Data transfer to the US: The case against the EU decision

An MP complains about the lack of legal protection for EU citizens using Facebook or Google in the US. Chances: Questionable.

Here, out: data exchange between the EU and the USA Photo: Apr

Berlin taz | The EU Commission should not have given carte blanche to transfer EU data to the US. French MP Philippe Ladombe believes this – and is now suing the EU Commission’s decision on the US data privacy framework at the EU Court of Justice (EuG).

Many companies such as Facebook or Google transfer data from EU citizens to the US for storage or processing there. However, this is only allowed if there is “substantially similar” data protection in the US. It is not necessarily organized in each individual case, the US has made general commitments to data protection, which have been accepted by the EU Commission, but not by the European Court of Justice (ECJ).

The ECJ already declared invalid the EU Commission’s Safe Harbor decision in 2015 and the Privacy Shield decision in 2020. He criticized the fact that US secret services are allowed to access data from EU citizens and that they do not have adequate legal protection.

Now there are Third try. In March 2022, the EU Commission and the US government agreed on a data privacy framework. In October 2022, US President Joe Biden signed an executive order to that effect. What is new is that EU citizens can appeal to a specialized US court (Data Protection Review Tribunal). In July 2023, the EU Commission declared the US data protection framework “adequate”.

Max Schrems plans a different path

On the other hand, MP Latombe from the centrist party MoDem has now filed a complaint with the ECJ in Luxembourg. US data protection is still disproportionately poor. However, since he was not “individually” affected by the Commission’s decision, his action would be inadmissible.

Austrian Max Schrems, whose lawsuits have struck down safe harbor and privacy shield provisions, is plotting a different path. Once companies rely on the new data privacy framework, they will take legal action against it in national courts, which will then submit the case to the ECJ. This way should be allowed.