EU-US Data Privacy Framework and third-country transfers
The General Court of the Court of Justice of the European Union, in case T-553/23, has dismissed an action seeking annulment of the European Commission’s adequacy decision for the EU-US Data Privacy Framework. The Court held that, at the time of the decision on 10 July 2023, the United States ensured an adequate level of protection for personal data transferred from the EU to organisations in the US participating in the EU-US Data Privacy Framework. The case concerns international transfers and objections relating, inter alia, to the Data Protection Review Court.
T-553/23: What was the case about?
The action was brought by an individual who used IT platforms that collected personal data transferred to the United States. He sought annulment of the Commission’s adequacy decision. The objections targeted both the independence of the Data Protection Review Court (DPRC) and the lawfulness of US intelligence collection.
The General Court assessed whether the US legal framework, including an Executive Order and a regulation issued by the Attorney General, provided sufficient safeguards. The Court also noted that the European Commission is required to monitor the application of the framework on an ongoing basis and, where necessary, amend, restrict or repeal the decision. The action was dismissed, meaning the EU-US Data Privacy Framework remains a valid transfer mechanism for personal data to the United States and supports transatlantic data flows.
Which parts of the GDPR were examined regarding transfers to the US?
The assessment was based on the third-country transfer regime under the General Data Protection Regulation (EU) 2016/679. The question was whether Commission Implementing Decision (EU) 2023/1795 meant that the recipient country ensured a level of protection essentially equivalent to EU law. Previous adequacy decisions for the US were annulled in Schrems I and Schrems II, setting the parameters for this review.
The Court examined in particular whether effective remedies and independent oversight were in place through the Data Protection Review Court. It also stated that bulk collection does not necessarily require prior authorisation, provided it is subject to ex post review. Against this background, the Court found that the requirements under EU law were met, supporting the European Commission adequacy decision.
Why the EU-US Data Privacy Framework matters for companies and organisations
The ruling provides clarity that transfers to certified US recipients can rely on the current adequacy decision. It also underscores the importance of redress and oversight in the recipient country. The Commission’s ongoing follow-up creates an embedded control mechanism for transatlantic data flows.
- Confirms that an adequate level of protection can rest on new due-process safeguards in the United States.
- Clarifies that ex post review can satisfy requirements for intelligence collection.
- Reaffirms the Commission’s duty of continuous monitoring and ability to amend an adequacy decision.
- Improves predictability for EU organisations planning transatlantic data flows.
GDPR takeaways for businesses after the ruling on transfers to the US
Businesses may continue to rely on the existing adequacy decision for transfers to the United States, provided the recipient participates in the EU-US Data Privacy Framework. Organisations should map affected data flows and review documentation and transparency notices. Follow the Commission’s monitoring and be ready to adjust if the decision changes. Shortcomings may lead to supervision, sanctions and reduced trust.
