EU court's dismissal of US data transfer challenge raises privacy advocates' ire
- Reference: 1756915662
- News link: https://www.theregister.co.uk/2025/09/03/eu_us_data_challenge/
- Source link:
The EGC published its [1]decision [PDF] today dismissing the annulment [2]action brought by French lawmaker Philippe Latombe in 2023 a few months after the rule went into [3]effect in July of that year.
For those who don't recall the specifics of the EU-US DPF, it was the third iteration of an attempt to standardize rules for transmitting data from European companies to American ones (and vice versa) by establishing rules to guarantee that Europeans had rights to their data transferred to the US. The first two attempts at such a framework, Safe Harbor and Privacy Shield, were thrown out after privacy activist and lawyer Max Schrems [4]successfully argued to the EU Court of Justice that neither deal adequately protected Europeans' data in the hands of American companies.
[5]
One of the key components of the DPF that helped it survive to implementation was an executive order signed by President Joe Biden in 2022 that directed the US to fulfill its DPF obligations. That order included the creation of a Data Protection Review [6]Court (DPRC) to hear issues related to the DPF.
[7]
[8]
The independence of the DPRC was a central issue to Latombe, who argued that its creation via executive order left its existence entirely dependent on the US president. By that logic, the court is anything but independent or assured of continued existence were, say, a more mercurial leader to kill it or remove judges due to a perceived slight.
The EGC disagreed with Latombe's assertion.
[9]
"It is apparent from the file that the appointment of judges to the DPRC and the DPRC's functioning are accompanied by several safeguards and conditions to ensure the independence of its members," the court said in a press release. DPRC judges, the EGC noted, can only be dismissed by the US Attorney General, and then only for cause.
The European Commission, likewise, has its own responsibility to "monitor continuously the application of the legal framework," and "may decide, if necessary, to suspend, amend or repeal" the DPF if the US doesn't uphold its end of the bargain.
The court also disagreed with Latombe's assertion that the Schrems II case required "prior authorization issued by an independent authority" to collect data, which it said the decision didn't address. Instead, the court said that such data collection only had to be subjected to review after the fact, meaning Latombe's argument that American intelligence agencies were failing to meet DPF requirements "cannot be considered" as part of the decision today.
[10]
"In the light of those considerations, the General Court rejects the plea … and, therefore, dismisses the action in its entirety," it concluded.
Get ready for Schrems III
Schrems appeared unsurprised to hear that Latombe's case was dismissed.
Latombe's case was narrowly focused, Schrems [11]said through his None Of Your Business (noyb) privacy advocacy group today, giving him little room for success. Because it was an annulment action and not a preliminary question, Latombe "not only had to prove that the deal was substantively wrong, but also that he was directly affected in order to be entitled to bring an action at all," noyb said.
But the DPF is almost certainly still illegal, noyb charged, because it is structured almost identically to the two prior deals Schrems defeated in court. Toss in what noyb said is "the Trump administration's latest abuses of power in issuing executive orders," and there's likely ground for another Schrems-led defeat of a data sharing agreement.
"We are convinced that a broader review of US law – especially the use of Executive Orders by the Trump administration should yield a different result," Schrems said in a statement.
The privacy crusader and lawyer pointed to Trump's dismissal of supposedly independent heads of government agencies as all the evidence the EU needs to consider the DPRC's independence only as strong as Trump's will not to mess with it.
"It is very surprising that the EU Court would find that sufficient," Schrems added. "Comparing this case with inner-EU cases such as on [12]Poland or [13]Hungary , it takes a lot of mental flexibility to accept this as an independent Court."
Schrems said his team is looking into its options for filing a legal challenge against the DPF.
[14]EU-US Privacy Framework could make life easier for a data biz, if it survives
[15]European Commission broke its own data privacy law with Microsoft 365 use
[16]Meta training AI on social media posts? Only 7% in Europe think it's OK
[17]EU takes another step towards US data-sharing agreement
While Schrems and EU privacy advocates are focused on the protection of Europeans' data, Tim Van Canneyt, partner at European law firm Fieldfisher, which specializes in supporting industries like the tech sector, said that the EGC's decision was likely political.
"Had the General Court struck down the DPF adequacy decision, it could have been interpreted – particularly by the Trump administration – as a deliberate move by the EU to undermine US economic interests," Van Canneyt told The Register . "That would have added fuel to the already simmering tensions around EU digital regulation and its perceived impact on American tech companies, not to mention the ongoing trade discussions."
Van Canneyt also said he doesn't see the EGC decision as departing from the logic of the Schrems I and II cases – something Schrems himself asserted – noting that while the legal standard remains the same, "the factual landscape has evolved."
"Today's judgment offers a degree of legal stability: data transfers to US entities under the DPF can continue uninterrupted," Van Canneyt explained. "Still, the long-term viability of the framework will depend on how US oversight mechanisms evolve."
