Data Protection: The General Court dismisses an action for annulment of the new framework for the transfer of personal data between the European Union and the United States

Judgment of the General Court in Case T-553/23 | Latombe v Commission: Data Protection: the General Court dismisses an action for annulment of the new framework for the transfer of personal data between the European Union and the United States.


In so doing, it confirms that, on the date of adoption of the contested decision, the United States of America ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country.

The Charter of Fundamental Rights of the European Union [1] and the Treaty on the Functioning of the European Union (TFEU) [2] enshrine the right of every person to the protection of his or her personal data. On the basis of those legal instruments, and to avoid compromising the level of protection conferred within the European Union, EU secondary legislation [3] lays down the rules applicable to international transfers of personal data. 

In accordance with those rules, if the European Commission considers that a third country ensures an adequate level of protection, transfers of personal data to that country may take place without further authorisation, on the basis of the adequacy decision adopted by the Commission. Such a framework, established by the adequacy decision adopted by the Commission on 10 July 2023 (‘the contested decision’), [4] exists between the European Union and the United States of America. 

In the past, in the judgments in Schrems I [5] and Schrems II [6], the Court of Justice declared the two previous adequacy decisions [7] concerning the United States to be invalid, on the ground that they did not ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed by EU law.

On 7 October 2022, the United States of America adopted an Executive Order [8] that strengthened the privacy safeguards governing activities carried out by intelligence agencies established in the United States. That order was supplemented by an Attorney General Regulation [9] that amended the provisions governing the establishment and functioning of the Data Protection Review Court (‘the DPRC’). 

Following an examination of those regulatory developments in the United States, the Commission adopted the contested decision, which put in place the new transatlantic framework for personal data flows between the European Union and the United States.

Against that background, Philippe Latombe, a French citizen and user of various IT platforms that collect his personal data and transfer them to the United States, asked the General Court to annul the contested decision. According to Mr Latombe, the DPRC is neither impartial nor independent, but dependent on the executive. 

Moreover, he submits that the practice of the intelligence agencies of that country of collecting in bulk personal data in transit from the European Union, without the prior authorisation of a court or an independent administrative authority, is not circumscribed in a sufficiently clear and precise manner and is, therefore, illegal.

The General Court dismisses the action for annulment.

As regards, in the first place, the DPRC, the General Court states inter alia that it is apparent from the file that the appointment of judges to the DPRC and the DPRC’s functioning are accompanied by several safeguards and conditions to ensure the independence of its members. Moreover, judges of the DPRC may be dismissed only by the Attorney General and only for cause, and the Attorney General and intelligence agencies may not hinder or improperly influence their work.

The General Court also observes that, under the contested decision, the Commission is required to monitor continuously the application of the legal framework on which that decision is based. Thus, if the legal framework in force in the United States at the time of the adoption of the contested decision changes, the Commission may decide, if necessary, to suspend, amend or repeal the contested decision or to limit its scope.

In the light of those considerations, the General Court rejects the plea alleging that the DPRC is not independent.

As regards, in the second place, the bulk collection of personal data, the General Court points out, in particular, that there is nothing in Schrems II to suggest that that collection must necessarily be subject to prior authorisation issued by an independent authority. 

Rather, it is clear from that judgment that the decision authorising such collection must, at a minimum, be subject to ex post judicial review. In the present case, it is apparent from the file that, under US law, signals intelligence activities carried out by US intelligence agencies are subject to ex post judicial oversight by the DPRC. 

Therefore, the General Court finds that it cannot be considered that the bulk collection of personal data by American intelligence agencies falls short of the requirements arising from Schrems II in that regard or that US law fails to ensure a level of legal protection that is essentially equivalent to that guaranteed by EU law.

In the light of those considerations, the General Court rejects the plea concerning the bulk collection of personal data and, therefore, dismisses the action in its entirety. (source curia.europa.eu/photo freepik.com)

_____________

1 Article 8(1) of the Charter.

2 Article 16(1) TFEU.

3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

4 Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework.

5 Judgment of 6 October 2015, Schrems (Schrems I) C-362/14 (see also Press Release No. 117/15).

6 Judgment of 16 July 2020, Facebook Ireland and Schrems (Schrems II), C-311/18 (see also Press Release No. 91/20).

7 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce; and Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

8 Executive Order 14086.

9 Attorney General Regulation 28 CFR Part 201.

Comments

Post a Comment

Popular posts from this blog

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

An overview of the regulatory framework on Gambling Services in the European Union

