[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"blog-slug_blog_3_1":3,"blog-slug_blog_first-challenge-dpf_1000_1":40},{"article":4,"articles":15,"meta":33,"languages":39},{"id":5,"title":6,"excerpt":7,"locale":8,"slug":9,"authorSlug":10,"automaticTranslated":11,"publishedAt":12,"updatedAt":13,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3060,"The EU wants to kill cookie banners","The EU wants to end annoying cookie pop-ups by letting users set their consent once in their browser. If passed, websites will have to respect those choices.","en","the-eu-wants-to-kill-cookie-banners-by-moving-consent-to-your-browser","iron-brands",false,"2025-11-20T05:40:14.356Z","2025-11-20T06:13:15.812Z","blog",[4,16,26],{"id":17,"title":18,"excerpt":19,"locale":8,"slug":20,"authorSlug":10,"automaticTranslated":11,"publishedAt":21,"updatedAt":22,"ctaTitle":23,"ctaDescription":24,"doFollowLinks":11,"showIndex":25,"showCallToActions":11,"articleType":14},3019,"Google is tracking you (even when you use DuckDuckGo)","Google tracks users even on DuckDuckGo via Analytics and embeds. A new study shows how deep Google’s web tracking really goes.","google-is-tracking-you-even-when-you-use-duck-duck-go","2025-07-14T08:56:41.709Z","2025-07-14T11:26:01.386Z","If you care about privacy, you don't use Google Analytics","Ditch the tracking, keep the insights. Try Simple Analytics.",true,{"id":27,"title":28,"excerpt":29,"locale":8,"slug":30,"authorSlug":10,"automaticTranslated":11,"publishedAt":31,"updatedAt":32,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3018," German court rules Meta’s tracking tech violates GDPR","German court rules Meta’s tracking tech violates GDPR, allowing lawsuits without proof of harm. 
Big risks ahead for sites using Meta pixels.","german-court-rules-meta-s-tracking-tech-violates-gdpr","2025-07-10T08:20:51.111Z","2025-07-10T12:16:26.327Z",{"pagination":34},{"page":35,"pageSize":36,"pageCount":37,"total":38},1,3,362,1084,{},{"article":41},{"contentHtml":42,"content":43,"inlineMedia":44,"id":46,"title":47,"excerpt":48,"locale":8,"slug":49,"authorSlug":10,"automaticTranslated":11,"publishedAt":50,"updatedAt":51,"doFollowLinks":11,"showIndex":25,"showCallToActions":25,"articleType":14,"languages":52},"\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">On September 6 French MP and CNIL member Philippe Latombe lodged a request to \u003Cstrong>suspend the EU-US Data Privacy Framework\u003C/strong> before the EU Court of Justice, as first reported by \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.politico.eu/article/french-lawmaker-challenges-transatlantic-data-deal-before-eu-court/?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">Politico\u003C/a>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">Legal action against the Data Privacy Framework was largely expected. However, Mr. Latombe’s action might be short lived, as there are procedural hurdles to bringing the case to the Court.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">This blog will explain what is going on with the Data Transfer Framework, and why procedural requirements may spell an early doom for Latombe’s legal battle.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">\u003Cem>Update: on October 12 the Court \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.natlawreview.com/article/eu-us-data-privacy-framework-no-urgency-suspend-according-cjeu?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">denied Mr. 
Latombe&#39;s request\u003C/a> on procedural grounds.\u003C/em>\u003C/ContentEditable>\n\u003Col class=\"counters\">\u003Cli>\u003CNuxtLink to=\"#what-is-the-data-privacy-framework\">What is the Data Privacy Framework?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-is-the-story-behind-the-data-privacy-framework\">What is the story behind the Data Privacy Framework?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#will-mr-latombe-succeed-in-suspending-the-framework\">Will Mr. Latombe succeed in suspending the framework?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#how-will-things-play-out-in-the-long-term\">How will things play out in the long term?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#conclusions\">Conclusions\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003CCtaTwo />\u003CContentEditable  id=\"what-is-the-data-privacy-framework\" parent=\"\" tag=\"h2\" :articleId=\"1832\">What is the Data Privacy Framework?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">The Trans-Atlantic Data Privacy Framework (DPF) is a data transfer framework between the EU and the US. The DPF has been in place since July and allows for simple, \u003Cstrong>GDPR-compliant transfers of personal data between the EU and the US\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">In other words, the GDPR provides specific rules and standards for transferring data outside the EU, and the DPF helps organizations meet them. Without the framework, some EU-US data transfers would be impossible or trickier.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">The Framework is not an agreement under international law, but rather a combination of internal legal acts in the European and US law frameworks. 
