What’s new? The General Court of the EU rejected actions to suspend and annul the new transatlantic framework for personal data flows between the European Union (EU) and the United States (U.S.): the DPF. This action was raised by a member of the French Parliament, acting as an EU citizen (“MP Latombe”). In September 2023, he challenged the Commission’s adequacy decision of July 10, 2023 (the “Adequacy Decision”) which puts in place the new DPF: he introduced one action for annulment before the General Court and asked to the court to impose interim measures to suspend the Adequacy Decision.
- See more information on the legal proceedings: follow the link for additional information on both cases Latombe v Commission, T-553/23 (main proceedings and proceeding for interim measures).
- See press releases: the General Court issued a press release on the main proceedings of the case and MP Latombe issued a press release on the action for interim measures, both available in French.
Key takeaways: The General Court dismissed MP Latombe’s actions for annulment and for interim measures. It hereby confirmed that the U.S. ensures an adequate level of protection for personal data transferred from the EU under the DPF. Although the success of the annulment action appeared doubtful due to admissibility concerns, the General Court did not address the issue of standing. Instead, the General Court decided to rule on the merits for purposes of proper administration of justice. In this context, the General Court confirmed the validity of the Adequacy Decision, and hereby, of the DPF.
Ruling on the grounds of annulment: The applicant raised several pleas. Among them, he claimed that the DPF should have been translated into the EU official languages and that the DPF does not guarantee fundamental rights as well as effective remedies under the EU Charter of fundamental rights and the GDPR.
We will focus in this article on the three pleas that were assessed and dismissed by the General Court in the annulment action:
Plea 1: The Data Protection Review Court (DPRC) established under the DPF should not be considered an impartial and independent tribunal established by law under the European Convention of Human Rights (ECHR) for the following reasons: (1) the DPRC reviews decisions made by the Civil Liberties Protection Officer (CLPO), and the independence of the CLPO is questioned as it reports to the director of national intelligence; (2) DPRC judges are appointed by the General Attorney after consultation by the Privacy and Civil Liberties Oversight Board (PCLOB), and the PCLOB is part of the U.S. executive power, and (3) the DPRC is not established by a law but an executive act.
Plea 2: The DPF lacks sufficient legal safeguards regarding bulk data collection by intelligence agencies.
Plea 3: The DPF fails to adequately address the data protection right not to be subject to automated decision-making and the security standards required under the GDPR.
First, the General Court clarified that the judge’s legal assessment of the adequacy decision must undergo strict scrutiny at the time of its adoption; and that the required “adequate level of protection” between the EU-U.S. under GDPR does not mean an identical level of protection.
Second, the question of compliance with fundamental and human rights around effective judicial remedy, the right to a private and family life and prohibition of bulk retention of personal data is not new. Such arguments have been discussed by the Court in the previous Schrems judgements (See Schrems I, C-362/14, 6 October 2015 and Schrems II, C-311/18, 16 July 2020). Nevertheless, the General Court considered those pleas and decided that:
Plea 1: The DPRC is an independent and impartial tribunal established by law in compliance with the right to an effective judicial remedy under the ECHR:
- it is an independent body which may overturn the CLPO’s decision with binding and final decisions;
- there is no issue regarding the independence of the CLPO, as specific rules are in place to prevent any interference with its functioning and to safeguard its independence;there is no issue of independence with regard to the CLOB as the methods for appointment and renewal of the CPLO are subject to sufficient safeguards;the U.S. legal framework limits the possibility of influence from the U.S executive on the DPRC; and
- the fact that the DPRC is not established by law does not prevent its independence, as the DPRC’s structure and powers offer substantially equivalent guarantees to those required under EU law.
Plea 2: There are sufficient legal safeguards around bulk collection by national agencies:
- the applicable legal framework, such as Section 702 FISA, does not allow bulk collection (i.e., collection carried out in a widespread and indiscriminate manner without restrictions or safeguards); and
- although U.S. law does not require prior authorization by a judicial or administrative body for bulk collection, CJEU ECtHR case-law and EDPB opinion 5/2023 do not mandate for prior authorization, and in any event the U.S. provides post-collection judicial oversight via the DPRC.
Plea 3: The General Court rules that omission of the right not to be subject to an automated decision making and the obligation to ensure adequate security in the Adequacy Decision does not undermine lawfulness:
- U.S. entities are also in most cases governed by the GDPR;
- U.S. law provides sector-specific protections in areas in which the data protection rights at stake may apply, such as credit, employment and health;
- the Commission assessed in 2018 and with a follow-up report in 2019 that there was no evidence of automated decisions by U.S. companies under the former adequacy mechanism, the Privacy Shield;identical standards of security to the EU are not required; and
- the Adequacy Decision includes similar wording to the GDPR regarding security.
What ’s next? MP Latombe may appeal to the Court of Justice. He has 2 months to do so. In addition, this action for annulment will be likely followed by other legal actions (see previous press releases from noyb on the DPF and on the General Court ruling). Expected arguments will likely focus on the proportionality and the scope of the legal landscape of the U.S., and on the right to effective remedy and fair trial. The success of the annulment action could affect other legal avenues (e.g., reference for a preliminary ruling under Art. 267 TFEU). If there are other legal actions, we can expect that they aim to lead to a referral for a preliminary ruling. In this case, if references for a preliminary ruling are filed, the Court of Justice would be very likely to wait and see the issue of the first case to ensure the consistent interpretation of EU law.
What should businesses do? In short: continue to apply the GDPR, including Chapter V relating to data transfers: actions challenging the DPF do not allow businesses to circumvent GDPR obligations. Therefore, EU controllers and processors must still apply Chapter V of the GDPR related to data transfers and comply with their accountability obligation. This means that the assessment of data transfer flows, transfer impact assessments, and identification of the transfer tools must still be carried out, in light of the CJEU Schrems II judgment and the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
