EU General Court Upholds Trans-Atlantic Data Transfer Framework
The European Union General Court has ruled against a French politician’s attempt to annul the legal structure facilitating commercial data transfers between the EU and the U.S. This ruling, delivered on Wednesday, dismissed claims that the oversight of U.S. intelligence agencies lacks independence from federal oversight, a decision pivotal in maintaining the flow of data vital for transatlantic business operations.
This ruling represents a significant win for American technology firms and the EU and U.S. officials who constructed the framework intended to balance differing views on digital privacy. Following previous legal challenges, a high-ranking EU official in 2022 assessed the likelihood of the framework’s survival as substantially positive, estimating the odds at seven or eight out of ten.
Established in 2023 after extensive negotiations spurred by a 2020 ruling that invalidated the preceding framework, the EU-U.S. Trans-Atlantic Data Privacy Framework enables American companies to process and transfer data of European citizens. This facilitated cross-border business, which is estimated to be worth around 900 billion euros annually.
In 2023, French centrist politician Philippe Latombe challenged the validity of this framework, arguing that the oversight mechanisms established are politically influenced, thereby compromising independence. Central to Latombe’s argument is the Data Protection Review Court, which operates within the U.S. Department of Justice and reviews complaints from European citizens regarding potential violations of their rights by U.S. intelligence operations.
In its ruling, the General Court emphasized that the court’s review board possesses adequate independence and noted that the European Commission retains authority to amend or suspend the framework should circumstances warrant such actions. Latombe further claimed that the broad collection of internet traffic by U.S. intelligence agencies justified annulling the framework itself. However, the judges clarified that while data collection does not necessarily require pre-approval, it is subject to judicial review afterward—leading to the dismissal of Latombe’s lawsuit.
Privacy advocates express ongoing skepticism regarding the framework. Max Schrems, an Austrian activist known for challenging previous iterations of this legal structure, described Latombe’s case as narrowly focused, primarily reflecting the politician’s concerns over personal data security. Schrems indicated that a more comprehensive review of U.S. data protection laws, particularly concerning executive orders from the Trump administration, could lead to different judicial outcomes.
Itxaso Domínguez, a policy advisor at European Digital Rights, raised further concerns, stating that the Data Protection Review Court lacks robust political and operational stability. She emphasized that the reliance on self-certification for commercial surveillance offered by the framework presents significant weaknesses in enforcement and legal guarantees. According to Domínguez, existing mechanisms for redress largely exist in theory rather than practice, indicating a need for stronger protective measures.
Moreover, developments under the Trump administration, which included the dismissal of three Democratic members of the Privacy and Civil Liberties Oversight Board, may add to future legal vulnerabilities of the framework. This board plays a crucial role in addressing European complaints about data misuse, enforcing compliance with stipulated restrictions, and ensuring that intelligence activities remain within legal boundaries designed to protect European citizens from unauthorized surveillance.
The current makeup of the board, with only one Republican member, indicates a lack of a quorum to effectively meet its obligations. This diminishing oversight threatens the integrity of the legal structures safeguarding transatlantic data flows, potentially opening avenues for new challenges to the framework in the months and years to come.
