Long dispute over data protection
A dispute has been raging between Europe and the USA for years over the handling of personal data. The judges in Luxembourg have already overturned an agreement twice - first Safe Harbor (2015), then Privacy Shield (2020). The reason given at the time was that the intelligence services in the USA could access data too easily and there were hardly any ways for Europeans to defend themselves.
Now there is a new decision: The General Court of the European Union (EGC) in Luxembourg has ruled that the current Data Privacy Framework (DPF) is lawful. This means that it is still possible for companies to transfer personal data to the USA in a legally secure manner.
Lawsuit from France fails
French MP Philippe Latombe initiated the process. He was convinced that the new agreement would not solve the old problems either. His concern: US intelligence services could continue to have extensive access to European data - despite all the assurances from Washington.
The judges did not share this assessment. In their decision, they emphasized that the USA had provided sufficient guarantees when concluding the agreement to ensure an adequate level of data protection. The agreement was therefore not legally objectionable.
Businesses breathe a sigh of relief - but for how long?
The ruling is hugely important in practice. Without the DPF, countless companies - from start-ups and SMEs to large tech corporations - would be in a legal gray area. Cloud services, social media, international HR management - all of these depend on the free flow of data across the Atlantic.
But the relief could be short-lived. The highest EU judges have already struck down such agreements twice. This time, too, an appeal can be lodged with the ECJ, within just over two months. And there the tide could turn again.
Comment: This is not what stability looks like
The ruling provides certainty in the short term. But one thing is equally clear: this legal framework is not reliable. Anyone familiar with the course of the last ten years knows that the next agreement could be struck down at any time.
The crucial question remains: Can EU citizens really be protected from mass data access in the USA? As long as this is not settled, any agreement will remain on shaky ground.
Our tip: Companies should use the time and not rely on the DPF alone. Those who also work with standard contractual clauses or store data in the EU wherever possible will be better prepared in case Brussels and Washington fail again at the ECJ.