Last year US President Joe Biden published an \u003Cstrong>Executive Order\u003C/strong> (\u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">EO 14068\u003C/a>) to limit the powers of surveillance agencies to spy on European data. And in July, the European Commission adopted an \u003Cstrong>\u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">adequacy decision\u003C/a>\u003C/strong>- an act that essentially “greenlights” a country as a safe destination for data transfers under the GDPR.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">For more information about the DPF and data transfer mechanisms under the GDPR, feel free to visit \u003CNuxtLink to=\"/blog/all-about-the-new-data-transfer-framework#how-does-the-trans-atlantic-data-protection-framework-work\"  >our blog\u003C/NuxtLink> on the topic.\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-is-the-story-behind-the-data-privacy-framework\" parent=\"\" tag=\"h2\" :articleId=\"1832\">What is the story behind the Data Privacy Framework?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">We already \u003CNuxtLink to=\"/blog/all-about-the-new-data-transfer-framework#what-is-the-story-behind-the-dpf\"  >wrote about this topic\u003C/NuxtLink> extensively, so here is the short version.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">The DPF is not the first framework of its kind between the EU and the US. 
Two other frameworks- the Safe Harbor agreement and the Privacy Shield- served the same function in the past. However, both frameworks were \u003Cstrong>invalidated\u003C/strong> by the EU Court of Justice in the \u003Cstrong>Schrems I and II\u003C/strong> decisions. The rulings revolved around \u003Cstrong>US surveillance over foreign data\u003C/strong> and highlighted that the older frameworks were not sufficient to safeguard European data against intelligence agencies.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">After Schrems II, privacy NGO noyb pushed for a stricter application of Schrems II through strategic litigation aimed at Google Analytics- a web analytics tool that processes visitor data in the US. Noyb’s litigation led to the \u003Cem>de facto\u003C/em> ban of Google Analytics from several Member States, and sparked a heated debate about the lawfulness of EU-US data transfers under the GDPR.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">The DPF aims to end this situation of chronic uncertainty by \u003Cstrong>striking a balance\u003C/strong> between individual privacy, and the need to conduct electronic surveillance for national defense.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">The US government and the European Commission worked closely to ensure that the new framework would withstand the scrutiny of the EU Court of Justice (CJEU). The Executive Order published by the US President somewhat limits surveillance agencies in how far they can snoop on European data, and introduces a new system for oversight and redress against abuses. The US and the European Commission are hoping that these new rules will allow the DPF to survive a “Schrems III” ruling.\u003C/ContentEditable>\n\u003CContentEditable  id=\"will-mr-latombe-succeed-in-suspending-the-framework\" parent=\"\" tag=\"h2\" :articleId=\"1832\">Will Mr. 
Latombe succeed in suspending the framework?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">We doubt it, because procedural hurdles might prevent merit from being discussed in the first place.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">Most cases end up in the CJEU via a preliminary ruling. In other words, the case is first brought before the court of a Member State, and then referred to the CJEU by the competent judge in order to clarify the interpretation of European law. This is how the Schrems I and II cases made their way to the CJEU as well.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">Mr. Latombe’s case is different because he lodged his request as a \u003Cstrong>direct action\u003C/strong>: he went straight to the Court and asked for the DPF to be annulled.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">This strategy has its pros and cons. On the one hand, direct action \u003Cstrong>bypasses domestic courts\u003C/strong> entirely, drastically shortening the time required to get a decision from the CJEU. On the other hand, EU law prescribes fairly strict requirements for direct actions: the applicant must successfully argue that the DPF concerns them \u003Cstrong>directly and individually\u003C/strong>. This could be a problem for Mr. Latombe because he is no more concerned by the DPF than any other EU citizen.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">Traditionally, the requirement for direct and individual concern has been taken very seriously by the CJEU. 
