The Court of Justice for the European Union (CJEU) has handed down its judgment in the case of Latombe v Commission, underscoring the continuing validity of the EU-US Data Privacy Framework (DPF) as a lawful transfer mechanism under the GDPR.
What was the case all about?
Philippe Latombe, a French MP and CNIL Commissioner (CNIL being the French Data Protection Authority), lodged a request for the annulment of the DPF at the CJEU on 6 September 2023, making clear he was doing so in a personal capacity and not as a politician or member of a DPA.
Unlike the previous Schrems litigation, which involved preliminary rulings by the CJEU, Latombe brought a direct annulment action against the EU Commission's adequacy decision, which is the basis that underpins the DPF. This is a procedural and direct challenge and it is widely speculated this route was used to enable a quicker resolution.
In summary, Latombe argued the DPF violates both the EU Charter of Fundamental Rights and the GDPR and therefore an adequacy decision should never have been granted. He argued that US surveillance practices and the independence of oversight bodies are incompatible with the required "essentially equivalent" laws in order to grant adequacy.
The case was further complicated in that since it was lodged the changes brought about by the Trump administration have caused additional concerns in this area. Although the Privacy and Civil Liberties Oversight Board is now quorate again, the alleged issue with the independence of the Federal Trade Commission in enforcing the DPF principles in light of the Executive Order Ensuring Accountability for All Agencies remains.
What did the CJEU decide?
The CJEU analysed the substantive issues of whether the EU-US DPF complies with the GDPR and the EU Charter of Fundamental Rights. Itdismissed the action for annulment, as well as Latombe's pleadings regarding automated decision making (ADM) and security of processing.
What was the basis of the challenge and why did it fail?
Challenge: The US Data Protection Review Court (DPRC) was not impartial or independent but rather dependent on the executive
The CJEU concluded there are "several safeguards and conditions", in particular those set out in Executive Order 14086 and the Attorney General Regulation (AG Regulation) that were sufficient to guarantee independence, impartiality and effective redress, in both the functioning of the DPRC and also in regards to the appointment and dismissal of judges.
The DPF also requires the EU Commission to continuously monitor the application of the legal framework on which the adequacy decision is based. This oversight means the EU Commission may decide to limit the scope, suspend, amend or repeal the DPF should the legal framework change.
The "established by law" element under Article 47(2) of the Charter of Fundamental Rights has been seen as problematic from the DPF's inception as the DPRC was created by the executive, by a decision of the Attorney General, rather than a law adopted by the US Congress. However, the CJEU said, "it is necessary not merely to assess the formal nature of the legal text establishing a court and defining its operating rules, but it is necessary to ascertain whether that legal text provides sufficient guarantees to ensure its independence and impartiality..." In its assessment the Court held that Executive Order 14086 and the AG Regulation provide "guarantees intended to ensure the independence and impartiality of the DPRC".
It was also noted that in Schrems II, the CJEU held that, "effective judicial protection could be ensured not only by a court or tribunal belonging to the judiciary, but also by any other 'body' which offered persons whose data are transferred to the US guarantees substantially equivalent to those required by Article 47 of the Charter of Fundamental Rights".
All of these matters taken together resulted in the CJEU rejecting Latombe's plea that the DPRC is not impartial or independent.
Challenge: Bulk collection of personal data by US intelligence agencies is illegal
The CJEU also rejected Latombe's plea in relation to the bulk collection of personal data. The Court stated that indiscriminate bulk collection without restriction or safeguards is "not authorised in the US", and while "targeted collection" is not defined in US law it is generally used to "describe the collection of intelligence directed at a specific inpidual, communications account, or other identified target by intelligence agencies under the Foreign Intelligence Surveillance Act ("FISA") and E.O. 14086."
Timing was also a factor here with Latombe arguing prior authorisation by an independent authority was required. The CJEU stated that the minimum requirement as set out in Schrems II was in fact the decision authorising the collection be subject to ex post judicial review. Again, the CJEU makes clear that on the evidence before it, the bulk collection of personal data by intelligence agencies does not fall short of the Schrems II requirements and therefore US law does not fail to ensure an essentially equivalent level of legal protection as guaranteed by EU law.
The Court also held that its previous decision of La Quadrature du Net and Others, which focused on data retention, differs from the Latombe case and is "not relevant in the present case". This was on the basis that it deals with prior authorisation in combating counterfeiting and therefore is completely different in purpose to bulk collection of personal data undertaken by intelligence agencies.
Challenge: The EU Commission failed to include a provision establishing Article 22 GDPR rights not to be subject to ADM
Less attention has been focussed on this pleading, where Latombe alleges the EU Commission infringed Article 22 GDPR as it "failed to include a provision establishing the right of data subjects not to be subject to decisions based exclusively on the automated processing of personal data, including profiling, producing legal effects in relation to them or significantly affecting them".
This plea was also rejected as the sectoral protections provided by US laws, e.g. in the recruitment, employment, housing, insurance, home loans and credit sectors, were found to meet the test of an essentially equivalent level of protection to that guaranteed in the EU.
Challenge: The infringement of Article 32 GDPR (security of processing) by not ensuring essentially equivalent protection as guaranteed in the EU
Latombe's final plea was that the EU Commission infringed Article 32 GDPR by finding the US offered substantially equivalent protections to those guaranteed in the EU in respect of adequate technical and organisational measures to ensure the security of the processing of personal data transferred from the EU to the US.
Again, the Court reiterated that the third country did not need "identical" legal protections to those guaranteed in the EU, just that the level of protection was substantially equivalent. It held that the challenged provisions in Annex 1 of the DPF were similar in nature and while the language used differed, it did in fact provide essentially equivalent protections as under Article 32 GDPR and therefore rejected the plea.
What's next?
It remains to be seen if Latombe will appeal the judgment but with the short timescales to lodge such an appeal this should become clear in the coming days. Costs may also be a factor with Latombe picking up the tab for his own and the EU Commission's costs. Whatever his decision, there are plenty of privacy activists who may yet pick up the mantle, especially in light of the current US administration's changes to oversight and apparent attitude to surveillance. As ever in the world of data privacy, it is a case of watch this space!
Takeaway for employers
While this decision underscores the continuing validity of the DPF as a lawful transfer mechanism, on a practical note, given the chequered history of EU-US data transfers, many organisations have already provided an alternative "fallback" transfer mechanism, such as SCCs, in contracts to ensure compliance in case the DPF would be invalidated in the future. So should an appeal be lodged there is no need to change anything until the final determination has been handed down, but an audit of data transfer mechanisms would be prudent – and for those who didn't add in a fallback mechanism now might be the time to do so.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
