The European Union General Court (EGC) has dismissed a legal challenge against the EU-US Data Privacy Framework (DPF), allowing transatlantic data flows to continue for now. French lawmaker Philippe Latombe had argued that the framework’s Data Protection Review Court (DPRC)—established by a US executive order—lacked true independence, as its existence depends on the will of the sitting US president. However, the EGC ruled that sufficient safeguards exist to ensure the DPRC’s judicial autonomy, including protections against arbitrary dismissal of its members. The court also rejected claims that US intelligence agencies’ data collection practices violated DPF requirements, noting that post-collection review mechanisms, rather than prior authorization, were consistent with existing legal standards.
This ruling represents the third major attempt to create a stable legal mechanism for EU-US data transfers, following the invalidation of the earlier Safe Harbor and Privacy Shield agreements—both struck down due to successful legal challenges by privacy activist Max Schrems. Schrems has already signaled that further legal action is likely, arguing through his organization noyb that the DPF remains structurally flawed and vulnerable to political interference, particularly under future US administrations. He pointed to former President Trump’s record of dismissing independent officials as evidence that the DPRC’s independence cannot be guaranteed, suggesting that a broader review of US law could yet invalidate the framework.
Despite the court’s dismissal, the long-term legitimacy of the DPF remains uncertain. Legal and industry experts, including Tim Van Canneyt of Fieldfisher, acknowledge that while the ruling provides temporary stability for businesses reliant on transatlantic data flows, the framework’s durability hinges on evolving US oversight practices and political climates. Van Canneyt also noted that the decision may reflect geopolitical considerations, as invalidating the DPF could have escalated trade tensions between the EU and the US. For now, companies can continue operating under the DPF, but stakeholders should prepare for potential future legal challenges that could once again disrupt data transfer mechanisms between the two regions.
Ez a cikk a Neural News AI (V1) verziójával készült.
Forrás: https://www.theregister.com/2025/09/03/eu_us_data_challenge/.