General Court (of the CJEU) – Case concerning the independency of the DPRC and collection of data in bulk without ex-ante authorisation (Latombe T-553/23)
The General Court of the Court of Justice of the European Union has dismissed the annulment action brought by the French citizen Philippe Latombe against the Data Privacy Framework (‘DPF’).
Firstly, Mr Latombe stated that the work of the Data Protection Review Court (‘DPRC’) depends on the US executive branch.
Secondly, he asserted that the country’s intelligence agencies are collecting personal data in transit from the European Union in bulk, without prior authorisation from a court or an independent administrative authority.
Based on the foregoing, the General Court refers to the safeguards in place for the DPRC’s independence as well as the Commission’s competence to monitor the legal framework (the specific US laws in place) on which the DPF is based. In relation to the bulk collection of personal data, the Court states that the decision of collection must be subject to ex post judicial review, as is evidenced in this present case.
Philippe Latombe is a French citizen who claims to use various IT platforms that collect his personal data and transfer them to the USA.
Transfers of personal data from the EU to the USA
In the past there have been two successful contestations relating to transfers of personal data from the EU to the US:
The Court of Justice declared the European Commission Decision 2000/520/EC of 26 July 2000 invalid by judgment of 6 October 2015 (the judgement in Schrems I). The Decision, otherwise known as the Safe Harbour agreement, governed personal data transfers from the EU to the US.
Subsequently, by judgement of 16 July 2020 (Schrems II), the Court declared the EU-US Privacy Shield (the new agreement governing personal data transfers from the EU to the US) invalid.
In both cases, the Court of Justice held that the two systems (Safe Harbour and the Privacy Shield- for data protection governing transfers of personal data, did not afford a level of protection of fundamental rights and freedoms essentially equivalent to that guaranteed by EU law.
In search of a new framework, the European Commission (‘the Commission’) started talks with the US Government to adopt a new adequacy decision that would adhere to the requirements of article 45 (2) of the General Data Protection Regulation (‘GDPR’) relating to the assessment of an adequate protection level. This led to the latest framework (‘Data Privacy Framework’) established for personal data flows between the EU and the US (‘contested decision’).
Prior to the adoption of the Data Privacy Framework (‘DPF’), the US adopted the Executive Order 14086 (‘the Executive Order’). Under this Executive Order a two-layer mechanism is established for individuals to receive an independent and binding review and redress. This mechanism consists of the following two layers:
The first layer: the Office of the Director of National Intelligence’s Civil Liberties Protection Officer (‘ODNI CLPO’ or ‘CLPO’) who has the authority to investigate and review qualifying complaints to detect whether a violation has occurred and, if necessary, to order an appropriate remediation.
The second layer: a panel of the Data Protection Review Court (‘DPRC’) providing an independent and binding review of the CLPO’s decision, following the receipt of an application for review from the individual or an element of the Intelligence Community.
Relation to this case
In light of these developments, Mr Latombe, asked the General Court of the Court of Justice (‘General Court’ or ‘the Court’) to annul the contested decision. Mr Latombe (hereafter ‘the applicant’) relied on five pleas in law, one which he withdrew from.
This article will primarily focus on the second and third pleas relating to the alleged infringement of articles 7 and 8 (the respect for family and private life and the protection of data) of the Charter of Fundamental Rights of the European Union (‘CFR’), as well as the infringement of article 47 second paragraph of the CFR (right to a fair trial) and of article 45 (2) GDPR (elements for the assessment of an adequate level of protection).
Overview relevant US authorities DPF
The Court’s analysis
The second plea in law, alleging the infringement of articles 7 and 8 of the CFR
Article 7 CFR: Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Article 8 CFR: Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
The applicant claims that the Commission infringed above mentioned articles in the contested decision by concluding that the US provided an adequate level of protection compared to EU law with respect to the bulk collection of personal data by that country’s intelligence agencies. The applicant raised the following three complaints under this plea:
That intelligence activities carried out pursuant to Section 702 of the Foreign Intelligence Surveillance Act (‘FISA’) are not subject to the safeguards provided for in the Executive Order. The Court however held that Section 702 does not authorise bulk collection of personal data, but rather only targeted collection.
