French MP Disrupts the Schrems Monopoly on Challenging Transatlantic Data Transfers
Aleksandr Tiulkanov
Upskilling people in the EU AI Act - link in profile | LL.M., CIPP/E, AI Governance Advisor, implementing ISO 42001, promoting AI Literacy
Philippe Latombe , a deputy of the French Parliament, has challenged the newly minted mechanism for transferring data from the EU to the US — the European Commission’s Adequacy decision on the EU-US Data Privacy Framework (DPF).
Some aspects of the challenge were predictable, but some are surprising in a way that may require business privacy managers also start managing anxiety resulting from this new case.
The Classic Bit
Philippe Latombe , who applied directly to the EU Court of Justice (CJEU), believes that the DPF suffers from the shortcomings of its predecessors, Privacy Shield and Safe Harbor, which were annulled following earlier complaints by an Austrian lawyer and privacy activist Max Schrems (these cases are now called Schrems II and Schrems I, accordingly).
According to Latombe – who is also a commissioner of the CNIL, the French data protection authority – the DPF and the EU Commission's adequacy decision on it are not in line with the EU Charter of Fundamental Rights and the General Data Protection Regulation.
In a press communiqué, the MP notes that the DPF does not provide sufficient protection for the personal data and the rights of Europeans, including when automated decisions are made about them, and does not give them access to effective redress in an impartial court.
The/Le Régime Linguistique
The French MP also believes that the DPF should also be declared invalid on procedural grounds: the text of the act implementing the DPF was not published in the Official Journal of the EU and was not delivered to the national authorities of the EU member states in their corresponding official languages.
“No versions of the text, other than the English version, have been developed and are not available to date… This unfortunate omission… in itself deserves to be fully analysed,” notes Latombe.
And the Plot Twist
The legal challenge mechanism chosen by Latombe differs from that used by Schrems.
In challenging the predecessor act, Schrems did so because his rights as a data subject were infringed when his data was transferred to the US by a particular business (Meta’s Irish unit), and the request to the CJEU was made not by Schrems himself but by the Irish court hearing his case.
Latombe, for his part, applied directly to the CJEU under Article 263 of the Treaty on the Functioning of the European Union — not as a CNIL Commissioner or MP, but in his capacity as an ordinary EU citizen.
Latombe Goes the Fast Route…
And here’s the privacy professionals’ worry: this procedure is considerably quicker than the one used by Schrems.
If successful, Latombe’s application will much more quickly disrupt the data flows to the US and will leave companies little time to adapt: there will be no iterations where the case will have to be decided and challenged slowly and sequentially from the national data protection authority to the referring court, and then to the CJEU.
领英推荐
Here, the application is directly to the CJEU and Latombe is asking for an immediate injunction before any deeper analysis.
This would be undesirable news for any privacy managers in the EU organisations who, as a matter of daily business, are transferring data to the US and who have just recently decided or were thinking of invoking the DPF as a basis to do so.
…Which Has Its Complications
It needs to be noted, though, that while faster than the Schrems way, Latombe’s way of disputing the Commission’s adequacy decision may be also more challenging for the applicant.
According to the CJEU case law, the condition for the admissibility of such an application is the direct (C-486/01 Front national v. European Parliament) and individual (C-25/62 Plaumann v. Commission) concern for the applicant.
This admissibility test could be said to set a bar much higher than just a usual legitimate interest in the outcome of the case.
Now, firstly, even to demonstrate such a usual legitimate interest, Latombe normally would have to show that a particular data controller subject to the EU jurisdiction is transferring his data to the US and is doing so based on the new adequacy decision and the DPF.
But then, secondly, the “direct concern” requirement for direct CJEU applications means Latombe will have to prove to the CJEU that the measure complained of (the EU-US adequacy decision) affects directly his legal situation and leaves no discretion to the addressees of that measure, who are entrusted with the task of implementing it, these likely being the national data protection authorities and the businesses who are data controllers.
And, thirdly, the “individual concern” requirement is even harder to meet. As narrowly interpreted by the CJEU, to be individually concerned by a decision that is not directly addressed to you, you must be affected in a way that sets you apart from everyone else – because of special attributes or conditions specific to you as an individual. You must be impacted distinctly, in the same manner as if you had been explicitly named.
Considering all of the above, whether Latombe’s application will be ruled admissible by the CJEU remains a big question. We will just have to wait and see.
What is hard to doubt is that Max Schrems will also not stand aside and will likely file his own complaint concerning the DPF as soon as practical based on his own legal analysis.
To Sum Up
Latombe has not yet published his application, so we cannot say much about the strength of his legal arguments before the CJEU. Admissibility will for sure be a challenge.
However, if successful, his case has the potential to disrupt transatlantic data flows profoundly and, in this instance – very swiftly, compared to the by-now-usual routine “à la Schrems”.
So, if you are a data privacy professional, and your employer or your clients were planning to or have already followed Meta and some other major businesses who have already started relying on the Data Privacy Framework, you now have a new data point for your analysis on whether to continue as planned before.
?
bit.ly/abhijeetsingh23 | brtsimpson.org
1 年Meenakshi Lekhi