Microsoft has been granted permission to intervene in the Latombe vs. European Commission lawsuit. The case concerns the data privacy framework that enables data transfers between the EU and the US.
Microsoft will assist the European Commission in its defense of the EU-US Data Privacy Framework agreement. This agreement designates the US as a country where data protection is adequate and equivalent to that in the EU. The regulation has enabled transatlantic data transfers since 2023 and is essential for Microsoft (and other American companies) to conduct business smoothly in Europe.
Discussion over guarantees
French parliamentarian Philippe Latombe (DEM) sees no adequate security guarantees from the US. He believes that the agreement drafted by the Commission is indeed in violation of the rules of Article 45(2) of the GDPR.
That article requires, among other things, that the third country has adequate independent systems in place to guarantee the protection of data privacy. Latombe disputes that the courts in the US capable of ruling on potential data complaints are truly independent.
Microsoft intervenes
In an initial case, the General Court of the European Union dismissed the complaint. Latombe has filed an appeal. The Court of Justice will now rule on the matter. For the proceedings, Microsoft has now secured the right to intervene as an interested party on the side of the Commission, in defense of the EU-US Data Privacy Framework agreement.
This means Microsoft is allowed to present arguments and provide context. The company maintains that it stands on the side of privacy but asserts that the current framework fulfills its role. A ruling against the EU-US Data Privacy Framework agreement would be another spoke in the wheels of American companies operating in both the US and the EU.
Schrems I and II
The regulation of transatlantic data flows has been problematic for some time. The EU has already tried twice before to set up a framework for the secure transfer of data. The challenge is that protection in the third country must be equivalent, and the EU has strict rules, including the GDPR. In the US, on the other hand, extensive (secret) surveillance is possible.
In the Schrems I and Schrems II rulings, the court had to determine that the Safe Harbor and Privacy Shield arrangements, respectively, were not adequate. Microsoft now wants to help prevent a regulatory framework from being scrapped for a third time.
