Key point: The European General Court has upheld the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework, confirming that the United States ensures an adequate level of protection for personal data transfers.
Recap of the EU-U.S. Data Privacy Framework and Legal Challenge
The EU-U.S. Data Privacy Framework (DPF), adopted by the European Commission in July 2023, was designed to facilitate transatlantic data flows while ensuring compliance with EU data protection standards. The DPF came after regulatory reforms in the United States, including a U.S. Executive Order and Department of Justice/Attorney General regulation that enhanced privacy safeguards and established the Data Protection Review Court (DPRC).
On September 3, 2025, the EU General Court dismissed a legal challenge brought by Philippe Latombe, a French Member of Parliament, who argued that the DPRC lacked independence and that U.S. intelligence agencies’ bulk data collection practices were not sufficiently constrained.
Court’s Reasoning and Decision
The EU General Court found that, at the time of the Commission’s adequacy determination, the United States provided an adequate level of protection for personal data. The court emphasized that the regulatory changes in the U.S. had addressed prior concerns raised in the Court of Justice of the European Union (CJEU) Schrems I and Schrems II decisions, which had invalidated earlier EU-U.S. data transfer frameworks.
The EU General Court’s September 3rd ruling confirms that personal data transfers to U.S. organizations certified under the DPF can continue without additional authorization, streamlining compliance for EU-based entities.
What Could Result from the Court’s Decision?
For multinational organizations engaged in the collection, processing, storage or transfer of personal data of EU residents, the ruling provides short-term legal certainty and operational clarity. However, privacy advocates may continue to challenge the robustness of the DPF, particularly with respect to surveillance practices and judicial oversight in the U.S.
Possibility of Appeal and Next Steps
Under Article 56 of the Statute of the CJEU, the decision can be appealed within approximately two months. Thus, it is important to monitor whether Latombe or other parties pursue further legal action, which could once again subject the DPF to judicial scrutiny. The EU General Court also noted that the European Commission’s adequacy decision required continuous monitoring of the DPRC legal framework, and that changes to that framework could result in the Commission deciding to suspend, amend or repeal the adequacy decision. Accordingly, organizations relying on transatlantic data flows should remain vigilant to ensure that their data transfer mechanisms remain aligned to the DPF’s requirements, the structure and independence of the DPRC, or future legal challenges to the DPF itself.
[View source.]
