In a judgment handed down on Wednesday 3 September (Case T-555/23), the General Court of the European Union ruled that the level of protection for personal data in the United States was equivalent to the rules in force in the EU.
After the Court of Justice of the European Union invalidated its two previous adequacy decisions (‘Schrems I’ judgment of 2015 against Decision 2000/520 ‘Safe Harbor’ and ‘Schrems II’ judgment of 2020 against Decision 2016/1250 ‘Privacy Shield’ - see respectively EUROPE 11404/1 and 12529/2), the European Commission adopted, in July 2023, a third decision (2023/1795 - see EUROPE 13219/11) finding that the United States provides a level of protection for personal data equivalent to that in force in the EU.
Frenchman Philippe Latombe is seeking the third adequacy decision’s annulment, arguing that the American DPRC, which is responsible for monitoring data protection, is dependent on the executive. Furthermore, he argues, the practices of United States intelligence agencies, which collect personal data in bulk without prior authorisation from a judge, are not sufficiently regulated.
In its judgment, the General Court dismissed the action for annulment. In its view, the appointment of judges and the DPRC court, as well as its operation, are accompanied by guarantees and conditions designed to ensure the independence of its members. In particular, the attorney general and intelligence agencies may not hinder or unduly influence the court’s work.
The General Court also noted that the European Commission may at any time amend or repeal the contested decision if the American legal framework is weakened.
As regards the bulk collection of data, the General Court notes that, in accordance with the ‘Schrems II’ judgment (Case C-311/18), such collection need not be subject to prior authorisation by an independent authority but, at the very least, to ex post judicial review. In the General Court’s view, the fact that the activities of intelligence agencies in the United States are subject to ex post judicial review by the DPRC therefore meets the requirements of the ‘Schrems II’ judgment.
It concludes that US law provides substantially equivalent protection to that guaranteed by EU law.
The Business Software Alliance has welcomed a judgment that brings “stability” to businesses and consumers on both sides of the Atlantic, who “rely every day on trusted cross-border data flows”. Speaking on behalf of the International Association of Privacy Professionals (IAPP), Isabelle Roccia said that the General Court’s judgment “brings a breath of relief for operators at a time when the transatlantic digital environment is particularly tense” (see EUROPE 13700/18). However, she noted “an important nuance: the General Court did not rule on the question of whether the preconditions for its implementation are still intact today, opening the door to a possible legal battle on this critical point”.
See the General Court’s judgment (in French): https://aeur.eu/f/i8t (Original version in French by Mathieu Bion with Isalia Stieffatre)