French lawmaker Philippe Latombe’s latest lawsuit at the EU’s top court, which could derail the new EU-US data transfer deal, has found support in Germany, where the two-month-old agreement is already facing widespread criticism.
Read the original German story here.
Latombe, a French MEP from the liberal Mouvement D?mocrate (MoDem), filed two lawsuits with the EU Court of Justice last week seeking to overturn the most recent edition of the transatlantic data protection agreement between the European Union and the US.
Latombe also has support from colleagues in the German Bundestag, as the agreement, which governs all data transfers between the two continents, is also viewed critically in Germany.
“A legal review is not unexpected for me, as personal data from Europe does not enjoy the same level of EU protection in the US, even after the new edition of the Privacy Shield,” Maximilian Funke-Kaiser, digital policy spokesman for the liberal FDP, told Euractiv.
The EU court had struck down the two previous agreements, Safe Harbour and Privacy Shield, for failing to guarantee EU data protection standards in the US.
No surprise in the Bundestag
At the same time, various parliamentary groups in the Bundestag are very united in their criticism of the new agreement.
“The level of data protection in the United States is still inadequate. So it is only logical that the current agreement is also being challenged in court,” Petra Sitte, technology policy spokesperson for the Left Party parliamentary group, told Euractiv.
The European Commission must understand that its attempts at a transatlantic data transfer agreement will only be valid if something substantial changes, Sitte said.
The ongoing legal review, Funke-Kaiser added, “is as annoying as it is necessary in the context of the urgent need for clear rules of the game for companies”.
A lawsuit was also foreseeable, according to the opposition Christian Democratic Union (CDU/CSU).
Despite data protection concerns, it is also important to “create a contractually secure and clean basis for data exchange, especially between the major players, the US and Europe,” said CDU member Franziska Hoppermann.
New data transfer conditions
This is not the first time that a data transfer agreement between the US and the EU has come under fire.
The first agreement between the US and the EU, known as the Safe Harbour Agreement, was struck down by the EU’s highest court in 2015 after being challenged by Max Schrems, an Austrian lawyer and co-founder of the digital rights NGO NOYB.
In 2020, the Privacy Shield, the predecessor to the EU-US Data Protection Framework (DPF), was also struck down by the EU court, which cited the risk of massive surveillance and spying on EU citizens by US intelligence agencies.
As a result, the EU and the US agreed on the US Data Privacy Framework, a new Commission framework that entered into force on 10 July and is now intended to underpin and facilitate data transfers to the US.
The new conditions are designed to address some of the EU’s data protection concerns and limit the ways in which US intelligence agencies can obtain information about EU citizens.
In addition, the framework agreement contains other conditions for the collection of personal data.
EU citizens will also have recourse to the US Civil Liberties Protection Officer and the independent Data Protection Review Court.
According to Latombe’s statement, however, the EU-US data protection framework violates the EU General Data Protection Regulation (GDPR) and the bloc’s Fundamental Rights charter.
For example, the charter’s Article 52 guarantees and protects the fundamental freedoms of EU citizens, stating that restrictions on such freedoms may only be made where necessary and proportionate. “Proportionate” mass surveillance would violate this principle.
NOYB, which had already brought down the predecessors of the agreement, announced a challenge the day the EU-US data protection framework was adopted.
The “third attempt of the European Commission to get a stable agreement on EU-US data transfers will be likely back at the Court of Justice (CJEU) in a matter of months”, it said.
It is highly likely that Schrems will file a suit with an Austrian court in the autumn, which will then refer the case to the EU Court of Justice for a preliminary ruling.
To file a case in Austria, Schrems will first have to wait for 10 October, when US companies registered in the commercial register and listed in the data protection framework will be able to exchange data with the EU.
Next week, Schrems will also meet with Latombe to exchange views on how to proceed.
[Edited by Oliver Noyan/Kjeld Neubert/Zoran Radosavljevic]
Read more with EURACTIV