Van Canneyt, like Schrems, believes this decision only buys the EU some time, and that politics could be a key component of a future challenge, be it brought by Schrems or anyone else. ®
Get our [18]Tech Resources
[1] https://curia.europa.eu/jcms/jcms/p1_5126472/en/
[2] https://curia.europa.eu/juris/document/document.jsf?docid=279601&doclang=EN
[3] https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752
[4] https://www.theregister.com/Tag/Schrems%20I%20and%20Schrems%20II/
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aLi6dZrfVMhPMUteye4ltgAAAFc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[6] https://www.justice.gov/opcl/redress-data-protection-review-court
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLi6dZrfVMhPMUteye4ltgAAAFc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLi6dZrfVMhPMUteye4ltgAAAFc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLi6dZrfVMhPMUteye4ltgAAAFc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLi6dZrfVMhPMUteye4ltgAAAFc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[11] https://noyb.eu/en/eu-us-data-transfers-first-reaction-latombe-case
[12] https://www.euronews.com/my-europe/2025/02/05/eu-court-upholds-320-million-fine-against-poland-over-controversial-judicial-reform
[13] https://www.aljazeera.com/news/2024/10/3/eu-takes-hungary-to-european-court-of-justice-over-soverignty-laws
[14] https://www.theregister.com/2023/05/11/data_privacy_minefield/
[15] https://www.theregister.com/2024/03/11/european_commission_infringed_data_protection/
[16] https://www.theregister.com/2025/08/07/meta_training_ai_on_social/
[17] https://www.theregister.com/2022/12/14/eu_us_data_sharing_agreement/
[18] https://whitepapers.theregister.com/
As mooted on these pages many times, any kind of true data sovereignty for the EU is a far off pipe-dream, and while these constant legal challenges to data exchanges between the EU & US might be important for technical legal reasons, they frankly make squat difference when it comes to operational decisions as in practical terms, data has to leave EU boundaries regardless
Even if the EU struck down the current framework, what are the EU Data Protection Authorities going to do? Fine literally every single company using Microsoft, Google, Amazon, Oracle, Salesforce and any one of thousands of other platforms and systems hosted in or owned by the US? If the legal framework is struck down, then chances are the same arguments would invalidate the Binding Corporate Rules that many large enterprises rely on as well, so that would be no alternative (even if you could afford the lawyers to sign off your own BDCs)
Of course that means that in practical terms the privacy of EU data hosted or processed in the US comes down to the whims of the US President and various three-letter US agencies, but again as discussed elsewhere, even if the data DOESN’T leave the EU, if the platform is owned or operated by a US company, then the privacy of that data is compromised in the same way anyway
The EU “privacy advocates” can stamp their feet all they like, but if the EU doesn’t allow practical solutions based on the reality of being entirely dependent on US technology companies, then it will only harm itself
"The EU “privacy advocates” can stamp their feet all they like, but if the EU doesn’t allow practical solutions based on the reality of being entirely dependent on US technology companies, then it will only harm itself"
Whilst I'm sure the EU will cave in even before TACO does, that's a pity because in the longer term it would help the EU to have a pretty major tech/data crisis soon. At the moment there's a lot of talk in Europe of data sovereignty, and reducing reliance on the US tech hegemony, but little of substance is actually done. Only a massive US/EU standoff will change that.
Dubious and pointless.
It is doubtful whether it is in the best interests of the 450m population of the EU that one unelected bloke should be allowed to upend trade between the EU and US by initiating a taxiff war that impacts negatively upon 27 entire economies, over GDPR, which has never been of any use or value to anyone anyway. Meanwhile, governments and their security services have always operated above the law and will continue to, spying on anyone they can.
There are more worthwhile legal battles to fight out there.
Re: Dubious and pointless.
Yes and No. The crux here is that any agreement is predicated on the US President being a nice chap who will allow the rules to apply equally on both sides of the pond. Since he is not and does not then you start with the fight which is easiest to win and then leverage for the next battle etc etc.
If you start with the toughest fight then you are minimising your chances of winning and could also use up all your funding before it even reaches the courts.
Re: Dubious and pointless.
"The crux here is that any agreement is predicated on the US President being a nice chap who will allow the rules to apply equally on both sides of the pond. Since he is not and does not then you start with the fight which is easiest to win and then leverage for the next battle etc etc."
US presidents have only ever acted in their own national interests. All that's changed is that the current occupant of the White House has completely thrown away the fig leaf of moderation and of diplomatic language. This is because he's thick, and a bully.
Re: Dubious and pointless.
> over GDPR, which has never been of any use or value to anyone anyway
Speak for yourself, I have found the GDPR to be of value.
re: executive orders
Executive Orders have no bearing on the situation. The only thing that matters is the USA PATRIOT ACT. Under that act the US government can request any information it desires from any company doing business in the USA, including subsidiaries and/or owners.