This is why the Court will likely \u003Cstrong>dismiss the action without discussing its merit\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">We hope to be proven wrong because the fate of the DPF is the source of much legal uncertainty, and many organizations would greatly benefit from the clarity that a CJEU decision would bring.\u003C/ContentEditable>\n\u003CContentEditable  id=\"how-will-things-play-out-in-the-long-term\" parent=\"\" tag=\"h2\" :articleId=\"1832\">How will things play out in the long term?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">Even if Latombe’s action is declared inadmissible, someone else will step up. Noyb already \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">announced its intention to challenge the framework\u003C/a>, and other advocacy organizations may also take action.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">So, sooner or later the CJEU will decide the fate of the DPF. And probably \u003Cstrong>shoot it down\u003C/strong>\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">Opinions on the new framework are quite polarized in the privacy community. Some believe the DPF to be the solution everyone has been longing for. Others- including noyb- consider it a Privacy Shield paint job and expect the CJEU to invalidate it as soon as the ball lands in its court (pun not intended).\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">European institutions themselves are divided on the merits of the framework. The Commission is, of course, an enthusiastic proponent of the DPF. 
On the other hand, the EU Parliament \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.europarl.europa.eu/news/en/press-room/20230505IPR85012/meps-against-greenlighting-personal-data-transfers-with-the-u-s?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">rejected the DPF\u003C/a> by a large majority. The vote of the Parliament is not binding but might influence the tone of the debate and put some pressure on the CJEU.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">We don&#39;t think the new framework stands much of a chance. In some ways it is a better framework than the Privacy Shield, but that is not saying much. There are still too many problematic aspects in the DPF for the CJEU to overlook, and the overwhelmingly negative response of the Parliament will likely pressure the Court to put the framework under very close scrutiny.\u003C/ContentEditable>\n\u003CContentEditable  id=\"conclusions\" parent=\"\" tag=\"h2\" :articleId=\"1832\">Conclusions\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"1832\">We believe that privacy concerns everyone and that companies should be responsible in how they collect data. This is why we created Simple Analytics: the web analytics tool that provides businesses with all the insights they need- without touching personal data. If this sounds good to you, feel free to give us a try!\u003C/ContentEditable>\n","On September 6 French MP and CNIL member Philippe Latombe lodged a request to **suspend the EU-US Data Privacy Framework** before the EU Court of Justice, as first reported by [Politico](https://www.politico.eu/article/french-lawmaker-challenges-transatlantic-data-deal-before-eu-court/).\n\nLegal action against the Data Privacy Framework was largely expected. However, Mr. 
Latombe’s action might be short lived, as there are procedural hurdles to bringing the case to the Court.\n\nThis blog will explain what is going on with the Data Transfer Framework, and why procedural requirements may spell an early doom for Latombe’s legal battle.\n\n_Update: on October 12 the Court [denied Mr. Latombe's request](https://www.natlawreview.com/article/eu-us-data-privacy-framework-no-urgency-suspend-according-cjeu) on procedural grounds._\n\n## What is the Data Privacy Framework?\n\nThe Trans-Atlantic Data Privacy Framework (DPF) is a data transfer framework between the EU and the US. The DPF has been in place since July and allows for simple, **GDPR-compliant transfers of personal data between the EU and the US**.\n\nIn other words, the GDPR provides specific rules and standards for transferring data outside the EU, and the DPF helps organizations meet them. Without the framework, some EU-US data transfers would be impossible or trickier.\n\nThe Framework is not an agreement under international law, but rather a combination of internal legal acts in the European and US law frameworks. Last year US President Joe Biden published an **Executive Order** ([EO 14068](https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/)) to limit the powers of surveillance agencies to spy on European data. 
And in July, the European Commission adopted an **[adequacy decision](https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721)**- an act that essentially “greenlights” a country as a safe destination for data transfers under the GDPR.\n\nFor more information about the DPF and data transfer mechanisms under the GDPR, feel free to visit [our blog](https://www.simpleanalytics.com/blog/all-about-the-new-data-transfer-framework#how-does-the-trans-atlantic-data-protection-framework-work) on the topic.\n\n## What is the story behind the Data Privacy Framework?\n\nWe already [wrote about this topic](https://www.simpleanalytics.com/blog/all-about-the-new-data-transfer-framework#what-is-the-story-behind-the-dpf) extensively, so here is the short version.\n\nThe DPF is not the first framework of its kind between the EU and the US. Two other frameworks- the Safe Harbor agreement and the Privacy Shield- served the same function in the past. However, both frameworks were **invalidated** by the EU Court of Justice in the **Schrems I and II** decisions. The rulings revolved around **US surveillance over foreign data** and highlighted that the older frameworks were not sufficient to safeguard European data against intelligence agencies.\n\nAfter Schrems II, privacy NGO noyb pushed for a stricter application of Schrems II through strategic litigation aimed at Google Analytics- a web analytics tool that processes visitor data in the US. Noyb’s litigation led to the _de facto_ ban of Google Analytics from several Member States, and sparked a heated debate about the lawfulness of EU-US data transfers under the GDPR.\n\nThe DPF aims to end this situation of chronic uncertainty by **striking a balance** between individual privacy, and the need to conduct electronic surveillance for national defense.\n\nThe US government and the European Commission worked closely to ensure that the new framework would withstand the scrutiny of the EU Court of Justice (CJEU). 
