European Court rejects challenge to EU-US data transfer agreement

Tech companies and other businesses won out Wednesday when a European Union court held that the United States adequately safeguards the personal data of Europeans.

The General Court of the Court of Justice of the European Union ruled against a French lawmaker who had challenged the EU-U.S. Data Privacy Framework (DPF), citing the fact that a U.S. data protection court provides independent oversight of U.S. intelligence agencies and their potential surveillance of Europeans’ data.

The lawmaker who brought the case, Philippe Latombe, had argued that the U.S. Data Protection Review Court (DPRC) — which is housed inside the Department of Justice and has been historically seen as a bulwark for checking U.S. data surveillance activities — is not sufficiently independent.

Latombe has also held that the DPF, which was agreed to in 2023, does not adequately shield Europeans from bulk data collection by U.S. intelligence agencies.

The General Court noted in a press release that the European Commission monitors the framework to make sure it is consistently applied and said that the DPRC ensures that intelligence services’ receive adequate oversight. 

Caitlin Fennessy, vice president and chief knowledge officer at the IAPP, said the ruling should be a relief for U.S. and European officials in “this fraught geopolitical moment.”

“It is a highly significant decision in that it is the first time one of the EU's high courts has ruled on the merits of a data transfer framework and supported that framework,” Fennessy said in an interview. 

“This bolsters confidence in the framework — there are thousands of companies relying on this framework and uncertainty is bad for business.”

Fennessy noted that the decision leaves room for an appeal to be filed with the European Court of Justice.

Digital freedoms advocates were disappointed by the ruling for a number of reasons including the fact that the Privacy and Civil Liberties Oversight Board (PCLOB), which has been an integral check on U.S. intelligence services’ surveillance efforts, currently lacks a quorum.

Greg Nojeim, senior counsel and director of the Security and Surveillance Project at the Center for Democracy and Technology, questioned the General Court’s assertion that there are adequate protections in place to ensure that DPRC judges are independent.

With the Federal Trade Commission, the DPRC and PCLOB all showing signs that they are beholden to the executive branch, he said, there is reason to be concerned that the DPF does not receive adequate oversight or do enough to protect Europeans’ data.