should prepare for the possibility of another invalidation. While the DPF currently provides a practical solution for transatlantic personal data transfers, its long-term stability remains uncertain.

For companies, the key takeaway is clear: enjoy the operational relief provided by the DPF, but stay vigilant and keep alternative data transfer safeguards in place.

On the topic, you can read the article “How to run a data transfer impact assessment after the Schrems II case“.

(Visited 1 times, 1 visits today)
Tags:
0LikesShare Post