ARTICLE
5 September 2025

Transatlantic Trouble? Not This Time! Latombe's Challenge To EU-US Data Transfers Fails

Lewis Silkin

Contributor


The General Court of the European Union today handed down its judgment in the case of Latombe v Commission (T553/23) underscoring the continuing validity of the EU-US Data Privacy Framework (DPF) as a lawful transfer mechanism under Article 45 GDPR.

What was the case all about?

By way of reminder Philippe Latombe, a French MP and CNIL Commissioner, lodged a request for the annulment of the DPF at the Court of Justice for the European Union (CJEU) on 6 September 2023, making clear he was doing so in a personal capacity and not as a politician or member of a DPA.

Unlike the previous Schrems litigation, which involved preliminary rulings by the CJEU, M. Latombe brought a direct annulment action against the EU Commission's adequacy decision, which is the basis that underpins the DPF. This is a procedural and direct challenge and it is widely speculated this route was used to enable a quicker resolution.

In summary M. Latombe argued the DPF violates both the EU Charter of Fundamental Rights and the GDPR and therefore an adequacy decision should never have been granted. He argued that US surveillance practices and the independence of oversight bodies are incompatible with the required "essentially equivalent" laws in order to grant adequacy.

The case was further complicated in that, since it was lodged, the changes brought about by President Trump have caused additional concerns in this area (for more see our article here). Although the Privacy and Civil Liberties Oversight Board (PCLOB) is now quorate again, the alleged issue with the independence of the Federal Trade Commission (FTC) in enforcing the DPF principles in light of the Executive Order Ensuring Accountability for All Agencies remains.

So what happened today?

While the initial focus for many was on whether or not M. Latombe had standing to bring the case the General Court held that it is "in the interests of sound administration of justice, to examine its merits, without first ruling on its admissibility" (see paras. 14 & 15 and Council v. Boehringer C-23/00).

The judgment analysed the substantive issues of whether the EU-US DPF complies with the GDPR and the EU Charter of Fundamental Rights and "dismisses the action for annulment", as well as M. Latombe's pleadings in regards to automated decision making (ADM) and security of processing.

What was the basis of the challenge and why did it fail?

  • The Data Protection Review Court (DPRC) was not impartial or independent but rather dependent on the executive (paras. 24 – 82)

The General Court concluded there are "several safeguards and conditions", in particular those set out in Executive Order 14086 and the Attorney General Regulation (AG Regulation) that were sufficient to guarantee independence, impartiality and effective redress, in both the functioning of the DPRC and also in regards to the appointment and dismissal of judges.

The DPF also requires the EU Commission to continuously monitor the application of the legal framework on which the adequacy decision is based. This oversight means the EU Commission may decide to limit the scope, suspend, amend or repeal the DPF should the legal framework change.

The "established by law" element under Article 47(2) of the Charter of Fundamental Rights has been seen as problematic from the DPF's inception as the DPRC was created by the executive, by a decision of the Attorney General, rather than a law adopted by the US Congress. However, the General Court said "it is necessary not merely to assess the formal nature of the legal text establishing a court and defining its operating rules, but it is necessary to ascertain whether that legal text provides sufficient guarantees to ensure its independence and impartiality..." In its assessment the Court held that Executive Order 14086 and the AG Regulation provide "guarantees intended to ensure the independence and impartiality of the DPRC".

It was also noted that in Schrems II, the CJEU held that "effective judicial protection could be ensured not only by a court or tribunal belonging to the judiciary, but also by any other 'body' which offered persons whose data are transferred to the US guarantees substantially equivalent to those required by Article 47 of the Charter of Fundamental Rights" (see para 81 and Schrems II para 197).

All of these matters taken together resulted in the General Court rejecting M. Latombe's plea that the DPRC is not impartial or independent.

  • Bulk collection of personal data by US intelligence agencies is illegal (paras. 83 – 160)

The General Court also rejected M. Latombe's plea in relation to the bulk collection of personal data. The Court stated that indiscriminate bulk collection without restriction or safeguards is "not authorised in the US", and while "targeted collection" is not defined in US law it is generally used to "describe the collection of intelligence directed at a specific individual, communications account, or other identified target by intelligence agencies under the Foreign Intelligence Surveillance Act ("FISA") and E.O. 14086."

Timing was also a factor here with M. Latombe arguing prior authorisation by an independent authority was required. The General Court stated that the minimum requirement as set out in Schrems II was in fact the decision authorising the collection be subject to ex post judicial review (see para. 105). Again the General Court makes clear that on the evidence before it, the bulk collection of personal data by intelligence agencies does not fall short of the Schrems II requirements and therefore US law does not fail to ensure an essentially equivalent level of legal protection as guaranteed by EU law.

The Court also held that La Quadrature du Net and Others (C-511/18, C-512/18 and C-520/18) differs from the Latombe case and is "not relevant in the present case" as it deals with prior authorisation in combating counterfeiting and therefore is completely different in purpose to bulk collection of personal data undertaken by intelligence agencies. It also rejected Latombe's arguments based on Big Brother Watch & Ors v UK (CE:ECHR:2021:0525) (see paras. 128 – 147) and Opinion 5/2023 of the European Data Protection Supervisor (see paras. 148 – 153).

  • The EU Commission failed to include a provision establishing Article 22 GDPR rights not to be subject to ADM (paras. 161 - 187)

Less attention has been focussed on this pleading, where M. Latombe alleges the EU Commission infringed Article 22 GDPR as it "failed to include a provision establishing the right of data subjects not to be subject to decisions based exclusively on the automated processing of personal data, including profiling, producing legal effects in relation to them or significantly affecting them".

This plea was also rejected as the sectoral protections provided by US laws, e.g. in the recruitment, employment, housing, insurance, home loans and credit sectors, were found to meet the test of an essentially equivalent level of protection to that guaranteed in the EU.

  • The infringement of Article 32 GDPR (security of processing) by not ensuring essentially equivalent protection as guaranteed in the EU (paras. 188 - 204)

M. Latombe's final plea was that the EU Commission infringed Article 32 GDPR by finding the US offered substantially equivalent protections to those guaranteed in the EU in respect of adequate technical and organisational measures to ensure the security of the processing of personal data transferred from the EU to the US.

Again the Court reiterated that the third country did not have to have "identical" legal protections to those guaranteed in the EU, just that the level of protection was substantially equivalent. It held that the challenged provisions in Annex 1 of the DPF were similar in nature and while the language used differed, it did in fact provide essentially equivalent protections as under Article 32 GDPR and therefore rejected the plea.

Conclusion

It remains to be seen if M. Latombe will appeal the judgment but with the short timescales to lodge such an appeal (2 months + 10 days) this should become clear in the coming days. Costs may also be a factor with M. Latombe picking up the tab for his own and the EU Commission's costs. Whatever his decision, there are plenty of privacy activists who may yet pick up the mantle (e.g. see noyb's first reaction), especially in light of the current US administration's changes to oversight and apparent attitude to surveillance. As ever in the world of data privacy, it is a case of watch this space!

While today's decision underscores the continuing validity of the DPF as a lawful transfer mechanism, on a practical note, given the chequered history of EU-US data transfers, many organisations have already provided an alternative "fallback" transfer mechanism, such as SCCs, in contracts to ensure compliance in case the DPF is invalidated in the future. So, should an appeal be lodged, there is no need to change anything until the final determination has been handed down, but an audit of your data transfer mechanisms would be prudent - and for those who didn't add in a fallback mechanism, now might be the time to do so.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
