In a recent article in the European Law Blog, Ken Propp discusses the legal and judicial landscape evolving in response to the conclusion of the EU-U.S. Data Privacy Framework (DPF).
Although it has been applied only for a short period, the DPF is already facing legal challenge at the Court of Justice of the European Union (CJEU). In particular, French parliamentarian Philippe Latombe has initiated a direct action for annulment of the European Commission adequacy decision, and Austrian privacy activist Max Schrems is also said to be preparing a challenge to the DPF, potentially as an indirect action in a Member State court.
In light of such efforts, the Max Planck Institute for Procedural Law (MPI) convened a conference in Luxembourg in September to examine the DPF in the context of European fundamental rights and data protection law. MPI’s outgoing director, Professor Burkhard Hess, hosted the proceedings, which were also co-organized by the author of this post. Attendees included EU and U.S. negotiators of the DPF, judicial officials, internationally known experts in the areas of data protection and national security law, civil society representatives, and legal practitioners.
The two primary topics of discussion were whether a necessity and proportionality standard for the U.S. national security collection of personal data transferred from the EU to the United States would satisfy EU law, and how reinforced U.S. oversight and redress mechanisms for addressing claimed data privacy rights violations would compare to EU law requirements. Other points of discussion included whether the CJEU should apply to data transfers to third countries its separate jurisprudence relating to the retention of data by member state law enforcement agencies, and whether the CJEU should take into account longstanding case law of the European Court of Human Rights (ECTHR) on surveillance of individuals by security services. Additionally, it was debated whether the CJEU should consider how EU member states conduct intelligence activities when assessing US counterparts, and if it should also devote more of a focus to ongoing transfers of EU data to authoritarian states such as Russia.
Discussions at the conference suggested that issues relating to necessity and proportionality may prove thornier for the CJEU to resolve than those relating to oversight and redress. Other wildcards include EU member state disquiet regarding increased CJEU scrutiny of their intelligence programs and, at the same time, an emerging awareness within the EU of weaknesses in member states’ own surveillance oversight mechanisms.
To read the full article, click here.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.