EU Court's Dismissal Of US Data Transfer Challenge Raises Privacy Advocates' Ire

The European Union General Court (EGC) has rejected a challenge to the US-EU Data Privacy Framework (DPF) allowing data to continue flowing across the pond, but the challenges are unlikely to stop there.

The EGC published its decision [PDF] today dismissing the annulment action brought by French lawmaker Philippe Latombe in 2023 a few months after the rule went into effect in July of that year.

For those who don't recall the specifics of the EU-US DPF, it was the third iteration of an attempt to standardize rules for transmitting data from European companies to American ones (and vice versa) by establishing rules to guarantee that Europeans had rights to their data transferred to the US. The first two attempts at such a framework, Safe Harbor and Privacy Shield, were thrown out after privacy activist and lawyer Max Schrems successfully argued to the EU Court of Justice that neither deal adequately protected Europeans' data in the hands of American companies.

One of the key components of the DPF that helped it survive to implementation was an executive order signed by President Joe Biden in 2022 that directed the US to fulfill its DPF obligations. That order included the creation of a Data Protection Review Court (DPRC) to hear issues related to the DPF.

The independence of the DPRC was a central issue to Latombe, who argued that its creation via executive order left its existence entirely dependent on the US president. By that logic, the court is anything but independent or assured of continued existence were, say, a more mercurial leader to kill it or remove judges due to a perceived slight.

The EGC disagreed with Latombe's assertion.

"It is apparent from the file that the appointment of judges to the DPRC and the DPRC's functioning are accompanied by several safeguards and conditions to ensure the independence of its members," the court said in a press release. DPRC judges, the EGC noted, can only be dismissed by the US Attorney General, and then only for cause.

The European Commission, likewise, has its own responsibility to "monitor continuously the application of the legal framework," and "may decide, if necessary, to suspend, amend or repeal" the DPF if the US doesn't uphold its end of the bargain.

The court also disagreed with Latombe's assertion that the Schrems II case required "prior authorization issued by an independent authority" to collect data, which it said the decision didn't address. Instead, the court said that such data collection only had to be subjected to review after the fact, meaning Latombe's argument that American intelligence agencies were failing to meet DPF requirements "cannot be considered" as part of the decision today.

"In the light of those considerations, the General Court rejects the plea … and, therefore, dismisses the action in its entirety," it concluded.

Get ready for Schrems III

Schrems appeared unsurprised to hear that Latombe's case was dismissed.

Latombe's case was narrowly focused, Schrems said through his None Of Your Business (noyb) privacy advocacy group today, giving him little room for success. Because it was an annulment action and not a preliminary question, Latombe "not only had to prove that the deal was substantively wrong, but also that he was directly affected in order to be entitled to bring an action at all," noyb said.

But the DPF is almost certainly still illegal, noyb charged, because it is structured almost identically to the two prior deals Schrems defeated in court. Toss in what noyb said is "the Trump administration's latest abuses of power in issuing executive orders," and there's likely ground for another Schrems-led defeat of a data sharing agreement.

"We are convinced that a broader review of US law – especially the use of Executive Orders by the Trump administration should yield a different result," Schrems said in a statement.

The privacy crusader and lawyer pointed to Trump's dismissal of supposedly independent heads of government agencies as all the evidence the EU needs to consider the DPRC's independence only as strong as Trump's will not to mess with it.

"It is very surprising that the EU Court would find that sufficient," Schrems added. "Comparing this case with inner-EU cases such as on Poland or Hungary, it takes a lot of mental flexibility to accept this as an independent Court."

Schrems said his team is looking into its options for filing a legal challenge against the DPF.

• EU-US Privacy Framework could make life easier for a data biz, if it survives
• European Commission broke its own data privacy law with Microsoft 365 use
• Meta training AI on social media posts? Only 7% in Europe think it's OK
• EU takes another step towards US data-sharing agreement

While Schrems and EU privacy advocates are focused on the protection of Europeans' data, Tim Van Canneyt, partner at European law firm Fieldfisher, which specializes in supporting industries like the tech sector, said that the EGC's decision was likely political.

"Had the General Court struck down the DPF adequacy decision, it could have been interpreted – particularly by the Trump administration – as a deliberate move by the EU to undermine US economic interests," Van Canneyt told The Register. "That would have added fuel to the already simmering tensions around EU digital regulation and its perceived impact on American tech companies, not to mention the ongoing trade discussions."

Van Canneyt also said he doesn't see the EGC decision as departing from the logic of the Schrems I and II cases – something Schrems himself asserted – noting that while the legal standard remains the same, "the factual landscape has evolved."

"Today's judgment offers a degree of legal stability: data transfers to US entities under the DPF can continue uninterrupted," Van Canneyt explained. "Still, the long-term viability of the framework will depend on how US oversight mechanisms evolve."

Van Canneyt, like Schrems, believes this decision only buys the EU some time, and that politics could be a key component of a future challenge, be it brought by Schrems or anyone else. ®