The EU Court maintains the current regulations on data transfers between the EU and the US. The regulations thus pass a test that proved fatal for Privacy Shield.
The General Court of the European Union has rejected the appeal for annulment of the new trans-Atlantic framework for data transfers between the EU and the US. According to the court, the US currently provides an adequate level of protection for personal data.
The ruling comes after French parliamentarian Philippe Latombe challenged the validity of the European Commission’s adequacy decision, approved on July 10, 2023. This decision allows the transfer of personal data from the EU to American organizations without additional authorization.
Third Time…
The decision came after two regulations on such transfers were annulled by European justice. Safe Harbor and Privacy Shield in 2020 did not meet European rules on personal data protection. The July 10, 2023 decision follows these failed frameworks and is built on the establishment of an independent American supervisory body that handles data privacy cases: the Data Protection Review Court (DPRC).
Latombe argued that the DPRC would not actually be independent, as it was established by a presidential order. He fears that certain leaders, orange or not, could abolish or manipulate the court.
The Commission previously ruled that independence was sufficiently guaranteed and allowed data transfers on that basis. Furthermore, Latombe criticized the possibility for American intelligence services to collect personal data in bulk, without prior approval from a judicial authority.
Sufficient Safeguards
However, the Court finds that the rules surrounding the DPRC contain sufficient safeguards to ensure that the court functions effectively independently. For example, judges can only be dismissed for valid reasons, and neither the US Attorney General nor intelligence services may influence their work.
The court also refers to the ongoing supervision by the European Commission, which can suspend or withdraw the decision on data transfers if US regulations change. For instance, if judges were suddenly to be politically appointed, the Commission could take action itself.
Afterwards is also Acceptable
Regarding the bulk collection of personal data, the court notes that prior consent for data collection is not necessarily required according to the Schrems II ruling. However, subsequent judicial review must be possible. The DPRC provides this possibility, which according to the court meets European requirements.
The judges emphasize that the US legal framework, including the presidential order of October 2022 and accompanying regulations, provides sufficient protection that is essentially equivalent to that within the EU. This is the bar that needs to be met for lawful data transfers. The court therefore fully dismisses the appeal.
An appeal against the General Court’s decision can still be lodged with the European Court of Justice, but only on legal grounds.