
Inge Kristian Brodersen
Partner
Oslo
Newsletter
by Inge K. Brodersen
On 3 September 2025, the General Court of the European Union delivered a comprehensive ruling[1] with an important impact on how businesses handle personal data transfers between the EU and the United States. In case T-553/23, the court rejected a legal challenge brought by Philippe Latombe, a French citizen, against the current framework governing these data transfers.
In today's interconnected world, many businesses routinely transfer personal data between Europe and America - whether through cloud services, international HR systems, customer databases, or business communications. GDPR requires that when personal data leaves the EU, the third country must ensure a level of protection for fundamental rights and freedoms that is essentially equivalent to the level of protection guaranteed within the EU under the GDPR, read in light of the Charter of Fundamental Rights. This ruling confirms that the current system meets those requirements.
That said, it should be noted that the decision can still be appealed to the EU Court of Justice, and that, in any event, it in all likelihood does not represent a final conclusion on the topic.
The relationship between EU and US data protection has been particularly complex. The European Court first invalidated the Safe Harbor Privacy Principles in 2015 through the "Schrems I" judgment, and subsequently invalidated the EU-US Privacy Shield in 2020 through the "Schrems II" judgment. In both cases, the Court found that these systems did not guarantee a level of protection for fundamental rights and freedoms that was essentially equivalent to that guaranteed under Union law.
These decisions created significant uncertainty for businesses that relied on these frameworks for their day-to-day operations.
In October 2022, the United States took steps to address European concerns by adopting Executive Order 14086, which strengthened privacy protection measures for signals intelligence activities carried out by US intelligence services. This was supplemented by Attorney General Order No. 5517-2022, which established and regulated the Data Protection Review Court (DPRC).
Following examination of these US regulatory changes, the European Commission adopted the contested adequacy decision on 10 July 2023, under Article 45.3 of the GDPR, introducing the new transatlantic framework for personal data flows between the Union and the United States.
It should be noted that multiple academics and interest groups have criticized the new framework, reflecting concerns about whether it truly provides "essentially equivalent" protection to EU standards, particularly regarding surveillance limitations and redress mechanisms.
Philippe Latombe, a French citizen who uses various IT platforms that collect his personal data and transfer it to the United States, challenged this new framework. His challenge raised five grounds: violation of EU language requirements (later withdrawn), violation of fundamental rights to privacy and family life, lack of independent judicial review, inadequate protection against automated decision-making, and insufficient data security measures.
Independence of the Data Protection Review Court
One of the most significant aspects of the ruling concerned the independence of the newly created DPRC. The court found that the DPRC consists of at least six judges appointed by the Attorney General for four-year renewable terms, applying the same criteria as federal judges and considering their prior judicial experience. Judges must be legal practitioners with appropriate experience in privacy and national security law, with at least half having prior judicial experience.
Crucially, DPRC judges can only be removed by the Attorney General for specific cause - negligence, misconduct, security violations, dereliction of duty, or incapacity - after due consideration of standards applicable to federal judges. The court noted that E.O. 14086 prohibits intelligence services and the Attorney General from improperly hindering or influencing DPRC's work.
The court specifically found that the deficiencies identified in the Schrems II judgment regarding the lack of guarantees that the executive power would not remove the Privacy Shield ombudsman and that the ombudsman's decisions would be binding have been addressed, as E.O. 14086 limits cases where the Attorney General can remove DPRC judges and prescribes that this body's decisions are binding.
Intelligence Data Collection: Targeted vs. Bulk Collection
The court provided detailed analysis of US intelligence collection practices. In the United States, signals intelligence collection for national security purposes should primarily occur through "targeted collection." When necessary for a validated intelligence priority that cannot reasonably be achieved through targeted collection, intelligence services may perform "bulk collection" of personal data.
Importantly, the court clarified that "mass collection" of personal data - defined as collection occurring in a general and undifferentiated manner without limitations or guarantees - is not permitted in the United States and cannot be performed either within or outside the United States.
The court found that E.O. 14086 establishes that intelligence services must prioritise targeted collection, with bulk collection only permitted when used to advance a validated intelligence priority that reasonably cannot be obtained through targeted collection. These priorities are established through a specific process involving the DNI and US President, with CLPO evaluation required for each priority.
Comprehensive Safeguards for Bulk Collection
The court noted that E.O. 14086 establishes fundamental requirements for all signals intelligence activities: they must be based on law or presidential authorisation; may only be conducted after determining it is necessary to maintain a validated intelligence priority; and must be conducted proportionally, balancing importance against impact on data subjects' privacy and civil rights regardless of nationality or residence.
Bulk collection may only be conducted to fulfil six specific objectives: protection against terrorism, espionage, weapons of mass destruction, cyber threats, threats to US or allied personnel, and transnational crime.
Prior Authorisation Requirements
A key issue in the challenge concerned whether US intelligence services required prior court authorisation for bulk collection. The court clarified that the Schrems II judgment did not require bulk collection to be preceded by prior authorisation from an independent authority, but rather that such decisions must at least be subject to ex post judicial review.
The court found that E.O. 14086 and the Attorney General's regulation ensure that US intelligence services' signals intelligence activities, even when conducting bulk collection, are subject to DPRC's ex post judicial review, with DPRC decisions being final and binding on both the US government and intelligence services, thus meeting Schrems II requirements.
Automated Decision-Making Protections
Regarding automated decision-making, the court noted that US law provides sectoral protection similar to that prescribed in the GDPR in areas such as lending, mortgage offers, recruitment decisions, employment, housing and insurance. Specific US laws include the Fair Credit Reporting Act, Equal Credit Opportunity Act, Civil Rights Act, Fair Housing Act, and Health Insurance Portability and Accountability Act regulations.
Data Security Measures
On data security, the court found that the terms used in the adequacy decision - "creates", "stores", "uses" and "disseminates" - constitute specific expressions for "processing" personal data as meant in Article 32 of the GDPR, and cover a large number of actions concerning personal data, including reading personal data.
The court noted that under Article 3.1 of the contested decision, the Commission is obligated to continuously monitor application of the legal framework, including conditions for onward transfers, exercise of individual rights, and US authorities' access to transferred personal data, to assess whether the US continues to ensure adequate protection levels, with authority to revoke, modify, or suspend the decision if adequate protection can no longer be ensured.
The court rejected all grounds of challenge and dismissed the action in its entirety, confirming that the United States provides adequate protection for personal data transferred from the EU. This provides increased legal certainty for businesses and organisations that need to transfer personal data across the Atlantic for legitimate purposes.
For businesses, this means:
If your organisation transfers personal data to the United States, you should:
Stay informed about any potential appeals or changes to the framework
[1] Swedish translation of judgment: T-553/23