EU Court Upholds Transatlantic Data Transfer Pact

- The EU General Court has validated the 2023 EU-US data transfer framework, offering legal clarity for firms despite ongoing privacy concerns.
Legal Certainty for Cross-Border Data Transfers
The European Union’s General Court has upheld a data transfer agreement between the EU and the United States, originally signed in 2023. This framework replaces two previous accords that were invalidated by the EU’s highest court due to privacy concerns. Thousands of companies—including financial institutions, tech firms, pharmaceutical groups, and automakers—rely on such agreements to move personal data across the Atlantic for operational needs. These include payroll processing, cloud services, and other commercial functions.
The ruling provides a measure of legal stability for transatlantic data flows, which have faced repeated disruptions over the past decade. While the decision does not eliminate all legal risks, it signals institutional support for the current framework. The European Commission, which negotiated the deal on behalf of the 27 member states, maintains that the agreement ensures adequate protection for EU citizens’ data. This position was challenged in court but ultimately upheld.
Challenge from Privacy Advocates
French lawmaker Philippe Latombe filed a legal challenge against the European Commission, arguing that the agreement lacked sufficient safeguards for personal privacy. He pointed to concerns over bulk data collection and questioned the independence of the U.S. Data Protection Review Court (DPRC), the body designated to hear complaints from EU citizens. According to Latombe, the DPRC does not meet the standards of impartiality and legal robustness required under EU law. Despite these objections, the General Court found the framework to be legally sound.
Judges concluded that U.S. intelligence activities are subject to judicial oversight, referencing the DPRC as a mechanism for post-facto review. The court emphasized that, at the time of adoption, the United States provided an adequate level of protection for personal data transferred from the EU. Latombe retains the right to appeal the decision to the Court of Justice of the European Union (CJEU), which previously invalidated similar frameworks. The current case, T-553/23, may yet continue through further legal scrutiny.
Historical Context and Ongoing Debate
This ruling follows years of legal and political tension surrounding transatlantic data transfers. The two prior agreements—Safe Harbor and Privacy Shield—were both struck down by the CJEU after challenges led by Austrian privacy activist Max Schrems. His concerns centered on U.S. surveillance practices and the lack of effective legal remedies for EU citizens. Schrems has expressed skepticism about the new framework, suggesting that a deeper review of U.S. law could lead to a different outcome.
The EU’s broader regulatory stance on Big Tech has added friction to its relationship with the U.S., with past threats of retaliation from American officials. While the current framework may offer temporary relief for businesses, privacy advocates continue to push for stronger protections. The debate underscores the difficulty of reconciling differing legal standards and surveillance practices across jurisdictions. Future challenges could once again reshape the landscape of international data governance.
The Role of the DPRC