BEERG Newsletter - EU/US Data Flows: First challenge to Data Privacy Framework launched

In an article on the EU Commission adopting an adequacy decision on the EU-U.S. Data Privacy Framework (DPF) in BEERG Newsletter issue #25 (July ’23) we predicted that there would be a challenge looking to invalidate the framework soon… and so it has. Sooner than many forecast, and from a source that very few would have predicted.

Philippe Latombe, a centrist member of the French parliament has lodged a challenge to the DPF with ECJ/CJEU's General Court. Latombe’s challenge, which uses Art 263 of the EU Treaty, has two parts. The first echoes the worries about U.S. mass surveillance made in the Schrems I and II cases. Specifically, he alleges that: the DPF is a copy of Privacy Shield; enables bulk personal data collection; does not provide an EU-equivalent redress mechanism, and that it lacks data security guarantees and protections against automated decision-making.

The second ground alleges a procedural breach by the EU, namely that the Data Privacy Framework was notified to EU countries in English only and was not published in the EU's Official Journal. 

Latombe is making his challenge as a private individual under Art 263, saying that the adequacy decision applies directly to him because data about him is transferred to the US via the DPF. This is an important point as Latombe as Art 263 is a fast-track procedure which allows the EU Court to review the legality of EU laws, but it also requires that the challenger demonstrate that the matter is of "direct and individual concern" to them. The claim could fall on this ground as the ECJ/CJEU has a history of interpreting the locus standi aspect of Art 263 very narrowly. 

While Latombe’s challenge may falter on the grounds of “standing”, others will be ready to pursue more robustly framed and argued challenges. The question is therefore: will any of them succeed? We have no doubt that the DPF will be subjected to years of wrangling in the EU courts, but as we said back in mid-July, we see a third invalidation as still unlikely. 

Circumstances have changed in the three years since Schrems II. You have the implications of Russian invasion of Ukraine and the critical importance to the trans-Atlantic data economy of AI and other cloud technologies require robust cross-border data flows. The EU Commission’s briefings suggest that it has learned a lot from its past defeats and that it is confident that it can address the EU court’s concerns. 

MEANWHILE in a separate – perhaps even positive development  - at the end of August the European news website Euractiv reported that Germany’s federal cabinet had adopted a new National Data Strategy. The German Digital Minister, the FDP’s Volker Wissing said the purpose of the strategy was to use the potential of generated data more effectively, strengthen digital innovation, and improve competitiveness, adding “data is the raw material of digitalisation, and we are sitting on a huge wealth of data”. 

Might this be an omen that German policy makers are starting to grasp that data processors can be a positive contributor to the economy and that data processing is not something to demonise and penalise? We hope it is.