Transatlantic data exchanges are projected to form the foundation of over $1 trillion in yearly trade and investment for multinational companies.[i] Despite this lucrative potential, there has been a long-standing legal tennis match over the legal basis of data transfers to the U.S., and the third set has now been played. In this article, we analyse the decision of the General Court in the Latombe v Commission case.
Smartlegal Schmidt&Partners reports from Hungary:
- Background
Under the GDPR[ii], personal data may be transferred to countries outside the European Union only on the basis of certain safeguards. One such “safeguard” is the so-called adequacy decision, which may be issued if the European Commission has decided that a non-EEA country, or specified sectors within that country, ensure an adequate level of protection.
The European Commission has issued three adequacy decisions in relation to the U.S. The first attempt was the Safe Harbor, which was invalidated in 2015[iii], while the second was the Privacy Shield, which was also invalidated, based on the request of Maximilian Schrems, in 2020.[iv]
In 2023, the European Commission adopted the EU-U.S. Data Privacy Framework (“DPF”), considering that transfers of personal data from the EEA to companies certified under the DPF enjoy an adequate level of protection. As a result, personal data can be transferred freely to certified U.S. companies, without the need to put in place further safeguards or obtain an authorisation.[v]
- Latombe’s challenge
A French citizen, Pierre Latombe, filed an annulment action with the CJEU against the DPF, arguing that the U.S. still fails to provide “essentially equivalent” protection to EU citizens.
Mr. Latombe’s main arguments were as follows:
- The Data Protection Review Court[vi] was not an independent and impartial tribunal previously established by law, as required by the right to a fair trial under the CFREU.[vii]
- The DPF violates the right to respect for private and family life and the right to protection of personal data under the CFREU[viii] because the U.S. did not ensure an adequate level of protection with regard to the bulk collection of personal data by intelligence agencies.
- The U.S. legal system does not provide guarantees against automated decision-making comparable to those provided by the GDPR.[ix]
- The data security obligations under the DPF were too narrow, violating Article 32 of the GDPR.
- The General Court’s decision
The General Court examined Mr. Latombe’s arguments and reached the conclusions below.
- The Data Protection Review Court
Regarding independence and impartiality, the General Court noted that the fact that judges of the Data Protection Review Court are appointed by the U.S. Attorney General based on requirements similar to those for federal judges is sufficient to ensure impartiality and independence. Further, the Data Protection Review Court has broad fact-finding powers and the power to overturn decisions from the Privacy and Civil Liberties Oversight Body.
When it comes to the “established by law” criterion of the CFREU, the Court concluded that although the Data Protection Review Court was created by the Regulation of the Attorney General, this was not enough to conclude that it was not “established by law”, as the requirement must not be interpreted formally but rather in relation to the guarantees of impartiality and independence of the court, which were satisfied.
- Bulk data collection
In relation to Mr. Latombe’s argument that the DPF violates the right to respect for private and family life and the right to protection of personal data because prior authorization for bulk data collection by intelligence agencies is not required, the General Court made the following observations.
According to the General Court, bulk data collection in itself is not incompatible with the above-mentioned rights, as U.S. law provided sufficiently clear and precise rules on bulk data collection and the Data Protection Review Court had the power to exercise ex-post judicial oversight, which may be considered sufficient if robust enough. The Court added that, contrary to Mr. Latombe’s argumentation, neither CJEU nor ECtHR case law requires an ex ante authorization regime for bulk data collection.
- Automated decision-making
In connection with Mr. Latombe’s concerns related to the lack of sufficient guarantees against automated decision-making, the General Court concluded as follows.
The Court pointed out that in most cases, based on the extra-territorial effect of the GDPR[x], non-EEA data controllers and processors are directly bound by the guarantees concerning automated decision-making provided for by Article 22 of the GDPR. When this is not the case, U.S. law does offer sectoral protection similar to the GDPR in areas like employment, insurance and credit, where automated decisions are most likely.
- Data security
In relation to Mr. Latombe’s argument that U.S. requirements for data security were too vague, the General Court held that the security provisions of the DPF were broad enough in scope when interpreted in light of the entire legal text.
- Storm clouds still ahead?
To sum up, the General Court dismissed Mr. Latombe’s request for the annulment of the DPF, so it remains valid and may serve as a data transfer mechanism to the U.S.
Despite the relief this ruling may bring to companies that rely on the DPF when transferring personal data to the U.S., the framework remains fragile.
On the one hand, the decision may be challenged before the Court of Justice, and on the other, privacy activists such as NOYB[xi] have already indicated that they are considering launching further challenges.
Thus, it may be wise for companies transferring personal data to the U.S. to provide for a plan B, such as standard contractual clauses, to ensure compliance in case the DPF is invalidated in the future.
In this article we analysed the judgement T‑553/23 of the CJEU (General Court).
Written by Anita Vereb
[i] https://www.culawreview.org/journal/playing-legal-ping-pong-schrems-i-ii-and-perhaps-iii
[ii] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
[iii] ECLI:EU:C:2015:650, C-362/14
[iv] ECLI:EU:C:2020:559, C-311/18
[v] European Data Protection Board, EU-U.S. Data Privacy Framework F.A.Q. for European Businesses, adopted on 16 July 2024
[vi] The said court has the power to review and overturn the decisions of the Privacy and Civil Liberties Oversight Body which has oversight powers on the activities of intelligence agencies.
[vii] Charter of Fundamental Rights of the European Union, Article 47
[viii] Articles 7 and 8 of the CFREU
[ix] See Article 22 of the GDPR
[x] See Article 3(2) of the GDPR
[xi] https://noyb.eu/hu/eu-us-data-transfers-first-reaction-latombe-case