Data transfer to the US: The case against the EU decision

A Member of Parliament is suing EU citizens in the US for not having legal protections when using Facebook or Google. Chances: Questionable.

Here, out: data exchange between the EU and the USA Photo: Apr

Berlin taz | The EU Commission should not have given carte blanche to transfer EU data to the US. French MP Philippe Ladombe believes this – and is now suing the EU Commission’s decision on the US data privacy framework at the EU Court of Justice (EuG).

Many companies such as Facebook or Google transfer data from EU citizens to the US for storage or processing there. However, this is only allowed if there is “substantially similar” data protection in the US. It is not necessarily organized in each individual case, the US has made general commitments to data protection, which have been accepted by the EU Commission, but not by the European Court of Justice (ECJ).

The ECJ already declared the EU Commission’s Safe Harbor decision invalid in 2015 and the Privacy Shield decision in 2020. He criticized the fact that US secret services are allowed to access data from EU citizens and that they do not have adequate legal protection.

Now there are Third try. In March 2022, the EU Commission and the US government agreed on a data privacy framework. In October 2022, US President Joe Biden signed an executive order to that effect. What is new is that EU citizens can appeal to a specialized US court (Data Protection Review Tribunal). In July 2023, the EU Commission declared the US data protection framework “adequate” in a decision.

Max Schrems plans a different path

MP Latombe, from the centrist MoDem party, is now suing the European Court of Justice in Luxembourg. US data protection is still disproportionately poor. However, as he was not “individually” affected by the Commission’s decision, his case would be inadmissible.

Austrian Max Schrems, whose lawsuits overturned safe harbor and privacy shield provisions, plans a different approach. Once companies rely on the new data privacy framework, they will take legal action against it in national courts, which will then submit the case to the ECJ. This path should be allowed.