EU's Supreme Court Nullifies EU-US Data Privacy Agreement

US privacy laws face new criticism as the Court of Justice of the European Union annuls an EU-US data transfer agreement. This decision intensifies the demand for stricter privacy regulations in the US, on the argument that privacy is a fundamental human right in the EU, unlike in many American practices.

EU's top court annuls the EU-US Safe Harbor agreement
The EU-US Data Privacy Framework, finalized in 2023, marks a significant shift in the way personal data is transferred between Europe and the United States. Replacing the Privacy Shield program, which was rejected by the EU Court of Justice in July 2020, this new framework provides a legal mechanism for American tech giants like Facebook (Meta) and Google to transfer EU personal data under EU data protection standards [1][3][4].

President Biden issued an executive order on October 7, 2022, adopting the EU-US Data Privacy Framework [2]. Companies must self-certify compliance with the DPF principles, which include limits on US government surveillance and new redress mechanisms for EU citizens [3][4]. Key impacts on these companies include:

  1. Data Transfer Legality: The DPF enables transatlantic data flows that had become legally uncertain after the invalidation of previous frameworks like Safe Harbour and Privacy Shield. Without the DPF, American companies face legal risks and potential fines when transferring EU personal data [1][4].
  2. Compliance Obligations: Companies must adhere to strict privacy and surveillance limitations. The framework requires commitments from the US government (via Executive Order 14086) limiting US intelligence access to EU data and establishing a Data Protection Review Court for compliance disputes [2][4].
  3. Enforcement and Fines: Failure to comply with the DPF principles risks violating the US FTC Act and GDPR standards, exposing firms to significant penalties. For instance, Meta was fined €1.2 billion in 2025 for non-compliant EU-US data transfers [1][3].
  4. Ongoing Legal Uncertainty: The framework’s future is uncertain due to upcoming EU court rulings (e.g., the September 2025 Latombe case) and potential legal challenges from privacy advocates like Max Schrems. These events threaten to disrupt or annul the DPF, increasing regulatory pressure on companies relying on it [1][5].
  5. Operational Impact: American tech giants must invest in data governance controls, surveillance compliance measures, and maintain transparency to sustain EU data transfers under the DPF, influencing how they collect, store, and use EU personal data in their global operations [1][4].

Meanwhile, the Email Privacy Act, unanimously approved by the House Judiciary Committee on the same day, aims to reform the 30-year-old Electronic Communications Privacy Act (ECPA) by requiring law enforcement to obtain a warrant from a court before compelling companies to hand over access to emails [2]. However, the Email Privacy Act does not directly address cross-border data transfers or the EU-US Data Privacy Framework.

The EU-US Data Privacy Framework and the Email Privacy Act are separate initiatives addressing different aspects of data privacy and surveillance. The EU-US Data Privacy Framework includes major tech companies such as Facebook, Messenger, Twitter, Pinterest, LinkedIn, WhatsApp, and Email [6]. As these initiatives evolve, they will continue to shape the digital landscape and influence how personal data is handled across the globe.

  1. The EU-US Data Privacy Framework, finalized in 2023, and the Email Privacy Act, approved by the House Judiciary Committee in 2022, are separate policy-and-legislation initiatives that address different aspects of data privacy and surveillance, respectively, in both the general-news and politics domains.
  2. Both initiatives, the EU-US Data Privacy Framework and the Email Privacy Act, are significant legal developments in the tech industry, impacting data governance, surveillance, and privacy standards on a global scale.
