On September 6 French MP and CNIL member Philippe Latombe lodged a request to suspend the EU-US Data Privacy Framework before the EU Court of Justice, as first reported by Politico.
Legal action against the Data Privacy Framework was largely expected. However, Mr. Latombe’s action might be short lived, as there are procedural hurdles to bringing the case to the Court.
This blog will explain what is going on with the Data Transfer Framework, and why procedural requirements may spell an early doom for Latombe’s legal battle.
Update: on October 12 the Court denied Mr. Latombe's request, on grounds that he could not prove that the suspension was urgently needed.
- What is the Data Privacy Framework?
- What is the story behind the Data Privacy Framework?
- Will Mr. Latombe succeed in suspending the framework?
- How will things play out in the long term?
What is the Data Privacy Framework?
The Trans-Atlantic Data Privacy Framework (DPF) is a data transfer framework between the EU and the US. The DPF has been in place since July and allows for simple, GDPR-compliant transfers of personal data between the EU and the US.
In other words, the GDPR provides specific rules and standards for transferring data outside the EU, and the DPF helps organizations meet them. Without the framework, some EU-US data transfers would be impossible or trickier.
The Framework is not an agreement under international law, but rather a combination of internal legal acts in the European and US law frameworks. Last year US President Joe Biden published an Executive Order (EO 14068) to limit the powers of surveillance agencies to spy on European data. And in July, the European Commission adopted an adequacy decision- an act that essentially “greenlights” a country as a safe destination for data transfers under the GPDR.
For more information about the DPF and data transfer mechanisms under the GDPR, feel free to visit our blog on the topic.
What is the story behind the Data Privacy Framework?
We already wrote about this topic extensively, so here is the short version.
The DPF is not the first framework of its kind between the EU and the US. Two other frameworks- the Safe Harbor agreement and the Privacy Shield- served the same function in the past. However, both frameworks were invalidated by the EU Court of Justice in the Schrems I and II decisions. The rulings revolved around US surveillance over foreign data and highlighted that the older frameworks were not sufficient to safeguard European data against intelligence agencies.
After Schrems II, privacy NGO noyb pushed for a stricter application of Schrems II through strategic litigation aimed at Google Analytics- a web analytics tool that processes visitor data in the US. Noyb’s litigation led to the de facto ban of Google Analytics from several Member States, and sparked a heated debate about the lawfulness of EU-US data transfers under the GDPR.
The DPF aims to end this situation of chronic uncertainty by striking a balance between individual privacy, and the need to conduct electronic surveillance for national defense.
The US government and the European Commission worked closely to ensure that the new framework would withstand the scrutiny of the EU Court of Justice (CJEU). The Executive Order published by US President somewhat limits surveillance agencies in how far they can snoop on European data, and introduces a new system for oversight and redress against abuses. The US and the European Commission are hoping that these new rules will allow the DPF to survive a “Schrems III” ruling.
Will Mr. Latombe succeed in suspending the framework?
We doubt it, because procedural hurdles might prevent merit from being discussed in the first place.
Most cases end up in the CJEU via a preliminary ruling. In other words, the case is first brought before the court of a Member State, and then referred to the CJEU by the competent judge in order to clarify the interpretation of European law. This is how the Schrems I and II cases made their way to the CJEU as well.
Mr. Latombe’s case is different because he lodged his request as a direct action: he went straight to the Court and asked for the DPF to be annulled.
This strategy has its pros and cons. On the one hand, direct action bypasses domestic courts entirely, drastically shortening the time required to get a decision from the CJEU. On the other hand, EU law prescribes fairly strict requirements for direct actions: the applicant must successfully argue that the DPF concerns them directly and individually. This could be a problem for Mr. Latombe because he is no more concerned by the DPF than any other EU citizen.
Traditionally, the requirement for direct and individual concern has been taken very seriously by the CJEU. This is why the Court will likely dismiss the action without discussing its merit.
We hope to be proven wrong because the fate of the DPF is the source of much legal uncertainty, and many organizations would greatly benefit from the clarity that a CJEU decision would bring.
How will things play out in the long term?
Even if Latombe’s action is declared inadmissible, someone else will step up. Noyb already announced its intention to challenge the framework, and other advocacy organizations may also take action.
So, sooner or later the CJEU will decide the fate of the DPF. And it is hard to say how things will play out.
Opinions on the new framework are quite polarized in the privacy community. Some believe the DPF to be the solution everyone has been longing for. Others- including noyb- consider it a Privacy Shield paint job and expect the CJEU to shoot it down as soon as the ball lands in its court.
The truth probably lies somewhere in the middle: the DPF is a step forward from the past overall, but some aspects of Joe Biden’s Executive Order are still reason for concern and might be an issue for the Court of Justice.
European institutions themselves are divided on the merits of the framework. The Commission is, of course, an enthusiastic proponent of the DPF. On the other hand, the EU Parliament rejected the DPF by a large majority. The vote of the Parliament is not binding but might influence the tone of the debate and put some pressure on the CJEU. Finally, the European Data Protection Board adopted a somewhat prudent Opinion on the framework- possibly to avoid influencing an already polarized debate.
We believe that privacy concerns everyone and that companies should be responsible in how they collect data. This is why we created Simple Analytics: the web analytics tool that provides businesses with all the insights they need- without touching personal data. If this sounds good to you, feel free to give us a try!