September was a watershed month for companies in Europe wanting to share data with the US. The General Court of the European Union rejected a challenge to a privacy framework between the two countries. This means that US organizations can continue to import personal data from the EU.

The challenge to the EU–U.S. Data Privacy Framework (DPF) came from French parliamentarian Philippe Latombe. He was unhappy with the details of the Framework, which provides a legal pathway for thousands of US companies to receive EU personal data. He had challenged the European Commission’s adequacy decision that allows the DPF to operate, on two grounds.

First, he asserted that the US Data Protection Review Court (DPRC) was not independent or impartial. This court, established under the Framework, is a US-operated body that reviews complaints from EU residents about the handling of their data by US intelligence agencies. Second, he argued that those agencies’ bulk collection of data without prior approval by a court violated the EU’s Charter of Fundamental Rights.

This wasn’t the first time that the EU courts had dealt with challenges to privacy frameworks. Lawyer Max Schrems had already brought down two earlier attempts at an equivalency framework between the EU and the US.

Schrems filed his first complaint in 2013, challenging Facebook’s US data transfers under Safe Harbor, on the back of Edward Snowden’s NSA surveillance revelations. The October 2015 Schrems I ruling invalidated Safe Harbor entirely, finding US surveillance laws allowed interference beyond what was “strictly necessary”.

The EU and US tried again with Privacy Shield, which replaced Safe Harbor in 2016, but Schrems challenged both the new framework and Standard Contractual Clauses, arguing that the underlying US surveillance authorities remained unchanged. The July 2020 Schrems II decision invalidated Privacy Shield while upholding Standard Contractual Clauses (SCCs), the Commission-approved model contracts that organizations can use to legitimise data transfers. Since Schrems II, transfers under SCCs also require a Transfer Impact Assessment (TIA), in which the exporter does its own due diligence on whether EU data will be protected in the destination country.

A Failure to Convince the Court

Had Latombe succeeded in his challenge, it would have plunged companies back into the cumbersome world of SCCs and TIAs. However, the General Court disagreed with him. It found that although DPRC judges are appointed by the US Attorney General, the guarantees attached to their appointment and tenure satisfy the requirement of independence. It also held that Schrems II does not require prior approval by a court for bulk collection. Instead, it said, ex post (after the fact) review is enough, and the DPRC already provides that.

All this points to the protections under US law being “essentially equivalent” to those under EU law, according to the General Court’s ruling as summarised in the Court’s announcement.

It Isn’t Over Till It’s Over

So, what does this mean for the status quo? On the surface, it suggests that businesses can keep transferring personal data from the EU to the US under the DPF without legal impediment. But don’t cast aside the law books just yet; further legal challenges are already in the works, which suggests this isn’t over.

NOYB (“None Of Your Business”, Schrems’ organisation) argues that the DPF simply repackages the same surveillance powers the CJEU has twice rejected. “The protections under the new deal are almost 1:1 a copy/paste of the previous deals that the CJEU found to be unlawful in Schrems I and Schrems II,” it said. “In some elements the protections are even worse than in the older Executive Order that was not sufficient for the CJEU. It is therefore surprising that the General Court would issue a different decision on the 3rd version of the EU-US deal compared to the previous two versions.”

Latombe is now able to appeal to the Court of Justice, with a filing deadline of mid-November this year. With privacy advocates criticising the ruling, it’s likely that the DPF will face further attack.

With this in mind, lawyers say organisations would do well to adopt a layered approach to data transfer as the most legally resilient strategy. Binding Corporate Rules (BCRs) also play a part here. These are a corporate group’s internal data-transfer rules, approved by EU regulators, which cover transfers between the group’s own entities across national borders.

“For now, the DPF remains a valid and streamlined pathway for EU to US personal data transfers,” explains law firm Clifford Chance. “Build around it, keep SCC/BCR playbooks ready, refresh Transfer Impact Assessments (referencing EO 14086 and the DPRC where relevant), and monitor both the appeal and US oversight landscape,” the firm advised.

In 2021, the European Data Protection Board (EDPB) also published guidance on what data exporters can do to maintain EU-level data protection when exporting data to other countries. It advises exporters to fully document their data transfers and to verify the transfer tool they’re relying on under Article 46 of the GDPR. Alongside SCCs and BCRs, such tools include codes of conduct, certification mechanisms, and ad hoc contractual clauses. Exporters should also assess the law of the destination country if there is no adequacy decision in place. The guidance further covers supplementary measures, such as encrypting the data before export with the keys retained solely in the EU, so that the importer (and anyone compelling it) never has access to the plaintext.
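The encryption-with-EU-held-keys measure is the one genuinely technical control on this page, so here is an added example of what it looks like in practice. This is illustrative code written for this page, not code from the EDPB guidance, the article’s author, or any of the firms quoted. It assumes a simple envelope-encryption design: each record is encrypted under a fresh data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stays with the EU exporter (in production, in an EU-controlled KMS or HSM), and only the ciphertext plus wrapped DEK cross the border. The record ID is used as AES-GCM associated data so that records cannot be swapped or re-labelled in transit. The sample KEK, record ID and customer string are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ExportedRecord is the only thing that leaves the EU: the record encrypted
// under a per-record DEK, plus that DEK wrapped under the EU-held KEK.
// The KEK itself never appears in this structure.
type ExportedRecord struct {
	RecordID   string
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
}

// gcmSeal encrypts with AES-GCM under a random nonce and prepends the nonce.
// aad binds the output to the record ID; a mismatch fails authentication.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if key, nonce, tag or aad do not match.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Export runs on the EU exporter's side. The KEK is used only to wrap the
// fresh DEK and is never included in the output.
func Export(kek []byte, recordID string, plaintext []byte) (ExportedRecord, error) {
	dek := make([]byte, 32) // AES-256 data-encryption key, one per record
	if _, err := rand.Read(dek); err != nil {
		return ExportedRecord{}, err
	}
	aad := []byte(recordID)
	ct, err := gcmSeal(dek, plaintext, aad)
	if err != nil {
		return ExportedRecord{}, err
	}
	wrapped, err := gcmSeal(kek, dek, aad)
	if err != nil {
		return ExportedRecord{}, err
	}
	return ExportedRecord{RecordID: recordID, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt is the only path back to plaintext. It needs the KEK, so it can
// only run where the KEK lives: in the EU, or an EU-controlled KMS/HSM.
func Decrypt(kek []byte, rec ExportedRecord) ([]byte, error) {
	aad := []byte(rec.RecordID)
	dek, err := gcmOpen(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", rec.RecordID, err)
	}
	return gcmOpen(dek, rec.Ciphertext, aad)
}

func main() {
	// Constructed sample KEK; in practice this sits in an EU HSM/KMS.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := Export(kek, "customer-4711", []byte("Anna Mueller, Berlin"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("exported %d ciphertext bytes, %d wrapped-key bytes\n",
		len(rec.Ciphertext), len(rec.WrappedDEK))
	// What a US importer holding only the record can do without the KEK: nothing.
	if _, err := Decrypt(make([]byte, 32), rec); err != nil {
		fmt.Println("importer without KEK:", err)
	}
	pt, err := Decrypt(kek, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("EU side with KEK:", string(pt))
}
```

The point for a TIA is the second half of main: the importer can store and forward the record, but cannot produce plaintext, and neither can anyone who compels it, because the KEK was never transferred. Any processing that needs plaintext has to happen in the EU, which is exactly the limitation the EDPB notes for this measure.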

So it’s business as usual for now, but prudent risk management demands a backup plan. With political uncertainty in Washington and the danger of further legal challenges in Europe, companies shouldn’t rely on the DPF alone.