The European General Court confirms the validity of the EU-US Data Privacy Framework. Is the transatlantic data bridge now officially open?

19/01/2026

With the judgment of the European General Court of 3 September 2025 confirming the validity of the so-called “EU-US Data Privacy Framework” (the “DPF”), a sense of stability finally seems to be returning to the transfer of personal data to the United States. These transfers mainly take place because European companies make extensive use of services offered by American software providers such as Microsoft, Google and Salesforce, whose cloud services process personal data on servers located in the US.
European companies can continue to rely on the DPF as a legal basis to ensure an adequate level of protection for data transfers between the EU and the US. For the first time in a long while, they once again appear able to rely on a degree of legal certainty when using American technology and cloud providers — or can they?

New reforms since Schrems II

The exchange of personal data between the EU and the US has a turbulent history. The legal frameworks governing these exchanges were struck down twice by the Court of Justice of the European Union in the landmark cases Schrems I (2015) and Schrems II (2020).

According to the Court, US legislation did not provide sufficient safeguards against the broad access enjoyed by American intelligence and security services to personal data. Moreover, European citizens lacked adequate means to legally challenge such interference.

Following the concerns raised by the Court of Justice, the US government implemented significant reforms. Stricter rules were imposed on intelligence agencies, emphasising the GDPR principles of proportionality and necessity. Additionally, a new court — the “Data Protection Review Court” (DPRC) — was established to support European citizens and provide them with the possibility to take legal action against unlawful access to their personal data.

Based on these reforms, the European Commission ruled on 10 July 2023 that the US once again ensured an adequate level of protection. The “EU-US Data Privacy Framework” subsequently entered into force and provided a legal framework for the transfer of personal data from the EU to the US.

This decision, however, immediately triggered considerable criticism. A French citizen, Mr Latombe, disagreed and brought the case before the European General Court. According to him, the DPRC could not be regarded as a truly independent and impartial tribunal, as the body would be too closely intertwined with the executive branch. He also argued that US legislation did not offer sufficient safeguards against mass data interception (“bulk data interception”) by intelligence and security agencies, which could occur without prior and effective judicial oversight.

The General Court recently ruled that Mr Latombe’s arguments could not be upheld and therefore dismissed the action for annulment. With regard to the independence of the DPRC, the Court found that the judges of this body enjoy sufficient guarantees to exercise their duties independently, including through their appointment procedure and protection against arbitrary dismissal.

As for mass data interception, the Court concluded that US legislation, as amended following Schrems II, now provides adequate restrictions and oversight mechanisms that align with the requirements of EU law on proportionality and necessity.

The legal saga is not over

This judgment is celebrated by some as a “victory” for the free flow of data between the EU and the US, following the earlier “defeats” (in Schrems I and Schrems II). However, caution is warranted before considering the Latombe ruling as a definitive and comprehensive endorsement of the DPF.

Indeed, the judgment of the General Court is subject to appeal before the Court of Justice, and it may still be overturned by the EU’s highest court. In light of previous case law, it is by no means excluded that the Court of Justice may once again raise critical concerns regarding the safeguards provided by the United States.

Moreover, the General Court ruled solely on the validity of the Commission’s adequacy decision, and not on its concrete application in individual cases.

European companies that transfer personal data to the United States must therefore continue to conduct their own thorough risk assessments and implement additional safeguards where necessary.

What does this mean for your organisation?

  1. It is essential to map out carefully where your personal data (or those of your clients or employees) are stored and whether they are transferred outside the European Economic Area (EEA). Think, for example, of widely used tools such as Microsoft 365 (Outlook, Teams, OneDrive, SharePoint), Google Workspace, Amazon Web Services or other American cloud and software services. When using such services, personal data are typically processed on servers located in the United States.
  2. Always consult the privacy statement of the relevant client or supplier. At Microsoft, for example, you can use the Microsoft Trust Center to check where data are stored and which transfer mechanisms are applied. A thorough mapping of data flows and the involved (sub-)processors is a crucial first step toward compliant and future-proof data protection.
  3. Personal data may, at present, be transferred to US organisations certified under the EU-US Data Privacy Framework. Always verify whether your American partner is indeed listed on the official DPF list before proceeding with any transfer. Microsoft Corporation, for example, is certified under the DPF, but this does not automatically apply to all US service providers.
  4. Despite the current validity of the DPF as a legal basis for data transfers, it remains advisable not to disregard alternative transfer mechanisms. Large technology companies such as Microsoft and Google often use Standard Contractual Clauses (SCCs) alongside the DPF as an additional safeguard. It is recommended to check whether your suppliers offer such supplementary mechanisms and to implement them where appropriate. The combination of various legal instruments can contribute to a more robust and future-proof strategy within this constantly evolving legal landscape.

Our PKF BOFIDI Legal lawyers are ready to support you

For any further questions regarding data protection and transfers outside the EEA, feel free to contact our PKF BOFIDI Legal team — we are happy to assist you.
For a refresher on GDPR rules, you can consult our previous article.

This article was written by Lauranne Piotrowski.

 

