Few topics in data protection spark as much debate as the transfer of personal data to the U.S. This issue has been at the centre of GDPR case law and regulatory guidance for years, with the Court of Justice of the European Union (CJEU) and regulators such as the European Data Protection Board (EDPB) frequently shaping the rules in this area. Rightfully so, as the legal possibilities for data transfers between the EU and the U.S. carry major economic implications.
A brief history
Even before GDPR came into force, data transfers to the U.S. faced legal scrutiny. It began with the Schrems I case (C-362/14), where the CJEU struck down the Safe Harbour agreement. Safe Harbour had been designed to allow U.S. companies to receive personal data from the EU in compliance with the Data Protection Directive 95/46/EC (the predecessor to GDPR) but was found insufficient to protect EU citizens’ rights.
Safe Harbour was later replaced by the U.S. Privacy Shield, which was intended to serve the same purpose under GDPR. However, this too was invalidated by the CJEU in the Schrems II case (C-311/18) due to concerns about U.S. surveillance laws and the lack of effective legal remedies for EU citizens.
The most recent attempt to address these concerns is the EU-U.S. Data Privacy Framework (“DPF”), which has applied since July 2023. It was designed to provide an improved level of data protection for EU citizens and ensure legal certainty for businesses transferring data to the U.S. Whether the DPF actually solves the data protection issues described in Schrems II and elsewhere is subject to much debate.
The Latombe case
The Latombe case (T-553/23) marked the first significant legal challenge to the DPF, the successor arrangement to Safe Harbour and Privacy Shield. The applicant sought to have the DPF annulled, advancing arguments similar to those that led the CJEU to strike down the two earlier frameworks in Schrems I and Schrems II. Central to the challenge were claims that U.S. surveillance practices and the absence of adequate remedies for EU data subjects rendered the framework incompatible with the rights to privacy, data protection, and effective judicial protection under GDPR and the EU Charter of Fundamental Rights.
The EU General Court, however, confirmed that the legality of the adequacy decision had to be assessed solely on the basis of the factual and legal circumstances existing at the time of its adoption. Against that background, it conducted a detailed review of the legal and institutional reforms implemented by the U.S. following Schrems II. In particular, it examined the independence, powers, and procedures of the newly created U.S. Data Protection Review Court (DPRC), which now provides EU individuals with access to a binding redress mechanism to challenge unlawful surveillance activities.
The court also assessed the interaction between FISA Section 702 and Executive Order 14086. It noted that Section 702 governs only targeted surveillance programs subject to judicial oversight by a U.S. court and therefore does not authorize the kind of indiscriminate bulk collection that concerned the applicant. Bulk collection activities outside the U.S. are instead regulated under Executive Order 14086, which according to the court’s findings imposes strict limitations, including necessity and proportionality requirements, independent oversight mechanisms, enhanced transparency obligations, and clear restrictions on the permissible national security objectives. Together, these safeguards were found to provide an “essentially equivalent” level of protection for personal data as required under EU law.
After considering these reforms as they stood at the time of the adequacy decision, the court concluded that the DPF ensures a level of protection for personal data that is “essentially equivalent” to that guaranteed within the EU. It therefore rejected all pleas for annulment, confirming that the DPF satisfies the adequacy requirements of GDPR and allowing transatlantic data transfers to continue under this framework.
Why the DPF matters for businesses subject to GDPR
Based on the current guidelines from the EDPB, the DPF or an equivalent adequacy decision is arguably essential in practice to enable U.S. data transfers in accordance with GDPR.
From a legal perspective, the DPF functions as an adequacy decision under Article 45 GDPR, provided that the U.S. data recipient is certified under the framework. The main benefit for businesses subject to GDPR is that, when transferring personal data to certified U.S. recipients, they generally do not need to rely on alternative transfer mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Historically, these alternatives have often been time-consuming, costly, and cumbersome to implement and maintain.
In the period between Schrems II and the adoption of the DPF, when no adequacy decision for the U.S. existed, the EDPB issued guidelines on supplementary measures for SCCs to help organisations ensure that this transfer mechanism complied with GDPR. Some of the technical requirements tied to these supplementary measures are frankly unrealistic for most business purposes. At a general level, risk proportionality is clearly absent from these guidelines, which results in a black-and-white approach to the rules. Factors such as data volume, data categories and what resources the specific organisation can reasonably be expected to have seem to be wholly disregarded. The EDPB would do well to take note of the more pragmatic approach taken by the ICO, the UK Data Protection Authority, when it comes to international data transfers.
An example I wish to highlight within the context of U.S. data transfers is that the EDPB guidelines essentially require – in order for SCCs to be a valid transfer mechanism – that data processed by U.S. cloud service providers be encrypted ‘in transit’, ‘in use’ and ‘at rest’, with the encryption key being solely in the possession of an EU entity. Furthermore, the EU entity holding the encryption key cannot have any direct or indirect ties to the U.S. (e.g., a U.S. parent company) that may trigger the application of U.S. surveillance laws such as FISA or the CLOUD Act.
There can be a myriad of reasons (e.g., organisational, financial or unique services) that may entice a business to use a U.S. service provider; those reasons are outside the scope of this article. The point is that demanding encryption of data at this level to protect against all forms of hypothetical government overreach, irrespective of individual risk levels, results in these services being unusable for most business purposes. Consequently, had the DPF been invalidated in this ruling, SCCs would not be a realistic alternative for the majority of use cases that require U.S. data transfers.
Not all is said and done
It is possible that the decision will be appealed to the CJEU. However, since the General Court dismissed the case after fully examining the substance of the adequacy decision as it stood on the date of its adoption and finding that the DPF ensures an essentially equivalent level of protection under EU law, any appeal would be limited to points of law only.
Furthermore, the DPF still remains subject to periodic reviews by the European Commission. The first review took place in July 2024, one year after the adequacy decision entered into force. Under Article 45(3) GDPR, future reviews must occur at least every four years, although the Commission has indicated that the next review will likely be held within three years (that is, by July 2027, counting from the first review) to allow for closer monitoring of how the DPF functions in practice.
Political developments, particularly changes in the U.S. legal landscape, could still affect the framework’s validity. Moreover, the outcome of this case does not prevent the DPF from facing further legal challenges in EU or even national courts.