Image
written by Efi Thoma * The European Union (EU) does not have a harmonized, single regulatory framework for betting companies. Instead, the regulation of gambling services, including betting, remains largely within the competence of individual Member States.  This results in a diverse and often fragmented legal framework across the EU. While the EU facilitates some level of cooperation and sets overarching principles, the specifics of licensing, operational requirements, and consumer protection measures vary significantly from country to country. Despite the lack of a unified framework, several key principles and EU-level instruments influence the national regulations of betting companies. More specifically, the Treaty on the Functioning of the European Union (TFEU) guarantees the freedom of establishment and the freedom to provide services within the EU. These fundamental freedoms mean that Member States cannot unjustifiably restrict betting companies legally established in ano...
Read more

New President of the European Court of Human Rights

Image
The European Court of Human Rights has elected on 28.4.2025 Mattias Guyomar, Judge elected in respect of France, as its new President.  Mattias Guyomar succeeds Marko Bošnjak, Judge elected in respect of Slovenia. He will take up office on 30 May 2025. Read his bio here Furthermore, the Judge elected in respect of Armenia, Vahe Grigoryan, was formally sworn in in the Court's Main Hearing Room on 28.4.2025. Read as well:  Interventions in Justice System and the role of Artificial Intelligence / article by Giorgos Kazoleas, Lawyer in Cyprus
Read more

Access to documents: the Commission decision refusing a journalist of The New York Times access to the text messages exchanged between President von der Leyen and the CEO of Pfizer is annulled (CJEU)

Image
In its Judgment dated 14/5/2025 in Case T-36/23 (Stevi and The New York Times v Commission), the General Court ruled that the Commission decision refusing a journalist of The New York Times access to the text messages exchanged between President von der Leyen and the CEO of Pfizer is annulled. By an application based on the Access to Documents Regulation, [1], Matina Stevi, a journalist working for the daily newspaper The New York Times, requested the European Commission to provide access to all text messages exchanged between President Ursula von der Leyen and Albert Bourla, the chief executive officer of Pfizer, between 1 January 2021 and 11 May 2022.  The Commission rejected that application on the ground that it did not hold the documents covered by it. Ms Stevi and The New York Times requested the General Court of the European Union to annul the Commission’s decision.  In its judgment, the General Court upholds the action and annuls the Commission’s decision. The Court re...
Read more

Imposition of a fine on a bank in Greece for an incident of personal data breach

Image
The Greek Data Protection Supervisory Authority imposed on a Bank, as Data Controller, an administrative fine of EUR 100,000 for violating the principles of accuracy, integrity, and confidentiality of data, and the principles of data protection by design and by default, in conjunction with Articles 32, 33, and 34 of the GDPR, as well as an administrative fine of EUR 20,000 for violating the complainants' right of access. Complaints were submitted to the Supervisory Authority of Greece against the National Bank of Greece for the incorrect linking of a complainant's bank account with the mobile phone number of another complainant in the “i-bank Pay application”, which resulted in money transfers, via “IRIS online payments service”, which were made to the first complainant's account instead of the second's.  In the context of the administrative audit conducted by the Authority, the Bank eventually identified that the issue was due to incorrect configuration during the ...
Read more

Convention for the Protection of the Profession of Lawyer has been opened for signature

Image
The Council of Europe Convention for the Protection of the Profession of Lawyer has been opened for signature on the occasion of the meeting of Council of Europe Foreign Ministers organised in Luxembourg on 13-14 May. This is the first-ever international treaty aimed at protecting the profession of lawyer in a context of increasing reports of attacks on the practice of the profession, whether in the form of harassment, threats or attacks, or interference with the exercise of professional duties. The  Convention  has been signed by Andorra, Estonia, France, Greece, Ireland, Italy, Lithuania, Luxembourg, Netherlands, North Macedonia, Norway, Poland and Sweden. Belgium, Iceland, the Republic of Moldova and the United Kingdom will sign it on 14 May. Lawyers play a key role in upholding the rule of law and securing access to justice for all, including to defend victims of possible human rights violations. Therefore, public confidence in justice s...
Read more

Position of Legal Adviser in the European Climate, Environment and Infrastructure Executive Agency (CINEA)

Image
The European Climate, Environment and Infrastructure Executive Agency (CINEA) seeks to recruit  a Legal Adviser. The Agency fosters a culture of employee empowerment and engagement, emphasising collaboration, respect, integrity, trust. equality, diversity, and inclusion The Agency and its staff are committed to a number of core values including innovation, client focus, excellence, well-being, care, work-life balance, sustainability and working together. The European Climate, Environment and Infrastructure Executive Agency (CINEA) has been established by the European Commission to support stakeholders in delivering the European Green Deal through high-quality programme management that helps to implement projects contributing to decarbonisation and sustainable growth. CINEA implements parts of EU funding programmes for transport, energy, environment and climate action with strong focus on contributing to the European Commission's Green Deal priority. As a member of the Legal Sec...
Read more