General Court rules in favor of EU-US Data Privacy Framework

The General Court, the second-highest court in the European Union, refuses to annul the EU-US Data Privacy Framework, a pact that was designed to legally transfer data between the EU and the United States.
For years, the EU and the US relied on the Safe Harbor agreement to exchange personal data for commercial purposes. However, in 2015, the Court of Justice of the European Union (CJEU) ruled that this agreement offered insufficient guarantees to protect the fundamental rights, privacy, and freedoms of Europeans.
In response, Brussels and Washington developed a new legal basis for data exchange in 2016. This new pact was called the Privacy Shield.
In the Summer of 2020, the Court of Justice also rejected this agreement, because it didn’t offer the same level of protection conferred within the European Union. According to the Court, Europeans couldn’t influence how personal data is processed in the US.
In 2023, after three years of negotiating, a new data exchange agreement was forged: the EU-US Data Privacy Framework. Based on this pact, European companies and organizations can securely transfer personal data of European citizens to US companies. No additional safeguards are required to ensure the same level of protection for personal data as in Europe.
Against this background, French lawmaker Philippe Latombe sued the European Commission and asked the General Court to annul the new transatlantic data exchange pact, arguing that there are no adequate guarantees for privacy protection because intelligence agencies collect personal data in bulk.
In addition, Latombe claims that the Data Protection Review Court (DPRC), the US agency that oversees the handling of Europeans’ data, is neither impartial nor independent.
The Luxembourg-based General Court sided with the Commission.
“The General Court dismisses an action for annulment of the new framework for the transfer of personal data between the European Union and the United States. In so doing, it confirms that, on the date of adoption of the contested decision, the United States of America ensured an adequate level of protection for personal data transferred from the European Union to organizations in that country,” the General Court says in its ruling.
Privacy concerns regarding US surveillance were also dismissed due to the DPRC’s ex post judicial oversight. “Therefore, the General Court finds that it cannot be considered that the bulk collection of personal data by American intelligence agencies falls short,” the court concludes.
Latombe can appeal to the Court of Justice of the European Union (CJEU), the highest court in the European Union.
Max Schrems, Chairman of Austrian privacy advocacy group noyb, is surprised by the verdict of the General Court.
“It is clear that the lower court here massively departs from the case law of the CJEU. We are very surprised about this outcome. It may be that the General Court did not have sufficient evidence before it, or it wants to make a point to depart from the CJEU. We will have to analyse the ruling in more detail the next days,” he said in a response on Wednesday.