The EU’s General Court has rejected a legal challenge in Latombe v Commission T553/23) against the new EU-US data transfer framework that allows personal data to be transferred from the EU to the US. The Court confirmed that, at the time the system was adopted, the US provided a sufficient level of protection for personal data.
The Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union enshrine the rights to the protection of personal data. To make sure this protection isn’t weakened when data is sent outside the EU, the European Commission can approve countries that meet EU standards with its so-called adequacy decisions. If a country is approved, data can be transferred there without extra checks. The EU approved the US under an adequacy decision made on 10 July 2023.
As SCL readers will be aware, two similar agreements with the US (Safe Harbor and the Privacy Shield) were struck down by the EU’s CJEU (in the Schrems I and II cases) because they didn’t offer enough protection. In response, the US. made changes in 2022, including a new Executive Order and updates to how its Data Protection Review Court (DPRC) works. These changes were meant to improve privacy protections, especially around how US intelligence agencies handle data.
A French citizen (and also French member of parliament and CNIL commissioner but he was at pains to emphasise that he was acting in a personal capacity), Philippe Latombe, challenged the new decision. He argued that the DPRC isn’t truly independent and that US intelligence agencies collect data in bulk without proper oversight.
The General Court disagreed. It said the DPRC has safeguards to ensure its independence, and judges can only be removed for valid reasons. It also noted that the European Commission must keep monitoring the US system and can change or cancel the decision if needed.
Regarding bulk data collection, the Court said that EU law doesn’t require prior approval by an independent authority, but it does require later review by a court. The US system meets this requirement through the DPRC.
Latombe had also argued that the European Commission infringed Article 22 GDPR as it did not include “a provision establishing the right of data subjects not to be subject to decisions based exclusively on the automated processing of personal data, including profiling, producing legal effects in relation to them or significantly affecting them”. The Court rejected this, saying that the US’s sectorial rules (eg in areas such as home loans and employment) were found to meet the test of an essentially equivalent level of protection to the EU.
Finally, he argued that the European Commission infringed Article 32 GDPR by finding the US offered substantially equivalent protections to those guaranteed in the EU for adequate technical and organisational measures to ensure the security of the processing of personal data transferred from the EU to the US. The Court emphasised that a third country doesn’t have to have “identical” legal protections to the EU but they do have to be substantially equivalent. Although the language used in the data transfer framework was different to the GDPR, the effect was essentially the same.
Because of these findings, the Court dismissed the challenge entirely.
However, although it dismissed this particular action, it doesn’t stop another action being brought if the current US administration changes the way that it handles personal data. Among other things, there are concerns about the independence of the FTC due to the Executive Order Ensuring Accountability for All Agencies.
This ruling also doesn’t stop an appeal to the CJEU.
We probably haven’t heard the last of this, but in the meantime, European companies will be relieved that they can continue to transfer personal data to the US using this mechanism. However, many will have already started using SCCs because of the uncertainty over the past few years.
