EU Court Upholds Data Protection Framework – For Now


The Data Protection Framework (DPF) underpins the adequacy decision under which personal data can be transferred from the European Union, the UK, and Switzerland to the United States. It has survived its first major legal challenge in the EU General Court and appears, for the moment, to be more durable than its predecessors, Safe Harbor and Privacy Shield, which were both invalidated (in 2015 and 2020 respectively) by the Court of Justice of the European Union (CJEU).

The Case: Latombe v Commission

French MP Philippe Latombe brought the challenge, arguing that the DPF lacked sufficient safeguards for personal data. His concerns centered on (among other things) the independence of the Data Protection Review Court (DPRC), which handles complaints under the DPF. Latombe claimed the DPRC was not truly independent, as it was established by a regulation from the U.S. Attorney General, supplementing an executive order from former President Biden.

He also raised concerns about U.S. intelligence agencies collecting bulk personal data from the EU without prior judicial or administrative authorization, arguing that such practices were not clearly limited and therefore unlawful under European law.

The Court’s Response

The EU General Court dismissed the challenge, citing several key points:

  • Judicial Independence: DPRC judges can only be dismissed “for cause” by the Attorney General, which the Court found sufficient to ensure independence.
  • Ongoing Oversight: The European Commission is required to monitor the DPF and can revoke its adequacy decision if the U.S. legal framework changes.
  • Judicial Oversight: The Court referenced the Schrems II decision, noting that bulk data collection must be subject to at least post-collection judicial review, which the DPRC provides.

What This Means

While the DPF remains valid for now, it’s not entirely out of the woods. The decision can be appealed to the CJEU, the same court that invalidated the previous frameworks. Privacy advocacy group NOYB has hinted that it is considering making challenges with a wider scope. Interestingly, the General Court chose to decide on the merits, skipping over the question of whether Latombe had sufficient standing to bring the claim at all.

Organisations should bear in mind, even as the DPF survives, that it only applies to transfers:

  1. From the EU, UK, or Switzerland;
  2. To the United States;
  3. To recipients who are certified under the DPF.

For other types of transfers, alternative mechanisms like Standard Contractual Clauses (SCCs) are still required.

Final Thoughts

This ruling offers a temporary sigh of relief for organisations relying on the DPF, but the landscape remains dynamic. Businesses should continue to monitor developments and ensure their data transfer mechanisms remain compliant.

Need help navigating international data transfers?

Reach out to our team for practical, up-to-date guidance tailored to your business.
