Challenge to EU-US data-transfer deal fails
An EU court has dismissed a challenge to a framework for the transfer of personal data agreed between the EU and US in 2023.
The EU’s highest court had found two previous frameworks to be invalid, as they did not ensure a level of protection of fundamental rights and freedoms that was essentially equivalent to that guaranteed by EU law.
The European Commission had approved the latest framework after the US took measures to strengthen privacy safeguards – including changes to the provisions governing the establishment and functioning of its Data Protection Review Court (DPRC).
‘Several safeguards’
French citizen Philippe Latombe, however, challenged the commission decision, arguing that the DPRC was neither impartial nor independent, but dependent on the executive.
Latombe also submitted that US intelligence agencies were collecting EU personal data in bulk without the prior authorisation of a court or an independent administrative authority.
The General Court found, however, that the DPRC’s functioning was accompanied by “several safeguards and conditions to ensure the independence of its members”.
Judicial oversight
The judges also noted that, under the commission decision, the EU body could suspend, amend, or repeal the framework if the legal situation in force in the US changed.
Referring to a previous ruling by the EU courts, the General Court said that any EU decision authorising the collection of personal data by the US must, at a minimum, be subject to ex post judicial review.
“In the present case, it is apparent from the file that, under US law, signals intelligence activities carried out by US intelligence agencies are subject to ex post judicial oversight by the DPRC,” the judges stated.