European Court Says U.S. Data Transfer Framework Remains Valid for Now

Written by: Haim Ravia, Dotan Hammer

The European Union’s General Court (a lower court under the Court of Justice) dismissed an action to invalidate the European Commission’s Implementing Decision (EU) 2023/1795, which established the new EU-US Data Privacy Framework. The General Court’s decision affirmed that the Commission’s finding of an adequate level of protection for personal data transferred to the United States was lawful.

The General Court addressed two main pleas regarding the essential equivalence of U.S. law relating to privacy and data protection compared with EU fundamental rights:

1. Right to Effective Judicial Protection. The General Court rejected the argument that the U.S. Data Protection Review Court (DPRC) was neither independent nor established by law. The Court found that the safeguards in Presidential Executive Order 14086 regarding the appointment, dismissal, and oversight of DPRC judges ensure their independence and impartiality, thereby remedying the deficiencies identified in the Schrems II judgment, which had invalidated the ‘Privacy Shield’ (the predecessor of the EU-US Data Privacy Framework). Crucially, the Court held that while the DPRC was created by an executive act, the Commission is only obligated to ensure that the US provisions are essentially equivalent to EU law, and the sufficient safeguards provided satisfy the requirement of being “previously established by law”.
2. Rights to Private Life and Data Protection. The petitioner argued that the US framework infringed these rights by not requiring prior judicial authorization for the bulk collection of personal data by US intelligence agencies. The Court rejected this, clarifying that Schrems II requires judicial review after the fact, which is provided by the DPRC. The Court noted that Presidential Executive Order 14086 sufficiently circumscribes bulk collection by requiring it to advance a validated intelligence priority and sets specific safeguards. Considering the bulk collection is only the initial interception stage, and significant oversight is provided by an independent agency within the executive branch of the United States government, Inspectors General, and Congress, the lack of prior authorization alone is not sufficient to find that the US framework lacks essentially equivalent safeguards.

Notably, the General Court’s decisions are appealable to the EU’s top court, the Court of Justice. The Court of Justice is likely to have the final word on the validity of the new EU-US Data Privacy Framework, as it did with its predecessor programs, the Safe Harbor and the Privacy Shield.