Insights European court rejects EU-US Data Privacy Framework (“DPF”) challenge


The DPF is a bespoke, opt-in certification scheme for US organisations that facilitates the transfer of personal data between the EU and the US in compliance with GDPR. It includes a set of enforceable principles and requirements that must be met in order to be able to join the Framework. Once a US organisation has been certified as meeting the requirements, it will be placed on the DPF List. In July 2023, the European Commission adopted a decision finding that, in accordance with article 45(3) GDPR, the DPF ensured an adequate level of protection for personal data. This means that transfers of personal data from the EU to organisations appearing on the DPF List may take place without specific authorisation.

In September, Philippe Latombe, a French citizen, filed a claim with the EU General Court seeking to annul the Commission’s adequacy decision. He also applied for interim relief requesting the Court to order a stay of execution of the adequacy decision pending the final hearing.

The Treaty on the Functioning of the EU (TFEU) allows the court to suspend an EU act in exceptional circumstances. Rules of procedure require the applicant to establish the legal grounds for suspension and that the circumstances require urgency, that is, they are necessary to avoid serious and irreparable harm to the person requesting the suspension such that they cannot wait for the outcome of the final application, in this case, the annulment of the adequacy decision. The existence of a strong prima facie case is not enough; the applicant must also demonstrate harm.

The applicant claimed that as a user of Microsoft 365 and other applications, his personal data may be transferred to the USA under the DPF and that the USA does not, contrary to the adequacy decision, ensure an adequate level of protection. The Commission asserted that the applicant failed to demonstrate how this would cause him serious harm or the nature of the harm he would suffer. In fact, the applicant did not show that his use of the software would in fact result in the transfer of any data under the DPF. The Commission also pointed out that there are other routes under the GDPR by which the applicant’s data may be transferred to the USA but no explanation had been given as to how the DPF puts the applicant at a greater disadvantage. The applicant remains free to make a complaint with his data protection supervisory authority if he believes there is a GDPR breach.

The Court dismissed the request for interim relief on the basis that the applicant had failed to demonstrate the urgency of the measures sought.

For the case report (not yet available in English), click here.