That the Executive Order does not render the bulk collection of personal data subject to prior authorisation by a judicial or administrative authority (referring to, inter alia, the Schrems II case). The Court rejected this claim by noting that the decision authorising bulk collection must be subject, as a minimum, to an ex post facto judicial review.
That the Executive Order gives the President of the US the power to authorise a secret update of the specific obligations relating to bulk collection. Nonetheless, the Court determined that the Executive Order demonstrates that the power conferred upon the President of the US to make an update to the list of specific objectives of bulk collection is not unlimited. An update may only be made due to the emergency of new national security imperatives (e.g. new or heightened threats to national security). In addition, the updating of the specific objectives is, in most cases, made public. Moreover, even when remaining secret, bulk collection is subject to all the safeguards that are provided for in the Executive Order. Also, the existing oversight mechanism of the CLPO, as well as the review by the DPRC, remain.
The Court thus rejects all three complaints in the second plea in law, as well as the second plea in law in its entirety.
The third plea in law, alleging the infringement of the second paragraph of art. 47 of the CFR and of article 45 (2) GDPR
Article 47 (2) CFR:
Everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law. Everyone shall have the possibility of being advised, defended and represented.
Article 45 (2) GDPR:
When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
The applicant alleges the Commission’s infringement of the above mentioned articles since, in the contested decision, it considered that the DPRC provided an adequate level of protection for the right of EU individuals to (1) an independent and impartial tribunal (2) previously established by law.
Independent and impartial tribunal
The applicant claims that the DPRC is not an independent and impartial tribunal since (1) its mission is to review decisions of the CLPO of the Director of National Intelligence, (2) it is composed of judges appointed by the Attorney General after consulting the Privacy and Civil Liberties Oversight Board (‘PCLOB’) and (3) the Attorney General does not preclude the possibility that its judges may be subject to forms of supervision on the part of the executive branch.
Firstly, the Court notes that the independent judiciary must be ensured in relation to the legislature and the executive. Regarding this matter, the Court refers to and distinguishes between two aspects of judicial independence.
External independence which requires that a court exercises its function autonomously, free from being subject to hierarchical constraints or dependent on any other body(‘s orders or institutions).
Internal independence which requires an equal distance of the judge from the parties to the proceedings and their interests relating to the subject matter of those proceedings.
Reviewing decisions of the CLPO
Relating to the first argument, that the DPRC is not independent and impartial tribunal since its mission is to review decisions of the CLPO of the Director of National Intelligence, the Court refers, among other things, to the following elements:
The DPRC is composed of at least six judges, who are appointed by the Attorney General, after consulting 1) the PCLOB, 2) the United States Secretary of Commerce and 3) the Director of National Intelligence. Individuals who aren’t employed by the executive branch at the time of their appointment or in the previous two years can be eligible for appointment to the DPRC. During their term, the DPRC judges aren’t permitted to have official duties or employment within the US Government.
Secondly, decisions of the CLPO are reviewed by a board of three DPRC judges who are assisted by a Special Advocate. The judges thus, do not solely rely on the CLPO’s assessment, but also on information and submissions provided by 1) the complainant, 2) the Special Advocate and 3) the intelligence agencies. Furthermore the DPRC must apply the related case-law of the US Supreme Court.
Thirdly, the DPRC has the authority to alter a decision, is not bound by the CLPO’s decision, and in the case of conflict with the CLPO, may adopt its own determination on the complaint. Moreover, the DPRC’s decision binding and final meaning that both the intelligence agencies and the US Government are required to comply with it.
Finally, the CLPO can only be dismissed by the Director and only in the following situations: misconduct, malfeasance, breach of security, neglect of duty or incapacity. In addition, the intelligence agencies and the Director are prohibited from impeding or improperly influencing the work of the CLPO.
