European Union's Data Privacy Framework deal with the United States gets validated by the court, providing a reprieve for the European Commission

The European Court of Justice (ECJ) General Court has delivered a significant decision in favour of the Data Privacy Framework (DPF) agreement between the EU and the US. This ruling is seen as a major victory for US-EU transatlantic data flows and trade.

The origins of this battle can be traced back to a 2013 complaint by law student Max Schrems against Facebook and the inadequacy of the EU's year 2000 Safe Harbour agreement with the US. Schrems, the lawyer who lodged the initial complaint, still campaigns on the issue through an NGO he founded, None of Your Business (NOYB).

In 2015, the ECJ ruled Safe Harbour invalid in a case dubbed 'Schrems I'. This legal challenge created another delay and more uncertainty for companies transferring data to US entities. The DPF agreement, negotiated in July 2023, sets out the rules governing the transfer of the personal data of EU citizens between the EU and the US.

However, the DPF agreement was quickly dismissed by campaigners as a tweaked version of the previous flawed data transfer agreement, The Privacy Shield or 'Schrems II'. French MP Philippe Latombe launched a legal challenge against the DPF, arguing that it failed to provide adequate protection for EU citizens' personal data.

Despite the rejection of the legal challenge, Max Schrems believes the Court's ruling is still open to appeal and is considering bringing a broader challenge. Caitlin Fennessy, chief knowledge officer for the International Association of Privacy Professionals, shares similar sentiments, believing there might still be room for an appeal to test the issue of adequacy.

The US has introduced more legal oversight of the DPF at its end, addressing some of the concerns about its compatibility with European law and values. The US Data Protection Review Court provides ex post judicial oversight for signals intelligence activities carried out by US intelligence agencies.

However, Schrems expresses concerns about the use of Executive Orders by the Trump administration and its potential impact on US law. There is suspicion in Europe that the US approach to surveillance and privacy is deeply incompatible with European law and values.

Without the DPF agreement, EU companies would have to draft complex contracts with US suppliers for each data transfer, which would be expensive, time-consuming, and may not meet legal standards under real-world conditions. Max Schrems' NGO, None of Your Business (NOYB), still lacks legal certainty for users and businesses despite the Commission gaining another year from the ruling.

The European Commission has the possibility to reauthorize the EU-US data protection framework agreement according to the decision of the EU General Court. Chris Linnell, associate director of data privacy at consultancy Bridewell, notes the Commission's weak record of getting agreements with the US past courts in the EU.

Despite the ongoing concerns and potential for further appeals, the rejection of the legal challenge against the DPF provides a temporary relief for businesses and individuals transferring data between the EU and the US. The focus now shifts to the European Commission and the US government to address the remaining concerns and ensure the long-term viability of the DPF agreement.

European Union's Data Privacy Framework deal with the United States gets validated by the court, providing a reprieve for the European Commission