EU's Apex Court Voids EU-US Safe Harbor Agreement
The ongoing saga in European courts over the protection of personal data when moved to the US by companies like Facebook and Google has reached a new milestone. The Irish High Court in Dublin is hearing a case about US privacy protections and surveillance policies, with a significant ruling expected around September 2025.
This ruling could potentially annul the EU-US Data Privacy Framework (DPF), challenging the legality of personal data transfers from the EU to the US without additional safeguards. The DPF, announced in March, aims to provide stronger protections for Europeans' personal data when transferred to the US and was designed to align US data protection practices more closely with EU requirements.
If the ruling does annul the DPF, it would reflect an assessment that US privacy protections under the DPF do not sufficiently safeguard personal data according to EU standards. This outcome may pressure US policymakers to strengthen privacy regulations or negotiate new terms to achieve an adequacy decision in the future.
Meanwhile, the EU continues to affirm adequacy decisions with other partners, such as the UK, which passed the Data (Use and Access) Act 2025 to maintain compliance with EU standards and continue free data flows. This contrasts with the uncertain situation regarding the US framework.
The potential CJEU decision follows previous disruptions like the Schrems II case, and if annulled, there would be no current adequacy decision facilitating free data transfer from the EU to the US. This would increase legal uncertainty since businesses would need to rely on alternative safeguards such as Standard Contractual Clauses (SCCs).
In the broader EU context, privacy is a basic human right, and most US states are still struggling to prohibit employers and schools from demanding passwords to employees' or students' social media accounts. President Biden issued an executive order adopting the EU-US Data Privacy Framework on October 7, 2022.
The DPF will likely affect how American companies like Facebook, Twitter, Pinterest, LinkedIn, Whatsapp, and Email collect, use, and store personal data collected from Europe. The alleged reason for the EU's challenge is that Europeans' personal data is unsafe in the US because the US law inadequately protects it and the US Government likes to spy on people's personal information.
Regardless of the CJEU's decision, the potential for increased trust in data transfers from the EU to the US for these American companies is a significant factor to consider. The full impact of the ruling depends on that pending judgment and potential appeals. Stay tuned for updates on this developing story.
- The annulment of the EU-US Data Privacy Framework (DPF) could potentially disrupt the way technology companies like Facebook, Google, Twitter, Pinterest, LinkedIn, Whatsapp, and Email manage personal data collected from Europe.
- If the Irish High Court rules to annul the DPF, it might push tech companies to prioritize strengthening privacy regulations to maintain compliance with EU standards, thus impacting the technology sector significantly.