Based on the foregoing the Court rejects the present argument.
The composition of the judges
The Court also rejects the applicant’s second argument relating to the DPRC’s composition of judges appointed by the Attorney General after consulting the PCLOB.
The Court states that the PCLOB is an independent agency within the executive branch. The independence of the PCLOB is evident from its bipartisan composition. The board, appointed by the President of the US, with Senate approval, is selected on, amongst other things, professional qualifications, without regard to political affiliation. In addition, no more than three members of the PLCOB should belong to the same political party. According to the Court, it should also be noted that, although the PCLOB was established within the executive branch, its founding statute established it as an independent agency focused on supervising the work carried out by the executive (in particular regarding the protection of privacy and civil liberties).
In addition, to ensure the independence of the DPRC judges from the executive branch, the DPRC judges may only be dismissed by the Attorney General for cause, such as misconduct, malfeasance, breach of security, neglect of duty or incapacity. Should the Commission be presented with indications that an adequate level of protection is no longer being ensured, it is obligated to inform the relevant US authorities. In such cases, the Commission is required to decide whether to suspend, amend or repeal the contested decision, or limit its scope.
Supervision of the judges
Relating to the argument of the applicant regarding the DPRC’s judges possible subjection to forms of supervision, the Court states, based on the Commission’s arguments, that the DPRC’s judges are not subject to day-to-day supervision.
Previously established by law
The applicant also claims that that the DPRC was not previously established by law, as it was not created by a law adopted by the US Congress but rather by an act of the executive, specifically a decision made by the Attorney General. The Court has dismissed this argument stating that in order to determine whether the requirements flowing from the second paragraph of Article 47 of the CFR are met, it is necessary not only to assess the formal nature of the legal instrument establishing a tribunal, but also to find whether that specific legal instrument provides enough safeguards to ensure the tribunal’s independence and its impartiality in relation to the other branches (e.g. the executive branch).
The Court refers to the multiple safeguards essentially equivalent to EU law in, inter alia, the Executive Order to ensure the independence and impartiality of the DPRC (some of these mentioned in the plea above). The Court also mentions that the Supreme Court of the US has recognised that the Attorney General can establish independent bodies, such as the DPRC. In addition the DPRC’s decision is binding and final. Accordingly, both the executive branch and the intelligence agencies are required to comply with it and the work of the DPRC is subject to oversight by the PCLOB.
In the light of all of the foregoing considerations, the third plea in law is also rejected in its entirety.
Conclusion of the Court
In conclusion, the General Court dismissed the action for annulment relating to the Data Privacy Framework.
The Court has thus confirmed that, at the time the Data Privacy Framework was adopted, the United States provided an adequate level of protection for personal data transferred from the European Union to organisations in the United States.
Key takeaways
It is important to note that an appeal against this decision of the General Court may be brought before the Court of Justice within two months and ten days of notification of the decision, on points of law only.
The Court of Justice has previously ruled on successful lawsuits against earlier EU-US frameworks, which were brought before it through preliminary questions. This is in contrast to the present case, in which Mr Latombe initiated legal proceedings before the General Court (first instance of the EU courts).
Furthermore, the question of how the transition of presidential power from former president Joe Biden, who signed the Executive Order, to the elected-president Donald Trump, will impact the course of any following legal proceedings remains to be seen.
For instance, in January 2025, three Democratic members of the Privacy and Civil Liberties Oversight Board were dismissed by an Executive Order from Trump. Nevertheless, the Commission noted that the Board can still function without a quorum and that a US court has reinstated the previously dismissed members. Because of the scope of the challenge, the General Court decided to abstain from a ruling relating to the use of Executive Orders by the Trump administration. It remains to be seen whether a potential case before the Court of Justice will have a different outcome.
European companies and governments must therefore exercise caution when transferring personal data to the US. This decision by the General Court could still result in an appeal to the Court of Justice (second instance of the EU courts), where the issue of adequacy may be assessed differently.