The Executive Order published by the US President somewhat limits surveillance agencies in how far they can snoop on European data, and introduces a new system for oversight and redress against abuses. The US and the European Commission are hoping that these new rules will allow the DPF to survive a “Schrems III” ruling.\n\n## Will Mr. Latombe succeed in suspending the framework?\n\nWe doubt it, because procedural hurdles might prevent merit from being discussed in the first place.\n\nMost cases end up in the CJEU via a preliminary ruling. In other words, the case is first brought before the court of a Member State, and then referred to the CJEU by the competent judge in order to clarify the interpretation of European law. This is how the Schrems I and II cases made their way to the CJEU as well.\n\nMr. Latombe’s case is different because he lodged his request as a **direct action**: he went straight to the Court and asked for the DPF to be annulled.\n\nThis strategy has its pros and cons. On the one hand, direct action **bypasses domestic courts** entirely, drastically shortening the time required to get a decision from the CJEU. On the other hand, EU law prescribes fairly strict requirements for direct actions: the applicant must successfully argue that the DPF concerns them **directly and individually**. This could be a problem for Mr. Latombe because he is no more concerned by the DPF than any other EU citizen.\n\nTraditionally, the requirement for direct and individual concern has been taken very seriously by the CJEU. This is why the Court will likely **dismiss the action without discussing its merit**.\n\nWe hope to be proven wrong because the fate of the DPF is the source of much legal uncertainty, and many organizations would greatly benefit from the clarity that a CJEU decision would bring.\n\n## How will things play out in the long term?\n\nEven if Latombe’s action is declared inadmissible, someone else will step up. 
Noyb already [announced its intention to challenge the framework](https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu), and other advocacy organizations may also take action.\n\nSo, sooner or later the CJEU will decide the fate of the DPF. And probably **shoot it down**\n\nOpinions on the new framework are quite polarized in the privacy community. Some believe the DPF to be the solution everyone has been longing for. Others- including noyb- consider it a Privacy Shield paint job and expect the CJEU to invalidate it as soon as the ball lands in its court (pun not intended).\n\nEuropean institutions themselves are divided on the merits of the framework. The Commission is, of course, an enthusiastic proponent of the DPF. On the other hand, the EU Parliament [rejected the DPF](https://www.europarl.europa.eu/news/en/press-room/20230505IPR85012/meps-against-greenlighting-personal-data-transfers-with-the-u-s) by a large majority. The vote of the Parliament is not binding but might influence the tone of the debate and put some pressure on the CJEU.\n\nWe don't think the new framework stands much of a chance. In some ways it is a better framework than the Privacy Shield, but that is not saying much. There are still too many problematic aspects in the DPF for the CJEU to overlook, and the overwhelmingly negative response of the Parliament will likely pressure the Court to put the framework under very close scrutiny.\n\n## Conclusions\n\nWe believe that privacy concerns everyone and that companies should be responsible in how they collect data. This is why we created Simple Analytics: the web analytics tool that provides businesses with all the insights they need- without touching personal data. 
If this sounds good to you, feel free to give us a try!\n",{"data":45},null,1832,"First challenge to the EU-US data transfer framework","French MP challenges the new data transfer framework, but procedural requirements may hinder his action","first-challenge-dpf","2023-09-26T11:28:19.198Z","2024-01-16T13:45:31.590Z",{"en":53,"de":54,"fr":56,"it":58,"es":60,"nl":62},{"slug":49},{"slug":55},"erste-anfechtung-des-eu-us-datenuebertragungsrahmens",{"slug":57},"premiere-remise-en-cause-du-cadre-de-transfert-de-donnees-entre-l-ue-et-les-etats-unis",{"slug":59},"prima-sfida-al-quadro-normativo-sul-trasferimento-dei-dati-tra-ue-e-usa",{"slug":61},"primer-desafio-al-marco-de-transferencia-de-datos-ue-ee-uu",{"slug":63},"eerste-uitdaging-voor-het-eu-vergeleken-met-kader-voor-gegevensoverdracht"]