Europe’s General Court has upheld the lawfulness of the data-sharing agreement between the European Union (EU) and the United States (US) following a legal challenge.
The court today dismissed legal action brought by a French MP to annul the EU-US Data Privacy Framework (DPF).
It found that the framework, which businesses rely on to transfer data between the EU and the US, ensured “an adequate level” of protection for personal data passing between the EU and the US.
The decision provides certainty for organisations and businesses that rely on the DPF to exchange data between the EU and the US.
However, the court’s ruling on 3 September could still be subject to a further appeal to the European Court of Justice, which has struck out two previous data-sharing agreements between the EU and the US.
French MP Philippe Latombe challenged the lawfulness of the EU-US Data Privacy Framework on the grounds that US intelligence services collect data in transit from the EU in bulk without adequate safeguards for the privacy of EU citizens.
He argued that the US Data Protection Review Court (DPRC), set up to hear complaints from EU citizens who believe their privacy rights have been breached by US intelligence agencies, was neither impartial nor independent of the US executive.
The Luxembourg court dismissed both claims, finding that there was nothing in European case law – established in the Schrems II case in 2020 – that requires US intelligence agencies to seek prior authorisation before intercepting bulk data from the EU.
The court found that it was sufficient that the US intelligence agencies were subject to judicial oversight by the DPRC. It found that the US court had safeguards in place to ensure the independence of its members from the executive.
The DPRC’s judges can only be dismissed by the attorney general, and then only for cause, and intelligence agencies may not hinder or improperly influence their work, the court found.
“Therefore, the General Court finds that it cannot be considered that the bulk collection of personal data by American intelligence agencies falls short of the requirements arising from Schrems II … or that US law fails to ensure a level of legal protection that is essentially equivalent to that guaranteed by EU law,” the court said in a statement.
Schrems considering appeal
The latest challenge to the EU-US data-sharing agreement follows two earlier challenges brought by Austrian lawyer Max Schrems.
The European Court of Justice struck down the EU-US Safe Harbour agreement in October 2015, in a case that became known as Schrems I.
In July 2020, in Schrems II, the court struck down a successor agreement, Privacy Shield, on the grounds that it did not provide European citizens with adequate right of redress when data is collected by US intelligence services.
The US adopted Executive Order 14086 in 2022 to strengthen protections for individuals under surveillance by US intelligence agencies. An order from the attorney general in the same year led to the creation of the Data Protection Review Court.
Schrems, honorary chairman of nyob, a non-profit organisation that campaigns on data protection and privacy, said he was considering appealing the General Court’s decision to endorse the Data Protection Framework.
He said the General Court appeared to have “massively departed” from the ruling by the Court of Justice of the European Union in Schrems II, which struck down the predecessor agreement to the Data Privacy Framework in 2020.
Schrems said actions by President Trump in the US, who has threatened to remove the independent heads of the Federal Reserve and the Federal Trade Commission, show that the independence of the Data Protection Review Court cannot be guaranteed.
“The court in question is not even established by law, but just by an executive order of the president – and can hence be removed in a second. It is very surprising that the EU court would find that sufficient,” he said.
EU-US data transfers protected for ‘some time’
Joe Jones, director of research and insights at the International Association of Privacy Professionals, said the court’s decision would keep EU-US data transfers “on an even keel” for some time, and would support a “significant chunk” of transatlantic trade.
“Many eyes will now turn to whether the case will be appealed to the Court of Justice, which has traditionally taken a more expansive approach to data protection cases, and has a two out of two strike rate against EU-US data adequacy decisions,” he added.
The Business Software Alliance, a trade body for the software industry, said the decision provided stability for businesses and consumers in the EU and the US that rely on cross-border data flows.
The EU-US Data Privacy Framework is essential for the digital economy and helps companies adopt technologies that drive growth and competitiveness.
“The safeguards built into the framework assure a high level of privacy protection,” a spokesperson added.
The European Commission opposed Latombe’s legal challenge, supported by Ireland and the US.
