EU court upholds new data transfer deal with the United States
The Court rejected arguments that US safeguards are insufficient, ruling that the newly established Data Protection Review Court is independent and that American intelligence agencies’ data collection practices meet EU standards when subject to judicial review.
The European Union’s General Court has confirmed that the United States currently provides a sufficient level of protection for Europeans’ personal data, allowing information to continue flowing across the Atlantic under a new legal framework.
The case was brought by Philippe Latombe, a French citizen, who asked the Court to cancel the European Commission’s 2023 decision that approved the so-called EU–US Data Privacy Framework. This framework replaced two earlier arrangements, known as Safe Harbour (2000) and the Privacy Shield (2016), which had been struck down by the EU’s highest court in the past. Those earlier rulings, called Schrems I (2015) and Schrems II (2020), found that US surveillance practices did not protect Europeans’ privacy rights to the same level guaranteed in EU law.
To address these concerns, the United States introduced reforms in 2022. A presidential order limited how intelligence agencies can handle personal data, and a new body called the Data Protection Review Court (DPRC) was set up to give individuals a way to challenge how their data is used. Based on these steps, the European Commission decided in July 2023 that the US offers ‘adequate’ safeguards, meaning companies can send personal data across the Atlantic without needing special authorisation.
Latombe argued that the DPRC was not truly independent and that US intelligence agencies still collect too much data in bulk, without proper oversight. But the General Court disagreed. It ruled that the DPRC has safeguards to protect its independence and that US data collection practices are subject to judicial review, which meets the requirements laid down in the Schrems II judgement.
The Court also stressed that the European Commission must keep monitoring the US system. If protections weaken, the Commission can suspend or withdraw its approval.
This ruling means that, for now, the EU–US Data Privacy Framework remains valid, giving legal certainty to thousands of businesses that rely on moving data across the Atlantic for services such as cloud computing, social media, and financial transactions. However, the decision can still be appealed to the Court of Justice of the EU, and legal challenges are likely to continue in the years ahead.
