EU's Top Court Annuls EU-US Safe Harbor Agreement
The EU-US Data Privacy Framework, adopted by the European Commission on July 10, 2023, aims to replace the invalidated EU-US Privacy Shield and provide a legal basis for transatlantic data transfers. This third attempt was designed to address the Court of Justice of the European Union's (CJEU) Schrems II ruling by including new U.S. government commitments to limit surveillance and a redress mechanism for EU citizens.
However, the DPF's long-term future remains uncertain due to ongoing legal and legislative factors. The U.S. Congress has reauthorized key surveillance legislation (FISA 702), which is critical to the framework’s continuation, only until April 2026. Privacy advocates, particularly Max Schrems’ organization NOYB, have announced preparations for a potential legal challenge ("Schrems III") against the DPF if it is deemed inadequate.
Notably, the EU General Court is scheduled to rule on September 3, 2025, in a direct annulment case against the Commission’s adequacy decision for the DPF (Latombe v. European Commission). This ruling could invalidate the DPF, creating legal uncertainty similar to the Schrems II situation, though any decision can be appealed to the CJEU, prolonging the final outcome.
Thus, while the DPF currently provides a legal mechanism for EU-US data transfers, it faces significant legal scrutiny and political uncertainty. Companies and regulators are closely monitoring developments as the September 2025 court decision and U.S. legislative changes approach.
Meanwhile, the Email Privacy Act, a bill to protect Americans' emails from government surveillance, was unanimously approved by the House Judiciary Committee on the same day. President Biden issued an executive order on October 7, 2022, establishing the EU-US Data Privacy Framework for cross-border data transfers. The Email Privacy Act does not directly address cross-border data transfers or the EU-US Data Privacy Framework.
In summary:
- The EU-US Data Privacy Framework provides a legal basis for transatlantic data transfers, but faces significant legal and political uncertainty.
- The Email Privacy Act, which aims to reform the Electronic Communications Privacy Act, was unanimously approved by the House Judiciary Committee.
- The EU-US Data Privacy Framework includes provisions for data protection, data subject rights, and enforcement mechanisms.
- The Email Privacy Act does not directly address the EU-US Data Privacy Framework or cross-border data transfers.
- The EU-US Data Privacy Framework is currently valid, but faces potential legal challenges and legislative uncertainties.
- The legal and political uncertainty surrounding the EU-US Data Privacy Framework (DPF) has sparked interest in policy and legislation, as the DPF's future hinges on ongoing court decisions and U.S. legislative changes.
- The previously approved Email Privacy Act, which is not directly related to the EU-US Data Privacy Framework, focuses on reforming the Electronic Communications Privacy Act, aiming to protect Americans' emails from government surveillance.